We owe our clients a duty of confidence, and we owe it to ourselves to keep our business data secure. Security means more than keeping data out of the hands of the bad guys, though: it also means having reliable access to our data and maintaining its integrity. Keeping a law firm secure isn’t a one-time fix; it involves implementing ongoing policies. In this post, we’ll lay out some straightforward practices that can increase your law firm's security. These steps are:
Two-factor authentication puts an extra barrier in the way of someone who wants to access a service such as your email account, cloud storage provider, or any other system that stores confidential data. Without two-factor authentication, if an attacker guesses your password: game over. Similarly, if an attacker gets into your email account: game over (once in the email account, password resets can be triggered on your other accounts). With two-factor authentication, on the other hand, a password is not sufficient to gain access. Instead, it’s necessary to have something else: typically a code sent to your smartphone via SMS message or generated by an app like Google Authenticator. Obtaining access would therefore require either having your smartphone or convincing your phone company to move your number to another SIM. The latter (so-called SIM-swap fraud) does happen, so where a service offers app-generated codes or a hardware security key, prefer those over SMS; even SMS codes, however, are far better than a password alone.
Our Recommendation: turn on two-factor authentication for every service or app that holds sensitive data, and prefer services that offer this feature (ideally with app-based codes rather than SMS).
Does your computer regularly nag you that it has updates to install? Good: that means it is trying to help you be more secure! Installing updates is strongly recommended for security reasons. Many updates fix known bugs in the operating system (Windows or Mac) that create security vulnerabilities, and once a fix is published, attackers know exactly which bug to go after on machines that haven’t installed it. Yes, installing these things (particularly in Windows-land) can be slow and can even seize up the computer, but you’ve got to do it, or else you’re a sitting duck. It’s also good practice to be on the latest version of your operating system, e.g., Windows 10 or Apple’s OS X El Capitan (as of this writing). Not surprisingly, these businesses spend more time and energy making their current product line better, and more secure, than they spend on older versions.
Our Recommendation: install those pesky OS updates as soon as they’re available and stay on the latest version of your computer’s operating system. If your computer is too old or slow to handle the latest version, get yourself to the store and buy a new one! The computer is where we do much of our legal work, and it pays to have a good one.
It’s quite simple to encrypt the entire disk of both Mac and Windows computers. The benefits are enormous and the costs are negligible. In fact, I haven’t noted any performance difference on my MacBook Pro with FileVault turned on. Same with BitLocker on my Windows machine. With the disk encrypted, its contents are unreadable to anyone who takes the machine while it is powered off or at the pre-boot login screen, because the key that decrypts the disk is only released after you enter your password. (It does not protect a laptop that is stolen while unlocked and running, so lock your screen and use a strong login password; the encryption is only as strong as the password that unlocks it.) Without encryption, a hacker or thief could easily read the entire contents of your disk (all active files, folders, and even deleted files with the right equipment) without having your password, simply by booting from another drive or pulling the disk out. Laptops get stolen all the time, and desktop computers are also vulnerable. No matter who you are, you have to assume that your computer could get stolen (from your house, car, wherever). In light of that fact, it’s borderline irresponsible not to encrypt the disk.
Our Recommendation: if you haven’t already, encrypt your disk using FileVault or BitLocker. Don’t delay! When you turn it on, write down the recovery key it gives you and store it somewhere safe (not on the same computer), because without the password or that key the data is gone for good. You can confirm encryption is actually on by running `fdesetup status` in Terminal on a Mac, or `manage-bde -status` in an administrator command prompt on Windows.
The human brain can only hold so many passwords. Well, it can only hold so many good passwords. We can remember tons of bad passwords based on things like the names of our pets, our street, or simply the word “password”, or “12345678.” Weak passwords can be:
All of the above are bad because they can be either guessed outright or enumerated quickly by a so-called brute-force or dictionary attack: an attacker’s software tries dictionary words, names, and common patterns like a word followed by a year at millions of guesses per second. Good passwords are random, long, and unique to each service. Here are a few examples:
I generated these from a password manager. A password manager means that I only ever have to remember one good password. This password is my skeleton key. It gives me access to all of my other passwords. My bank, e-mail, Dropbox, etc. now all have effectively uncrackable passwords like the example at the top without my needing to remember them. Given that most of us have credentials at many dozens of services, we need a password manager if we’re going to use strong and unique passwords. (Unique matters: when one site is breached, attackers try the leaked passwords on every other site, so a reused password turns one breach into many.) Since the master password protects everything, make it a long passphrase and turn on two-factor authentication for the manager itself. There are several great options available, such as 1Password, Dashlane, and LastPass.
Our Recommendation: use a password manager so you only have to remember one password while all of your other passwords are long, random, and unique.
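To make the difference between a pet-name password and a generated one concrete, here is an added example (not from the original post or from any password manager) that does what the generator inside a password manager does, using Python's `secrets` module, and then puts numbers on the brute-force argument above. The 94-symbol alphabet, the 20-character default length, and the assumed cracking rate of ten billion guesses per second (a plausible figure for an offline attack on a fast hash, and this example's assumption) are this example's own choices.

```python
import math
import secrets
import string

# Printable ASCII letters, digits and punctuation: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the OS cryptographic RNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_candidates(dictionary_words: int, digit_suffix_len: int) -> int:
    """Search space for the classic 'word plus digits' pattern such as Fluffy2016."""
    return dictionary_words * 10 ** digit_suffix_len


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at the given guess rate (assumed rate)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Strength of a generated password versus a 100,000-word dictionary + 4 digits."""
    strong_bits = entropy_bits(20, len(ALPHABET))
    weak_bits = math.log2(pattern_candidates(100_000, 4))
    return {
        "generated_bits": round(strong_bits, 1),
        "generated_years": years_to_exhaust(strong_bits),
        "pet_name_bits": round(weak_bits, 1),
        "pet_name_seconds": years_to_exhaust(weak_bits) * 365 * 24 * 3600,
    }


if __name__ == "__main__":
    print("example generated password:", generate_password())
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```

The pet-name pattern has about 30 bits of entropy and falls in a fraction of a second; the 20-character generated password has about 131 bits, which is why the text above calls such passwords effectively uncrackable. The qualifier matters: a password that is long but reused, or one stored next to its service in a spreadsheet, gives up that protection regardless of its entropy.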
Our Recommendation: ensure that all members of your firm (staff and lawyers) are educated about phishing and know the red flags to look for: a reply address that doesn’t match the sender, links whose visible text doesn’t match where they actually point, artificial urgency, and requests for credentials or wire transfers that arrive out of the blue. When in doubt, don’t click the link; go to the site by typing its address, or phone the supposed sender on a number you already have. Also use a mail server or cloud email service with strong spam and threat detection. There are guides for spotting phishing at CNET and TechRepublic.
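Two of the red flags above, a Reply-To address on a different domain from the sender and a link whose visible text does not match its real destination, can be checked mechanically, which is roughly what the "threat detection" in a good mail service starts with. Here is an added example (not from the original post or from any mail product) that runs those checks over a constructed sample message using only Python's standard library. The message, its addresses and the check names are all invented for illustration; the domains use the reserved `.example` suffix and the IP address is from a documentation range.

```python
import ipaddress
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real phishing email.
SAMPLE = b"""From: "Acme Bank Security" <alerts@acme-bank.example>
Reply-To: recover@acme-bank-verify.example
To: partner@lawfirm.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please log in within 24 hours:</p>
<a href="http://203.0.113.7/login">https://www.acme-bank.example/login</a>
<p>Or see <a href="https://www.acme-bank.example/help">our help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return text.startswith(("http://", "https://", "www."))


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw: bytes) -> List[str]:
    """Return a list of human-readable red flags found in one raw email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                        f"From domain {domain_of(from_addr)}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        host = host_of(href)
        if is_ip(host):
            findings.append(f"Link to bare IP address: {href}")
        if looks_like_url(text):
            shown = host_of(text if text.startswith("http") else "http://" + text)
            if shown != host:
                findings.append(f"Link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("RED FLAG:", finding)
```

Checks like these catch the crude cases; they say nothing about a well-crafted message whose links all go to a freshly registered lookalike domain, which is why the training in the recommendation above is still the main defence.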
We lawyers often have a lot of sensitive data to protect. Following the steps above will go a long way towards keeping client data and critical business data out of the hands of the wrong people. While this list is a good start, you can’t rest on your laurels after completing it. Additional steps to consider include
We also recommend subscribing to several blogs that provide excellent coverage of security issues, including