As long as attorney work requires access to the sensitive personal records of end clients, law firms will always be a top target for hackers.
SaaS software typically offers greater security and less maintenance than locally installed products. But, users share some basic responsibility for keeping client data secure. As an attorney, this is part of your ethical duty of confidentiality. If you plan to work with your clients’ data online, it’s important to take the time to learn some basic security precautions.
1. Use strong, unique passwords (and PINs) for eDiscovery and document management software.
If you have many online accounts, it can be tempting to use the same usernames and passwords for convenience. However, this exposes you to broad risk if just one of your accounts is compromised, and security experts often warn against it.
It is difficult to keep track of unique passwords without writing them down, which isn’t a very secure practice either. We recommend using a password manager such as LastPass or Dashlane to save and complete all your usernames and passwords for you.
Two-factor authentication, such as the kind employed by Nextpoint, adds a second layer of security. Each time a user logs on from a new device, they are emailed a temporary PIN for accessing the software. This keeps unauthorized users out of your account even if they manage to obtain your login credentials.
2. Set up a VPN anytime you work on public Wi-Fi.
A VPN, or virtual private network, protects your computer from the serious security vulnerabilities inherent in many public Wi-Fi networks (for example, at the airport or your favorite coffee shop). The technology works by routing your connection through a secure tunnel before exposing it to the internet at large.
Browsing and using web applications on public Wi-Fi without a VPN is an invitation to trouble. Don’t believe us? Read this chilling article by journalist Steven Petrow. Steven describes being approached by a fellow airline passenger who hacked his laptop and knew every detail about the story he was working on during a flight from Dallas to Raleigh. That’s not something you want to happen to your client data.
Some businesses provide their own VPNs, so ask your IT administrator if your firm has one for you to use. If not, there are a number of subscription-based options (including this list of VPN services recommended by PC Magazine) that should do the trick.
3. Consider disabling vulnerable platforms like Java and Flash in your browser.
Adobe’s Flash, the late Steve Jobs’ favorite punching bag, has long been targeted by hackers for its numerous security flaws. Some have even been able to use it to wrest control of a user’s computer.
According to CSO, Java is installed on 65 percent of computers. But 48 percent of users aren’t using the latest, patched version. This disconnect, coupled with the high number of exploitable security loopholes it presents, puts Java consistently at or near the top of the list of risk lists issued by security consultants and software companies. Both of these languages can be disabled in most common browsers. Look for these options in your “Settings” or “Preferences” menu before you work with privileged information online.
4. Be wary of common “social engineering” tricks hackers use to gather personal information for a later attack.
Lots of people still think of hackers as socially inept recluses. But some of today’s most dangerous hackers do setup work in person or over the phone. These “social engineering” schemes employ clever conversational tactics to establish trust and persuade victims to give up their personal information.
As seen in the video above (start at 1:25), a hacker may impersonate you or someone you know in order to collect data. A collected email address or password can later be pieced together to access more damaging information. Be suspicious of anyone who asks for your personal information in any context. Investigate any changes to your online accounts that you don’t remember making, no matter how innocuous they might seem.
5. Don’t click on suspicious email links or attachments.
It used to be pretty easy to spot email scams based on poorly spelled subject lines, nonsensical content and shady-looking landing pages. But modern hackers are becoming increasingly sophisticated.
Phishing emails often link to a “spoof” (i.e. imitation) of a transactional landing page from a brand you trust. For example, you receive an email purportedly from your bank telling you about a disputed charge, asking you to log into your account to resolve the matter. The login form looks just like one you use routinely, but entering your information or clicking a button sends the hackers your personal information or runs a script that lets them into your operating system. The best way to guard against phishing attacks is to avoid clicking a link in an email unless you’re confident you know the sender.
In “pharming” scams, hackers attack the address of the brand’s actual website, causing it to redirect visitors to the hacker’s illegitimate landing page. While these attacks are more complex and rare, they’re harder to detect and thus potentially many times more dangerous.
Before you click a link in an email, hover your mouse over it and read the URL carefully. If the website address doesn’t clearly match the destination you thought you were being taken to, ignore the email or report it as spam. You should also double check the URL in your browser after you’ve loaded the landing page, and make sure it uses a secure “https://” prefix instead of “http://”.
What Not to Worry About: Ransomware
One clear security advantage of keeping privileged data in the cloud is that it is protected from ransomware, an increasing threat to law firms who store evidence on local computers. These attacks trick victims into running a program that quietly encrypts every file on their computer. They later demand payment to unlock the data.
Ransomware needs an operating system to flourish, so evidence stored online is safe from this particularly vicious cybersecurity threat.
In the legal world, trust is hard to build and much harder to repair. By following these five rules and using an ultra-secure SaaS product like Nextpoint to manage your clients’ data, you’ll greatly reduce the risk of becoming the next firm to make TechCrunch for all the wrong reasons.