Security and Social Engineering

In the last year or so there have been reports of very major data breaches in some of the largest chain stores: Home Depot, Target, Walmart, Anthem health care (78 million). Now comes the breach of some 32 million records of the apparently egregiously incompetent Office of Personnel Management, including documents used for conducting background checks for security clearances. The usual truisms apply:  When you leave your house unlocked and the door open or if  you leave your car unlocked and the keys in the ignition you are hardly in a position to complain when somebody steals something or takes off in your car.

So there has been a big push on security for large sites. I can’t go into details here, but that is a much different issue from security to small and medium law firms, or individual users.  Smaller firms are generally not specifically targeted, with the possible exception of those involved with high profile or big dollar cases (M&A; big divorce cases, etc.) I am mainly concerned with individual users here.

If you live with a cellphone implanted in your hip, then two-factor authentication can be the best way to go: you enter a password; the program texts your phone with a second password; you enter the second password and you have access.  Very secure. Of course, it does take an extra 30 seconds or so to access your data.

Failing that, use a serious password and/or a password manager. Statistics show that the most common password is “Password” or “Password123.” No birthdays, spouses or pets names, and so on. Even there, one of the most popular password managers, LastPass, recently also got hacked.

However, this process highlights the problem with security: the better security you have, the more complex gaining access to a program or just doing day to day work will be. Many people, especially attorneys, find that this is “too much work” (that extra 30 seconds is a killer).  But even the most basic risk analysis would show that the benefits far outweigh the risks of being hacked. this is not a topic people tend to approach with a rational analysis.

However, when all is said and done, the main way in which data is stolen or your accounts compromised is not from hackers, but through social engineering, where a user is lead to believe they are getting a “deal” or have to log in to a given site to “fix” a problem. In fact, this leads to their password, personal information, etc. being compromised. The classic example of how to hack in to a major corporation, for example, is to sprinkle a dozen or so USB drives in various areas of the parking lot. People pick them up and plug them into their machines: bingo! virus, trojan horse, whatever.  

The “Nigerian scam” and its variants is another classic.  Somebody offers you a lot of money from an “estate” if you will only...  For example, recently I have gotten dozens of “offers” from Walmart, Target, Amazon, etc. offering a gift certificate of between $50 and $500 if only — I will spend the money in the next 24 hours. I occasionally get phone calls purporting to be from Microsoft and saying that my computer has been compromised and if only I would let them have access, they will “fix” the problem. Sure.  Scams.

I have had a couple of clients hit by the recent spate of Ransomware – a malware program encrypts your documents and you are supposed to pay to get the password.  In once case, we were able to trace the introduction of the malware to a specific user’s PC. He had obviously opened something they shouldn’t and whammo - malware.

A psychiatrist friend of mine used to say that his favorite patients were the paranoids because they had a firm grasp on reality: they thought the government was out to get them. It isn’t paranoia when they really ARE out to get you!

Using iPads with Worldox

As more and more people are using iPads for email, web browsing and even in some cases to do actual work, the question of integration with document management systems such as Worldox can become a pressing issue.

Worldox has an add-on module, WD Web Mobile which allows access to Worldox from iPads and Macs as well as any browser. While you would not want to use this system for full-scale production, it can be indispensable for getting a few documents that you need, emailing them to clients, working at home or at a vacation home.

With the iPad or browser client you have full search capabilities, can locate your Favorite Matters (in GX4) and otherwise have full control over your Worldox system.

If (that should really be “when”) you upgrade to Worldox GX4, you will be able to drag and drop emails from your iPhone/iPad directly to your Favorite Matters in Worldox.

There is a significant startup cost associated (although Heckman Consulting is offering 20% off from now through August 31) with Web Mobile (about $1,800 plus $15/user). However, if you only have one or two users with iPads, you can have Worldox host the connection on a subscription basis ($30/month/user or $300/year in advance). After 4-5 users, bringing the system in-house makes a lot of sense.

Moving Emails to Worldox from an iPhone/iPad

One of the problems people have always had in managing their emails via an iPad or iPhone is getting them back to the document management system. In essence, they have to do double work: deal with the email on the iPad and then deal with it again when they get back to the office.

Worldox makes it possible to move emails from your iPad/iPhone to Worldox under certain conditions and assuming you are running Outlook Exchange. The first condition is that you have to leave Outlook running on your desktop.

Using GX3, you first have to define email Quick Profiles in Outlook. You can only drag & drop (although maybe it should be called “tap & tap” with an iPad) emails to existing Quick Profiles, there is no client lookup.

To move an email once that is done, first tap on the little storage box. Then open up your email folder list, scroll down to the “Worldox” folder, and tap on the Quick Profile you want to move the email to. Note that this is a move function, there is no option to copy the email.

The process is similar in GX4. There is more setup involved, but the actual process uses the Favorite Matters function, which dynamically displays all the matters you have worked on in the last 30 days, so once it is set up, the process is more powerful and easy to use.

First, you have to create a default Quick Profile so that any necessary default fields are filled in (usually a DocType of “email”). Then, while in the office, you have to save one email to a given matter. You will get a confirmation screen asking you to verify that the email has been profiled correctly. Click the “Don’t show again” box at the bottom of the confirmation screen. If you do not do this, you will be asked to confirm the move every time, so that when you move emails from your iPhone and get back to the office, you could have dozens of confirmation dialogues.

Once that is done, emails can be moved to Worldox seamlessly, using the same procedure as GX3.

This process works well for relatively low-volume firms, where a given attorney works on a relatively limited number of matters in any given 30-day period. It will not work well for a high-volume firm where an attorney might touch a hundred or more matters in a 30-day period.