Cybersecurity for Lawyers: Steps to Ensure Your Information is Protected
John Giantsidis, JD, M.Eng. | 2021 – 2024 Member, The Florida Bar’s Standing Committee on Technology
Just like fastening your seatbelt before driving, you should take these steps to be more secure.
Action -> Update Your Device
Updating your software is like getting your car serviced. It improves your device’s performance and makes it more secure. Cybercriminals are always finding new ways to hack into devices. Setting up your device to install updates automatically fixes known weaknesses in your software and keeps hackers at bay.
Action -> Turn On Multi-Factor Authentication
Multi-factor authentication (MFA) is to your account what a security system is to your home. It protects you from criminals who are trying to break in. With multi-factor authentication activated, you need to give multiple pieces of information to gain access to your account. For example, you may need to enter your password and a text message code to log in to your social media profile. The multiple layers make it harder for cybercriminals to hack in. They might manage to work out one part, like your password, but they will still need to obtain the other pieces of the puzzle to access your account.
Action -> Back Up Your Device
Performing a ‘backup’ is when you make a copy of your important files and put them somewhere secure. It’s like copying precious photos to keep in a safe in case you lose the originals. When you back up your computer, phone or tablet, copies of your files are saved online or to a separate device. Having a backup of your important files and cherished photos will give you peace of mind. If something goes wrong with your device or you get hacked by cybercriminals, you can easily restore your files from your backups.
Action -> Use a Strong Password or Passphrase
If a password puts a padlock on your account, a passphrase gives it its own security system! Passphrases are stronger and more secure versions of passwords. When you can’t turn on MFA, use a passphrase to secure your account. Passphrases use four or more random words as your password. This makes them hard for cybercriminals to guess but easy for you to remember. When you create a passphrase, make it:
- Long. The longer, the better. Aim for at least 14 characters in length. Four or more random words that you will remember is great. For example, ‘Il!kepineapPlepizZa’.
- Unpredictable. The less predictable your passphrase, the better.
- Unique. Don’t recycle your passphrases. Use different passphrases for different accounts.
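As an added illustration (not from the original article), the following Python script generates a passphrase the way the list above describes and checks a passphrase against the two measurable criteria the article gives (at least four words, at least 14 characters). It goes one step beyond the article by estimating how many guesses an attacker who knows the wordlist would need. The wordlist is a constructed sample; a real generator should draw from a list of thousands of words.

```python
import math
import secrets

# Constructed sample wordlist for this example only. A real generator should
# use a large published list (thousands of words) so each word adds more entropy.
SAMPLE_WORDLIST = [
    "pineapple", "orbit", "lantern", "marble", "cactus", "velvet", "harbor",
    "glacier", "thimble", "saddle", "copper", "meadow", "puzzle", "falcon",
    "walnut", "ember",
]

MIN_WORDS = 4     # article guidance: four or more random words
MIN_LENGTH = 14   # article guidance: at least 14 characters


def generate_passphrase(wordlist=SAMPLE_WORDLIST, n_words=MIN_WORDS, sep="-"):
    """Pick n_words uniformly at random using the OS CSPRNG behind `secrets`.
    Words may repeat; that keeps the entropy estimate below exact."""
    if n_words < 1 or not wordlist:
        raise ValueError("need a non-empty wordlist and at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Guessing entropy of n_words drawn independently from wordlist_size words.
    An attacker who knows the wordlist needs about 2**(bits - 1) guesses on average."""
    return n_words * math.log2(wordlist_size)


def meets_guidance(passphrase, sep="-"):
    """Check the article's two measurable rules: word count and total length.
    Uniqueness across accounts cannot be checked here and is left to the user."""
    words = [w for w in passphrase.split(sep) if w]
    return len(words) >= MIN_WORDS and len(passphrase) >= MIN_LENGTH


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    print("meets guidance:", meets_guidance(phrase))
    print("entropy bits:", entropy_bits(MIN_WORDS, len(SAMPLE_WORDLIST)))
```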
Action -> Be Ready
- Use dedicated devices solely for work-related activities when outside the office or travelling.
- Apply tamper seals to key areas of electronic devices, such as hard drive bays, removable media slots and other external interfaces, and inspect them to detect any attempted tampering.
- Record details of electronic devices such as product type, serial number and International Mobile Equipment Identity (IMEI) in an inventory of electronic devices being taken.
- Ensure electronic devices are running a vendor supported OS that is fully patched and securely configured with all non-essential accounts, information and functionality removed.
- Configure remote location and wipe capabilities of electronic devices and ensure they are encrypted, including when locked if possible, and using pre-boot authentication.
Action -> Be Alert
- Report any loss, suspected compromise or unusual behavior (including the type, date, and time) of electronic devices, including multi-factor authentication tokens, to your organization’s designated security personnel as soon as possible.
- Assume any electronic devices that have been lost or stolen and later found or returned, to be compromised.
- Never lend electronic devices to untrusted people, even if only briefly (e.g. to check the weather or sports results).
- Never allow untrusted people to charge their electronic device using your electronic device (e.g. charge their phone using your laptop).
- Never use chargers supplied by third parties or charge electronic devices at designated charging stations or USB charging outlets. Only use genuine chargers supplied with electronic devices.
- Never place electronic devices, including MFA tokens, in check-in luggage. Further, never leave electronic devices, including MFA tokens, or luggage containing such items, unattended, even in hotel safes.
- Store authentication credentials (e.g. passwords and/or multi-factor authentication tokens) separately from the electronic devices they are used to authenticate to.
- Avoid connecting electronic devices to any open or untrusted Wi-Fi networks. Regardless, use a Virtual Private Network (VPN) connection to encrypt all internet traffic. Alternatively, use per-application VPNs for all web browsing, email, and instant messaging applications.
- Use encrypted Voice over IP (VoIP) applications for making calls instead of regular phone calls.
- Disable any communication capability for electronic devices when not in use (e.g. cellular data, Wi-Fi, Bluetooth and Near Field Communication (NFC)).
- In locations where sensitive conversations take place, power-down electronic devices and remove them from close proximity to the sensitive conversations.
- Avoid re-using removable media after connecting it to other organizations’ electronic devices, as they may not provide the same level of security as your organization, or their electronic devices could be compromised.
- Ensure removable media provided by other organizations for data transfers is appropriately checked prior to being connected to your electronic devices, noting that some malware residing on removable media may not be detectable.
- Never use any gifted or found electronic devices, especially removable media.
John Giantsidis, JD, M.Eng. is the President of CyberActa, a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their regulatory, cybersecurity, privacy, data, and commercialization endeavors. With a deep regulatory and technology background, a broad range of experience over a 27-year career, and a sharp focus on tackling emerging risks, John affords his clients strategic yet pragmatic perspectives on addressing critical risks in a business-focused and impactful manner. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire School of Law, and a Master of Engineering in Cybersecurity Policy and Compliance from The George Washington University.
This LegalFuel publication is intended for educational purposes only and does not replace professional judgment. Statements of fact and opinions expressed are those of the author individually and, unless expressly stated to the contrary, are not the opinion of The Florida Bar or its committees. The Florida Bar does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information published. Any feedback should be provided to the author.
VIEWS AND CONCLUSIONS EXPRESSED IN ARTICLES HEREIN ARE THOSE OF THE AUTHORS AND NOT NECESSARILY THOSE OF FLORIDA BAR STAFF, OFFICIALS, OR BOARD OF GOVERNORS OF THE FLORIDA BAR.