ATOM featured in NH Bar Assoc. News

CYBERSECURITY SUPPLEMENT TO BAR NEWS

By Jason Sgro

In today’s world, cybersecurity isn’t just the practice of protecting your clients’ confidentiality; it’s also about protecting your name, your future, and your firm. The client relationship is one based on trust, and not just any trust: trust with some of the most sensitive discussions of your clients’ lives. The work we do at ATOM protects our clients as well as the public trust in the technology we use to keep us safe and get our jobs done. Cybersecurity isn’t just about technical implementation, though; it’s about organizational behavior. It’s about striking a balance between convenience and responsibility, between productivity and risk.

At ATOM, www.theatomgroup.com, located in Portsmouth, NH, we believe in helping leaders build a future we can trust. For our legal and law firm clients, that future is most jeopardized by data sharing and storage. Today, we’d like to take a moment to discuss how to share data internally and externally, protect data while you’re on the go, and understand how our clients are most often breached.

First, we need to talk about email. It’s very common for documents of a sensitive nature to be shared via email with clients, colleagues, and third parties. This is not a good practice because email has a few major flaws. The first flaw is that it isn’t traceable. You send an email with a sensitive attachment and you don’t really know where it went. Yes, it goes to the mailbox of the recipient — but is that mailbox accessed on a laptop, a cellphone, a public computer? What if the cellphone is lost? The data is lost with it.

Remember, too, it’s not just the recipient’s mailbox. It’s your mailbox, too. Your sent items are on your laptop, cellphone, and tablet as well. If your devices are lost, copies of those sensitive emails are lost, too. The second issue with email I’d like to discuss is more fundamental: it’s a lack of encryption. Normal email is not encrypted, which means it can be intercepted by a third party and read. Emails are not inherently protected during transmission or during storage. Think about sending your physical mail items in clear, see-through mailers. Not ideal, right? You have no way of knowing who saw it when it was on its way to the recipient.

At ATOM, we recommend the following actions be taken as a best practice when sending or receiving sensitive data.

1. Don’t use email to send sensitive data. Use an application designed for it. We use a Citrix product called ShareFile (www.sharefile.com). It’s not expensive and provides encrypted transport and storage of files so you can easily reference them and use them without having them in your insecure email.

2. Keep a strong password on your email account (generally 10 characters or more) with one number, one capital letter, and one special character. We often recommend using a longer password (like a sentence — space characters are allowed!) so it is easy to remember but also very secure. Length beats complexity when it comes to security.

3. Turn on encryption on your laptop drive. Most PCs and Macs have built-in encryption technologies. Windows 10 has an application called BitLocker (https://support.microsoft.com/en-us/help/4028713/windows10-turn-on-device-encryption) and Mac OS X has an application called FileVault (https://support.apple.com/en-us/HT204837). They are both free, built-in encryption programs that encrypt all of the data on your laptop so that if you lose it, nobody can read the data.

4. Keep as little data on your cellphone and tablet as possible. Most email clients and applications will allow you to download only the last two weeks’ worth of email and data on those devices. This is convenient for current communications, but you will have to go to your laptop or desktop for full history. Storing massive historical data on your easy-to-lose cellphone is not a best practice. In fact, cellphones were the number one method of breach of sensitive data for ATOM legal clients between 2018 and 2019.

5. Safely archive old files. Having all of your working data accessible to you is important, but having all the data from years past is a risk. We highly recommend moving archived data to offline storage, and, at the very least, doing a monthly cleanup of your computer and cellphone to remove any unneeded files. Data hygiene is a great way to protect client confidentiality.

6. Perform a data risk assessment and external penetration test every year. These two assessments help you identify gaps in your security and make remediations on an ongoing basis.

While these are just a few of the recommended controls we help clients put into place, we hope you have found these tips useful. If you have any questions about cybersecurity or specific behaviors in your organization, we’re always happy to discuss.

Jason Sgro is a Sr. Partner at ATOM and Sr. Advisor to the NH State Legislature. With over 20 years in companies ranging from startups to the Fortune 500, he has dedicated his career to helping leaders in healthcare, legal, financial, and emerging technologies build a future we can trust.

Originally posted here.
