Sometimes, while cleaning out filing cabinets and drawers of attorney business-owners, I come across funky time-saving devices like a dictaphone… yes, a dictaphone and I am reminded of the newness of technology and the sheer volume of efficiency that has resulted from its advances. While some lament at the ease of foot pedals that rewind and play verbal notes for paralegals to type and that talk-to-text doesn’t ever get it right, they also realize that Siri doesn’t have a salary and the edge that technology provides is worth the hassle.
As we enter this brave new world of Amazon cart items showing up in our Facebook feed and unprompted morning reminders regarding the length of time it will take to get to work, it is easy to be intimidated and logical to fear that someone, not named us, has too much of a window into our daily life and business.
A quote that I often use when discussing technology is “If it’s free, you’re the product.” We are all aware that some sort of trade-off in privacy and security occurs for the convenience and efficiency we experience. We are trusting social media companies with our most intimate details because it provides closeness to friends or family that we would not have otherwise; we are assuming that companies care so much about their image and reviews that they will do what is right; and we are outsourcing entire aspects of our life and business to others, whether personally known to us or not. What I find and fear more though is that we don’t always know what that trade-off is. Moreover, for every advancement in our efficiency through technology there is an increased opportunity for someone, who may or may not even know us, to steal from us or harm us.
As a law-firm service provider, I am constantly seeking current information that will further our desires and duties to not only provide legal services in the most efficient way possible but also to keep our information and the information of our clients safe. Below I have put together a quick list of current technological threats and what you can do to protect against them:
The folks at Merriam-Webster must be busy as they continue to add definitions for computer-related words such as this one, defined as “a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly”. Most of us are aware of and know not to respond to an email or call from suspicious sources asking for additional account information or requesting money in order to avoid penalties but what if that email came from our boss or looked exactly like an email from our bank? As our awareness of these types of attacks increases, so does their sophistication. I find it best to regularly seek information on current types of attacks and then ask a certain set of questions before giving out any important information.
Are they asking for personal or confidential information? Does this request look and sound like other requests for verification from the same source?
Can I contact this person within the agency they are representing? On the phone, I ask for a call back number. Email is a little tougher. Looking at the reply-to address, is the domain name correct? Is it a donotreply@ address or that of an actual person?
How does it feel? Look back at prior correspondence with this agency? Is the current message consistent with those you have received in the past?
Is there a sense of urgency, threat or imminent fortune? Most agencies, even the IRS, don’t simply send pay or else type of correspondence. Real people sending real messages are doing so within a set of guidelines that have been set by the applicable company. If the message seems overly harsh or too good to be true, it probably is.
Stay vigilant and do your research. If you are suspicious of a message you receive, don’t open it, try to contact the sender directly and if all else fails, Google it.
Malware and Ransomware
Until recently, hacking and malware attacks have seemed like a problem for big businesses and financial agencies with important data, not something for the mom-and-pop shop down the street to be concerned about. Unfortunately, the culmination of data as a currency and algorithms that troll means even the little guy has to worry about getting hacked.
Consider this: You’re typing away at your latest proposal or reconciling last months financials when your screen goes blank except for a message that says your entire hard drive has been taken over and you have a number of hours to wire money to the attacker before they delete everything on your computer. This attacker has no interest in your information, except possibly selling it on the dark web for about $50, and they don’t care about who you are or what you do because “they” are an algorithm. The person who set this virtual criminal loose to infect your property does know that your information has value to you. This is what we call Ransomware.
The first thing that comes to mind in this case should be “when did I last back up?” if you have a current back up you are in a much better position to maneuver this attack successfully. Without a back up, you are at the mercy of your bandit algorithm and its creator to do the right thing whether you decide to pay them or not.
Make sure you’re covered on the antivirus front. This is something to discuss with your IT person. If you don’t have one in-house, you can bring someone in on a consulting basis to review your set up and keep you secure.
Educate yourself and your employees. Again, if you have an IT person or contract with one, you can ask if they will do educational meetings with your staff to keep you appraised of current risks. Subscribing to a newsletter or podcast on the subject is another way to stay informed.
Change default passwords on new devices and make sure that you are running your business behind appropriate firewalls.
Back up. Back up. Back up. Do this early and often and you will sleep better knowing that you have somewhere to turn if your computer or its hard drive suddenly disappears.
This is a tricky one. I think we are all guilty of using the same password across platforms and sometimes sharing passwords with trusted others. In a team setting, this is almost necessary since multiple people may need to access one account and, lets face it, you have to trust someone right? While there are external attackers that can infect you with key-stroke tracking and steal your passwords, the risk of password theft really is in these convenience trade-offs. Each of us has weighed the risks of password theft with the ability to remember one password instead of 100 and have established our comfort level in sharing them with others.
Utilize a password management program to remember all of your passwords or for shared accounts. These programs are usually an application that is installed in your browser to track and automatically fill passwords. There are programs designed for teams which will track and update passwords across devices to prevent sharing them through less secure email, messaging or spreadsheet.
Differentiate between what I will call high-risk and low-risk accounts. It may make sense to use the same password across all of your social media platforms so you can share it with your online marketing person because these accounts are relatively low-risk (i.e. they’re not housing sensitive information or access to your financial systems). Now, if you also use that password for your email or bank account, you could be opening yourself up to some risk here.
Be aware of who you share your password with and remember they are probably aware that most people use the same or similar passwords for multiple platforms. This is where the differentiation between low-risk and high-risk accounts becomes important.
We discussed the concept of trust above with regard to password sharing but that is not the only area where your trust in someone, especially a team member, can open you up to security issues. There are many ways that a team member can take advantage of their position or unknowingly open you up to information-related risks.
Again, the first line of defense is to educate yourself and your employees. The more aware and vigilant each of us is, the better protected we are.
Consider installing mobile-device-manager type software or at least enabling the function in each of your mobile devices that allows you to remotely wipe the information on that device. Be advised regarding the risk of allowing employees or team members to house sensitive data on their mobile devices and implement a policy ahead of time to avoid push-back on your decision to wipe their mobile device in the event it is lost or stolen.
Implement checks and balances, especially in your financial systems, to prevent mistakes and dissuade potential thieves or fraudsters. Something as simple as reviewing your bank statements every month with copies of checks can protect against internal theft.
Stay informed and plan ahead.
As computers become the prevailing method of doing business and information becomes it’s own type of currency this area of theft and deception will only grow. If you don’t have an IT person on staff or at least on call, consider getting one. Always back up and invest in a plan for the unfortunate but likely scenarios of sustaining a digital attack.