When it comes to protecting your online data, assuming the worst may not be going far enough. Just ask anyone whose computer was caught up in the ransomware attack that struck about 150 countries earlier this month.
“A data breach could potentially ruin an entire firm. It could be the end of your practice,” said Brent Hoeft, one of the first attorneys in Wisconsin to practice almost exclusively online and a frequent speaker at the State Bar of Wisconsin and other seminars about online security.
New State Bar requirements have also changed attorneys’ ethical obligations regarding digital security.
“As of January it’s become more explicit,” Hoeft said. “It’s not just what’s risky about it but also the benefits — and that’s part of our responsibility. Now there’s a duty to understand that you, at least, have to get someone who knows what they’re doing to guide you through that to protect yourself in the event of a data breach.”
With so much at stake, the mere act of thinking about how to minimize your exposure can be paralyzing. That’s why Hoeft suggests doing a security-risk assessment — a step also endorsed by the American Bar Association.
“A data risk assessment generally starts by identifying an organization’s cyber security weaknesses,” according to the ABA’s executive report, “Best Practices in the Cyber World.”
Finding weak spots is one way to start. But, Hoeft said, smaller firms and solo practitioners, especially time-strapped solos, can probably learn just as much simply by looking at what they already do.
“Phones, laptops, if you guard that stuff already, you’re taking a big step forward,” Hoeft said. “Once you have your phone encrypted, which is literally a couple of steps for iPhones and Androids — you have a password and your phone is encrypted, that’s going to take a lot of effort to get into your phone. And then you take another step and do a remote wipe; if you lose your phone or it’s stolen, you can log in and wipe the data.”
For those looking for something closer to having a checklist of steps to take for cyber security, Hoeft said, the Internet is a good place to start.
“There’s a lot of free information out there,” Hoeft said. “The American Bar Association has a really good section on best practices for e-lawyering and protecting digital information.”
The National Institute of Standards and Technology offers security policies, also known as NIST protocols, for businesses of every size. These include sample risk-assessment reports and templates for cyber-security plans.
“And, of course, good old Google,” Hoeft said. “There are podcasts out there where attorneys give their top-10 lists. But it’s a time thing. If I have some time, do I put more time into developing my practice or learning about security? If you can’t take the time, then you, at least, have to spend the money. That may be the first step for a lot of people.”
It’s why some lawyers hire cyber security consultants to analyze their online vulnerability. But a step like this can sometimes introduce more difficulties than it eliminates.
“You have to be careful who you bring in, just as you would with any third-party vendor, like a cleaning vendor,” Hoeft said.
Non-disclosure agreements can protect confidentiality. But, to be truly useful, vendors also have to understand how lawyers practice.
“Use companies that are geared toward law firms,” Hoeft said. “I use MyCase and all they do is make software for lawyers. So whatever question you’re going to ask them, they have heard before. They understand the confidentiality issue. They understand access and keeping stuff safe is crucial to your livelihood.”
For those who would rather do a security assessment themselves, Hoeft suggested starting by looking at what they do with the devices they use most, like smartphones.
“Put a password on it; stop swiping to unlock,” Hoeft said. “I see this all the time at State Bar conferences. Attorneys who have smartphones — and most do — but don’t have a lock. All I see them do is swipe to open, but that little bit of inconvenience is access versus security in a nutshell. How long would it take to enter a four-to-six-digit code and add that layer of security? It’s lazy behavior. But how long would it really take?”
Of course, not all passwords are created equal. What was the top password of 2016? The easily cracked 123456. Strong passwords, in contrast, require a minimum of 12 characters and often must combine upper- and lower-case letters, numbers and symbols.
“And this changes every year,” Hoeft said. “Before it was six, then it was eight, because there’s computer software that can crack these passwords. So the longer the password and the more gobbledygook in there — no real words, like your dog’s name — the harder they are to crack.”
For those who don’t trust themselves to come up with strong passwords, there’s always two-step authentication. Available through free apps like Google Authenticator, this sort of authentication requires not only a user’s log-in and password but also a separate computer-generated six-digit code, which can be produced by the app or sent to a phone in a text message.
“It’s that extra layer,” Hoeft said. “It takes a little bit of access away; it’s not just putting in a password. But the amount of security it provides versus the access is worth it.”
Whatever means of setting up a password lawyers choose, Hoeft said, no two of their devices should be able to be accessed in the same way. Of course, it all sounds simple at first; then you try to remember all those passwords.
“Then the question is: How the heck can I do that?” said Hoeft, who is quick to tell attorneys what not to do.
“Don’t put it on a Post-It on your computer,” he said. “Don’t put it in your wallet. I’ve had attorneys tell me they carry it around in their briefcases. So what do you do?”
Consider a password manager.
“They have their own issues,” Hoeft admitted. “There’s a big conversation in the security industry. Most people rely on them on the grounds of it’s better to use a system, even with the little potential danger of those systems getting hacked. But those systems are encrypted — encrypted while at rest, encrypted while in transit. If it’s hacked, it may give IP addresses but it won’t give them usable information.”
For lawyers who are already using passwords, Hoeft suggested adding systems that will prevent a device from being accessed unless a user can show he has the right fingerprint or thumbprint. This technology is sometimes used in combination with a passcode or password.
“I recommend both,” Hoeft said. “There have been several cases across the country of police being able to force you to scan your fingerprint to open your phone without a warrant, but they can’t force you to divulge your password. And the courts that have upheld that have said a thumbprint is like identification, you proving you are who you say you are. But the password — that’s a piece of information in your head that cannot be compelled.”
Once attorneys have taken precautions meant to lock other people out of their devices, they should consider how they might still be unintentionally inviting thieves and hackers into their networks.
“Don’t use public WiFi,” Hoeft said.
A free VPN, or virtual private network, is a good way to go, he said. There’s also the option of a personal hotspot, which basically turns a smartphone into a secure WiFi access point.
“Most providers, it’s $20, $30 to use your phone to create your own hotspots or use a device to create a hotspot,” Hoeft said. “For the price, $20 or $30 a month, to make sure an average to below average thief can’t steal stuff — that’s cheap.”
Bottom line, Hoeft said, cyber security does not have to be complicated or expensive.
“Look at what you’re putting out there, the reasons why you’re putting it out there,” Hoeft said. “There are very easy first steps to take that aren’t that difficult to figure out, that cumbersome to implement and greatly increase security.
“Just don’t be your own worst enemy here. We can be our own greatest risk with how we handle our data. We all want access to clients’ information and our information on the go. But you have to understand that access and security are inversely related; the more access you have, the more security you need. You can have the best security. Remove your hard drive every night. Never go on the Internet. But, then, good luck practicing law.”
After hearing all that, Hoeft said, some people will still be convinced they have no time for cyber security or lack the knowledge needed to properly assess their systems.
Believing that, he said, would be a mistake.
“You buy the insurance,” he said. “You pay for advertising. You do all these other things to make sure your business is viable. This is just like that. It’s all related to the practice of law. Otherwise you run the risk of your livelihood, and that’s not a good thing.”