It has not been a great week for DLA Piper. Among many other global companies such as Maersk, BNP and TNT, the firm was hit by a major ransomware attack. The attack arrived only weeks after the ‘WannaCry’ hack which hit global corporations (including the UK NHS) in May. Clearly, this sort of thing is becoming commonplace. The worst thing is, you could be next.
The alarming rise in cyber attacks is leaving us with no choice but to keep on addressing cybersecurity as a top priority. But what measures can you as a lawyer take to avoid catastrophe? We will be looking at some of the ways in which we at Clocktimizer keep our data safe. From two-factor authentication to VPNs, here are a few of the basic things you can do to avoid being a victim of the next ransomware attack.
Two factor authentication and complex passwords
Two-factor authentication is a fairly simple concept: it requires you to provide two pieces of information before you can access a protected vault. Often this takes the form of a password, followed by a code sent to your mobile phone. In doing so you dramatically reduce the risk of someone else being able to access your private data. It’s why we at Clocktimizer always offer two-factor authentication for our clients. However, according to Law Practice Today:
“76% of firms do not require two factor authentication” Law Practice Today
That leaves an unacceptably low level of adoption for an industry handling such confidential information. Google Authenticator is one of the industry leaders in two-factor authentication. Alternatively, it is possible to have an in-house version for all client information. Either way, this can be what comes between the world and all of your clients’ private documents.
And let us look to the passwords themselves. We hope it goes without saying not to use passwords like ‘12345’ or ‘mynewpassword’. However, really complex passwords are difficult to remember. The solution? Use a password manager. Great options include LastPass and KeePass, but do some research and pick your favourite. Simply set up your own master password, and then use the program to generate complex options for you, which the system then remembers and autocompletes on your behalf.
Encrypt your data
Encryption does sound like a fairly complicated step, but we assure you it’s not. Those of you familiar with WhatsApp or FaceTime will be aware that these services already offer end-to-end encryption. Should the worst happen and someone is able to intercept your data, the most they can walk away with is a jumble of letters and numbers. At Clocktimizer we encrypt all of our data in transit and at rest to ensure complete data safety.
This level of security should be present throughout all exchanges of information inside (and outside) of your firm. Any information that leaves firm premises should be encrypted. If your clients do not use such high-level security measures then insist on them. After all, it’s no use ensuring the safety of your clients’ data if they don’t also follow suit. For a great introduction to encryption, check out this guide from Upwork.
Use a VPN for total connection security
We’ve all done it: sat in a coffee shop or at the airport and connected to the open Wi-Fi. The problem is, this presents a myriad of security issues for your data. Not only is it incredibly simple for hackers to impersonate open Wi-Fi connections, but the nature of the open portal makes your data incredibly vulnerable. The solution? Use a VPN, or Virtual Private Network. As Lifehacker describes it, a VPN is:
“a group of computers (or discrete networks) networked together over a public network—namely, the internet.” Lifehacker
Simply put, a VPN encrypts everything going from, or coming to, your computer. This includes everything from confidential client information to your username and password. Never forget that every time you use your phone to access your company email, your password and username are being verified through whatever internet connection you are using. They are easily intercepted.
Many firms will already offer VPNs. Ensure, however, that you have a VPN portal installed on any device you use for end-to-end security. If you are still in search of some good VPN options, this guide from The Lawyerist can offer some advice.
Don’t make your inbox a phishing ground
Key to many recent ransomware attacks, ‘phishing’ is the most common infiltration method for viruses. How does it work? Phishing usually involves sending fraudulent emails, pretending to be reputable companies, in order to illegally obtain sensitive information, most commonly passwords or usernames. The emails often direct parties to external websites, ostensibly to fill in information or as a means of infecting the host with malware. Phishing scams are often highly sophisticated. Scammers will put a lot of effort into impersonating clients or business partners. The websites they set up are often very convincing.
So how to avoid being lured in? First, ensure you have a good mail management system. Both Outlook and Gmail are excellent at weeding out phishing emails. Second, don’t open attachments from unrecognised email addresses. Don’t open attachments with unfamiliar-looking extensions (such as pif, exe or something else), not even from a recognised email address. The same goes for links. If anything seems funky, call your help desk.
Ensure you have the most up-to-date versions of antivirus software. Restarts are often required to complete updates, so don’t put them off. If you receive an email and you recognise the company but not the person, call first to confirm their identity. Don’t forget that this style of phishing, impersonating recognised businesses, was successful during the US election. Russian hackers impersonated employees from recognised PR companies to phish members of the Democratic Party.
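The attachment rule above can also be enforced at the mail gateway instead of relying on each reader's judgement. The following is an added example, not part of the original article or any Clocktimizer product: the `EXPECTED` allowlist, the extra entries in `EXECUTABLE` beyond pif and exe, and the sample message are all constructed assumptions.

```python
from email import message_from_string

# Assumed policy: the file types this firm expects to receive by email.
EXPECTED = {"pdf", "docx", "xlsx", "pptx", "txt", "png", "jpg"}
# The article names pif and exe; the others are an assumed list of Windows-executable types.
EXECUTABLE = {"pif", "exe", "scr", "bat", "cmd", "js", "vbs"}

def screen_attachments(raw_message):
    """Return (normalised filename, reason) per attachment to hold back; From is never consulted."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "scan.PIF." still runs as .pif.
        clean = name.strip().rstrip(". ").lower()
        pieces = clean.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE:
            disguised = len(pieces) > 2 and pieces[-2] in EXPECTED
            findings.append((clean, "disguised executable" if disguised else "executable"))
        elif ext not in EXPECTED:
            findings.append((clean, "unfamiliar extension"))
    return findings

# Constructed sample: a message that appears to come from a recognised client.
SAMPLE = """\
From: Known Client <partner@client.example>
Subject: Signed engagement letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="letter.pdf"

(body omitted)
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

(body omitted)
--b1
Content-Disposition: attachment; filename="scan.PIF."

(body omitted)
--b1--
"""

if __name__ == "__main__":
    print(screen_attachments(SAMPLE))
```

Only `letter.pdf` passes; the two executables are held back even though the sender looks familiar, because a recognised address can be spoofed or compromised.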
Listen to your IT security team
Now, I know this goes without saying. However, we have all been guilty of finding a proposed security solution too time consuming. Of thinking the solution offered by the IT security team is too complicated. Of not bothering with two-factor authentication because it takes just a little too long to sort out. However, these measures are put in place to protect you and your clients. Data security is a complex beast. Hackers are coming up with ever more complex ways of accessing confidential information. A failure to implement new procedures means it could be your desk that causes the next firm-wide breach. Not to mention, inadequately protecting your clients’ data is a failure of your duty of care. So next time IT stops by your desk and adds a security feature, be thankful and use it.
For a more in-depth look at cyber security risks for lawyers, including data theft and data breach, we recommend looking at this report from Law Practice Today.