Fixing poor cybersecurity habits

Remote work makes us more vulnerable, making good computer hygiene more important, says Kevin Cheung

Kevin Cheung

With so many employees working remotely to adjust to COVID-19 restrictions, and employers adapting to dramatically changing circumstances on the fly, businesses have let their guard down when it comes to cybersecurity. Law firms have been just as vulnerable as investment firms and large and small businesses, among others. This reveals a lack of employee familiarity with online security, along with entrenched bad habits.

Having employees work remotely has resulted in more vulnerable targets for cybercriminals. This is in part due to not having convenient access to colleagues and in-house resources with whom to discuss and vet online security threats. Many are also accessing company data on unsecured networks, and may not be up to speed on best practices for protecting personal and company data. 

One of the easiest ways for cybercriminals to infiltrate a company network and access data is by email. The restrictions brought on by COVID-19 have increased email and online exchanges of data, and cyberattacks by email have similarly increased. Once cybercriminals have access to the data, they can hold it hostage and demand payment for its release. Unfortunately, there is no guarantee that the data will be released once payment has been made. Malware of this type, which threatens to publish a victim's data or perpetually block access to it, is known as ransomware, and several law firms and businesses have recently fallen prey to these attacks.

Even more concerning than ransomware, some cybercriminals have successfully facilitated the transfer of money out of businesses. This is usually done by convincing an unsuspecting employee to hand over usernames and passwords.

The difficulty with these cyberattacks is that they are cleverly disguised and can deceive even the most cautious of us. The employee will open an email, click a link, and by virtue of those simple actions grant the hacker access to the company’s data. Even those familiar with cybersecurity practices can fall victim when they are in a rush and do not stop to think through whether the email is safe. It is imperative that we take the time to develop best practices to protect against online fraud and deception.

Some general guidelines to protect law firms and our clients are:

Virtual private networks

Use a virtual private network (VPN) when accessing firm data remotely. Online activity, particularly from unsecured networks (e.g., in coffee shops, hotels, airports and libraries), allows anybody eavesdropping on that network to have access to any data you are sending through that network. 

A VPN encrypts your connection so that even if the data is intercepted it is still encrypted. A VPN also hides your internet protocol address so that your actions cannot be traced. This allows you to conduct your online activities securely. 

There is no excuse for not using a VPN, as they are simple to use and there are many free or inexpensive options available.

Enhance email security awareness

Approach emails from unknown or unexpected sources cautiously. Contact the sender of the email if there are concerns about it, and to confirm the sender did in fact send it. This also applies to internal emails sent from somebody you know but with unusual instructions. We have all likely received a malicious email from an unwitting known source. Law firms and, more recently, investment firms, have fallen victim to these internal email hacks, resulting in the transfer of funds to the hackers. Ideally, one would not even open a suspicious email as that action is communicated to the cybercriminal, making the recipient a target for further email attacks.  

Hover over hyperlinks 

If the email invites you to click a link, move your cursor over the link without clicking it. The internet address of where it would take you if clicked should appear somewhere on the screen. If the address is unfamiliar or strange, then do not click it. Clicking these links could result in dangerous software being downloaded onto your computer and the network it is connected to.
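What hovering reveals, as an added example that is not part of the original article: the script lists the real destination host of each link in an HTML email body and notes when the visible text names a different host, the destination is a raw IP address, or the domain is not on a list of familiar ones. The `FAMILIAR` list, the sample email and all function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed values: the familiar-domain list and the sample email body are assumptions.
FAMILIAR = {"examplelaw.test"}
SAMPLE = """<a href="http://203.0.113.7/pay">View invoice</a>
<a href="https://examplelaw.test.login-check.example/reset">www.examplelaw.test</a>
<a href="https://portal.examplelaw.test/docs">Client portal</a>"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Return the host named in a URL-like string (without a leading 'www.'), or ''."""
    try:
        host = urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:
        return ""
    return (host or "").removeprefix("www.")

def review(html):
    """Return [(real destination host, [reasons to be suspicious]), ...] per link."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        real, reasons = host_of(href), []
        # Only treat the visible text as an address if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            reasons.append("text shows " + shown)
        if real.replace(".", "").isdigit():  # dotted IPv4 instead of a name
            reasons.append("raw IP address")
        elif not any(real == d or real.endswith("." + d) for d in FAMILIAR):
            reasons.append("unfamiliar domain")
        report.append((real, reasons))
    return report
```

Calling `review(SAMPLE)` flags the first two links and passes the third; the second link shows why the end of the host name, not its beginning, decides where a link really goes.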

Update software

As annoying as it may be to update software frequently, many of these updates address security threats and vulnerabilities. You may recall the security breach of Equifax in 2017; that occurred because out-of-date software was running on a computer. Make it easy for yourself and simply turn on automatic updates.

Strong passwords

Use strong passwords. This tip has been repeated ad nauseam but for good reason. Consider a password management application to make it easier to employ good passwords across your various accounts and network access points.

Multifactor authentication

Multifactor authentication goes hand in hand with strong passwords, making it more difficult for cybercriminals to access accounts. Consider turning this feature on for all your online accounts.

While these may be considered commonsense tips for online security, the frequency of successful attacks by cybercriminals suggests that many are still unfamiliar with them.  Spend some time to implement good online security habits, and you and your employees can minimize the potential for unwanted intrusions into your business.