Six Simple Steps to Better Data Security
The recent wave of high-profile ransomware attacks provides a good incentive to revisit your own data security. ADR Notable is here to help you improve your data security in 6 simple steps. The media coverage of the largest ransomware attacks makes it seem as though only large companies are targets, but reports suggest about 62% of ransomware victims are small to medium-sized businesses, with professional services as the largest single segment.
There are a handful of basic steps that anyone can take that will help protect you from becoming a victim of the tactics hackers use. A little preparation can help you avoid suffering critical loss or exposure of data and liability for claims arising from unauthorized access to your clients’ information.
Data Protection Checklist
We at ADR Notable like checklists. They make your life easy by remembering things for you and giving you a way to track the tasks you need to accomplish. So here is your basic data protection checklist:
1. Store only what you need to keep
The most basic risk mitigation strategy for data protection is not to have sensitive information stored in the first place. Many mediators delete all of their notes and any materials received from the parties at the conclusion of a case to support the obligation of confidentiality. Sensitive information cannot be disclosed, whether by court order or data breach, if it no longer exists. ADR Notable makes this step easy with its Secure Delete feature that helps you clean house when a matter is completed.
2. Practice good password management
You have heard it before:
- Use complex passwords with lots of mixed numbers, letters and other characters.
- Do not reuse the same password across different applications.
- Change them often, and
- Do not write your passwords down.
But then how in the world do you remember them all? The great thing is, you don’t have to. Use a password manager. There are free or cheap programs widely available for this – just search “password manager” and see. Set up an account and load the password manager software on each of your devices. The software allows you to use your existing passwords or the application can create a different, wildly complex passwords. The software remembers and applies them when needed.
3. Be sensitive to phishing.
The biggest risk to data security is allowing malware inside the firewalls inadvertently. The majority of ransomware attacks happen this way. Phishing refers to the use of email messages to fool someone into loading malicious code inside a protected system. Once there, it can begin to delete, expose or lock up information by encrypting it until a ransom is paid.
Employee education, training and testing are the best ways to address the risk of phishing. Be very wary of any message that includes a link or a document to be downloaded. If it doesn’t look right, delete it from your inbox and your trash. You can also contact the sender another way to verify it before proceeding to click on it. Avoid using links to websites embedded in an email. For example, if an email looks like it’s from your bank, offering some deal of interest, use your browser to go to the bank’s website and then search for the deal. Don’t use the link – it may be taking you somewhere on the internet you don’t want to go.
4. Store data securely.
When you put aside a professionally-maintained internal firm system, a separate hard drive that does not connect to the internet is the most secure. They operate like a digital filing cabinet and connect like a USB stick. Just be sure you do not keep the connection between it and your computer open all the time. Isolation from the internet is part of the security.
For most of us, keeping files in a cloud storage system is likely to be the most practical answer. This is how ADR Notable operates. Files stored in Amazon Web Services, iCloud, Microsoft Azure (the system we use) or other cloud systems benefit from high quality physical security. The servers are inaccessible to unauthorized personnel, typically have redundant power and network connections in case one fails, maintain backups that might be useful in data breach situations, and use constantly updated security software, such as firewalls and virus definitions, to detect, block and otherwise defend against intrusions.
If you choose to store all of your confidential information on your own computer, you must keep it physically secure and your security software up to date. This means setting your computer to ‘time-out’ if not in use, and requiring a complex password to resume. In addition, using a reputable antivirus software package like Norton, McAfee and keeping it updated will help prevent the most common widespread tactics used by hackers and help identify messages with malicious code attached. Also, keep your operating system up to date. Windows and IOS are “patched” periodically when a vulnerability is detected. In most cases, and depending on the right settings, just turning your computer all the way off – not just ‘sleep’ mode – and restarting it regularly will trigger these updates. You’ve probably seen the message while shutting down before.
5. Data security in communications.
Practical solutions for this are a little harder, in part because when you send or receive something, there is someone on the other end whose security you cannot control. Email is not perfectly secure, but most systems do encrypt messages in transit. Think of this as putting the content in a sealed envelope while it is enroute, but the addresses are still visible. Plus, you don’t know whether the recipient’s system maintains the message in the sealed envelope when it is received. Major email systems allow you to fully encrypt your messages. This now means the message is unreadable by “sniffers” – a type of tampering with messages while traveling across the internet.
Try it out on your own system. Go to the help function on your email program and search for “encryption.” You’ll likely find a help article telling you how to find and use it. In Outlook though, it is 3 layers down in the menu. Once you find it, encrypting emails works pretty seamlessly for the recipient if they use the same system you do. When an encrypted message goes between different systems, the recipient receives an email that they have received an encrypted message and explains how to go read it (a message which, ironically, looks suspicious itself!). So maybe you choose to encrypt when sending truly sensitive information, but not when sending more innocuous messages.
Text messages also have some security issues, and some systems are better than others. iMessages sent and received by iPhone users get end-to-end encryption. Other systems using just the basic technology, called SMS, probably are not. Again, you can choose messaging systems with greater security. WhatsApp, made popular in international messaging for instance, has greater security.
6. Check your insurance.
Dispute resolution professionals receive sensitive information that is ancillary to the work they do. They are not in the business of storing, transmitting or processing such information. This should affect the cost of insurance, along with the size of the company and amount of coverage you seek. Currently, average cyber insurance or data breach insurance pricing is likely to be around $1,500/year for $1 million in coverage with a $10,000 deductible. For less coverage of $250,000, you would pay a lower premium around $740/year. Some data on the average costs caused by a data breach can also be found online to help you gauge how much insurance to buy.
ADR Notable strives to offer practical solutions for the basic elements of operating a dispute resolution practice. This list provides six easy, non-technical steps anyone can take to protect their clients’ information several of which are built in to ADR Notable in its case and practice management platform. Click here to check out another post we’ve shared on data security and how it pertains to mediation.