The bad news first. An estimated 3.5 million cybersecurity positions will be unfilled globally by 2021.* Leaving data security entirely up to the professionals isn’t a viable option. Like it or not we’re all on the information security team now.
The good news is there are simple things everyone can do to help. The key is making data security a priority. This post gives three steps anyone can take to develop a security-first mindset.
If you’ve already incorporated security practices into your daily routine, consider sharing these tips with colleagues and clients. Cybersecurity in legal needs more advocates.
1. Embrace (minor) inconvenience in your digital life.
The standard security recommendations for individual users are hardly secret. On the contrary, basic security practices like these are well known:
- Password-protect everything;
- Use a strong, unique password for each login;
- Install updates promptly;
- Enable auto-lock on inactivity;
- Keep devices in hand or locked in the trunk when out of office;
- Never connect to open wifi networks;
- Don’t link accounts, including social media; and,
- Make regular backups.
These practices cost little or nothing to follow. They’re also easy to do even for the technology-averse. However, there is a trade-off. Following security best practices does take more time and attention than ignoring security.
The first step is to embrace inconvenience where necessary for security. It’s a small price to pay to safeguard confidential information.
2. Don’t be afraid to speak up – especially when you don’t have all the answers.
The second step is to take ownership of security by speaking up.
The most important time to speak up is when you see – or suspect – a security incident or violation of security procedures. Be alert to problems from propped open doors to malware attacks, and report them immediately. Early detection can be the difference between a minor fix and a major breach.
Next most important is when you have a question. (For example, do you know who and how to raise the alert about a possible security incident?) If you don’t know something, you can be certain you’re not alone. You’ll help others in the same situation by asking the question and sharing the answer.
3. Approach email with extreme caution.
Most security incidents originate from email. Phishing continues to be a huge problem across industries (phishing emails purport to be from a trusted sender and seek to induce the recipient to disclose personal information or open a malware-infected attachment or link). Spear-phishing (personalized, targeted phishing) and whaling (spear-phishing against high-value targets like top management) is more sophisticated by the day. Law firm websites and legal professionals’ LinkedIn profiles are a phishing data mine for bad actors.
The third step is to approach email with extreme caution. Especially a) if the request involves money or personal information or b) the message contains an attachment or link. Ask yourself:
- Do I know the sender?
- Am I expecting this email?
- Does it have the right signature block?
- Does this person normally send files or attachments by email?
- Does the content match the sender’s identity and role?
- Are there spelling errors or grammatical mistakes?
- Is the “voice” right?
- Have there been any emails or other communications leading up to this message?
- Are there other recipients on the message?
- Does the request violate my organization’s procedures?
If an email might be legitimate but you have even the smallest doubt, verify first. Ask IT or contact the purported sender by a different medium (phone call, text, etc.).
In short, make skepticism your default attitude to both work and personal email.
Confidential client information is the lifeblood of the law. Moreover, as eDiscovery professionals we’re squarely in the data business. We owe it to our clients, our employers and ourselves to adopt a security-first mindset.
*Cybersecurity Ventures’ prediction based on 2019/2020 Official Annual Cybersecurity Jobs Report sponsored by Herjavec Group