Practical cybersecurity for law firms: How to batten down the hatches
John W. Simek
PATCHES AND UPDATES
Firms need to prioritize efforts to keep hardware and software as current as possible. Keeping up to date doesn’t always have to cost money—see Windows security updates. You don’t need to be first in line for the latest and greatest, but don’t be the last in line either. Once software becomes unsupported, it is unethical to use it because it is no longer receiving security updates and is vulnerable to attacks.
In January, Microsoft stated that Windows 7 is so outdated that patches can no longer keep it secure. Extended support ends Jan. 13, 2020, so the OS will not get any further enhancements and receive security updates only. What does this mean? It is time to plan an upgrade to Windows 10 if you haven’t migrated already. Windows 10 security is leaps and bounds better than what Windows 7 provides.
Firms need to apply patches as soon as they are available to reduce the vulnerability to attack or compromise. A perfect example: NotPetya ransomware—released by hackers in April—attacks a vulnerability of the Windows Server Message Block that is believed to have been first developed and exploited by the National Security Agency. Even though Microsoft released a patch to address this security vulnerability in March, a computer system that wasn’t updated could be vulnerable to this ransomware variant.
If you have a Windows domain environment, have your IT provider configure Windows Server Update Services to download and push out Windows security updates to all of your client computers and servers as they are released, a free solution to updating your operating systems.
ENCRYPTION
Once just technical jargon or something the German World War II Enigma machine used, encryption is now becoming the de facto recommendation from cybersecurity companies. Why? It’s no longer cumbersome and time-consuming but cheap and easy to set up and use—and maybe ethically required for attorneys. (See “21st-Century Standards,” July.)
Your laptop should be protected with whole-disk encryption—no exceptions. Ditto for any external USB flash drive or hard drive used to store firm information. Stolen and lost laptops are one of the leading causes of data breaches. Many of the newer machines have built-in whole-disk encryption. To state the obvious, make sure you enable the encryption, or your data won’t be protected.
For others, Windows BitLocker and Apple FileVault 2 are free encryption options included with Windows and Mac operating systems. There is no excuse for not using this free protection.
Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe at power on. Failure at that point leaves the computer hard drive fully encrypted.
The same applies to mobile devices: Encrypt, encrypt, encrypt. For modern phones, just enable a PIN or password lock code. We recommend six or more characters. Yes, if you use an iPhone, the recommendation is still the same, as these devices are not inherently more secure than others. You would not believe how many users (and attorneys) still believe that Apple products aren’t capable of contracting malware. Apple itself refutes that thought.
For the Samsung Galaxy S8, users can use a fingerprint, iris scan or facial recognition. (Don’t use the selfie—this form of “protection” was compromised within 24 hours!) And don’t forget anti-malware software on your mobile devices, such as Sophos, Lookout, Kaspersky or McAfee. Ransomware attacking mobile devices is on the rise.
Sometimes convenience causes issues. Providing remote or mobile users with access to your computer system can create more vulnerabilities than you might realize. To combat this, mandate that all work-related internet sessions be encrypted. Prohibit the use of public computers and unsecured, open public Wi-Fi networks.
Access to the office network must always occur through the use of a VPN, MiFi, smartphone hot spot or some other type of encrypted connection. For users who need to connect directly to their work computer, use an encrypted remote control solution such as Citrix, LogMeIn or GoToMyPC.
The setup of this kind of software couldn’t be any easier, and we’ve seen many attorneys accomplish this on their own.
The authors are, respectively, the president, vice president and CEO of Sensei Enterprises, a legal technology, cybersecurity and digital forensics firm based in Fairfax, Virginia. This article appeared in the October 2017 issue of the
