COVID-19 sent thousands of attorneys scrambling to make arrangements to work from home, but it seems clear that even after the pandemic subsides, many of those attorneys won’t ever be going back to the office, or at least not full-time. With work-from-home assuming a permanently larger position in the legal profession, cybersecurity experts say that attorneys now need to be more vigilant than ever in keeping their data safe and their clients’ confidentiality secure.
Unfortunately, some attorneys are “notoriously bad” at cybersecurity because it can be inconvenient, said Eric Sanchez, vice president of strategy and innovation at the Law Offices of James Scott Farrin, which has an office in Charlotte.
“Your mindset has to be the same as though you are in the office,” Sanchez said. “When you are on the internet, you are in a room where all the windows are completely open. Would you walk into that room naked? You don’t have any less of any obligation to maintain confidentiality just because you are sitting at home.”
Phishing attempts, breached passwords, listening devices, and failures to keep software updated and data backed up are some of the top cybersecurity threats that attorneys need to be cognizant of, whether they are back in the office or still working at home.
First and foremost, attorneys should use their work computer for work, and their personal computer for personal use. And all law firms, big or small, should use virtual private networks (VPNs) to “avoid being the low-hanging fruit for attackers,” said Saad Gul, a partner with Poyner Spruill who co-chairs the firm’s privacy and cybersecurity team.
Firms such as his and Womble Bond Dickinson, which has offices throughout the state, provide attorneys and many staff employees with laptop computers that are used solely for work. Those laptops come with a VPN installed, which lets attorneys connect to the firms’ systems over an encrypted connection, the first line of defense in connecting to the office.
“A VPN is a low investment with a high return,” Gul said. “I have never worked for a law firm that did not have one. It’s standard across the board, but I do know folks who don’t have one, and they are taking a terrible risk.”
Correct horse battery staple
Womble Bond Dickinson’s computers require strong passwords and multi-factor authentication to remotely access the firm’s system, said Brad Bragg, the firm’s chief information officer. But some people still insist on using flimsy passwords, or on reusing the same ones across accounts, and that’s a mistake.
The National Institute of Standards and Technology, which sets cybersecurity standards for federal agencies, estimates that tens of millions of people use recycled passwords, “giving hackers access to an endless collection of username and password combinations” and increasing their chances of gaining access to additional accounts and exposing more data.
To that end, Sanchez recommends using passphrases (“correcthorsebatterystaple” is an example of a passphrase that became well-known thanks to a popular online comic strip). Nexsen Pruet, which also has offices statewide, and James Scott Farrin both require their attorneys to have passphrases that are at least 16 characters long. Sanchez advises attorneys to pick phrases that are very specific to them or their interests.
“If you like to fish, you might say, ‘idontlikepurpletrout,’” Sanchez said.
And whenever attorneys are either on the phone or a Zoom meeting, it’s important to make sure that devices such as Alexa and Google Home are either out of earshot or unplugged. They are literally listening devices, and it’s crucial to keep work phone conversations away from their omnipresent microphones, Sanchez said.
But your emails
On TV, hackers are usually depicted as cybersecurity savants who fight their way past firewalls, but the reality is much more mundane. Most hacking is done via relatively unsophisticated phishing attacks that try to capitalize on a human target’s lack of vigilance. The best rule in cybersecurity is thus common sense, particularly when it comes to email phishing.
Most attorneys know better than to click on an email that purports to come from a foreign prince looking for help managing his millions of dollars. But with more attorneys working from home, they’re now more susceptible to benign-looking emails that ostensibly come from the firm’s own IT department.
When in doubt, don’t click the link. Think critically about the email and who it’s from (the return address might look familiar, but it could be one letter or number off), and don’t hesitate to pick up the phone.
“If your IT guy says they need your password, that warrants a phone call or a text message,” Sanchez said.
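One way to automate the “one letter or number off” check described above, as an added example that is not drawn from the article or from any firm quoted in it: a short Python triage script that parses the From: header of each message and compares the sender’s domain against the firm’s own domain. The firm domain `example-lawfirm.com`, the sample messages, and the function names are all constructed for this example.

```python
"""Flag From: addresses whose domain is a near-miss of the firm's own domain.

Added example; the firm domain and the sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-lawfirm.com"  # constructed; substitute your firm's real domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: header ('' if it cannot be parsed)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain: str, firm_domain: str = FIRM_DOMAIN, max_distance: int = 2) -> str:
    """'internal' for the firm's own domain (or a subdomain of it),
    'lookalike' for a near-miss, 'external' for anything else."""
    domain = domain.lower()
    if domain == firm_domain or domain.endswith("." + firm_domain):
        return "internal"
    # Near-miss spelling: a character swapped, dropped or added (exampIe, exarnple, .co).
    if levenshtein(domain, firm_domain) <= max_distance:
        return "lookalike"
    # Firm name reused inside some other domain, e.g. example-lawfirm.com.attacker.invalid.
    firm_label = firm_domain.split(".")[0]
    if firm_label in domain:
        return "lookalike"
    return "external"


# Constructed sample messages: one genuine internal notice, two spoofed "IT" requests,
# and one ordinary outside correspondent.
SAMPLE_MESSAGES = [
    "From: IT Helpdesk <helpdesk@example-lawfirm.com>\nSubject: Patch window\n\nBody\n",
    "From: IT Helpdesk <helpdesk@exampIe-lawfirm.com>\nSubject: Reset your password\n\nBody\n",
    "From: Admin <admin@example-lawfirm.com.attacker.invalid>\nSubject: Verify account\n\nBody\n",
    "From: Opposing Counsel <counsel@gmail.com>\nSubject: Deposition dates\n\nBody\n",
]


def triage(messages):
    """Return (domain, verdict) for each raw message, so lookalikes can be routed for a phone check."""
    return [(sender_domain(m), classify_sender(sender_domain(m))) for m in messages]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:9s} {domain}")
```

Anything the script marks as `lookalike` is exactly the case the text describes: an address that reads as the firm’s own at a glance but is not, and it deserves the phone call rather than the click. A small edit-distance threshold is deliberate; raising it makes the check noisy, while the sub-label test catches the common trick of appending the firm’s name to an unrelated domain.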
Gul stressed the importance of updating security software on a regular basis, but cautioned that computer systems should always be taken offline during such updates. Even though the downtime causes an unwanted loss of productivity, if the system is kept online hackers can analyze the update to identify the vulnerability in patches. Gul also recommended keeping data backed up on a flash drive and storing that drive in a safe place.
“If you follow certain steps and update your firewall and software regularly, that should take off 90 percent of your problems. It’s like diet and exercise, but life tends to get in the way,” Gul said. “In the regular course of business, an attack through an exploited vulnerability might be a nuisance. With the entire business running remotely, such an attack can be near-fatal.”
Follow Bill Cresenzo on Twitter @bcresenzosclw