On Balance hosts JoAnn and Tish welcome back David Ries for part 2 of their discussion regarding economical cybersecurity practices for legal professionals. In last month’s episode, David stressed the importance of a comprehensive approach to cybersecurity for your law firm. This time, David offers practical tips to help you move from the big picture down to the specific safeguards needed to protect essential technology (devices, networks, servers, and more) in use at your legal practice.
David Ries is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the areas of environmental, technology, and data protection law and litigation.
State Bar of Michigan: On Balance Podcast
Cybersecurity Practices That Won’t Bust Your Budget – Some Practical Tips
Intro: Welcome to State Bar of Michigan’s On Balance Podcast where we talk about practice management and lawyer wellness for a thriving law practice. With your hosts JoAnn Hathaway and Tish Vincent here on Legal Talk Network. Take it away, ladies.
Tish Vincent: Hello, and welcome to another edition of the State Bar of Michigan’s On Balance Podcast on Legal Talk Network. I am Tish Vincent.
JoAnn Hathaway: And I am JoAnn Hathaway. We are very pleased to have Dave Ries of Counsel Attorney with the Law Firm of Clark Hill in Pittsburgh, Pennsylvania. Join us today as our podcast guest for the second part of this two-part podcast series to talk about Cybersecurity Practices That Won’t Bust Your Budget – Some Practical Tips. Dave was also our September podcast guest when he spoke about Cybersecurity Practices That Won’t Bust Your Budget – Security Basics. If you didn’t have an opportunity to listen to that podcast, we invite you to do so. So Dave, would you share some information about yourself with our listeners to include your background in cybersecurity?
David Ries: Sure. I practiced with Clark Hill’s Cybersecurity and Privacy Team. I got my first computer in the early 1980s. It was the first year that PCs were available, so I kind of got in on the ground floor on using technology in the practice of law. For a number of years, I was one of very few attorneys who are actually using computers for practice. Over the years, I’ve tried to strongly encourage attorneys to embrace technology and to do it in an appropriate and secure ways, because we all know, technology can be dangerous. Since the mid-1990s I’ve increasingly focused my practice on cybersecurity and privacy. So I’ve been in the practice area, kind of sense, the ground floor.
Tish Vincent: In the first session, you discussed threats and attorney’s duties to safeguard confidential data in a comprehensive approach to cybersecurity. What are the next steps?
David Ries: All right. In the first session, I explain kind of the macro of cybersecurity, the need to develop a comprehensive risk-based cybersecurity program appropriately scaled to the size of the law firm and the sensitivity of the information. So that’s kind of the umbrella and security won’t work without that umbrella. It’s important to put everything together as a program, not just to pick ad hoc security practices and adopt them on a one by one basis. So in this session, I’m going to review some of the specifics, the practical tips of how you move from the macro to the micro, the specific things that we should be doing to protect the different technology, devices, networks, et cetera that we’re using. So this session is going to be practical safeguards.
JoAnn Hathaway: What should the attorneys do to protect desktops, laptops, smartphones and all the other portable devices they might have?
David Ries: Well, there’s a checklist that I use for this that I’m going to work through and we’ll make it available to you. Just a quick aside. I’m a big fan of the book ‘The Checklist Manifesto’ I think using checklist works very well for cybersecurity and privacy. It also works well for a number of other things in the practice of law. So I encourage everyone to you know, use checklist, put things in writing not to just do things on a different basis every time you deal with it. So number one is to follow the setup instructions and that includes for desktops and laptops the instructions from Microsoft for Windows and the instructions from the device manufacturer. For smartphones, the instructions all come from the hints at manufacturers or the tablet manufacturers. They’re better now on telling you what to do for security. In the early years of some of these devices, you had to jump to appendices or other places to find them.
So number one, follow the manufacturer’s setup instructions for security. Second, setup administrator and standard user accounts. You don’t have them on smartphones and tablets, but you do on desktops and laptops. There are two different kinds of user accounts. One is standard, the other is administrator.
