It’s not too late to add improving cybersecurity practices to your New Year’s resolutions. In fact, it’s one resolution you can’t afford to leave off your list. In recent years, information privacy and security have moved to the forefront of legal issues. No industry has been immune from cyberattacks.
Last year, the ABA presented a webinar, “Ethics and Technology: Avoiding Traps and Pitfalls”, to help lawyers understand the ethical standards for technology use. The webinar highlighted the amendment to Model Rule 1.1, stating that the competent representation of a client includes an analysis of “the benefits and risks associated with relevant technology.” Furthermore, under Model Rule 1.6, attorneys have a duty of confidentiality. Together, these Rules underpin lawyers’ obligations to properly address cybersecurity risks.
It’s time to throw past excuses out the window! Building strong cybersecurity practices may seem daunting, but here are five action items to get you started in the right direction.
The first line of defense in cybersecurity is the physical security of your devices. Set up password-protected screens that automatically lock your device after you have stepped away, to prevent unauthorized access. Furthermore, installing device-tracking software may save you headaches if your device is lost or stolen. In case your device cannot be recovered, enabling remote wiping of data will ensure your information does not end up in the wrong hands. Apple products come with the “Find My [Device]” app, which can be turned on through your iCloud settings. This app provides tracking and remote wiping capabilities. For PCs and Androids, Prey offers free tracking capabilities. For a $5 monthly subscription, Prey will also enable remote wiping capabilities for up to three devices.
Irene Mo will be speaking at a Legal Innovation & Tech Talks at Katten event on Thursday, Jan. 26 at 5:30 p.m. in Chicago at Katten Muchin Rosenman LLP, 525 West Monroe St. Other presenters include:
• Daniel W. Linna, Attorney, Law Professor, & Director of LegalRnD at Michigan State University College of Law.
• Daniel Katz, Associate Professor at IIT Chicago Kent College of Law
• Geoffrey Burkhart, Deputy Director of the ABA Center for Innovation
• Yaniv Schiller, Chief Operating Officer at CourtAlert
In addition to physical security measures, the software on your devices is equally important. First, install device updates promptly. Updates often include patches for recently discovered security flaws, so delaying an update leaves your device exposed to flaws that are already publicly known. Next, install an antivirus on your device and run it often. One common myth is that Apple products are immune to malware, but that is not true anymore. I currently use Avira for my MacBook and iPhone antivirus, but it also provides antivirus for PCs and Android devices. Avira is free and can provide essential protection for all of your devices. Finally, before connecting to public Wi-Fi on any device, use a virtual private network (VPN) to encrypt your connection. TechCrunch has a great article explaining what a VPN is and why you should use one when you are on public Wi-Fi and on unsecured websites.
Back Up Data
Just do it. No ifs, ands, or buts. To reduce vulnerability to malware attacks like ransomware, back up early and often.
However, not all backups are equal. It is best to back up “on an external device that is not tied to the network and completely offline.” During the ABA TECHSHOW, Adriana Linares warned against popular cloud-based sync services because they “simply replicate everything . . . which means that if you have a virus on your laptop, the problem can spread to your backup file.” A good backup “does versioning—saving older versions of your files.” If a computer or a law firm’s data does get attacked, a versioned backup lets you restore the uninfected copies from before the attack and reduces interruptions to business.
Use a Password Manager
With the availability of password managers, there is no excuse to use the same username and password for all of your accounts. In fact, that might not even be an option anymore, as password requirements become more complex and each organization uses its own set of requirements. 1Password and LastPass are the two most-recommended password managers. You create a master password to unlock the app, which will track all of your other passwords. And if you are worried about losing your master password, write it down and physically lock it away. If you have a strong password on your device and a strong password on your password manager, the chances of a hacker gaining access to your list of other passwords are slim.
Enable Two-Factor Authentication
Perhaps the most infamous cyberattack in 2016 was the hack into Hillary Clinton’s presidential campaign through a phishing email. Phishing is obtaining a user’s personal information through a fraudulent link. After receiving an email from “Google” (not actually Google) stating that Google had detected and prevented suspicious sign-in activity on Campaign Chairman John Podesta’s Gmail account, one of Podesta’s aides forwarded the email to Charles Delavan, dubbed by the media as “an IT guy.” Delavan replied that the phishing email was “a legitimate email” when what he actually meant to say was that the email was “an illegitimate email” or “not a legitimate email.”
Moreover, in Delavan’s reply, he suggested Podesta turn on two-factor authentication. Two-factor authentication requires the user to submit two forms of verification drawn from knowledge (e.g., passwords, security questions), possession (e.g., security tokens, a verification code texted to your phone), or inherence (e.g., fingerprint or retina scanners). Even if the hackers gained access to Podesta’s password, two-factor authentication may have provided the extra layer of protection necessary to prevent access, because the password alone would not satisfy the possession factor. In fact, many cybersecurity experts claim two-factor authentication would have prevented the hack into Clinton’s campaign entirely.
If you’re still not convinced two-factor authentication is necessary, Google has a great explanation for why you need it, how it works, and how it protects you. Turn on two-factor authentication and do it immediately.
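To make the “two forms of verification” concrete, here is an added example (not code from the article or from any of the services it mentions) of how a site can check both factors at login: a password (knowledge) and a six-digit code from an authenticator app (possession). The code follows the HOTP/TOTP algorithms published in RFC 4226 and RFC 6238, which is what apps like Google Authenticator use. The user record, its salt and the shared secret `JBSWY3DPEHPK3PXP` are constructed sample values for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


# --- Constructed sample user record (not from the article) --------------------
# The site stores only a salted hash of the password, never the password itself,
# plus the TOTP secret that was shown to the user as a QR code during enrollment.
SALT = b"constructed-sample-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) suitable for storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USER = {
    "password_hash": hash_password("correct horse battery staple"),
    "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # constructed sample secret
}


# --- One-time password algorithms (RFC 4226 / RFC 6238) ------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over an 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP with the counter set to the
    number of 30-second windows since the Unix epoch."""
    return hotp(secret, at // step, digits)


# --- Login check requiring both factors -----------------------------------------
def verify_login(user: dict, password: str, code: str, now: int) -> bool:
    """Return True only if the password AND a current authenticator code match.

    A stolen password alone fails here, which is the protection the article
    describes.  Comparisons use compare_digest to avoid timing side channels,
    and one 30-second window of clock drift on either side is tolerated.
    Both factors are always evaluated so a wrong password does not return faster."""
    password_ok = hmac.compare_digest(hash_password(password), user["password_hash"])
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + drift * 30), code)
        for drift in (-1, 0, 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    good_code = totp(USER["totp_secret"], now)
    print("password + fresh code:", verify_login(USER, "correct horse battery staple", good_code, now))
    print("password only (guessed code):", verify_login(USER, "correct horse battery staple", "000000", now))
    print("code only (wrong password):", verify_login(USER, "wrong-password", good_code, now))
```

In a real deployment the secret would be generated with `secrets.token_bytes(20)` per user and the site would also record the last window it accepted, so that a code intercepted over someone’s shoulder cannot be replayed within the same 30 seconds.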
Be Conscious about Social Hacking
Social hacking takes advantage of vulnerabilities in human behavior to gain personal information. Phishing emails, like the one used on Clinton’s campaign, work because the emails warning of a threat appear to be official. Another example of social hacking is pretexting: establishing a false sense of trust by impersonating an authority figure to gain access to personal information. My peers at law school and I often receive pretexting emails from “Michigan State University’s IT Department” asking for our password or other information to perform “necessary account updates.” Another pretexting attempt targets people with callers pretending to be the IRS. To “clear back taxes,” the person must divulge personal information about themselves.
Lastly, be careful of what you share on social media and with whom you share information. Social media exploitation is obtaining a user’s personal information through social media. Stop adding people on Facebook or LinkedIn whom you do not know or cannot verify as a real person! More likely than not, the answers to your security questions are all over your social media accounts. One solution to this security weakness may be to give untruthful answers to security questions (e.g., place of birth, hometown, college mascot) and to store your untruthful answers in your password manager. That way your security questions can still provide an additional layer of protection, but your answers are not available to the public.
There you have it – Five action items to get your cybersecurity practices on point for 2017!