In the last year or so there have been reports of major data breaches at some of the largest chain stores: Home Depot, Target, Walmart, and Anthem health care (78 million). Now comes the breach of some 32 million records at the apparently egregiously incompetent Office of Personnel Management, including documents used for conducting background checks for security clearances. The usual truisms apply: when you leave your house unlocked and the door open, or leave your car unlocked with the keys in the ignition, you are hardly in a position to complain when somebody steals something or takes off in your car.
So there has been a big push on security for large sites. I can’t go into details here, but that is a much different issue from security for small and medium law firms, or for individual users. Smaller firms are generally not specifically targeted, with the possible exception of those involved in high-profile or big-dollar cases (M&A, big divorce cases, etc.). I am mainly concerned with individual users here.
If you live with a cellphone implanted in your hip, then two-factor authentication can be the best way to go: you enter a password; the program texts your phone a second, one-time code; you enter that code and you have access. Very secure. Of course, it does take an extra 30 seconds or so to access your data.
Failing that, use a serious password and/or a password manager. Statistics show that the most common password is “Password” or “Password123.” No birthdays, spouses’ or pets’ names, and so on. Even so, one of the most popular password managers, LastPass, recently also got hacked.
However, this process highlights the problem with security: the better your security, the more cumbersome gaining access to a program or just doing day-to-day work becomes. Many people, especially attorneys, find that this is “too much work” (that extra 30 seconds is a killer). But even the most basic risk analysis would show that the benefit of that extra effort far outweighs the risk of being hacked. This is not a topic people tend to approach with a rational analysis.
However, when all is said and done, the main way in which data is stolen or your accounts compromised is not through hackers breaking in, but through social engineering, where a user is led to believe they are getting a “deal” or have to log in to a given site to “fix” a problem. In fact, this leads to their password, personal information, etc. being compromised. The classic example of how to hack into a major corporation is to sprinkle a dozen or so USB drives around the parking lot. People pick them up and plug them into their machines: bingo! Virus, trojan horse, whatever.
The “Nigerian scam” and its variants are another classic. Somebody offers you a lot of money from an “estate” if you will only... For example, recently I have gotten dozens of “offers” from Walmart, Target, Amazon, etc. offering a gift certificate of between $50 and $500 if only I will spend the money in the next 24 hours. I occasionally get phone calls purporting to be from Microsoft, saying that my computer has been compromised and that if only I would let them have access, they will “fix” the problem. Sure. Scams.
I have had a couple of clients hit by the recent spate of ransomware: a malware program encrypts your documents and you are supposed to pay to get the password. In one case, we were able to trace the introduction of the malware to a specific user’s PC. He had obviously opened something he shouldn’t have, and whammo: malware.
A psychiatrist friend of mine used to say that his favorite patients were the paranoids because they had a firm grasp on reality: they thought the government was out to get them. It isn’t paranoia when they really ARE out to get you!