You ARE the Weakest Link

Remember that turn of the century game show where weaker players were summarily dismissed from the game by a snarling game show host?  Wrong answer, and the player was ordered off the game as the weakest link – no second chance.  Only the strongest, most strategic players were left standing at the end to compete for the prize.

When it comes to computer security, YOU are that weakest link.  If you lose, you might not only be sent home in humiliation, you may take your entire office and your clients’ confidentiality with you.  Losing the computer security game is not a chance you want to take.

How do you avoid this fate?  By first implementing basic security steps:

  1. Keep all software patches up-to-date.  Microsoft releases security patches on the 2nd Tuesday of each month (Patch Tuesday) and these must be kept current.  Be aware of out-of-band patches for serious zero-day security threats.  Other software requires regular patching too: Acrobat, Java, Flash, MS Office.
  2. Run anti-virus and anti-malware software on all servers and workstations, and keep both the software version and the virus definitions current.  Check reports daily and take immediate action if infections are indicated.
  3. Use a strong anti-spam solution to filter out the worst of the malicious email.
  4. Keep all workstation privileges at their lowest possible level.  If software does not require local administrative privileges, don’t grant it.  Unfortunately some software, such as Dragon Dictate, doesn’t give you a choice.
  5. Use strong passwords and never, ever give them to anyone.  Of course, you already know never to write them down and stick them under your keyboard…  Never use your network login outside your office network.
  6. Always ‘lock’ your computer when stepping away from it (not all threats are external).  On Windows workstations, that’s as simple as the ‘Win Key’ + ‘L’ keyboard combination.

(I’ve only scratched the surface here – for an in-depth treatment, see Practice Pro’s Managing the Security and Privacy of electronic data in a law office)

All the security software and best security practices in the world still won’t stop you from being the weakest link in the security chain.  Worse, they may provide a false sense of security:  You may think you can rely only on them to keep you safe when taking inherently unsafe actions, but you can’t.  No security solution, however well implemented, can catch every threat. They never have and they never will – not only are some attacks ‘zero day’ (too new to be known), but no security solution has ever tested 100% effective against all threats.  You must never forget that best security practices strengthen the security chain, but one foolish action on your part can shatter it.

You no longer have a choice to disconnect from the danger that the internet poses.  This means you must strengthen your defenses by strengthening your own response to possible attacks: by remaining vigilant, skeptical and suspicious of every link in every email, of every web page you visit, and of any software you are tempted to download.  Everyone is already aware of the obvious stuff: There is no Nigerian prince wanting to share a fortune with you; your best friend’s sister’s husband is not stranded in Paris after being mugged, needing an immediate $2,500.00 wire transfer to get back home.

It’s the less obvious threats you must remain on guard against:  Just because an email purports to be from a courier company, or your bank, doesn’t mean it is, and the probability is that it isn’t.  Stop and think about it for a minute – have you ever given the courier company your email address?  Highly unlikely.  Your bank, or any other legitimate online service, will NEVER send you an email asking you to click on a link and provide your login credentials.  Always hover your mouse over any links (without clicking) and look at the pop-up showing you the ‘real’ underlying web address.  This pop-up will tell you where that link really wants to take you (no matter what the text says), and it will most likely be somewhere you don’t want to go.
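The hover check above can also be done automatically.  This is an added example, not part of the original post: a small Python script that extracts every link from an HTML email body and flags those whose visible text names one domain while the underlying address points somewhere else, plus any link that is not an ordinary web or mail address.  The sample email body and all domain names in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels domain (does not handle suffixes like co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return (text, href, reason) for links a careful reader should not click."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https", "mailto"):
            flagged.append((text, href, "non-web scheme"))
            continue
        # Does the visible text itself look like a web address?  If so, compare it
        # with where the link really goes, exactly as the hover pop-up would show.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and target.scheme != "mailto" and \
                registered_domain(shown.group(1)) != registered_domain(target.hostname or ""):
            flagged.append((text, href, "text and destination differ"))
    return flagged


# Constructed sample: the first link reads like the courier's site but goes elsewhere.
SAMPLE = ('<p>Track your parcel at <a href="http://example.net/x">'
          'www.courier-example.com/track</a> or visit '
          '<a href="https://www.courier-example.com/help">help</a>.</p>')

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE):
        print(f"{reason}: '{text}' -> {href}")
```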

The risks you and your practice run are just too severe not to remain on high alert at all times.  It’s bad enough if your own workstation gets infected – maybe that just means you’re down for the day while your computer is sanitized – an inconvenient, annoying time-waster.  But what if that infection leads to hacking and theft of confidential client information?  A wiped-out trust account?  That’s not a possibility to leave solely to security software protection, because that protection is never, ever certain.  Now take that possibility of a security breach and multiply it by every person working at your firm – every person is a weak link in the security chain.  Every person is equally capable of an action that could cause a security breach.  (An informal study indicates that approximately 15% of people will click on bad links.)  It only takes one hacked computer to infiltrate a network; one network-aware virus to bring down an entire law firm.

How do you mitigate the human factor in security weakness?  Through regular security training and refresher training, along with clear, written, enforced, signed security policies.

The power to strengthen the security chain is in your hands.  Don’t be, and don’t let anyone else in your firm be, the weakest link.