A few months ago, I went to an MCLE seminar on cybersecurity. The 90-minute presentation hit topics such as public wifi, cloud computing, thumb drives, and password strength. The goal of the presentation was of course to scare everyone into being more vigilant in their firm policies regarding cybersecurity. The recommendations included:
- Never use cloud computing. Always store your data on onsite servers.
- Don’t use thumb drives on company computers.
- Never use any mobile devices to store firm information (including emails).
After the presentation, we ate dinner, and everyone and my table came to the same conclusion: “Screw that. We are going to use thumb drives while checking our business email on our phones while client files upload to Dropbox.” That’s because some things are just too convenient to give up. As a solo, I might not want a server that I have to maintain. And I like getting my emails on my phone and on my watch because it makes my life easier.
Now, I don’t want to make light of cybersecurity because it is a very serious issue. But, the fact remains that if your data exists in a tangible form, people can steal it and it is vulnerable….
For people who say never store documents in the cloud, I tell them about the time my co-counsel’s office was broken into and his server and office computer stolen. For people who say that the best policy is to keep only hard copies of documents, I tell them about the time I was working at a firm and the pipes above the file room broke and flooded all of the office’s files and we had to fly the documents out to Texas to be flash frozen and have the ice brushed off each document. There is no practical place on Earth to store all of your data and not have it be vulnerable.
California has an ethics opinion about whether you can store your documents in the cloud. In short, you can, but you need to take steps to make sure that you are providing maximum security to your clients’ files. I’m sure less important states have similar ethics opinions as well.
So, here are some really simple, practical things you can do — in 10 minutes — to increase your security.
Enable two-step verification for everything that you can. Two-step verification means that after you enter your password, you have to enter another code that is usually either texted to you or provided with an app, such as Google Authenticator.
Now, if someone in China cracks your password, they would need to also have your cellphone to enter the second code and access your account. A lot of banks are adding this to their online banking. Dropbox has it. Google has it. Microsoft has it. So, if you use Dropbox, Google Docs, or OneDrive, you can add this added layer of protection.
Encrypt Your Flash Drives/Portable Hard Drives
I have a couple of Western Digital portable hard drives and a LaCie USB key. Both of these products come with encryption software that password protect your files. The Western Digital software prompts you for a password when you plug in your drive. The LaCie software lets you create a public and a private partition on your drive and people won’t even know that the private partition is there until they run the software to unlock it. Both are free programs and can be installed in about a minute.
Don’t Use A Super Strong Password
I have no problem with strong passwords. A strong password with numbers and upper and lower case and maybe a special character or 2 is better than just “password” (or “p455w0rd” if you are a lazy IT person). But, if you’ve got a password that is 15 characters of random special characters and case sensitive letters, you are never going to remember it and you are going to have to write it down, and keep it handy, which defeats the security purpose of having a strong password. I’m not alone in this theory.
Go here and find out how secure your password is. It tells you how long it would take to crack your password. Choose the strongest password that you can remember.
Jeff Bennion is a solo practitioner from San Diego. When not handling his own cases, he’s consulting lawyers on how to use technology to not be boring in trial or managing e-discovery projects in mass torts/complex litigation cases. If you want to be disappointed in a lack of posts, you can follow him on twitter or on Facebook. If you have any ideas of things you want him to cover, email Jeff at firstname.lastname@example.org.