For installing software, for making certain changes to the device in the operating system, you have to be an administrator account. If you set them both up and you use the standard user account most of the time some malware can’t take over the computer. It’s not total protection, but it is strong protection. Number three is to use a strong password or passphrase. I recommend using a passphrase like ilovetechshow2019 with an exclamation point at the end. It’s long, complex and easy to remember. Also, there are password lockers, like one pass, last password that do it for you. I recommend using them. Next, set up auto lock after X minutes of inactivity so you can set up a computer that it will log off after 5, 10, 20 minutes of activity. That way if you walk away from your computer, or your phone or other device, someone can’t pick it up and use it because it will be locked. Also setting up a lock after a specified number of incorrect logon attempts, that protects it if it’s lost or stolen from someone using an automated method to try to guess the password. The strength of that protection is evidenced by the battle between Apple and the FBI on decrypting iPhones after they’ve locked.
Enabling encryption. So on modern android phones and iPhones, when you put in a passcode or password, they’re automatically encrypted so it’s turned on. On laptops and desktops, whether their Windows or Mac, you have to turn encryption. The manufacturers have instructions for it. The consumer versions of Windows do not have encryption built in. Professional and Enterprise does. Turn on the firewall, that’s turning on a software tool, install software security and have auto-update enabled, secure the internet browser. There are privacy settings in them and set them to medium or above because those are both for privacy and security and then turn off on needed services. Whatever you have on your desktop, laptop or other device, if you don’t need it, it can present a risk. So turning it off can present that. And finally, to follow up on the business versions of Windows. Even though it cost some money, I suggest using business-grade laptops rather than consumer ones. They cost more but they are more durable though, it usually lasts longer than consumer-grade ones, and they have better security capability.
One important thing for encryption is a TPM chip. That’s a trusted platform module chip that business grade laptops have and consumer ones don’t. You can encrypt it without them, but it’s more difficult. And again, in Windows. the professional and enterprise have built-in encryption called BitLocker. The less expensive ones don’t.
Tish Vincent: What should attorneys do to protect servers in networks?
David Ries: All right. So we’ve talked about what are called the endpoints, those are the desktops, the laptops, smartphones, portable devices. So next, we want to look at the network, what they’re connecting to. A small Law Firm may not even have a network and servers. But if they do, even a small one, it’s important to take steps to protect them. And I should mention that most attorneys will need some professional help in setting up network security on the portable devices, laptops, desktops. A lot of attorneys if they are willing to spend the time and follow the directions, it’s not difficult to set them up securely. Networks are, and unless an attorney is pretty astute in technology, who are willing to spend the time to learn it, it’s better to get some professional help.
The first step is having strong authentication and access control. That’s to get into the network when you log on to the network. It should be a strong password or passphrase just like on the individual devices. In a network setting, it can be set up with single sign-on so that when you log onto the desktop or laptop, it also logs you into the network, so that will avoid you having to enter the same password twice or having to have separate passwords for the two.
Another important step is closing unneeded ports. So you have a closed network within the law firm and generally, you’ll have some type of external access. So that will be for people to get into the network or for the network to connect to various servers, providers and things of that nature. The connections are usually through like doors in the network. They’re called ports, so they’re like doors or switches. Make sure that you close all the ones that you’re not using. Next, having an automatic log off just like you do on the individual devices. When someone connects into the law firm particularly if it’s remotely, having an automatic log off from network connection so that they have to enter their credentials again.
Next is segmentation, and that just means dividing the information up. The larger the law firm, the more that segmentation is necessary. A lot of law firms will take their financial and personal information and segment it so only people who need to access it can access it, but they don’t do enough segmentation of client data. So sometimes it’s helpful for everyone to be able to get access to everything. But particularly with highly sensitive information, it’s better to divide the network and limit access to what people need to do their work.
Another important step with networks is enabling and retaining network lagging. So lags are automated records of what goes on within a network. If there’s a data breach or intrusion or oftentimes just with network problems or glitches, the lags are the keys to understanding what happened. For an example, in a data breach, if you have an intrusion with good lagging, you may be able to find out that someone got into your network but didn’t access any confidential information. So it then does not become a breach where you have to give legal notice and things of that nature. Lags are often the key to being able to determine whether or not there was a breach when there’s an intrusion.
Then finally. setting up a standard network and physical security, again, there’s some written materials on that and we don’t have time to go through all of it in this presentation. But that’s an overview of what’s necessary to secure servers and networks. And one additional point before we move on is that it is particularly important to have security for wireless networks. So within a law firm, if you have wireless, you want to make sure that it is locked down and protected. If attorneys are using home networks, you should make sure that they are secure. That’s particularly important in the work at home environment that we have today. This is technical but there are different wireless security standards. The two current ones are WPA2 and WPA3.
