How secure is your personal information? What steps do you take to protect your privacy? Do you know what sort of threats could affect you and what tools or strategies are most helpful to defeat them?
It’s easy to find a lot of alarming information about privacy and data security online. Building security into your personal habits and being conscious of your risks is key to maintaining your ethical responsibilities to protect client data as well as your personal financial security and privacy.
For example, the journalist below hired “white hat” hackers to see how much information they could gather about him: they gained access to his computer, his files, and much much more:
Don’t want to watch a video? You can read his story online here.
At the ABA Tech Show last year, I heard more than one session talk about the way law firms were sometimes viewed as easier targets for data breaches for corporate espionage or competitive intelligence for clients’ intellectual property or political and personal information with dissidents. There’s also a very strong financial risk if ransomware that gets into an internal network, sometimes even infecting backup files and encrypting all data so it will be lost without payment to the hackers.
Debbie Ginsberg recapped much of that discussion in this blog post last year.
Social Engineering
However secure your own accounts, privacy settings, and passwords may be, most of us may still be vulnerable through the companies that manage our services or the friends and family that we share our content with who may not use the same care.
From celebrity photo leaks to spammers to identity theft, a lot of information can be quickly grabbed by people who look for a vulnerable point of entry.
Security Strategies:
- Consider before sharing directly with anyone who shouldn’t be able to control access to your files. Are there services you can use that let you control how others can see or download files?
- Work with your service providers to set up 2-factor authentication (password plus text notification code) or an additional PIN to reset passwords or access sensitive data.
- Check if access to one account would let someone easily reset passwords on other accounts (can you reset your amazon or iTunes account from your email alone?) – lock down your master accounts as securely as possible.
- Keep personal and professional content completely separate. This will help you protect financial data, client information, and personal documents like health care files.
Example:
Spear Phishing
Emails that masquerade as legitimate messages but include dangerous links or malicious attachments that can infect a network are very dangerous to businesses as well as individuals.
This type of account can often lead to a malware attack that encrypts personal files until a ransom is paid, a technique that may have no technical solution but to pay (and may require special payment plans too).
How does this specifically apply to lawyers and law firms? That’s explained here in a quick recap from the ABA TechShow 2016 featuring Reid Trautz shows:
Security Strategies:
- Know which personal accounts have each email address. If you receive a message from a service that shouldn’t have your professional email, for instance, that should raise a red flag.
- Know what security settings are installed on your email and how to report suspicious messages for review.
- Scan file attachments you download with security software before opening them if your email does not automatically include this option.
- Set up your browser to preview links that you hover over and remember to check that they’re going to an address you would expect.
Example:
This recent article looks like a valid news source but the url is slightly off – it’s a cleverly designed “parody” news account:
- http://abcnews.com.co/united-states-revokes-scientologys-tax-exempt-status/
Clone phishing
Sometimes completely valid emails or accounts are duplicated, then tweaked slightly to redirect users to the wrong location. This can occur with email blasts or even social networking accounts with lower privacy settings.
Other times people hack into an email or social media account and use a legitimate email to reach out to the person’s contacts with a plea for help.
Security Strategies:
- Pay attention to the link locations as mentioned above.
- Be carefuly about typos when you enter urls: sometimes they have been set up not to redirect you back to the accurate site but to steal your login information.
- Is someone you think you know sending a message that seems out of character? Verify with them through another medium that they sent the message before responding
- Report suspect accounts whenever possible to protect other users
Whale phishing
This is the “big fish” version of spear phishing. This approach relies on careful individual research and leverages personal data to seek access to more sensitive information.
Hackers may use personal connections or information about where the target lives, was educated, family members, etc. to craft a convincing message that gives them an opportunity to start a correspondence and gain access.
Security Strategies:
- For this type, fortunately most of us are protected through obscurity: we aren’t valuable enough targets to put this level of effort into hacking our content. But that doesn’t mean your clients might not be a bigger target, so learning more about file encryption can be key.
- Review your privacy settings on social sites carefully and make sure you remove or hide details like your birth year from any other accounts seeing them. Check to see what friends can discover and what is visible to anyone on the web.
- Think carefully about how you answer “security questions” on accounts. Have you ever answered a silly survey online that asks those same questions? Has a family member published your family tree online? Using faked answers that you can easily remember is one way to avoid the danger of accurate details of your life being used against you.
