VBA Journal

SPR 2017

The VBA Journal is the official publication of The Virginia Bar Association.

Issue link: http://vba.epubxp.com/i/815343


knew because the drives contained a trackable link that emailed them when they were used. Even IT workers were among the 34 users.

Likewise, if you know that another employee is engaging in insecure behavior, you should inform a supervisor. "If you see something, say something" doesn't apply just to possible terrorism, but also to cybersecurity.

ENCRYPTION

Encryption provides a way to protect confidential data. It should be used on all devices as well as email. Encryption today is cheap, simple, and easy. More and more ethicists state that lawyers should use encryption "where appropriate," which is basically wherever data that ethically must be protected exists.

DATA SECURITY

Do you know what 2FA is? Two in five employees surveyed by the Computer Technology Industry Association said the phrase meant nothing to them. 2FA is two-factor authentication, a more secure way to protect data than using a password alone.

An additional avenue of protection comes from encrypted password managers to hold the various secret phrases that protect data. The cardinal rule of online security is not reusing passwords everywhere. If the same password unlocks your work network, email accounts, social media profiles, and shopping sites, then one breach that compromises your security, and that of the law firm, often leads to breaches in many places.

And speaking of passwords, the strongest ones should protect log-in, screen saver, and financial credentials. New Carnegie Mellon studies find that password length is more important than complexity. That's good news since it is easier to remember a lengthy passphrase than a complex password.

PHISHING

As we said before, phishing is the easiest way into law firms. Even good enterprise anti-malware software doesn't catch everything — and there are plenty of "zero day" (no known defense) exploits sold on the Dark Web every day. Lots of studies have shown that roughly 20 percent of phishing emails will be opened.

The worst threat comes from targeted phishing attacks, where the hackers specifically target your law firm. Law firms are at a disadvantage here — so much legal data is public. A hacker may know what cases you are involved with, who the attorneys are, which courts the cases are in, etc. And they can spoof the email address of an attorney or a court. How many folks can resist opening something that appears to come from a court?

Law firms are also at a disadvantage because they are "honey pots," meaning that they hold the data of so many clients. Hackers may do a little research on the firm's website or on an attorney's LinkedIn page and pick up personal information they can insert into a targeted phishing email.

Employees should pause, think, inspect, and report before clicking on any attachment or links in an email. There are obvious phishing clues to pass on to employees:

• You don't know the sender
• You do know the sender but if you look closely, the address is one letter off (this one happens a lot)
• Nothing in the note seems personal to you
• You weren't expecting the email
• Reference is made to a bank/product/service you don't use
• Words are misspelled
• The grammar is poor
• The email doesn't address you by name
• The message asks for personal information
• There is an attachment that seems suspicious in conjunction with other factors, or a link to a website (and no, hovering over the link doesn't necessarily ensure that if you click you will go to the address shown)

The list goes on. You should advise your employees
