October 2023 Tech Tip - Five Personal Cybersecurity Considerations for Lawyers

by Tracy L. Wilkison and Erin Burke

Lawyers handle sensitive client information across multiple devices on a daily basis, making them a prime target for cyber attacks. Threat actors see smartphones and laptops containing trade secrets, medical records, financial statements, and more as a veritable treasure chest of data and information for the taking. Fortunately, tightening personal cybersecurity can be accomplished through low-tech solutions and best practices that will protect information and mitigate cyber risks at home, at work, while traveling, and in public spaces. Here are five key personal cybersecurity considerations for lawyers.

1. Password Managers Are a Necessity
Password compromise and reuse remain the lowest hanging fruit in cybersecurity. However, it is nearly impossible to remember a unique, complex password for every account. Password managers, which are available as applications or browser-based extensions, allow for the automatic generation of strong, unique passwords for each account that are less susceptible to compromise, without needing to remember them; the user is only responsible for remembering a single master passphrase.1 Organizations may have specific provider recommendations, or already offer password managers to employees. While it may seem unsafe to have every password stored in one place, it is much more likely that an easy password will be hacked than a credible password manager. Reliable password managers use an encryption process to protect information, and are usually built on a zero-knowledge architecture, so the provider is unable to see the information stored in the manager.2

In addition to using password managers, preferably one for work and a separate one for home, remember to never share passwords and to update them periodically. Password reset questions also provide an opportunity to make accounts more secure: answers do not need to be true, or even real words.
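The two mechanisms this section relies on, random password generation and a master passphrase that the provider never learns, can be shown in a few lines. The following is an added illustration written for this column, not code from the authors or from any password manager product; the two-key split (a vault key kept on the device, an authentication key sent to the provider) is a simplified sketch of the zero-knowledge pattern, and the passphrase and iteration counts are constructed sample values.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Tuple

# Character set a manager-style generator draws from (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password from the OS CSPRNG with at least one
    lowercase letter, uppercase letter, digit and punctuation character."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:  # rejection sampling keeps each accepted candidate uniformly random
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_keys(master_passphrase: str, salt: bytes,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Stretch the master passphrase into two independent 32-byte keys.

    vault_key never leaves the device and encrypts the stored passwords;
    auth_key is the only secret ever sent to the provider, for login.
    (Simplified illustration of the zero-knowledge pattern, not any product's scheme.)
    """
    material = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def provider_store(auth_key: bytes) -> bytes:
    """What the provider keeps: a hash of auth_key. Neither the passphrase
    nor vault_key can be recovered from this value."""
    return hashlib.sha256(auth_key).digest()


def provider_check_login(stored_verifier: bytes, presented_auth_key: bytes) -> bool:
    """Constant-time comparison of the presented auth key against the stored verifier."""
    return hmac.compare_digest(stored_verifier, provider_store(presented_auth_key))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                      # constructed per-user salt
    vault_key, auth_key = derive_keys("correct horse battery staple", salt)
    verifier = provider_store(auth_key)
    print("login ok:", provider_check_login(verifier, auth_key))
    print("provider holds vault key:", verifier == vault_key)
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

A 20-character password drawn from this alphabet carries about 131 bits of entropy, far beyond what guessing attacks can cover; the provider, holding only a hash of the authentication key, has nothing from which the vault key could be reconstructed.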

2. The Importance of Multifactor Authentication Cannot Be Overstated
Whenever possible, multifactor authentication (MFA), or two-factor authentication (2FA), should be used as an extra layer of cybersecurity beyond a strong password. MFA is a security technology that verifies an individual’s identity using multiple forms of identification.3 Many MFA tools work by automatically sending a numeric code to a phone via SMS, or push notification through an app, when someone attempts to log into a password-protected account.4 Avoid using SMS-based MFA if possible; cyber criminals and other nefarious actors often target wireless provider accounts to obtain access to SMS messages.5 Instead, use a dedicated MFA app for personal accounts in addition to corporate accounts. The majority of websites and services now offer MFA, including password managers, email accounts, social media accounts, and other applications. The option will sometimes be prompted during sign-up or may be available through account security settings.

3. All Devices Should Be Updated Regularly
Keeping the operating systems (OS), browsers, anti-virus, and other critical software on your devices up to date is vital. Threat actors will often target known vulnerabilities that reside in older versions of software.6 Installing updates as soon as they are available provides devices with the latest security measures and fixes issues that may have been discovered in previous versions. This applies not only to laptop and mobile device OS, but also to computer and mobile device applications, as apps will also regularly update their cybersecurity features. Delete any unused apps, as they may be out of date and might be causing forgotten security risks, even if not in regular use. Consistently updating systems and apps will reduce risk with the simple click of a button. If an older device can no longer support an OS that receives security updates, it is time to invest in a new one.

4. Avoid Public Conveniences
While it is convenient to connect to a free public Wi-Fi network or use a public charging station at an airport, these are easy ways for threat actors to gain access to your systems. Public Wi-Fi is insecure, and prone to hacking attempts that can allow a threat actor to intercept your sensitive communications and data. If working in a public space is necessary, always connect to a Virtual Private Network (VPN), available through most organizations, which provides a secure, private network through encryption. Similarly, public charging stations like those in airports, as well as USB charging ports in hotel rooms and other venues, can infect devices with malware and grant remote access to threat actors. Plugging devices into third-party items could infect the device with malware, so always use personal charging cables and bricks.7

5. Stay Vigilant When Looking for Phishing Attempts
With recent developments in Artificial Intelligence (AI) tools, phishing emails and text messages appear increasingly realistic. These tools make it easy for threat actors to avoid obvious misspellings or poor grammar, which are often telltale signs of a phishing attempt.8 With phishing attempts appearing almost indistinguishable from legitimate communications, always pause before reflexively clicking on links and attachments, as they may contain malware designed to attack a device. Reliable retailers and service providers typically do not send emails with attachments. Common signs of malicious links include URLs that appear familiar but use a variation in common spelling, such as an extra letter; URLs that do not begin with the “https” designation; and URLs with a different domain suffix than normal (for example, .com instead of .net).9
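The three link red flags just listed (misspelled look-alike names, a missing "https", and a changed suffix) are mechanical enough to check in code, and doing so shows how a mail filter or a careful reader reasons about a link. The following is an added example written for this column, not code from the authors; the allowlist of expected domains and the test URLs are constructed, and `registered_domain` is a simplification that treats the last two labels as the owner's domain (it does not handle multi-part suffixes such as co.uk). Beyond the three signs in the text it also flags a trusted name embedded inside a longer, unrelated domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the reader actually deals with.
EXPECTED_DOMAINS = {"example.com", "example-bank.net"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names that are one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host name (simplification, ignores co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected=EXPECTED_DOMAINS) -> list:
    """Return warning strings for a link; an empty list means no red flag was found."""
    warnings = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        warnings.append("not https")
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    if domain in expected:
        return warnings                      # exact match with a known-good domain
    name, _, suffix = domain.rpartition(".")
    flags = []
    for good in sorted(expected):
        good_name, _, good_suffix = good.rpartition(".")
        if good in host:
            # e.g. login.example.com.evil-site.org: trusted name used as a subdomain
            flags.append(f"'{good}' embedded in a different domain ({domain})")
        elif name == good_name and suffix != good_suffix:
            flags.append(f"same name as {good} but suffix .{suffix} instead of .{good_suffix}")
        elif levenshtein(name, good_name) <= 2:
            flags.append(f"looks like {good} (spelling differs: {domain})")
    if not flags:
        flags.append(f"unrecognised domain {domain}")
    return warnings + flags


if __name__ == "__main__":
    # Constructed sample links a phishing message might carry.
    for link in ["https://example.com/login", "http://example.com/login",
                 "https://exampple.com/verify", "https://example.net/account",
                 "https://login.example.com.evil-site.org/", "https://totally-unrelated.org/"]:
        print(link, "->", check_url(link) or "OK")
```

The check is deliberately conservative: anything not on the allowlist gets at least one warning, which is the right default for a lawyer deciding whether to click rather than for a spam filter that must keep false positives low.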

Conclusion
Security and convenience have an inherently inverse relationship. Adhering to proper cybersecurity best practices may initially seem time-consuming and inconvenient, but these five simple tips will significantly decrease the risk of stolen personal and client information. Threat actors continue to evolve their tactics, requiring constant cybersecurity vigilance at work and at home. Spending a few extra minutes to connect to a VPN when working on the go, or immediately updating a device instead of selecting “remind me later,” can provide peace of mind and potentially save lawyers and their firms from the significant legal and financial ramifications of a cybersecurity incident.

ENDNOTES

  1. Password Managers: Using Browsers and Apps to Safely Store Your Passwords, National Cyber Security Centre (Dec. 21, 2021), https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers.
  2. Lee Davis and Kelly Main, Are Password Managers Safe in 2023?, Forbes (April 26, 2023), https://www.forbes.com/advisor/business/are-password-managers-safe/.
  3. Mary E. Shacklett, What is Multifactor Authentication and How Does it Work?, TechTarget (Nov. 2021), https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA.
  4. Id.
  5. David Dunn, Now’s the Time to Get Smart About Securing Your Smartphone, FTI Consulting (Oct. 14, 2020), https://www.fticonsulting.com/insights/fti-journal/nows-time-smart-securing-smartphone.
  6. Id.
  7. On the Internet: Be Cautious When Connected, Federal Bureau of Investigation, https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/on-the-internet.
  8. Bob Violino, A.I. Is Helping Hackers Make Better Phishing Emails, CNBC (June 8, 2023), https://www.cnbc.com/2023/06/08/ai-is-helping-hackers-make-better-phishing-emails.html.
  9. Edvardas Mikalauskas, How to Identify and Avoid Fake Websites, Cybernews (Feb. 6, 2023), https://cybernews.com/security/6-rules-you-should-follow-to-avoid-fake-websites/.

Tracy L. Wilkison and Erin Burke are consultants with FTI Consulting—an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk, and resolve disputes: financial, legal, operational, political and regulatory, reputational, and transactional. The views expressed herein are those of the authors and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
Tech Tip columns provide advice about how to incorporate technology into one’s practice.