With COVID-19 creating unprecedented health risks around the globe, criminals are taking advantage of the disruption to phish, hack, steal and ransom their way into computer networks.
As staff and lawyers perform their jobs outside the office, with limited access to IT support, criminals have increased opportunities to disrupt a firm or organization’s operations.
In response to these risks, the Law Society is helping lawyers to:
- Prevent fraud and scams that could jeopardize clients’ interests;
- Recognize the security implications of working remotely;
- Implement measures to mitigate against potential security breaches; and
- Use legal technology to deliver legal services safely and securely.
Top Ten Tips
These are our top ten tips to protect client confidentiality and data security while working remotely:
- Use separate computers, email and online accounts for personal and work activities, if possible.
- Encrypt all devices and use strong passwords. No exceptions.
- Use two-factor authentication wherever possible.
- Be especially vigilant against phishing attacks. Cyber-criminals are actively looking for ways to access your computer and steal firm or client information.
- Always lock your screen when you step away from your computer, even briefly.
- Have a Plan B in case your Internet service goes down or you encounter technical problems.
- Back up your work often, and regularly test that you can actually restore from the backup. An untested backup may not be a backup at all.
- Ensure that all devices have the latest operating systems and software updates.
- Never use public Wi-Fi for confidential client matters.
- Deactivate smart speakers when working from home.
There is a lot to keep in mind in this time of uncertainty. The sections below offer further suggestions for keeping your data safe from fraudsters and protecting the integrity of your clients' information.
Fraudsters are a creative group. They may target you, your staff and your clients to deceive you with:
- Fake government programs, tax rebates or demands for payment of supposed back-taxes, to elicit your banking information.
- Fake safety and COVID-19 alerts, with attachments that install keyloggers to capture your passwords.
- Fake charitable requests asking for donations.
Beware of these and other phishing attacks that could be targeting your firm. Fraudsters go to great lengths to disguise their emails so they appear to come from clients, opposing counsel or even a member of your own firm. If the information being sought has value, and you are being told to skip normal procedures and act immediately, treat the message with suspicion before doing anything.
If you receive any of these communications from an unsolicited source, proceed with extreme caution. Never open attachments or links, and never provide banking or other confidential information, unless you are certain about the source.
When in doubt, contact the sender through a different channel, using a phone number or address you already have on file, to confirm that the message is authentic. Do so before wiring money to a new bank account or sending funds by any method other than the one previously instructed. Never reply using the email address or phone number contained in the original message, since you could simply be replying to the fraudster.
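The disguises described above (a familiar display name on an unfamiliar address, a lookalike domain, replies quietly redirected elsewhere, and pressure to act now) can be checked mechanically before anyone acts on a message. The script below is an added example written for this page, not code from the Law Society; the firm domain, the trusted client and opposing-counsel domains, the contact list and both sample messages are constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: a hypothetical firm domain, the domains of a client and
# opposing counsel it regularly deals with, and one colleague's real address.
FIRM_DOMAIN = "example-law.ca"
TRUSTED_DOMAINS = {FIRM_DOMAIN, "client-corp.example", "opposing-llp.example"}
KNOWN_CONTACTS = {"jane partner": "jane@example-law.ca"}

# Phrases that pressure the reader to skip normal procedures (constructed list).
PRESSURE = ("immediately", "urgent", "wire", "new account", "do not call")


def _domain(address):
    return address.rpartition("@")[2].lower()


def lookalike_of(domain):
    """Return the trusted domain this sender domain most closely imitates, or None.

    An exact match is trusted. A near-miss such as examp1e-law.ca is treated as more
    suspicious than a complete stranger, because it is designed to be misread."""
    if domain in TRUSTED_DOMAINS:
        return None
    best, score = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        ratio = difflib.SequenceMatcher(None, domain, trusted).ratio()
        if ratio > score:
            best, score = trusted, ratio
    return best if score >= 0.8 else None


def assess(raw_message):
    """Return a list of warnings for one raw email message; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []

    # 1. The display name of someone we know, but a different real address.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected != addr.lower():
        flags.append(f"display name '{name}' is a known contact but the address is {addr}")

    # 2. A sender domain that imitates a domain we trust.
    imitated = lookalike_of(_domain(addr))
    if imitated:
        flags.append(f"sender domain {_domain(addr)} looks like {imitated}")

    # 3. Replies silently routed to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        flags.append(f"Reply-To goes to {_domain(reply_to)}, not {_domain(addr)}")

    # 4. Language demanding immediate action outside normal procedure.
    body = msg.get_payload().lower()
    hits = [p for p in PRESSURE if p in body]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real correspondence).
LEGITIMATE = """From: Jane Partner <jane@example-law.ca>
To: associate@example-law.ca
Subject: Draft agreement

Please review the attached draft and send me your comments by Friday.
"""

SUSPICIOUS = """From: "Jane Partner" <jane.partner@examp1e-law.ca>
Reply-To: accounts@mail-relay.example
To: associate@example-law.ca
Subject: Settlement funds - today

Please wire the settlement funds immediately to the new account below.
I am in a meeting all day, so do not call; just confirm by email once sent.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, assess(raw) or ["no red flags"])
```

None of these checks proves a message is fraudulent on its own; the point is that any one of them is enough to justify the out-of-band confirmation described above before funds move.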
Every lawyer working remotely should take measures to minimize the chances of a security breach, including:
- Use a secure Wi-Fi network at home. Protect it with WPA2 or WPA3 encryption and a strong passphrase, change the router's default administrator password, and keep the router's firmware updated. The router's firewall should block unsolicited inbound connections from the Internet.
- Avoid sending or receiving confidential information over any public Wi-Fi network. Attackers set up rogue access points that look like legitimate public networks in order to capture your credentials or take control of your device.
- Use a password manager program like 1Password, LastPass or Dashlane to improve the quality of your passwords and help you to remember them.
- Sites such as How Secure Is My Password? estimate how long a brute-force attack would take to guess a password. Treat the figure as a rough guide only: it does not account for dictionary words or reused passwords, and you should never type a password you actually use into a third-party website.
- Set your computer to lock automatically after a short period of inactivity. Sleep alone does not help unless a password is required to wake the machine.
- Use separate personal and work accounts for email, banking and social media. Remind employees to restrict their office email account to business-related matters.
- Ensure that paper records stored at home cannot be accessed by others. Use a locked room or filing cabinet if available.
- Work in a private area, especially if you plan to do a lot of video conferencing.
- Encrypt your mobile devices as well as your hard drives. macOS (FileVault for the startup disk; Disk Utility can encrypt external drives) and Windows (BitLocker, on Pro and Enterprise editions) include full-disk encryption at no extra cost, and current iOS and Android devices encrypt their storage once a passcode is set.
- Turn on the settings for mobile devices (iOS, Android) that let you erase them remotely if you lose them.
- Use two-factor authentication wherever possible (iOS, Android). Two-factor authentication is an extra layer of security that makes it much harder for an attacker who has obtained your password to get into your devices or online accounts. Where a service offers the choice, prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted through SIM-swap fraud.
- Use a Virtual Private Network (VPN) or another secure remote-access system to reach your office computers from home, rather than exposing them directly to the Internet. Your IT department or consultant can help you set this up.
- Limit each user's access to the parts of your network and the types of information (accounting, HR, client files, etc.) that their job requires. Do not give anyone 'administrator' status unless they genuinely need access throughout your system or need to install software, and even then have them use a standard account for everyday work.
- If possible, use a work-issued laptop. The security measures you take for granted at the office may not exist on your home computer.
- Keep all systems and programs current. Turn on automatic updates where available, and install security updates as soon as they are released to close the holes that would otherwise leave you exposed. Install anti-virus software on all devices.
- Back up client files and accounting records regularly to an offsite location, and keep at least one copy offline or otherwise out of reach of your network, so that ransomware that gets onto your computers cannot also encrypt the backup. To make sure the backup works, test it regularly by restoring a document from it.
- Develop an ‘offline’ way to contact employees in case your computer system is compromised and unworkable. Exchange landline and cell numbers with each other. Create a group account for key personnel on a secure texting app.
- Do not discuss sensitive information near smart speakers (Amazon Echo, Google Nest, etc.). Better yet, turn them off or unplug them when working from home. These devices listen continuously for their wake word and can record and upload audio when they hear, or mishear, it, and anyone who gains access to the linked account or the device can reach those recordings.
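Both the top-ten tip on backups and the longer item above say the same thing: a backup only counts once you have restored from it. The script below, an added example written for this page rather than code from the Law Society, shows what "test the backup" looks like in practice: record a checksum for every file at backup time, restore the archive into a scratch directory, and compare. It then truncates the archive, as a backup job that died part-way would, to show that the check catches it. The client-file tree it backs up is constructed sample data, and the tar-plus-checksum layout is this example's own choice, not a tool the page recommends.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src, archive):
    """Write a compressed tar of src and return the manifest it should restore to."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return build_manifest(src)


def compare_manifests(expected, restored):
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def verify_restore(archive, expected):
    """Restore the archive into a scratch directory and compare every file with the
    manifest taken at backup time. Returns a list of problems; empty means a clean restore."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses paths that escape scratch
                except TypeError:  # Python without the filter argument (before 3.12 / backports)
                    tar.extractall(scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        return compare_manifests(expected, build_manifest(scratch))


def demo():
    """Back up a constructed client-file tree, prove it restores, then show that a
    truncated archive is caught. Returns (problems_good, problems_truncated)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "client_files"
        (src / "matter-1001").mkdir(parents=True)
        (src / "matter-1001" / "retainer.txt").write_text("constructed sample retainer\n")
        (src / "matter-1001" / "trust-ledger.csv").write_text("date,amount\n2020-04-01,1500.00\n")
        (src / "notes.txt").write_text("constructed sample notes\n")
        archive = Path(work) / "backup.tar.gz"

        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Simulate a backup job that died part-way: keep only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_restore(archive, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:", good or "restores cleanly")
    print("truncated archive:", bad)
```

Keeping the manifest alongside the archive also lets you verify an old backup without needing the original files, which is exactly the situation after a ransomware incident.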
While staff work remotely, your firm may already be using a cloud-based service provider, or you may be considering a full transition to cloud computing at this time. Please see The Basics of Cloud Computing for a discussion on the benefits and risks of cloud computing, and links to other resources.
When the pandemic forced lawyers to practise from home, there was a rush to use video conferencing to keep files moving and maintain contact with staff and clients.
The technology is easy to use and inexpensive, but, like any technology, it needs to be used correctly to preserve confidentiality. Some tips for this include:
- Never reuse meeting IDs, passcodes or other login details from previous video calls, and never post them online, where cyber-criminals can use them to disrupt or eavesdrop on your calls.
- Familiarize yourself with video settings that control guest access and usage. Most video conferencing software lets you direct guests to a holding area until you let them into the main conversation. You can prevent participants from recording the conversation and from sharing their screens without permission. Check your settings to ensure all these features are turned on.
- Take a moment to confirm who is there and that you have the correct participants at the start of every video call. Pay particular attention to anyone whose webcam is turned off, making it harder to confirm their identity.
- Quit the conversation immediately if an uninvited guest joins your video call. Reconnect with the intended participants on a new call with new login credentials.
- Consider the impact if a video conference is hacked. The more sensitive the topic of conversation and the information being exchanged, the more caution is required.
Another key to protecting yourself against security breaches is to develop simple routines that everyone knows and can follow. Examples of these routines are:
- Assign a specific person to be responsible for overseeing your firm’s computer security system. If possible, have them examine all devices to be sure they are safe.
- Train staff about who to contact and what to do if they encounter suspicious email.
- Develop clear reporting lines for handling money and require dual signatures for all bank withdrawals. Limit who has access to online bank accounts.
- Regularly review banking and financial information. Decide, for example, when and how you will review monthly bank reconciliations that someone else prepares.
- Record your decisions and your reasons for them.
Before you are confronted with an emergency situation, train your staff on how to prevent and properly respond to a cyber-attack. Help them to:
- Create and use secure passwords.
- Recognize scams.
- Develop safe email practices, including not opening links or attachments from unfamiliar sources.
- Securely store and dispose of confidential paper and electronic records.
- Understand the risks of discussing confidential matters outside the office where they may be overheard.
- Become familiar with your emergency response plan.
If you and your colleagues are working remotely, consider how your firm will function if you lose access to your computers or networks.
This may happen because your computers are frozen by ransomware, your passwords have been hacked or your office is physically compromised by a fire or flooding.
Have a plan for what you will do in the event of a cyber-attack. Include:
- Reporting instructions in the event of a possible breach.
- Instructions for staff on what to do, and not to do, until someone in authority gives the ‘all clear’ signal.
See Disaster Planning and Recovery for more things you can do to prepare for a disaster.
Check whether your email address has already been compromised by visiting the Have I Been Pwned? website.
Simply type in your email address and the site will tell you whether, and in which breaches, your address has appeared. If it has, immediately change the password for that account and for any other account where you reused it, and turn on two-factor authentication.
If you fall victim to a scam, stop the bleeding by terminating access rights and securing documents. Then immediately contact:
- Your IT provider for directions about what to do next.
- Your bank so they can freeze your account and prevent unauthorized withdrawals.
- The Law Society of Alberta’s Trust Safety department for guidance and assistance with your trust account.
- Your insurance broker to determine what you need to preserve or access any cyber insurance coverage you have available.
Written by: Len Polsky, Manager, Practice Management