Mark Bassingthwaighte, Risk Manager : May 25, 2021 12:00:00 AM
As the world re-opens and you begin to stretch your legs, ALPS Risk Manager Mark B tells some true tales and offers some tips for safeguarding your client data and maintaining your firm’s cybersecurity from your phone, Airbnb, or the wide open road.
Transcript:
Mark Bassingthwaighte:
Hello, I’m Mark Bassingthwaighte, the risk manager with ALPS, and welcome to another episode of ALPS in Brief, the podcast that comes to you from the historic Florence building in beautiful downtown Missoula, Montana. It is a pleasure to have the opportunity to visit again via podcast. Before I get into the topic of this podcast, I’d like to share a story and some information about what’s going on in my life as a way to set up where we’re going to go.
Let’s start with a call that I took earlier this week, and it came from an attorney who really wanted to understand if what he was doing in terms of security with his system was sufficient, if there were other things that he could do. What prompted the call is he went through an experience somewhat similar to what happened to my wife and me a number of years ago, he was the victim of identity theft. Had a tax return filed, fraudulently filed, obviously, in his name, and some other things had occurred. One of the mistakes he made, however, was using a complex password. Now, that was not the mistake, that’s a great thing, but he used it on multiple accounts. And as a result of getting his personal information, they were also able to get into his work computer. Some email was being sent out from his computer under his name, trying to scam clients and some businesses he works with out of funds. And so, that was a bit of a mess.
The other situation that’s going on in terms of my own life is, and this is all good, but my wife and I are currently in transition. We are going through something I think a lot of people are going through in these crazy times, and it has to do with moving. Long story short again, the timing of moving out of one home, which has been sold, and into a new home, which is currently still under construction, did not line up as close as we might have liked, so we are currently in transition, living in a temporary apartment until things settle down and get finished. You know, it’s quite a change. Most of our belongings are sitting in storage. We kid around that at some point when we finally get settled, and the truck unloaded and start unpacking, it’ll be like Christmas. We’ll say, “Hey, I had no idea we had this stuff.” So it’s got to be fun.
But I began to realize, although I’ve been telecommuting for many, many years, and will continue to do so, this transition into a corporate apartment, and by that, I simply just mean it’s a small furnished apartment, sort of struck me as I’m going through an experience similar to what I think a lot of people did when they had to rapidly transition from the office to working from home in the early days of the pandemic. There were some things here, that as I started to set up and figure out what was going on, I realized, “Oof, wait, there are some security issues that really need to be addressed.” I thought it’s worth talking about some of this. The lawyer that called, it was about best practices. You know, “What am I doing wrong? What am I doing right? Is there anything else I could be doing?”
And we had a good discussion, and it turns out there were a few things he could do to further secure what he was doing. And again, I sit and think, “Okay, boy, I didn’t realize, just wasn’t thinking about how much I take for granted given my old situation and then transitioning.” So let’s talk about what we can do as individuals to make our systems as secure as we can to help protect the confidences, the property, the identities of our clients, and of course our own personal information. This discussion is not about everything that we can do to secure an office network. It’s more focusing on the day-to-day basics, the day-to-day things we should all be thinking about that can help IT at our firm keep us secure as a firm, and keep our information and the information of our clients private and confidential.
Let’s look at this, and I want to start with just the basics, and then we’ll kind of explore some other things. But the basics, it is extremely important that we keep the operating system and the applications that we’re running on all these devices current in terms of security patches. Now, when I talk about devices, I’m talking about the laptops or PCs that we have at home, but even the mobile devices we travel with for vacation or for work trips. You know, smart phones, tablets, all of these things we need to keep current. Sometimes we may even need to go out and look for patches. I have to do that occasionally on applications on our cell phones. But these patches are being issued for a reason, and they are often bringing additional security features or updates to close vulnerabilities that have been discovered in prior versions, so absolutely essential.
Now, one of the things that a lot of people do, and we all spend all kinds of money nowadays on these smartphones, and there’s some crazy awesome phones out there, but we treat them as phones. We’re not always thinking about the fact that this is a pretty robust computer. So we need to make sure that every mobile device and every device in our home that we are using for work has an internet security suite running, and it too should be kept current with all patches. One side note here, do not rely on free security programs or free VPNs. There’s lots of free stuff out there, even in the security space, and you get what you pay for, which is very little when it comes to security. Now I’m not suggesting that the security software, these free VPNs, don’t do what they say they’re going to do. A free VPN will certainly encrypt your data stream so that anybody that tries to intercept this data stream won’t see it.
But the company that gives you this free product, there’s an exchange, and the exchange is they get to monetize and monitor all you’re doing, and so you are what they are making money off of. That’s not acceptable. And for a lawyer who is practicing law in terms of using these devices in the further and the practice of the law, because that information, just no. So you need to spend the few bucks that it’s going to cost and be a bit more secure about it all.
Turn on full disk encryption. You know, in this day and age, when it’s one setting on a phone or a laptop, turn this stuff on. I consider it unethical, I truly consider it incompetent, not to take the time to turn this stuff on. Full disk encryption is typically once you turn your device off and somebody tries to turn it back on, if it’s lost or stolen, if they don’t have the password to decrypt, your data is protected and your client confidences are protected. So turn that on.
Set up the ability to do remote wipes if a device is ever lost or stolen. I mean, doesn’t that seem like a no-brainer? Take the time to do that. Again, it’s so simple and easy to do. Use strong passwords, long pins, and never use the same password or pin on different devices or accounts. The story I just shared with the lawyer who called me, that was the mistake. He was using a very complex password, which was great, but he was using that same password on multiple accounts. You know, if they get one, they have now access to everything. That makes no sense.
Now, what is a complex password? Well, best practices would say 16 characters. We’re rapidly approaching 20, a number of people that I work with and know in the security space really are saying 20. I routinely am using 20 to 24 on a number of accounts if the device or the application will accept that. And when we say complex, so in my case, we have 20 characters on some of this stuff. It’s upper, lower case letters. It’s symbols. It’s numbers. And it’s going to be very, very hard to guess. You know, there are no dictionary words here that would be easy for a hacker to try to figure out. A lot of pushback that I get on this is, “How can I remember all of this stuff? Good Lord.” You know? “I have trouble remembering what I had for breakfast yesterday, Mark.”
Well, I am not kidding you when I say that my wife and I probably manage between 200, 250 complex passwords and different usernames. I never repeat. I never use them on multiple accounts, this kind of thing. What have I done differently? I use a password manager. Personally, I use RoboForm. There are a number out there that are quite good. Dashlane would be another example. But these programs store and manage all these complex passwords for us. And if I need to change a password, it will even do that for me and randomly generate a new complex password, and memorize it for me. So all my wife and I need to do is remember a very complex, and this is a long one, but a very complex passphrase, and that’s the keys to the kingdom. It’s not written down anywhere. We remember it. There’s no stickies, it’s all easy. But we have the ability now to use complex passwords in every aspect of our life, on any account and device that it’ll work with.
Turn on or utilize two factor authentication on all accounts. Don’t make it easy. Two factor authentication, we’re talking about authenticator apps or sending a pin as you try to log in your bank account. You get the code, a six digit code, typically, on a text message. You don’t want to make it easy. If somebody happens to figure out what the password is on, heaven forbid your IOLTA account, and they’re trying to steal some money out of them, well, when they’re logging in, if they don’t have your phone, the text message isn’t coming to them. It’s just one extra level of protection. And I’m telling you. Now, TFA, you can hack it. Using that doesn’t mean you’re 100% secure, but you are exponentially more secure than not using TFA, so absolutely use that on every work personal account that you can in terms of if it’s available: email accounts, financial accounts, in terms of investment, bank accounts, those kinds of things, are obvious key places where you would want to do that.
Install a VPN. A VPN, and that stands for virtual private network, and it is a software program that will encrypt your data stream so that if you are, well, I’m going to talk about this a bit more in terms of wifi momentarily, but it just makes sure that the sessions, when we are on the internet, that the data stream is encrypted. Again, we’re trying to make it ever more complex.
Those are some basic things to think about. But now I want to shift gears a little bit and explore. You know, as lawyers, we do take vacations and we travel for business, and there’s some exposures that come up here as well. It could be staying in an Airbnb, in a hotel. The list goes on. So a couple of quick behavioral comments, things that we can do. Never use a public computer. I’m thinking about the business center at the resort in Cabo, or at the hotel in DC, whatever it might be, or even local libraries. There’s all sorts of places where public computers are available. Absolutely not acceptable in terms of practicing law, communicating with clients. These things are very, very difficult to keep secure. Anybody can come in and do all kinds of stuff, so I would just not use them at all.
Literally, if I had my own firm and was in charge of things here, I would have one warning, and do it twice you’re fired if somebody, anybody, were using a public computer for work. It’s that high risk. No public wifi. No open. You know, I’m talking about the airport, I’m talking about the signal at the hotel, I’m talking about Starbucks, those kinds of things. We absolutely cannot use this if any alternative exists. And there are alternatives. I won’t get into what all the risks are, but it’s very, very insecure and very high risk.
So what’s an alternative? Well, when I travel, a lot of times what I will do is connect my laptop to my smartphone. I’m using my smartphone then as a hotspot, and so the data stream will be sent using the carrier signal, AT&T, Verizon, whatever carrier you have. Far more secure than the local wifi hotspot.
If however, and I can appreciate at times there are some circumstances where it may not be an option and you really must use wifi, there are some interesting ethics opinions out there that talk about this, but it is an acceptable risk with certain conditions. The two big wins are this, make sure that you know what the legitimate signal is. If you’re at an airport and you’re turning it on, you’re trying, and it says, “Oh, here’s Free Jet Blue wifi.” “Oh, I love Jet Blue.” Jet Blue has never made wifi available. Okay? But that signal has been out there. People will just create names that they think people will log into. If you’re at a Hilton Hotel and you see Free Hilton, it’s not Hilton. That’s not what they call their network. Make sure you know. Ask the barista, ask the person at the front desk at the hotel. “What is the name of the network that you have set up that’s the legitimate one for me to use?” So now which one to connect to.
Then the other thing is, and this is not optional, as soon as you log into the network, initiate, use the VPN. Encrypt your signal. Is this risk-free? Absolutely nothing is risk-free. But this is going to be a little bit more risky than using the carrier signal, but you’re taking reasonable precautions to do what you can in light of the circumstances to be as secure as you can. Those are two key things to think about.
Some other things, don’t leave devices on and accessible if you step away, and you have a conversation with somebody, if you’re outside working around a pool on vacation, trying to just get a little sun. Don’t leave your laptop on at some table unwatched. Have it automatically timeout and log off, or in 10 minutes, or whatever it might be. If you want to run down to dinner in your hotel room, again, log out, or better yet just turn the thing off until you get back up there. But take some steps. Again, it’s all about making sure. We don’t want to make it easy for others to get into our systems. So there’s a couple of things to think about in terms of vacations and travel.
Next, I’m thinking about the move here, and stepping in. My big concern, and I’m using this as a parallel or a corollary to the work from home struggles and that transition. My immediate concern was the router. You know? I have the instructions here. The username is admin. Okay, that’s the default. A lot of them are named admin. The password that they had set up was easy to guess and just, you know. You look and say, “Okay, I don’t know what they’ve done with the settings.” That’s completely unacceptable. I cannot and would not put myself at risk using that signal, let alone ALPS.
Now, I may be a little crazy at times, I don’t know, but I kept my new router, my personal router, I had that with me. Now, I don’t travel with a router all the time, although if I’m going to start traveling and I may stay put for a couple of weeks somewhere, I actually might start doing that. I’m very sincere in saying that. But I’m able to trust the signal and be far more secure. I’m not suggesting now, again, that you take routers with you on your travel, but I am suggesting, hey, in your home, if you’ve not thought about this and taken steps to secure your router, now is the time. There are all kinds of exposures that can come into play here. The purpose of this talk is not to really explore all that, but it’s just to say you need to do something. Let me go through, I have a short list here of things from an article I wrote about this, but I want to talk about some of the basics.
You need to understand that the usernames and passwords, the default ones, are available on the internet, they’re often standards, and that they need to be changed. So again, think about the complex password. Let’s have a very complex password for the router, and let’s change the username from admin to something that is a bit more unique to you. Change the network SSID. Again, the name of the network. Every router comes with a default name. That has to be changed to something that’s unique to you, but don’t make it something that’s obvious as to who you are. You know, Mark at 2022 Front Street. The neighbors all know, “Hey, that signal’s Mark.” And you know, no. You want to make it, “I don’t know who this is,” kind of. Okay?
Set up a guest network in your home, with its own network name and your unique password, so that guests have access to a network. I trust our kids. They’re all good kids. They’re all adults. We’re empty nesters. But when they come home, none of them are allowed on the home network, because it’s used for work, and there’s a lot of, you know. It’s personal information. I don’t want to expose my stuff to there, and vice versa. But you know, if they’re doing something they shouldn’t be doing on the network, it’s separate. I just strongly encourage you to do that. Because when kids come into the home, and friends of your kids come into the home, and they’re gaming, and doing all kinds of things, if they’re on your network that your work computer, and your personal devices, and everything’s on, you’re risking. They bring this new level of exposure that we’re not necessarily thinking about. So block that. Set up a separate network.
If the firmware version of your router isn’t current, update to the most current version available, it’s all about security patches. Routers need to be updated as well. If it’s an auto update option, check that to make sure. If you can’t tell or it looks like there’s been no update even released in the last 12 to 18 months, throw out that router and get a new one. And I’m not kidding around. These routers need to be able to be updated automatically, and the updates, a lot of routers, they stop … I had an older router and it was two years out of date before I finally realized, I’m going, “Well, that’s not good.” So get rid of it and get something current.
Confirm that the network authentication method, and what we’re talking about is the encryption that the router’s using, is set to WPA2 personal, or even better, WPA3 personal, excuse me, if that option is available, WPA3 is simply just more secure. If neither option, WPA2 or WPA3, is available on the router, it’s old, toss it, get a new one. Not kidding. And finally, turn off universal plug and play. That’s sort of the functionality that makes it very easy to connect new internet of things devices and whatnot around the house. I know that it makes connecting new devices when you introduce them to the home a little less convenient, but leaving it on provides hackers easy access. That’s just not acceptable.
I mean, if you want to do that in your own life and nothing in your home is connected to the office network or you’re doing nothing for work, okay. Have at it, I guess. But when we are using devices, the network, for work, that’s got to be turned off. That access avenue, for lack of a better description, has been used even to insert programs like banking Trojans that try to capture your login credentials to your bank account or to your 401k. Not good. We need to address that.
Set up a defined work space. Part of this is a wellness thing for me, part of it is just establishing boundaries in a home, perhaps with children, but having a defined workspace that you can enter and exit from and others can learn to respect can be a huge difference. No device sharing. Absolutely no device sharing. Confidentiality is in play and there’s no pandemic exception. You know, if you are using devices: work computers, personal computers for work, smart everything. The kids, family, if they are not members of your firm, cannot and should not be on these devices.
And the final thing that I want to talk about is just behavior in general. There’s really been a couple of interesting studies of late looking at this, in terms of some security studies, looking at behavior. I find it absolutely fascinating. Part of it has occurred because of this massive work from home thing, but it’s true, this has been true pre-pandemic and it’s going to stay true post-pandemic and vacations. When we use our own devices, as opposed to a work-controlled device, a work-issued device, and when we are outside of a formal office setting, whether it’s vacation, at home, et cetera, we actually, in terms of just seems to be inherent to the human race, I guess, but we seem to be inherently less vigilant, less diligent. We just get far more casual. So we are more easily tricked, or you know, falling prey for a phishing attack or clicking on something we shouldn’t be clicking on, not just paying attention, not turning things off, sharing devices. We just get very, very casual.
We can’t. Stay sharp. Think before you click. Don’t get too comfortable with the casualness. Don’t get too comfortable with this new normal. I understand that for many of us, as an example, we had to transition very quickly to a work from home setting, and it was about making sure the tech works so that we keep moving forward as best we could. And little thought was given to the security side of this. And then we get comfortable with it and we don’t even think about it. That’s what I’m trying to address, in part with this in terms of work from home with this, but I want you to think about it in all aspects. It’s not just the pandemic, it’s not just working from home. It’s when we’re traveling, when we’re on vacation. We need to stay vigilant and we need to periodically just take a few minutes and sit down and think. “Wait, is this a responsible thing to do?” “Wait, have I taken all the steps that I should have taken earlier on or I should be taking now?”
I certainly haven’t covered everything that you can do, but these are key things, and important things, and basic things that I think we should all be thinking about, and that should be on your radar. So that’s it. I hope you found something of value out of this short discussion. I encourage you, if you have any concerns or questions, something that I might be able to help with, please don’t hesitate to reach out. My email address is mbass, M-B-A-S-S, @ALPSinsurance, one word, ALPSinsurance.com. So ALPSinsurance.com, mbass@ALPSinsurance.com. You do not need to be an ALPS insured to visit with me if there’s something I can do. Hey, if someone reaches out and I’m able to do something that might prevent just one hack, one breach, that’s a great day.
That’s it folks. Hey, have a good one. God bless.
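The password rules Mark lays out in the transcript (16 characters minimum, 20 preferred; upper and lower case letters, numbers and symbols; no dictionary words; and never the same password on two accounts, which was the caller's mistake) can be turned into an audit a firm could run against an exported credential list. The script below is an added example, not part of the podcast or ALPS material. The credential list and the tiny word list are constructed for illustration, and the 32-symbol pool used for the entropy estimate is an assumption based on the ASCII punctuation set.

```python
"""Password hygiene audit (added example; not from the ALPS In Brief transcript).

Checks each credential for length, character classes, dictionary words and
reuse across accounts, which are the rules discussed in the episode.
"""
import hashlib
import math
import string
from collections import defaultdict

MIN_LEN = 16        # "best practices would say 16 characters"
PREFERRED_LEN = 20  # "a number of people ... really are saying 20"

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "montana", "missoula", "lawyer", "summer", "welcome"}

# Constructed sample credentials (account name -> password). Never keep real
# passwords in a script; a password manager's export would be the real input.
CREDENTIALS = {
    "bank": "Summer2021!",            # short, dictionary word, reused
    "email": "Summer2021!",           # same password as the bank account
    "iolta": "k9#Qw2$vLp7!zR4m",      # 16 chars, all classes: meets the minimum
    "tax-portal": "T7$gH2!qL9@xW4#rP8&z",  # 20 chars, all classes: preferred
}


def character_classes(pw: str) -> set:
    """Return which of lower/upper/digit/symbol appear in the password."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def estimated_entropy_bits(pw: str) -> float:
    """Crude brute-force entropy: length * log2(pool of characters in use).

    Pool sizes assumed: 26 lower, 26 upper, 10 digits, 32 ASCII symbols.
    This overstates strength for passwords built from dictionary words,
    which is why the dictionary check below is separate.
    """
    pool_sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
    pool = sum(pool_sizes[c] for c in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def policy_findings(pw: str) -> list:
    """Findings for a single password against the transcript's rules."""
    findings = []
    if len(pw) < MIN_LEN:
        findings.append(f"length {len(pw)} is below the minimum {MIN_LEN}")
    elif len(pw) < PREFERRED_LEN:
        findings.append(f"length {len(pw)} is below the preferred {PREFERRED_LEN}")
    for cls in ("lower", "upper", "digit", "symbol"):
        if cls not in character_classes(pw):
            findings.append(f"missing {cls} characters")
    lowered = pw.lower()
    for word in sorted(DICTIONARY):
        if word in lowered:
            findings.append(f"contains the dictionary word '{word}'")
    return findings


def audit(credentials: dict) -> dict:
    """Audit every account; adds a reuse finding when two accounts share a password.

    Reuse is detected by grouping on a SHA-256 digest so the comparison
    never needs to print or log the plaintext.
    """
    by_digest = defaultdict(list)
    for account, pw in credentials.items():
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(account)

    report = {}
    for account, pw in credentials.items():
        findings = policy_findings(pw)
        others = sorted(a for a in by_digest[hashlib.sha256(pw.encode()).hexdigest()]
                        if a != account)
        if others:
            findings.append("same password also used for: " + ", ".join(others))
        report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(CREDENTIALS).items():
        bits = estimated_entropy_bits(CREDENTIALS[account])
        status = "OK" if not findings else "; ".join(findings)
        print(f"{account:<11} ~{bits:5.1f} bits  {status}")
```

Running the script flags the two accounts sharing the short, dictionary-based password, marks the 16-character IOLTA password as meeting the minimum but not the preferred length, and passes the 20-character one. The entropy figure is printed only as a rough comparison; the dictionary and reuse checks are what catch the realistic failures.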
ALPS In Brief Podcast Intro/Outro Music: Walk In The Park by Audionautix is licensed under a Creative Commons Attribution 4.0 license. https://creativecommons.org/licenses/by/4.0/
Artist: http://audionautix.com/
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.