If you have an older wireless system that has an older wireless technology, replace it. Also, when you’re connecting in from outside, we are going to talk about that a little more in the next segment. But have a virtual private network, a VPN, which gives you an encrypted tunnel over the Internet. Be very careful of public wireless networks. Most security professionals recommend that public wireless networks not be used for sensitive information, which would include most of what we do as attorneys. So be very careful and certainly don’t use a public wireless network unless you’ve had a security professional set up your computer or whatever device you’re using in a way that it will be secure.
The Department of Homeland Security even recommends the consumers don’t use public networks for banking. So what does that say about what we should be doing as attorneys. So that’s an overview of servers and networks.
JoAnn Hathaway: What are the security considerations for remote access and working from home?
David Ries: All right. So we obviously are in the middle of a vast expansion of remote access and work at home. I’m still working at home except for one day a week that I only go into the office for part of a day. And many law firms and businesses earlier this spring with the shutdown for the pandemic moved very quickly into a work-at-home environment. Some had been prepared for because they had a lot of it in the past, others were just moving into it. But I wrote a client advisory about a month ago that was dealing with the topic. All right, now that we’re settled in the new work-at-home environment, go back and do a security audit, check and make sure that you’re doing everything in a secure way to make sure you didn’t miss anything in the rush in the beginning and to make sure that you haven’t learned anything that causes you to change the way that you’ve been doing it.
So I use a chart to illustrate this, which of course we’re not using in a podcast, but there are three different areas. First, there’s the remote user, so that’s someone at home or at another remote location that’s connecting into the law firm. Second, there’s the internet. there’s the path of communication from wherever the remote user is. And for many of us, it’s at home now and into the law firm network. So what we’re really putting together here is the kind of steps that we looked at earlier for securing the endpoint devices and for securing networks. So at the remote end for most of us at home, you have to make sure that the laptop, desktop or tablet that you’re using is secure. And we went through the steps for securing now, so they’re important in this context.
Second, securing the home network, and I mentioned that at the end of the last question, it’s making sure that you have an up-to-date wireless access point. And today, it’s really important to make sure that the firmware or software on it is up to date. They’ve been finding vulnerabilities in even newer wireless access points and they have to be updated. So just like your computer where you add the Microsoft patches and things of that nature to update and eliminate security vulnerabilities. You now have to do that on your wireless router. One thing that I recommend if you’re going to be working at home a lot, if you have other people at home that are using the wireless, that you set it up with two different wireless networks are two different wireless clouds. So one is more secure, the other one can be one that you know, the kids are on doing your gaming and going to the kind of sites that they do. Because it can really be a security risk if you have everything on one wireless network, even if it is securely configured.
Next, having a secure internet connection. That’s generally going to be using a virtual private network as I mentioned before or another type of secure connection so the data can’t be intercepted. Now, a few more things to look at it home, having printer security. Making sure that whatever is on the computer that you print, that you securely deleted, make sure it’s not stored if it’s highly sensitive. Might not be necessary for everything, but making sure that a wireless connection to a printer is secure and being careful of what that or maybe left on it. Next is paper security. Most of us have gotten into the habit of shredding confidential documents in the office when we are discarding them. What about at home? If you’re printing confidential client information at home, you need a shredder. You can’t just put it out in the trash.
Next is physical security, if you have confidential paper information or law firm technology at home, making sure the best you can that it is physically secure. Then the last point on work at home is the danger of bring your own device and home computers. Sometimes attorneys have to do that at home, but it is a real security risk particularly if other family members and kids can use the computers. It’s much safer to have a dedicated computer for law firm work or attorney work rather than a shared home computer.
