A great place to begin is with a free and easy security measure: encryption! Not only is it easy, but it is also one of the best steps you can take to keep things secure. Use it anywhere you might have sensitive or confidential data: computers, laptops, tablets, mobile phones, removable media such as USB drives, etc. That way if a device is lost or stolen while it is powered off or locked, whoever has it cannot read the contents without your password or recovery key. Windows 10 Pro and Enterprise include BitLocker (the Home edition does not), macOS has FileVault, and iPhones and current Android phones encrypt their storage once a passcode or PIN is set; you just have to turn it on! When you enable BitLocker or FileVault, save the recovery key it generates somewhere safe and separate from the device, because without it a forgotten password means the data is gone for good.
Taking this a step further would be to use encrypted email for sending confidential information. If you use a file-sharing service, be sure your data is encrypted both at rest (stored on the provider's systems) and in transit (when sending, receiving, uploading, downloading, etc.), and ask who holds the encryption keys: if the provider holds them, the provider, or anyone who breaks into the provider, can read your files, so a service that lets your office keep the keys offers more protection. Those two solutions are usually not free, but the cost is typically very low for the protection it affords. Different providers you may encounter include: Citrix ShareFile, ZixCorp, Box, SharePoint, G Suite, and many more.
If you want to read for extra credit, take a glance at the NC State Bar’s ethics opinion 2011 FEO 6, the ABA’s formal opinion 477R, and the Texas State Bar’s ethics opinion 648 (with a shout out to the NSA!). These provide some guidance in selecting providers, using encryption, and factors to consider in implementing security measures.
Next, consider your network. Exclusive clubs and venues have “lists” you must be on to get in; why should your office be any less special? But you do not need to go out and hire a bouncer! A simple first step is to enable MAC address filtering on your router or switch. In essence, it means that only your office’s official devices (identified by their hardware MAC addresses) are allowed on the local area network when they plug into the wall in your office; an unknown device will not be given an IP address and will not be able to reach your network. Two caveats are worth knowing. A filter enforced only by the DHCP server is easy to sidestep, because a device with a manually configured IP address never asks for one, so apply the filter on the switch or router port itself. And a MAC address is a setting the visitor can change to match one of your approved devices, so filtering deters someone casually plugging in a laptop, not a determined intruder; for that, disable unused wall jacks and switch ports, and if your equipment supports it, use 802.1X (port-based network access control), which requires a device to authenticate before the port carries any traffic. Either way, the goal is the same: to keep someone from plugging an unknown device into your network and either infecting it with a virus or malware or accessing confidential information.
Create similar exclusivity around your Wi-Fi as well. Consider two networks: an office network and a guest network. The office network should only be for your office’s official devices that require Wi-Fi access, it should use WPA2 (or newer) with a long passphrase that is not generally known, and the SSID (the name of the network) can even be hidden if you like. Be aware that hiding the SSID only keeps it off a casual passer-by’s list; freely available tools still find hidden networks, so treat that as tidiness rather than protection. The guest Wi-Fi can then have a password that is available to clients, visiting attorneys, guests, and employees’ personal devices. Most importantly, these networks should be separated (most business routers, and many home ones, offer a “guest network” or “client isolation” setting that does exactly this) so someone on the guest network cannot access your office’s files and devices.
Then consider the Principle of Least Privilege. What is this, you ask? Why, thanks for your interest! This is the concept that instead of giving access to everything and then restricting people from information they should not see, the access given should only be that which is needed to do the job. So, what do your employees need to do their jobs? Areas to consider include:
File access (physical and electronic). Consider what people are allowed to access – and keep in mind that a source of data breaches is employees accessing information out of curiosity, not a business need. Removing the temptation may be the best option!
Removable Media Drives (CD, DVD, USB, SD card, memory sticks, etc.). Who really needs access to those? Removable media is a very effective way to have your data walk out the door, or to have malware (including ransomware) and viruses walk in. Think of those devices like a toothbrush you found – if you do not know where it has been and what it has touched, do not put it in your mouth (or computer)!
Administrative rights on computers. It is hard to install malicious software if most users do not have the access rights to install programs on their machines. Controlling what is allowed will help you to better ensure the safety of your network and the information stored in your systems. One caveat: a standard-user account does not stop everything. Ransomware, for example, can encrypt every file the logged-in user is able to write to without ever needing administrator rights, so this control limits the damage rather than eliminating it, and it works best alongside the file-access limits above.
Great job! You have encrypted your computers and phones, you have set strong passwords/passphrases, you have restricted access, but then you walk around the office and see computers logged on with no employees in sight. All those protections are for naught if the electronic doors are left wide open. The solution: automatic screen lock settings! That way if someone forgets to log off, the computer will lock itself after a period of inactivity (maybe start with 10 minutes). Make sure the lock requires a password to resume, not merely a screen saver, and teach everyone the shortcut that locks the screen immediately (Windows key + L on Windows, or the Lock Screen command on a Mac) for when they step away from their desk.
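If you would like to check whether a Windows 10 computer actually has these settings in place (encryption from the first section, administrator rights, removable media, and the automatic screen lock), the following PowerShell audit script does so. It is an added example, not code from this article or from Lawyers Mutual, and it only reports; it changes nothing. The list of approved administrator accounts and the 10-minute lock timeout are assumptions you will need to adjust for your own office.

```powershell
# Added example: a read-only audit of the settings discussed in this article
# on a Windows 10 workstation. Not code from the article's author.
# Run it in an elevated PowerShell window; it changes nothing, it only reports.
#
# Assumptions (not stated in the article): $ApprovedAdmins lists the accounts
# that are supposed to hold local administrator rights in your office, and
# 10 minutes is the lock timeout you settled on.

$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'OFFICE\ITAdmin')  # assumption: edit for your office
$MaxLockSeconds = 600                                                    # the article's suggested 10 minutes

$findings = @()

# 1. Encryption: is the Windows system drive protected by BitLocker?
#    The BitLocker cmdlets exist only on Pro/Enterprise editions.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker is not protecting $env:SystemDrive (status: $($vol.ProtectionStatus))"
    }
} else {
    $findings += 'BitLocker cmdlets are not available (Windows 10 Home does not include BitLocker)'
}

# 2. Administrative rights: who is in the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$unexpected = @($admins | Where-Object { $_ -notin $ApprovedAdmins })
if ($unexpected.Count -gt 0) {
    $findings += "Unexpected local administrators: $($unexpected -join ', ')"
}

# 3. Removable media: the Group Policy setting
#    'All Removable Storage classes: Deny all access' is stored as Deny_All = 1
#    under this key. (This checks the machine-wide policy only; the same
#    setting can also be applied per user under HKCU.)
$rsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAll = (Get-ItemProperty -Path $rsKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
if ($denyAll -ne 1) {
    $findings += 'Removable storage is not blocked by policy (Deny_All is not set to 1)'
}

# 4. Automatic screen lock. Either mechanism is acceptable:
#    (a) the machine inactivity limit policy (InactivityTimeoutSecs), or
#    (b) a password-protected screen saver for the current user.
$sysPol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$inactivity = [int]$sysPol.InactivityTimeoutSecs
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$ssTimeout = [int]$desk.ScreenSaveTimeOut
$policyOk = ($inactivity -gt 0 -and $inactivity -le $MaxLockSeconds)
$saverOk  = ($desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1' -and
             $ssTimeout -gt 0 -and $ssTimeout -le $MaxLockSeconds)
if (-not ($policyOk -or $saverOk)) {
    $findings += "Screen does not lock within $MaxLockSeconds seconds (inactivity policy=$inactivity, screen saver active=$($desk.ScreenSaveActive) secure=$($desk.ScreenSaverIsSecure) timeout=$ssTimeout)"
}

if ($findings.Count -eq 0) {
    Write-Output 'All checks passed.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Each FINDING line maps back to one section of this article, so the script doubles as a checklist. Fixing a finding is a separate step: BitLocker is turned on through the Control Panel or Enable-BitLocker, and the removable-storage and inactivity settings are normally set through Group Policy (gpedit.msc) rather than by editing the registry by hand. On a Mac, the equivalent encryption check is the command fdesetup status in Terminal.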
I know. This is a lot to take in all at once. But you have the whole month of October to increase your cybersecurity awareness! Do not try to do everything at once – instead, take it one step at a time and you will quickly be on a path to greater security!
About the Author
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or email@example.com.