Bad guys don’t take a break
Cybercrime peaks around holiday periods. Attackers know that we are all more vulnerable when out of routine and away from our usual office / home office environment. Extra risk arises because we are:
- often relying on messages and email, unable to confirm information in real time;
- more likely to encounter insecure or fraudulent equipment such as Wi-Fi, chargers or printers;
- inclined to upload sensitive data to personally managed cloud storage or USB devices;
- tired, jetlagged and targeted by airport thieves;
- using personally owned or less secure equipment;
- unable to contact IT if something is odd or not working;
- exposed to more distractions, and possibly less careful than during standard work hours;
- at risk of inadvertently sharing the contents of our screen with the person behind us.
What can we do about it?
Risk minimisation for holiday working is part focus, part preparation and part technology.
Policies need to be explained to and applied by everyone. Senior people are often the worst offenders for failing to follow IT policy, and of course are often the most valuable targets. If you are a sole practitioner you need self-discipline, and if you are a partnership, the partners collectively need to make sure that everyone knows and follows agreed procedures.
Phishing
Phishing attacks on phones via email and SMS are now a very common way for law firms to suffer a major data breach. This is not exclusive to being out of the office, but we are more vulnerable due to the smaller phone screen, and the fact that we often just quickly check messages during break periods.
A phisher’s usual objective is to get someone to follow a link that either infects the device with malware, or asks for a password, supposedly to access a document.
Risk reduction for users:
- Don’t follow links in messages or email, even if you think the sender is trustworthy. Navigate directly to the website or use an app.
- Fake website log-on pages can look identical to the real thing. Check the URL carefully, and never enter passwords if prompted by a link.
- Separate business from private email. Set up a “burner” email for use with online shopping and general web use, a secure personal email for more important communication and keep business for business.
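The advice above comes down to reading the address a link actually points at. The following is an added example, not code from the original article or from QLS: a small Python helper that pulls the host out of a URL and compares it with the domains a firm actually uses, flagging the tricks fake log-on pages rely on (credentials before an “@” that hide the real host, plain http, internationalised lookalike characters, and hosts that merely contain the firm's name). The domain names in it are constructed placeholders.

```python
"""Check a link found in an email or SMS before anyone follows it.

Added example (not from the original article): a defender-side helper that
extracts the host a browser would really connect to and compares it with a
firm's known domains. All domain names below are constructed placeholders.
"""
from urllib.parse import urlsplit
import unicodedata

# Constructed allowlist: the domains this (hypothetical) firm uses for
# email, document sharing and log-on. Subdomains of these are accepted too.
TRUSTED_DOMAINS = {"cosyfirm.example", "docs.cosyfirm.example"}


def registered_host(url: str) -> str:
    """Return the lowercase host a browser would actually connect to."""
    parts = urlsplit(url.strip())
    # .hostname discards any "user:pass@" prefix, which is exactly the part
    # phishers use to make "https://cosyfirm.example@evil.example" look
    # legitimate at a glance.
    host = parts.hostname or ""
    # Normalise Unicode so visually similar forms compare consistently.
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_link(url: str) -> dict:
    """Return the host, a list of reasons for concern and a verdict.

    verdict is "ok" when nothing was flagged, otherwise "suspicious".
    """
    parts = urlsplit(url.strip())
    host = registered_host(url)
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("credentials before '@' disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalised) host; may be a lookalike")
    elif not host.isascii():
        reasons.append("non-ASCII characters in host; may be a lookalike")
    if not is_trusted_host(host):
        reasons.append(f"host {host!r} is not a known firm domain")
    return {
        "host": host,
        "reasons": reasons,
        "verdict": "ok" if not reasons else "suspicious",
    }


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive by SMS or email.
    for link in (
        "https://docs.cosyfirm.example/share/1234",
        "https://cosyfirm.example@evil.example/login",
        "http://cosyfirm.example.login-portal.example/",
    ):
        result = assess_link(link)
        print(f"{result['verdict']:10} {link}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

The check is deliberately strict: anything other than an exact or subdomain match of a known domain is reported, because “cosyfirm.example.login-portal.example” contains the firm's name but belongs to whoever owns “login-portal.example”. It is a screening aid for whoever triages reported messages, not a substitute for the rule of navigating to the site directly.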
Risk reduction for firms:
- Train staff to spot phishing attacks, but don’t put total reliance on that, as many attacks are almost undetectable.
- Consider mail screening services. Your email provider may offer this. If not, specialist providers can screen out some (but not all) fraudulent emails.
- Introduce two-factor authentication for all email and document storage[1].
Free Wi-Fi & phone chargers are dangerous
Avoid plugging your device into any equipment you don’t own (such as a charging bar or printer), and avoid free Wi-Fi, especially in a public place such as an airport, but even your own hotel is a risk. If you must charge from equipment you don’t own, use a “charge only” cable that does not allow data transfer. (The cable supplied with most devices allows data transmission by default.)
A fake Wi-Fi hotspot can be built for just a few dollars and placed in airports, conference centres, hotels or cafes. The log-on screen looks the same as the real thing, and the Wi-Fi will work, but the attack device can copy everything (including passwords) accessed through it.
USB charging facilities can inject malware or copy data. Even legitimate hardware may be a threat from misconfiguration or if infected with malware.
Risk reduction for users:
- Don’t use public Wi-Fi. Either avoid hotel Wi-Fi altogether or be very careful to ensure that you know exactly what the SSID (Wi-Fi name) should look like (e.g. CosyHotel may be legitimate, but Cosyhotel may not). For more tips see here[2].
- Don’t use charging stations or USB charging in public places. Only use your own charger plugged directly into a power socket.
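The SSID rule above is stricter than it looks: only an exact match counts, and a near match is the warning sign rather than a reassurance. As an added example, not code from the original article or from QLS, here is a Python helper that classifies each network name from a (constructed) scan as an exact match, a lookalike (differs only by case, spacing or characters that are easily confused) or unknown. The SSIDs and the small confusable-character map are constructed for the example.

```python
"""Classify Wi-Fi names against the one the venue actually advertises.

Added example (not from the original article). A guest should connect only
on "match"; "lookalike" is the evil-twin pattern the article warns about.
"""
import unicodedata

# Characters commonly swapped for visually similar ones. Constructed and
# deliberately small; a real confusables table is far larger.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "|": "l"})


def loose_form(ssid: str) -> str:
    """Collapse case, spacing, separators and lookalike characters."""
    s = unicodedata.normalize("NFKC", ssid).casefold()
    s = "".join(s.split())  # drop all whitespace, including trailing spaces
    s = s.replace("-", "").replace("_", "")
    return s.translate(CONFUSABLES)


def classify_ssid(seen: str, expected: str) -> str:
    """Return "match" (exact), "lookalike" (cosmetic difference) or "unknown"."""
    if seen == expected:
        return "match"
    if loose_form(seen) == loose_form(expected):
        return "lookalike"
    return "unknown"


def review_scan(scan_results, expected: str) -> dict:
    """Map every SSID from a scan to its classification against expected."""
    return {s: classify_ssid(s, expected) for s in scan_results}


if __name__ == "__main__":
    # Constructed scan: the hotel's real network plus two impostors.
    expected_name = "CosyHotel"
    scan = ["CosyHotel", "Cosyhotel", "C0sy_H0tel", "CosyHotel ", "AirportFree"]
    for name, verdict in review_scan(scan, expected_name).items():
        print(f"{verdict:9} {name!r}")
```

Note that a trailing space (“CosyHotel ”) is reported as a lookalike even though it renders identically in most network pickers; that is precisely why the article says to check the name exactly rather than by eye.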
Risk reduction for firms:
- Supply a VPN. These come in two types, corporate and domestic. For an explanation of the difference see here[3].
- Supply a Wi-Fi option via dongle, or extra data for staff to use with their mobile hotspot.
- Follow QLS guides for mobile device security.
Accessing data
Remote access to a firm network can be achieved in a number of ways, some of which are extremely insecure. Configuring such access is best left to an IT professional.
Data in the cloud may be accessible wherever the device is located, but check before international travel: blocking overseas access is a sound security practice in many cases, and you may need that block temporarily disabled for your account before you go.
It is always better to avoid using a personal laptop to access firm data. It is a pain to take two laptops on holiday, but may be necessary. A tablet might be a good compromise.
Physical device security
A laptop bag can be easily lost or stolen at the airport. Ensure ALL data storage devices are encrypted with strong passwords. Use either BitLocker (supplied free with most Windows 10 licenses) or VeraCrypt.
Risk reduction for users and firms:
- DO NOT allow your phone to show “previews” of messages and email on the lock screen. With previews on, an attacker does not need to unlock your phone to read the MFA codes used to approve bank transfers or reset passwords.
- Know and use the measures suggested in the QLS Guides for Android or Apple mobile devices, and the Data Storage Best Practice guides.
- At the very least, encrypt all data on a USB/storage drive and have a good password on your phone.
- Buy and use privacy screen-guards for laptops to make it harder for people behind you to read documents you are working on (the removable kind is best, as they do make screens slightly less readable for the user as well).
Enquiries:
David Bowles
Direct line: (07) 3842 5937
[1] Multi-factor authentication is one of the best value-for-money steps an organisation can take to protect confidential data. See the QLS Guide to Multifactor Authentication for more details.