Cybersecurity for the Remote Law Firm


You don’t want to be the lawyer who loses a laptop or phone full of sensitive information.

Picture what would happen in that scenario: Would you lose any confidential client information?  What would the conversations with your clients, partners, or boss be like?

Sure, most of us are stuck at home now during this pandemic. But eventually, as we slowly return to our offices, one of the anticipated side effects of this time of social distancing is a widespread increase in remote work. Some law firms might, say, give employees the option of working remotely certain days of the week, since it worked well during this time. However, the more you move around and the more you work remotely, the more you need to be aware of new security risks (i.e., ones that don’t exist if you’re simply planted in your office or in your home).

The good news is that the rules are simple:

Make sure all devices are protected with a password or passcode.

At a minimum, your phone needs a passcode to access it. Additionally, I recommend setting the screen to lock after a minute or two of inactivity.

Likewise, any laptop must be protected with a password and should similarly have a session timeout.

I’m not a fan of those Android “drag a pattern with your finger” passcodes.  If a malicious actor were to hold your screen up to the light at a certain angle, the path traced over and over again by your finger can be visible.

Use good passwords.

The two most common passwords in America, year in and year out, are “123456” and “password.”  Every year they jockey for first and second place.  Between those two and a user’s birth or anniversary date, you have a solid shot of guessing someone’s password.

We all get nagged about passwords and are familiar with the basic rules: use upper and lowercase characters, numbers, and punctuation.

In my opinion, you can make a password even stronger: You can have a “base” password that you extend uniquely for each site you visit.  For example, perhaps your passwords always start with M@ry4, but for your bank it’s M@ry4Bank! and for your email it’s M@ry4Email!.

And don’t worry about complicated passwords—a password manager like LastPass or 1Password will help you keep track of things.

Keep your operating system updated.

The reason Windows, iOS, macOS, and Android are constantly nagging you to update your systems is that their makers have found a vulnerability that bad guys could use to find a way in.  As sci-fi as it sounds, these vulnerabilities are often bought and sold on the Dark Web.

For these reasons, it’s absolutely imperative that you update your operating systems as soon as you can.  Many of the major ransomware attacks that have been affecting municipalities and other large bureaucracies in recent years are a direct result of those organizations failing to update their systems in time.

Use encryption: HTTPS or VPN.

If you’re using software over the web, make sure you’re using a secure connection with HTTPS.

If you’re using remote desktop software, such as a copy of Time Matters on a hosted server somewhere (if this is the case you really need to get in touch with Rocket Matter today!), you should only access that software over a VPN connection.

With both HTTPS and VPN, your information is sent back and forth over an encrypted channel, so if someone were to snoop on your network (via a technique called “packet sniffing”), they wouldn’t be able to read your data.

Your personal hotspot is your friend.

At our recent Rocket Aid conference, John Simek, a security expert from Sensei Enterprises, strongly advised against using the public WiFi at a coffee shop or a hotel (that is, when we can actually go to coffee shops and hotels again!).

Instead, he suggests connecting to your phone’s own personal hotspot, which essentially turns your phone into a router for your laptop.

It’s a great idea. Cellular hotspot data transmission is much more secure than public WiFi. You just don’t want other people connecting to your phone, so make sure you password-protect the hotspot (see comments about good passwords above).

If you are really paranoid like I am, name your phone something like “hacker” so no one nearby thinks it’s a good idea to try to connect to your phone.

NOTE: If you are going to use public WiFi, you must take other precautions: namely, an up-to-date operating system and the use of HTTPS or VPN for sensitive information.

Consider a privacy screen.

The reality is most digital theft occurs in decidedly unglamorous and mundane ways.  It’s not what you see in the movies and is more often than not physical in nature.

When working on sensitive information in public (in the future), I would be just as aware, if not more so, of people looking at your screen (or eavesdropping on your conversations) as of people scanning the WiFi network. Fortunately, you can inexpensively keep neighbors from snooping on you.  Devices known as privacy filters prevent your screen from being viewed by anyone other than the person directly in front of it. They cost less than $20.

This privacy filter for my computer, a 15” MacBook Pro, clocks in at $19.99.

Know how to avoid phishing scams.

“Phishing” is when a perpetrator sends you an email that appears to come legitimately from an institution you trust, such as your bank or insurance company. You click a link in the email, go to an imposter site that looks identical to the institution’s site, and hand over your username, password, and other authentication information to a bad actor. Those people now have all your login information to that site. Another danger of phishing attacks: The link can take you to a site that infects your computer with malware.

So how do you prevent this? First, make it a rule to never click on links in emails unless you’re expecting the email. For instance, if your friend texts you and says, “I’m emailing you the funniest cat video!” then, by all means, open the email.

If you are not expecting the email, however, then type the internet address directly into the address bar of the browser instead of clicking on it. So, if you receive an email from, say, Chase bank, don’t click on the link. Do this instead: Type chase.com into your address bar yourself and log in from there. It’ll only take a few seconds, but it can protect you from hackers looking to steal all of your financial information (or worse).

Conclusion

Cybersecurity isn’t that complicated.  Taking just a few steps will ensure that you and your clients can sleep well at night.