Take active role toward enhancing security

Listen to this article

Last week, the Wisconsin Law Journal looked at some of the strategic planning that firms need to consider when addressing security issues. In part two of Technology Security, a security expert suggests some of the things individuals can do to improve client and firm security.

A technology security specialist maintains that when it comes to protecting computer files and client records, lawyers need to assume individual responsibility for security.

Ben Sherwood, of Sherwood Personal Security LLC, asked a group of lawyers at a Milwaukee Bar Association technology show who at their firm was responsible for their computer’s security. The immediate response from one lawyer was the firm’s information technology officer.

Wrong. Sherwood said each lawyer was responsible for taking steps to enhance technology security at the firm. Failing to recognize this opens the door to security breaches despite an IT person’s best efforts.

Sherwood offered a list of 10 security tips that both firms and individual lawyers should keep in mind when considering the issue of technology security.

1) Back up, back up, back up.

Backing up information involves more than simply saving files to a disk or a back up drive, Sherwood warned. It’s important to test back up practices to ensure that they work properly. Failing to do that means a firm will not know if back up procedures work until they need to restore information. At that point it might be too late.

“What we find is that people have great back up solutions, but they have terrible back up procedures and testing measures,” Sherwood said.

2) Secure your Internet connection.

Although having security software in place might seem like a basic step, Sherwood referred to an American Bar Association technology survey indicating that only 40 percent of lawyers have security software.

“That means 60 percent of you do not have a firewall on your computer,” Sherwood said.

Failing to have a firewall leaves the door open for someone to infect or mine information from a computer or network.

Those security measures should not be limited to the office, Sherwood explained. Given that most of the lawyers indicated they do some work at home, he noted, that firewalls and virus protection at the firm will not help when working on a computer at home.

“The information on your computer there (at home) is not secure unless you take steps to secure it,” he said.

3) Safeguard your critical data.

Password protection and encryption are important steps for enhancing the security of your clients’ files. Sherwood compared leaving electronic files unprotected with leaving valuables sitting on a desktop. He asked how many people leave money lying on their desks at work.

“You put it in a safe place,” Sherwood said. “You protect that. The same has to be done with your valuable information. Password-protect your valuable files.”

4) Manage your passwords.

However, passwords alone are not enough to provide a true sense of security. When your office is filled with Packers paraphernalia, it may not be too difficult for someone to figure out that your password is “Favre.”

“I bet I could guess — if I spend enough time with you — all of your passwords,” Sherwood said.

He noted that typical passwords come from a child’s birthday or even Brett Favre’s birthday. Instead, he urged using a password that is at least eight characters long, consisting of both letters and numbers.

On top of that, most people use the same password for all of their accounts. In that case, if someone borrows your password for something innocuous, Sher-wood warned, they have the key to the rest of your password-protected world. That makes it important to use different passwords for different purposes.

The problem becomes remembering multiple passwords. Sherwood suggested using a fingerprint reader to take the pressure off remembering passwords. Biometric authentication devices, such as fingerprint readers allow someone to scan a finger and confirm identification. Other biometric devices use iris or voice patterns to control access to information. Some fingerprint readers are available for under $200 and easily plug into computers.

5) Encrypt your e-mails.

Lawyers regularly e-mail confidential information to clients without encrypting those messages. Sherwood compared that with writing the message on a piece of paper and passing it from person to person. Since it contains a privacy policy stating that “Information contained in this message is intended only for…” no one else would read it. Right?

Wrong.

“Your contracts that you send to clients, any type of information that you send via e-mail … have as much security as the piece of paper that I passed to the back of the room,” Sherwood said.

Even though the Supreme Court has determined that there is an expectation of privacy with e-mail communications, Sherwood explained, that is not the case. He discussed the availability of encryption software and its ease of use. The lawyer simply provides a client with the software to remove the encryption. Then messages can be sent between the two with an added measure of security.

6) Kill viruses and pests.

Obviously, it is important to have anti-virus software to combat viruses and worms. Those programs need to be updated regularly to protect against the latest threats.

However, computer users also need to beware of Trojan Horses, keystroke loggers, spyware, mallware. Traditional Internet security software does not always look for those “pests,” yet they can pose a significant security risk.

A Trojan Horse is a malicious program that disguises itself as a beneficial or entertaining program but that actually damages a computer or installs code that can counteract security measures. Spy-ware is software that covertly monitors the use of a computer. Both can be used to capture every keystroke that a computer user makes and transmit that information to another source.

Sherwood explained that there are types of software, such as PestPatrol, specifically designed to look for pests, which cost about the same as software targeting viruses.

7) Keep up to date.

Security software needs to be updated regularly, Sherwood said.

“There are people out there right now who are figuring out ways to get around your current firewall,” he warned.

8) Watch out for wireless.

“At this time, I cannot tell anybody that they should go to a wireless network,” Sherwood told the group.

It is too easy for someone else to intercept information gathered or sent using a wireless network. In particular, wireless hotspots for Internet connection should
never be used for business purposes, he said.

	Related Article Firms must actively pursue security

“I tell people ‘Do not use those Internet sites at the airport.’ If I were a bad guy, I would collect that information,” Sherwood said. “Those networks are there for convenience and that’s all they should be used for – convenience, not business. There are too many security issues.”

9) Stay on guard.

Recognize that there are many online scams and hoaxes circulating, which requires Internet users to remain on their guard, Sherwood said. He related one virus hoax telling people to look for a particular file on their computer as proof that they had been infected. The file was actually a part of the computer’s operating system, which the hoax encouraged them to delete. Check with reliable sources before acting upon unsolicited messages.

It also is important to be aware of telephone scams where a con artist calls posing as an Internet security person. The caller might indicate that there is a problem with the recipient’s account and he needs the password to resolve the problem. That goes back to the issue of managing passwords and not providing them to unknown sources or people who do not legitimately need them.

10) Partner with a professional.

Finally, Sherwood said, working with someone who specializes in security can uncover potential problems and solutions to those problems that might not have occurred to the lawyer.

“Who here would ever advise a client to represent themselves in court? Who here fixes their own automobile? You leave that in the hands of skilled professionals,” he said.

Tony Anderson can be reached by email.