Cybersecurity: Making your domestic equipment (wfh) safer

Ideally, many of the vulnerabilities identified in this guide should be fixed by an IT professional; however, anyone with basic IT competence should be able to do most of the tasks listed. We suggest:

  • choosing a time when you can afford a delay in getting something working again; 
  • having an IT professional available by phone to troubleshoot;
  • having a five minute chat with your IT support person before you start, outlining what you intend to do and getting some advice about your particular environment.

 They may ask you to gather some information first (or photograph basic settings screens) before you change anything. They may also be able to remotely access your machine to help with some of the later tasks, but this access should be turned off when you are done (see below for instructions).

 This guide provides some generic third-party links outlining how to do the basic tasks required. These links deal with common equipment, but the procedure for your exact device may be slightly different. As a general approach, finding the manual (and associated YouTube video) for your own model is suggested.

Before we start:

The best way to avoid client data compromise from an insecure home network is not to use it in the first place.

The QLS recommends that – as much as possible – employees should not use their own devices or accounts to move, store or work on firm data. The firm should supply a phone, laptop and means to connect them to the internet, to bypass the employee’s home network environment completely.  

Information provisioned to privately owned devices should be remotely managed and stay within cloud accounts controlled by the firm.

However, this is not always realistic, and even if you are only using your own equipment occasionally you must ensure it is safe. Malware injected into documents on a home machine can be carried back into the workplace.

Key point: work-supplied equipment and devices will usually be safer, but if that is not an option, some simple measures can improve the safety of a domestic network.

The problem with domestic networks:

 Domestic equipment may:

  • not be updated as regularly, and may use out of date software and operating systems;
  • have malware on it. Malware can hide on laptops, phones, printers, routers or connected “smart” devices;
  • be exposed to attack because of activity on another device in the household, e.g. a teenager’s laptop;
  • connect to the internet using a router / modem that has not been properly set up;
  • have data that is not encrypted (especially on removable storage);
  • not connect to the work systems across an encrypted channel.

Domestic networks are also outside the ring of protection that many workplaces have set up to prevent and identify intrusion. It is important to note that while the laptop or phone accessing the data is the main issue, other parts of the network such as routers and printers can also be paths to infection.

Passwords

If you use weak or compromised passwords, criminals do not have to break into your network. They can simply log into your online accounts and steal everything that way. This remains the single most common way law firms lose data.   

There are three things to consider: 

  • ensure staff are using unique, high quality passwords (see the QLS template password policy);
  • multi factor authentication (See the QLS Implementation guide); and
  • anti-phishing training.


Step 1: check software is still current and updated

Key point: updating software is part of the basic maintenance regime for electronic devices. Failing to do so could be regarded as negligent if a third party suffers loss.

Updating generally.

Complexity: easy to moderate

Benefit: high

Updating is very important. Most vulnerabilities exploited by criminals have already been identified and fixed (“patched”) by software companies. These patches or updates are released periodically; however, your machine remains vulnerable until the update is applied. Most software can be set to update automatically, but this option is sometimes disabled.

Other software may need to be told to update, or require hardware to do so.[1]  

Vulnerable software may leave a hole in your defences even if you don’t use it. A free photo editing app (for example), downloaded years ago and forgotten may be a vulnerability every time your device is powered on. As a general rule – the less software and the fewer apps on your device, the safer it will be overall. 

Run through the list of installed programs and decide what needs to be updated (see Annexure 1).  This is an excellent opportunity to delete old programs or apps you don’t use. 
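One way to produce that list on a Windows machine is sketched below. This is an added example, not part of the original guide: it reads the standard "uninstall" registry keys without changing anything, and the two-year review threshold and the function name are assumptions chosen for illustration.

```powershell
# Added example: read-only inventory of installed desktop programs.
# Assumptions: Windows 10/11, Windows PowerShell 5.1 or later.
# Microsoft Store apps are not listed here; review those in Settings > Apps.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$reviewAfterYears = 2   # illustrative threshold, not from the guide

function Get-InstalledProgram {   # hypothetical helper name
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            # InstallDate, when present, is normally a yyyyMMdd string.
            $installed = [datetime]::MinValue
            $hasDate = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None,
                [ref]$installed)
            $cutoff = (Get-Date).AddYears(-$reviewAfterYears)
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = if ($hasDate) { $installed.ToString('yyyy-MM-dd') } else { 'unknown' }
                # An old install date only marks a candidate for updating or
                # removal; it does not prove the program is out of date.
                Review    = (-not $hasDate) -or ($installed -lt $cutoff)
            }
        } |
        Sort-Object Name, Version -Unique
}

# Oldest (and undated) entries first: these are the ones to look at.
Get-InstalledProgram | Sort-Object Installed | Format-Table -AutoSize
```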

Only use current software.

Companies eventually stop supporting a particular version of their software and no longer release updates. The software will still work but is no longer safe to use and should be replaced as soon as possible. An important recent example is the Windows 7 & 8 operating systems. All Windows computers should now be using Windows 10 or 11.

This kind of support is expensive to provide, and smaller software companies and app developers might not have the resources to do it.  As a rule, stick to brand name providers.

Less is more

Less software on a device means less maintenance and fewer potential vulnerabilities. Anything that is not used regularly should be considered for removal. Keep in mind that a program may leave malware behind when uninstalled, so best practice is to avoid unknown software and apps to begin with.

If you are dusting off a laptop that has been around for a while or that has a history of infection, consider a “factory reset”. Depending on options selected, this deletes everything and brings the computer back to the same state it was in when it came out of the box.   Doing this has many advantages but you need to ensure you will still have the software needed to run afterwards. Printers, Wi-Fi and cloud accounts will need to be set up again so make sure you have all the passwords.

Do I need to check absolutely everything? 

Ideally, yes. However, broadly speaking, criminals concentrate on weaponising the most common software, so if you don’t have time to do the whole job, start with that. Operating systems, browsers and “toolbox” programs like Adobe Flash are found on many computers and are therefore the first things you should check.

 

Step 2: search and destroy existing infections

Complexity: easy

Benefit: high

Malware is hostile software that lurks on computers, phones and tablets, routers/modems - anything that has a computer chip in it (including printers and other connected devices such as “Smart” lightbulbs & IOT devices).

Choose your weapons 

Use a comprehensive anti-malware suite. The two essential parts are anti-virus and a Firewall,[2] although other services (such as a password manager) can be useful. Layering different anti-virus products on top of each other often does not work very well, so it is best to choose one good platform and stick with that.

Which Malware suite is best? If you are running Windows 8 or 10/11 you already have “Windows Security” (Formerly Windows Defender). This is Microsoft’s anti-malware suite included with the operating system. It is (as at 2021) quite highly regarded, having improved significantly since it was first introduced. Just checking that this is operating and is updating may be enough. For instructions on how to do this, see: Microsoft’s user-help page with Defender Windows. If it was turned off, run a full virus scan as this can sometimes indicate an active infection. 

Is Windows Security enough? Opinions differ.[3] Windows Security is limited in what it does,[4] and some of the features offered by the best alternatives are worth considering. A package that offers a number of licenses and covers phones as well as laptops is probably still an excellent investment.  

For a list of good products to consider check: PC Mag or Tom's Guide. Stick to paid software from well-known companies obtained directly from that company’s website.

Search the undergrowth. 

Once you have a decent anti-malware product available, scan all other computers and phones in use within the family. Like real viruses, computer malware spreads within houses. If your teenager’s phone or laptop is infected by movie downloads, this can allow access to your router and your work data once you connect to it.

Some of the better suites may allow you to search other devices on the home network, such as routers and printers. If that feature is available, do this now.

 

Step 3: toughening your device against future attacks  

Complexity: moderate

Protection gained: high

It can be easy to accidentally click a link that downloads and runs malware. Even just visiting websites (including quite reputable ones) may permit hostile software bundled in advertising to run on your browser. 

For Apple and Android devices, only software from the “official” app stores should be able to run[5] (for how to do that see here: Apple, Android).

Turn off remote access. Remote access is very useful for repair people who need to work on your machine in situ, however this access can be abused. Remote access should be turned off until needed. As an aside, never allow a remote access connection to your computer unless you know who you are giving it to. Solicitors have lost millions of dollars to scammers who offer to assist their IT problems remotely and then used the wide-open channel to access investment and trust accounts.

 

Step 4: beyond the DIY barrier

The following are worth considering but are not likely to be within the skill set of many solicitors.

Limit Macros. Macros permit automation of programs such as Word and Excel. This is useful (and essential for many practice management software systems and precedents) but can be used by sophisticated malware. In 2020, a macro virus was used to perform unauthorised transactions on a Queensland solicitor’s trust account.

Whitelisting. Whitelisting is strongly recommended by Australian cyber-defence authorities like the ACSC, but it is not easy to implement. 

A whitelisted computer will only run limited software using limited tools. The list of permitted features is called a “whitelist”. Even for an IT professional, setting this up while leaving the machine able to do the things you need it to do is fiddly.

Protocols / toolsets / privileges. Limit access protocols such as SMB, toolsets such as PowerShell (which are similar to Macros) and user privileges.
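Several of the settings discussed in Steps 2 to 4 (Windows Security operating and updating, remote access turned off, SMB and PowerShell limits) can be read from a PowerShell prompt without changing anything. The script below is an added example, not part of the original guide; it assumes Windows 10/11 and an administrator prompt, and the function names and seven-day signature threshold are illustrative.

```powershell
# Added example: read-only audit; it reports settings and changes nothing.
# Assumptions: Windows 10/11, elevated PowerShell prompt (for the SMB query).
$maxSignatureAgeDays = 7   # illustrative threshold, not from the guide

function New-Check($Step, $Name, [bool]$Ok, $Detail) {   # hypothetical helper
    [pscustomobject]@{ Step = $Step; Check = $Name; OK = $Ok; Detail = $Detail }
}

function Get-HomeDeviceAudit {   # hypothetical helper name
    # Step 2: is Windows Security operating and updating?
    # Real-time protection reads False when a third-party antivirus has
    # taken over; in that case check the third-party product instead.
    $mp = Get-MpComputerStatus
    New-Check 2 'Antivirus enabled' $mp.AntivirusEnabled ''
    New-Check 2 'Real-time protection on' $mp.RealTimeProtectionEnabled ''
    New-Check 2 'Signatures current' `
        ($mp.AntivirusSignatureAge -le $maxSignatureAgeDays) `
        "$($mp.AntivirusSignatureAge) day(s) old"

    # Step 3: remote access should be off until it is needed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    New-Check 3 'Remote Desktop off' ($ts.fDenyTSConnections -eq 1) `
        "fDenyTSConnections=$($ts.fDenyTSConnections)"
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    New-Check 3 'Remote Assistance off' ($ra.fAllowToGetHelp -ne 1) `
        "fAllowToGetHelp=$($ra.fAllowToGetHelp)"

    # Step 4: legacy SMB version 1 and PowerShell script policy.
    $smb = Get-SmbServerConfiguration
    New-Check 4 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) `
        "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
    # Execution policy is a safety setting rather than a hard barrier, but
    # Unrestricted or Bypass on a home machine is worth raising with IT.
    $policy = Get-ExecutionPolicy
    New-Check 4 'PowerShell scripts limited' `
        ($policy -notin 'Unrestricted', 'Bypass') "ExecutionPolicy=$policy"
}

Get-HomeDeviceAudit | Format-Table -AutoSize
```

Any row showing OK as False is a point to raise with your IT support person rather than a setting to change on the spot.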

Annexure 1

Updating priorities:

  1. Operating system (Windows / iOS / other).
  2. Browser(s)
  3. Primary software
  4. “Toolbox” software used by other programs, such as Java and Flash
  5. Anti-malware software.

| Category | More information |
| --- | --- |
| Operating system | The most important single update. Fortunately one that is easily automated. Windows 10 or Apple iOS (both can usually be set to update everything from that company) |
| Browsers | Also important. Browsers are the gateway to most cloud based and banking systems. Criminals love hacking them. Update the browser: Link to instructions for Chrome / I.E. / Firefox. Either don’t use add-ons (preferred) or keep them up to date as well. |
| Word processing / document production | |
| Practice management | You will need to refer to your supplier for information. |
| Toolboxes used by other programs | |

[1] Some hardware such as printers and network devices may require complicated processes to “flash” them, but that is beyond the scope of this guide.

[2] A firewall is a filter that stops outside intrusion onto your network or device. Strictly, it is not really an anti-malware system but it is often bundled with that software.

[3] A quick Google search of this exact question will deliver diametrically opposed viewpoints from quality sources.

[4] “Enterprise” and more expensive versions of Windows will come with more comprehensive versions of Windows Security / Windows Defender.

[5] Both Google and Apple have processes to block hostile apps, but neither system is perfect.  Discretion is still essential.