Mar 02, 2021
The Cyber Risk of Remote Work: A Primer for Attorneys on Working Securely at Home
By George Usi
In a world where hackers seem to be able to break into just about any computer connected to the internet, have you considered the security of the tech you use every day? An important question at any time, it’s even more critical in our current work-from-home era.
Great security requires excellent cyber hygiene and an overall cyber risk strategy. It also necessitates basic awareness of your vulnerable areas, and tactics to reduce the risk of being compromised. Start by asking yourself some basic questions about cybersecurity: Are you handling the security of your computer on your own, or is an IT provider helping? If you have help, are you aware of just how secure they are? What about outsourced marketing teams handling your website, or even more importantly, the makers and hosts of the applications, databases and tools you use to run your practice?
I’ll focus on computer security basics and user-friendly tools that you can try on your own. I’ll also offer suggested guidelines, tips, and insights for the overall improvement of your cyber hygiene. Effective cybersecurity offers not only protection, but opportunities to grow your practice in an emerging landscape of privacy and breach law.
The Cyber Hygiene List
I. Understand Sensitive Information.
In the legal profession, personal information is particularly important. This isn’t just Social Security and driver’s license numbers but even basics like names and addresses. You should have specific definitions of sensitive information, including at a minimum:
- Personal information of partners and employees;
- Personal information of clients;
- Personal information of anyone else;
- Case information;
- Business financial information;
- Business proprietary information.
II. Protecting Sensitive Information.
You’re legally responsible for protecting this sensitive information. Without the safeguards of the office, you have to make sure your home workstation is secure. Begin with:
- Implementing a formal cybersecurity policy for all workers.
- Understanding the security differences between Bring Your Own Device (BYOD) and company-owned computers.
- Trusting your instincts—let common sense reign! If you ever have to use a family member’s computer, for instance, don’t use it to access work tools or your work email.
III. Checklist for Staying Secure at Home Using ‘BYOD.’
- Keep digital workspaces clean by clearing junk from cache and log files (this is housekeeping that also removes stale copies of documents; it is not a substitute for the controls below). My firm suggests CleanMyMac and CleanMyPC.
- Install a comprehensive security suite that includes anti-malware, a Virtual Private Network (VPN) for connecting to public WiFi, and a password manager. We suggest Bitdefender Total Security.
- Lock your Windows or Mac workstation whenever you step away (Windows key + L on Windows, Control + Command + Q on a Mac).
- Shred unnecessary printed document copies before throwing them out.
- Make sure all devices and applications stay up to date by turning on automatic updates (especially for your internet router, whose firmware is easy to forget).
- Use strong passwords for logging into computers and when creating WiFi home networks. A password should be at least twelve characters long, mix letters and numbers, include at least one special character, and be somewhat memorable (the pattern M@rinCoun7yB@r shows the idea; do not use a published example). Never reuse a password across accounts; the password manager in the security suite above can generate and remember unique ones for you.
- Change the default administrator password on your home router and turn off remote management (administration from the internet side), so that only devices on your home network can change its settings.
IV. Checklist for Staying Secure in a Public Place.
As commerce opens back up and spring weather begins to set in, the temptation to slip away to the Starbucks patio for a few hours can be strong. If you do find yourself in the position of working in a public space, make sure to:
- Position yourself to prevent others from viewing your work screen.
- Never leave your computer or any other work unattended.
- If you’re on a call, step outside to avoid being overheard.
- Use your own cellular network instead of public or free WiFi.
- If you must use WiFi, never do so without a VPN.
V. Checklist for Handling Devices and Accounts.
Hackers have adapted to the remote-worker surge and are counting on you to go home, connect to your WiFi, and make a mistake, or to reach your computer by way of one of the many poorly secured connected devices on the same home network. For device handling, especially laptops that travel with you, make sure to:
- Use passcodes on the other devices that hold work data, such as phones, tablets, and internet-connected printers, in case they end up in the wrong hands.
- Never share your computer with anyone, as it could come back to you with a virus. Even evidence that someone else used it can get you into trouble (and that evidence can show up unexpectedly: note the attorney who recently struggled to turn off a cat filter during a virtual hearing with a judge).
- Make sure your devices lock automatically after a short idle period, and turn on full-disk encryption (BitLocker or device encryption on Windows, FileVault on a Mac), so that a lost or stolen device does not give up its data.
- Use encryption for sensitive data files. We suggest AxCrypt (axcrypt.net) for Windows and iPhones or Concealer for Macs.
- Use multifactor authentication that requires entering a code after logging in with a username and password. We suggest Microsoft Authenticator for Office 365, although Google Authenticator seems to be the popular choice for most non-Microsoft solutions. An authenticator app (or a hardware security key) is preferable to codes sent by text message, which can be intercepted when a phone number is hijacked.
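It is worth seeing once what the authenticator app actually does, because it explains why the codes keep working with no network connection and why a phone with a badly wrong clock produces codes that get rejected. The block below is an added example, not code from this article or from Microsoft or Google: it implements the time-based one-time password algorithm (RFC 6238) that both authenticator apps use. The app and the service share a base32 secret from the enrollment QR code, and each side computes an HMAC-SHA1 over the current 30-second time slice. The secret used here is the RFC’s published test value, not a real credential, and the one-slice tolerance in `verify` is an assumed server-side setting, not any particular vendor’s policy.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way an
# enrollment QR code carries it. A published test vector, not a real credential.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks a 4-byte window
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second time slice."""
    raw = secret_b32.strip().upper()
    secret = base64.b32decode(raw + "=" * (-len(raw) % 8))   # tolerate unpadded secrets
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


def verify(secret_b32: str, code: str, at=None, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current slice plus `window` slices on either side
    to tolerate clock drift (an assumed tolerance, not a specific vendor's setting).
    Uses a constant-time compare so timing does not leak which digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    now = int(time.time()) if at is None else int(at)
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: at Unix time 59 the SHA-1 code is 94287082 (8 digits), 287082 (6).
    print(totp(TEST_SECRET_B32, at=59))
    print(totp(TEST_SECRET_B32, at=59, digits=8))
    print(totp(TEST_SECRET_B32))   # the code a phone enrolled with this secret shows right now
```

Because the only inputs are the shared secret and the clock, a code is worthless after its 30-second slice (plus whatever tolerance the service allows), which is exactly why a phished code is far less useful to an attacker than a phished password.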
VI. Ensure Third Parties Are Secure.
I have completed many cyber risk assessments and security tests in the last twenty-five years. Most of the risks we discover for businesses are poor information handling processes or third-party security issues caused by rushed projects. “Open doors” from technologies installed and configured by vendors who lack a security program of their own are also common. Here are some things you can do about these issues:
- Require third parties to have their own information security policies and program.
- Conduct a cybersecurity risk assessment on your supply chain (not just third parties you have direct contact with but anyone handling your data), or look for security attestations on the websites of cloud and software providers, such as a SOC 2 report or ISO 27001 certification.
- Require vendors to sign contracts obligating them to submit to audits and to demonstrate that they follow the current U.S. guidance on cybersecurity and privacy from the National Institute of Standards and Technology (NIST), such as the NIST Cybersecurity Framework and Privacy Framework.
- Conduct a regulatory assessment with an experienced privacy law firm (the International Association of Privacy Professionals, www.iapp.org, is a good place to find one).
Guidelines and Resources
Protecting your sensitive data is as much about how you operate as it is about specific tools. If some of the foregoing suggestions “sound all Geek to you,” help is available! The following guidelines include links to companies or resources that can help.
I. Use Vendors, Especially IT Service Providers, that Follow U.S. Guidelines.
For those of you who have, or need, IT support, work with a provider that follows the latest official guidelines in cybersecurity, privacy, and risk published by NIST and enforces the security controls recommended by the Center for Internet Security (CIS). Your provider should have a proven track record serving the legal industry and at least five other core industries to show breadth. For full IT services in the North Bay, contact David Park of Xterra or visit Xterra’s website.
II. Work with a Marketing Firm that Understands Both Law Firms and Security.
A marketing firm’s priority is helping you grow your practice, but you should still make sure that any partner you choose understands cybersecurity and how it intersects with your specific business. If you can, find a marketing or software development company that’s focused on the legal industry. My recommendation is Allen Rodriguez of Los Angeles-based ONE400, who can be reached by email.
III. Check for Stolen Usernames and Passwords.
In one recent survey, at least 35% of companies that were hacked traced the breach to the actions of a remote worker, and 25% of all hacks were the result of password problems. Checking whether any of your email addresses have appeared in a known data breach should be an absolute priority. Begin with a visit to www.haveibeenpwned.com, which tells you which breaches exposed an address, and which also offers a Pwned Passwords check that tells you whether a password you use has already turned up in a breach dump.
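The password rule from the checklist (at least twelve characters mixing letters, digits and a symbol) and the breach check above can both be automated, and the breach check is worth understanding because of how it protects the password you are checking. The block below is an added example, not code from this article or from Have I Been Pwned: it applies the checklist’s policy, generates a compliant password from the operating system’s cryptographic random number generator, and prepares a query for the Pwned Passwords range API, which takes only the first five hex characters of the password’s SHA-1 hash (so the service never sees the password or its full hash) and answers with every matching hash suffix and how often it has been seen. No HTTP call is made here; `SAMPLE_RANGE_RESPONSE` is a constructed stand-in for the service’s reply with made-up counts, and only the hash of the word `password` in it is genuine.

```python
import hashlib
import secrets
import string

SPECIALS = string.punctuation


def meets_policy(password: str) -> bool:
    """The checklist's rule: at least 12 characters, letters and digits, at least one symbol."""
    return (
        len(password) >= 12
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (the secrets module), redrawn until it meets
    the policy. In practice a password manager does this; the point is that nobody
    invents the password by hand."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def range_query(password: str) -> tuple:
    """Split the SHA-1 hex digest into the 5-character prefix that is sent to
    https://api.pwnedpasswords.com/range/<prefix> and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse a Pwned Passwords range reply ('SUFFIX:COUNT' per line) for our suffix."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the reply to GET .../range/5BAA6 (counts and the other
# suffixes are made up); the suffix for "password" is the real SHA-1 remainder.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def check(password: str, range_response: str) -> dict:
    """Everything a client needs to decide: what it would send, and what came back."""
    prefix, suffix = range_query(password)
    return {
        "prefix_sent": prefix,
        "meets_policy": meets_policy(password),
        "breached_count": breach_count(suffix, range_response),
    }


if __name__ == "__main__":
    print(check("password", SAMPLE_RANGE_RESPONSE))
    print(check(generate_password(), SAMPLE_RANGE_RESPONSE))
```

A real client would fetch the range for `prefix_sent` over HTTPS and feed the body to `breach_count`; any non-zero count means the password should be retired regardless of how well it scores on the policy, since attackers try leaked passwords first.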
IV. Get Trained.
Even with all of the tools in the world protecting you, the weak point hackers most often exploit is you. Tactics like phishing emails that install ransomware when an attachment or link is opened are still wildly successful, and it’s due to a basic lack of online security awareness. Take a training course to educate yourself and your team. The free remote work course from KnowBe4 is a good place to start.
V. Network with a Privacy Law Attorney.
In the eyes of the law (specifically, the California Consumer Privacy Act), a data compromise is now a matter of when and not if. This new approach to cyber risk is likely to drive more demand for attorney consultations on the topic. Many of you have likely been asked by at least one of your clients how they should deal with regulations or hacks. To build expertise here, build relationships with boutique law firms experienced in privacy and regulatory matters. Rebecca L. Rakoski of XPAN Law Partners can help and can be reached by email.
Where is the “Get this Done” Button?
You’re busy. You’d rather spend your time focusing on your clients than doing everything in this article. Companies like mine offer cyber compliance services that do much of the work for you. Whether you need advice on a specific topic or are looking for those services, I’d be happy to help.
George Usi is a Bay Area native and internet pioneer who has worked directly with some of the scientists who designed and built the internet. He speaks regularly at conferences around the world about cyber risk and compliance, privacy, and security standards. He started his career with NTT and went on to found or own a number of leading IT and security service companies. He is passionate about helping “the other 98% of businesses” reduce their risk and prepare for when hackers succeed. His company, Omnistruct, provides risk assessments, penetration tests, cyber integrity monitoring, and compliance as a service management packages. Visit Omnistruct’s website or use this link to book a free thirty-minute consultation with George. You can also reach him directly at 916-469-4102 or by email.