
Snapshot

  • As cyber criminals capitalise on the chaos caused by mass workplace closures and the increase in staff accessing business networks remotely, it is especially important to ensure your clients’ and your firm’s data remains protected.
  • This article offers some helpful tips for the legal profession to promote cyber health while working remotely.

Experts are warning of the likelihood of a new wave of cyber attacks targeting people working remotely due to coronavirus.

Over the past few months, we have been inundated with headlines such as “Hackers are using corona virus concerns to trick you” (Marketwatch) and “We weren’t ready for a pandemic, but we better be ready for a cyberattack” (Washington Post). The Australian Cyber Security Centre has also issued a series of alerts about the increase in phishing emails, new COVID-19 inspired scams and the added security risks associated with video conferencing. The Centre has also issued some tips for people working remotely from home; see: www.cyber.gov.au/advice/covid-19-cyber-security-tips-when-working-home.

Law firms should be aware of the possibility of, and start planning for an increase in, cyberattacks as cyber criminals capitalise on the chaos caused by mass workplace closures and the increase in staff accessing business information systems and networks remotely. During this time, it is especially important to ensure that your clients’ and your firm’s data remains protected. The following tips are geared toward cyber health for the legal profession but are general in nature and should not be construed as a one-size-fits-all approach to ensuring cyber security. You may need to seek external professional advice about how to translate cyber security guidance into practical processes.

Understand your firm’s remote working policy

Most law firms have a remote working protocol, so the first step is to know and understand what your firm expects you to do and what restrictions they are placing on the way you access and use company information systems and data.

The policy should contain details about what applications or programs you should use for video conferencing, conference calls and file sharing. If a VPN is required, you should be given directions on how to access and use it.

Implement Multi-factor Authentication for accessing work systems

Use best-practice password management and strong multi-factor authentication to log into company networks, information systems and email. Make sure you never use personal passwords as business passwords.

Be cautious and SLOW DOWN when communicating

Given that social engineering attacks prey on a sense of urgency and on users working under time constraints, it is important to:

  • take the time to read emails carefully;
  • take care not to open unknown links;
  • be suspicious and look out for poor grammar, unusual wording, strange subject lines or ambiguities;
  • be particularly wary of phishing emails and texts and do not open or download emails from an unknown and unexpected source, particularly if they claim to contain COVID-19 updates.

Check facts and confirm information requests

Check payment details and confirm account numbers before making any payments. Understand your firm policy on issuing invoices (especially remotely) and be careful with any communications containing bank account details. Not only are cyberattacks more likely right now, but so is the risk of cyber security-related fraud.

Keep systems updated and implement patches

Make sure antivirus software and firewalls are up to date. A vulnerability in an information system is the easiest way for hackers to gain access to your systems. Hackers monitor when software updates and patches are issued, and prey on systems that don’t implement these updates. Turn on auto-update on your devices for operating systems and apps. This is equally important for work systems and remote devices accessing those systems.

Do not download sensitive data on mobile devices

View and amend sensitive data in viewer mode without downloading it onto your personal devices.

Check the security of any websites accessed

Hover over the URL to check it is secure and legitimate. Many internet websites store passwords and these can be used to guess work email logins and passwords. Change your passwords to unique, difficult-to-guess combinations of symbols, letters and numbers.

Physical security is important

Do not leave devices unlocked or in public places. Treat any device that has accessed your work systems with the same degree of care and safety as your wallet or passport.

Do not assume an email sender is legitimate

Email hijacking and whaling social engineering attacks have never been more prevalent. Be suspicious and look out for red flags. Be particularly cautious if a senior partner or member of the executive team sends you an email with attachments or links that are unexpected. Never open attachments or links without ensuring the email is legitimate.

Review email alerts and forwarding rules and check these on your mail application.

Back up every day

In the same way that work systems need to be backed up, so do remote devices. You can back up externally to a disconnected hard drive, to a USB or to the Cloud. Ensure that any hard drives or USB sticks used are encrypted. An automatic backup can be set on your systems so that the backup happens without human intervention.

Exercise best practice video conferencing

If you have an in-house IT team, make sure they are involved in your firm’s discussions about what technology and software you might wish to use. You should always make sure you understand how new technology or software might affect your practice, as well as the security and safety of your clients’ and your firm’s data. Any free technology should always be thoroughly considered and analysed, including in relation to privacy implications, as you might be trading something in exchange for free use. There are cyber security risks associated with remote access, video conferencing and collaboration tools. You should ensure that you are only using collaboration tools, chat sites and video conferencing facilities approved by your firm for discussing and sharing information and documents. You should only send invitations and details through a secure method, remain aware of your surroundings and the confidentiality of the information being discussed, and only allow invited participants into the virtual room. For online meetings, include a password in the meeting invitation and do not share more information than necessary.

For more, see the Australian Cyber Security Centre’s guidance on web conferencing security, at: www.cyber.gov.au/publications/web-conferencing-security.

While there may be challenges in working safely and effectively from home, implementing these basic tips may help ensure that data remotely accessed is protected.

Gillian Collins is Founder and CEO of Cybersafe Legal and a member of the Law Society’s Privacy and Data Law Committee.