If you have a shared home computer, it’s really important to make sure that all the patches are applied to the software just like on the law firm computer that you have security software that’s up to date. I would even suggest setting up a separate user account. Just like you can have an administrator account and a standard user account, you can also set out multiple standard user accounts, so that would be another protective step. I already discussed the importance of a secure Internet connection, so I’m not going to go over that again. Then at the site that you’re logging in to, that’s often going to be the law firm. But other times, it will be a cloud service provider. I’m going to talk about them a little bit later in this session, but it’s really important to have a secure connection there and using the multifactor authentication. We’re seeing them on consumer sites now with banks on shopping sites, but that’s where you need an addition to a username and password, some type of security code. It sometimes comes by text message. The easiest way is using the security app like Duo or Google Authenticator, where you just have to hit an OK button rather than entering in a code. But that’s one of the most important steps for remote access either to the law firm or to cloud services.
Then the other steps that I talked about in network security, it’s particularly important to have them with remote access, particularly closing off ports that aren’t used to limit external access to the law firm, to the channels that you want to actually use and are actually authorized. So that’s an overview of the remote access and work at home just takes the issues that we have in a network and moves them outside the secure network and so it adds additional levels of security that need to be addressed.
Tish Vincent: Can you say a little bit more about the security that is proper for cloud services?
David Ries: Sure. If you go back 20 years ago or so, there was a lot of debate about whether or not it’s safe for attorneys to use cloud services. That debate I think is well behind us and it’s pretty clear now that a lot of cloud service providers can actually provide stronger security than many law firms or attorneys can provide on their own. But it includes some due diligence, making sure you’re dealing with a reputable cloud service provider, including understanding their terms of service. There are a number of ethics opinions on attorney using cloud services. The ABA Legal Technology Resource Center has actually published a web page that has a list with links to all of them, and there’s at least a dozen. I think probably more than that. But they basically all say that attorneys may use cloud service providers consistent with the ethical duty of confidentiality, but it’s important to do it in a way that you go through the due diligence, that you understand what confidentiality and security that they have, that there’d be some legal requirement to a contract or otherwise, htat they will provide the security that they say they will, those kinds of considerations.
Services like Microsoft 365, Google G Suite, a lot of the practice Management Service providers, cloud back up can actually provide stronger security than many law firms can buy themselves like I just mentioned. But they often require secure configuration by the end user. We’ve seen a lot of issues where some of the commercial cloud service providers have suffered data breaches, but they’re not because of the structure they provide, it’s because the individual account holders who set up their accounts don’t set up secure configuration. An example of that is multifactor authentication. A lot of the cloud service providers have it available, but the users have to enable it. So those are the kinds of things to look at.
I want to talk a little bit about encryption before we finish. The strongest way to protect data that’s in the cloud is if the end user, in this case the attorney or the law firm has the decryption key. So the data is encrypted when it leaves the law firm, it stays encrypted in the cloud and it can only be decrypted by the end user.
That’s the strongest and for cloud storage is sensitive information and things. It’s something that can practically be done. If you’re using a service provider where you’re actually processing information on their site, like practice management sites, e-discovery sites, even if you’re using the online Office 365 or the online G Suite instead of processing on your computer, it has to be decrypted in the cloud for the data to be able to be processed. But if there’s a choice for stored data, it’s better to have the encryption at the end users end rather than in the cloud. So that’s an overview of the practical tips for security. So with the two sessions together, we have the micro in this one, the macro in the early one. And if you combine them, you have a roadmap for providing reasonable security.
JoAnn Hathaway: That’s great information, Dave. It looks like we’ve come to the end of our show. We’d like to thank our guest today, Dave Ries for a wonderful program.
Tish Vincent: Dave, if our guests would like to follow up with you, how can they reach you?
David Ries: I’ll be glad to respond to emails. It’s [email protected].
Tish Vincent: Thank you, Dave. This has been another edition of the State Bar of Michigan on Balance Podcast.
JoAnn Hathaway: I’m JoAnn Hathaway.
Tish Vincent: And I am Tish Vincent. Until next time. Thank you for listening.
Outro: Thank you for listening to the State Bar of Michigan On Balance Podcast brought to you by the State Bar of Michigan and produced by the broadcast professionals at Legal Talk Network. If you’d like more information about today’s show, please visit legaltalknetwork.com. Subscribe via Apple Podcasts and RSS. Find the State Bar of Michigan and Legal Talk Network on Twitter, Facebook and LinkedIn or download Legal Talk Network’s free app in Google Play and iTunes. The views expressed by the participants of this program are their own, and do not represent the views of, nor are they endorsed by Legal Talk Network or the State Bar of Michigan, or their respective officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.