Editor’s note: Sharon D. Nelson and John W. Simek of Sensei Enterprises Inc. make their living going into law offices and offering advice on technology and information security. They often encounter lawyers who are otherwise careful in their practice of law but make sloppy mistakes when it comes to protecting their electronic data. Here is their list of the most common errors they encounter:
Wow. This could be an epic novel. No worries, we will restrain ourselves. Here are the things we see most often in our clients’ law offices that make us crazy.
1. There is no screen saver password and the computer is left on at night for remote access. This is fine if you’d like to invite the janitorial staff to load your network with pornography or otherwise browse your files.
2. They never turn their machine off. Computers, you have noticed, are imperfect. Processes don’t terminate the way they should, applications get tangled, and your own tendency to have 15 programs running at once tends to create collisions. As John puts it, “lots of stuff hangs around impeding the performance of your machine.” The fix is easy: either turn the machine off every night or, if you need it for remote access, turn it off when you go to lunch. Once a day is the rule. No exceptions.
3. Passwords need to be 12 characters long – there is no exception to this anymore either. Anyone with any IT sophistication can crack your eight-character password, no matter what it is, in less than two hours. With twelve characters, it takes 17 years. Most bad guys can’t wait that long. Make it easy on yourself and create a passphrase: GoingonanAlaskancruisein2011! is perfect – and easy to remember.
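To show why length is the lever that matters, here is a small Python search-space calculator. It is an added example, not code from the authors or from Sensei Enterprises: the guess rate passed to `expected_crack_seconds` is an assumption (real attackers use dictionaries, leaked-password lists and GPU rigs, so actual times vary with hardware and tooling), and the sample passwords other than the authors’ passphrase are constructed for the demonstration. The point it makes is general: every extra character multiplies the search space by the alphabet size, so four more characters from a 94-symbol alphabet multiply attacker effort by 94 to the fourth power.

```python
import math
import string

# Character classes an attacker has to cover. Which classes actually appear in
# the password fixes the alphabet size; alphabet size to the power of the
# length is the brute-force search space.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the alphabet the attacker must try, from the classes used."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Average brute-force time: half the search space at an ASSUMED guess
    rate. This is an upper bound on effort for a random password; guessing
    attacks on predictable passwords finish far sooner."""
    return keyspace(password) / 2 / guesses_per_second


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The article's rule: twelve characters, no exceptions."""
    return len(password) >= min_length


def compare(short: str, long: str, guesses_per_second: float = 1e10) -> dict:
    """How much harder the longer password is at the assumed guess rate."""
    year = 365 * 86400
    return {
        "short_bits": round(entropy_bits(short), 1),
        "long_bits": round(entropy_bits(long), 1),
        "short_years": expected_crack_seconds(short, guesses_per_second) / year,
        "long_years": expected_crack_seconds(long, guesses_per_second) / year,
        # Exact multiplier when both passwords use the same alphabet.
        "ratio": keyspace(long) // keyspace(short),
    }


if __name__ == "__main__":
    # Constructed sample passwords (not from the article) beside the authors' passphrase.
    for pw in ("Tr0ub4d!", "Tr0ub4d!Tr0u", "GoingonanAlaskancruisein2011!"):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits, policy ok: {meets_policy(pw)}")
    print(compare("Tr0ub4d!", "Tr0ub4d!Tr0u"))
```

Run it as a script to see the numbers side by side; `compare` is the function to call from your own password-policy checks. Note that `alphabet_size` credits a password only for the classes it actually contains, so an all-lowercase twelve-character word scores lower than a mixed one of the same length, which is the reason a memorable passphrase with capitals, digits and a symbol is the recommendation.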
4. Passwords are meant to be remembered, but we are obviously pathetic when it comes to remembering. We find passwords on monitors, under keyboards, and in the top right-hand drawer of the desk. That’s our field research. We would guess that the bad guys can figure those places out too.
5. Being penny-wise and pound-foolish is common – the installation of illegal software in law offices is horrifying. The Business Software Alliance is not amused by illegal software – and at $150,000 per copyright violation, you are unlikely to be amused if discovered. By the way, most of the BSA’s tips come from employees. Do all of your employees adore you?
6. Backup media goes bad. Inevitably. No matter what kind of backup you use (and shame on you if you’re not backing up), you must – absolutely must – do test restores of the data to ensure that all is well. That is true even if you are using an online backup provider. We once saw a major online backup provider lose five years of law firm data – they had never done a test restore.
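A test restore only proves something if you compare what came back against what went in. The following Python script is an added example, not the authors’ code or any backup product’s: `make_backup` archives a folder and records a SHA-256 manifest at backup time, `verify_restore` extracts the archive into a scratch directory and reports every file that is missing or whose hash no longer matches, and `demo` builds a constructed set of client files, verifies a good backup, then rebuilds the archive with one file truncated and one dropped to show the check catching exactly those two. The file names and contents are invented for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Archive every file under src_dir and return a manifest of
    {relative path: sha256} recorded at backup time. Keep the manifest
    somewhere other than the backup media it describes."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Do a real restore into a scratch directory, then compare every file in
    the manifest against what was restored. Returns the relative paths that
    are missing or changed; an empty list means the backup restores cleanly."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                target = (scratch_dir / member.name).resolve()
                # Refuse archive entries that would land outside the scratch dir.
                if scratch_dir not in target.parents:
                    problems.append(member.name)
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src, target.open("wb") as dst:
                    dst.write(src.read())
        for rel, expected in manifest.items():
            restored = scratch_dir / rel
            if not restored.is_file() or sha256_of(restored) != expected:
                problems.append(rel)
    return sorted(problems)


def demo() -> dict:
    """Constructed sample: two client files, one good backup, then an archive
    that silently truncates one file and drops the other."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        src = work_dir / "clients"
        (src / "smith").mkdir(parents=True)
        (src / "smith" / "retainer.txt").write_text("Retainer agreement, signed 2011-03-01\n")
        (src / "jones.txt").write_text("Jones matter notes\n")
        archive = work_dir / "backup.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # Simulate media going bad: rewrite the archive with damaged content
        # but keep the manifest that was taken when the data was still good.
        (src / "smith" / "retainer.txt").write_text("Retainer agre")
        (src / "jones.txt").unlink()
        make_backup(src, archive)
        damaged = verify_restore(archive, manifest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

In practice you would schedule `verify_restore` against a freshly pulled copy of the archive (including one fetched from the online provider, not just the local copy) and treat any non-empty result as an incident. The manifest is deliberately separate from the archive: a backup that stores its only checksums inside the media that is failing cannot tell you anything.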
7. Autocomplete is your enemy. This is the Outlook function that helpfully suggests an e-mail address when you begin to type. In the last week, we have received three e-mails meant for other people. John turns his off. Sharon likes autocomplete, but she has a firm rule. When the e-mail is finished, her hands come off the keyboard until she has verified that the addresses on the e-mail are what she intended. Without this rule, she acknowledges she too would be among the hordes of lawyers who have, at the very least, embarrassed themselves. One lawyer meant to send a very important e-mail to co-counsel and ended up sending it to a New York Times reporter instead. Take your hands off the keyboard.
8. There is no PIN on your smartphone. Remember that rule about keeping client data confidential? How lazy can you get? If you don’t have a PIN on your smartphone, run, do not walk, and get one installed. We once found a SAIC phone lost at an airport. No PIN. The owner was lucky that we were honest folks and turned it over to security.
Funny how easy it was to come up with these eight. Maybe we’ll do a Part II.
– By Sharon D. Nelson, Esq. and John W. Simek
The authors are the President and Vice President of Sensei Enterprises, Inc., a computer forensics, legal technology and information security firm based in Fairfax.