Unfortunately, you will have seen some very significant data breaches involving Optus and Medibank Private in recent weeks. The extent and scope of the data compromised in these attacks is very troubling. Sadly, data breaches happen on a regular basis and most cybersecurity professionals believe that it is not going to get better any time soon – there's just too much money to be made by cybercriminals. So, a few people, knowing my ongoing cybersecurity studies, asked me to put together a list of some data security recommendations. Note: I consider these recommendations to be the bare minimum risk mitigation steps that can be implemented by non-techy people. Your IT professional will have even more recommendations.
1. Use Unique Passwords
It is well known that many people use the same password on multiple sites and services. This is a bad habit. A data breach on any one of those services means an attacker can then use that login information on other sites. Stolen login credentials are frequently sold on the dark web and there are several readily available hacking tools which can very (very) quickly use this information to facilitate attacks. To reduce your risk, always use unique and long (at least 16 characters) passwords on all websites and services you use. Better still, make your life easier and use a password manager such as LastPass, 1Password or Dashlane to easily create and not forget these passwords. Tools like 1Password also have the benefit of monitoring for password breaches and alerting you when a password should be changed. If you haven't changed your passwords for your email, banking and other apps to be unique, it is recommended you do so now. You should also check to see whether your credentials have been compromised as part of recent data breaches by checking here: https://haveibeenpwned.com/.
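The breach check mentioned above can be done without ever sending a password (or its full hash) to anyone. The following is an added example, not code from the article or from Have I Been Pwned: it applies the article's 16-character minimum and the k-anonymity scheme used by the Pwned Passwords service, where only the first five characters of the password's SHA-1 hash are sent and the matching is done locally. The range response embedded below is constructed for the example (except the suffix of SHA-1("password"), which is genuine); the `fetch_range` function performs the real online lookup and is not needed to run the offline demo.

```python
from __future__ import annotations

import hashlib
import urllib.request

MIN_LENGTH = 16  # the article's recommended minimum password length

# Constructed stand-in for the text the Pwned Passwords "range" endpoint returns
# for the SHA-1 prefix 5BAA6. Suffixes and counts are made up for this example,
# except the second line, which is the genuine suffix of SHA-1("password").
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F4A3B1C2D5E6F708192A3B4C5D6E7F8091:12
"""


def sha1_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix that
    never leaves this machine (the k-anonymity scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Online lookup of one 5-character prefix (not used in the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that only knows the constructed 5BAA6 bucket."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, lookup=fetch_range) -> int:
    """How many times the password appears in the breach corpus; 0 = not found.
    Only the prefix goes to `lookup`; the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_and_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def assess_password(password: str, lookup=fetch_range) -> list[str]:
    """Return the problems found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH} characters)")
    seen = breach_count(password, lookup)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a notoriously common one and a 20-character one.
    for candidate in ("password", "xK9#mQ2$vL7@nR4!pW8&"):
        print(candidate, "->", assess_password(candidate, offline_lookup) or "ok")
```

Swap `offline_lookup` for the default `fetch_range` to check against the live service; the call still discloses only the five-character prefix.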
2. Use Multi-Factor Authentication
Passwords on their own are considered a weak form of security. Cybersecurity professionals recommend that your login to online services should be based on at least two of the following:
- Something you know (your password)
- Something you have (your phone, a key fob)
- Something you are (biometrics)
For most people, the use of your password plus a second authentication method such as an authenticator app on your phone provides a sufficient level of security for controlling access to most of your online accounts. If you have MFA set up, it becomes exponentially more difficult for someone to compromise your online account through a credentials breach. Note, however, that whilst it is better than nothing, SMS authentication is considered weak and relatively easy to hack (some of the big Twitter hacks have occurred this way). If you haven’t done so already, you should encourage your clients to use MFA when accessing the MM Portal. For instructions on how to do this, please see: https://mmcpd.link/ug8.
3. Remove unused extensions and apps
Think of how often you have given an app permission to do something like access your contacts, connect to your email account, know your location or monitor your web usage. Many of us simply do not realise just how much information these apps and extensions have access to and what they do with that data. You should periodically review your phone, web browser and email accounts to check which apps have been given access to your data and remove any which you no longer use and look to restrict those you choose to keep. For those apps you keep, check to see if they are still being updated and maintained by the original author. Apps are often sold to big data collection organisations and as a result your data may now be used for more than you originally intended. And the one thing to know about data security – the more places your data exists, the greater the likelihood it will be (and probably has been) compromised.
4. Stop using email to request information or money
Many of the recent attacks against Lawyers and Migration Agents have involved the attacker breaching an email account (see the earlier point about passwords and MFA) and then impersonating the email address of that professional to then request that the client make a large deposit of funds into an unauthorised bank account. Only when the funds are actually required do the parties then realise the scam has taken place and the recriminations begin. Law Societies and insurers now actively advocate against the use of email as a means of collecting information or for requesting money. Continuing to do so is at your own peril! To be fair to email, when it was designed all those (many) years ago it was not created as a means of secure communication, and unless you and your client are prepared to use encrypted email (and most aren't because it's not easy), you will be using an inherently insecure means of communication. It is therefore recommended that you use an encrypted portal or one-to-one secure messaging system to communicate with your clients. Also, if you are going to request money, it is recommended that you let your client know that you will only ever ask for it via a secure method and that you will confirm the request via a secondary method such as by SMS or a phone call. You should also educate your clients that you won’t change your bank account details by email and that they should be on the lookout for fraud.
5. Minimise the Data you retain and who has access to it
One of the big concerns highlighted in the recent Optus and Medibank Private data breaches is the amount of data held about people, including those who were no longer clients of those organisations. In the Migration and legal professions, you are required to collect and handle a lot of highly sensitive personal data for your clients. Furthermore, there are rules and regulations requiring you to keep copies of your client files for several years after completion of work on a matter. However, within this requirement, you should carefully consider what data needs to be kept and the way it is kept. In a world where data persistence and access is often non-expiring, it has become particularly important to ensure that staff, apps and service providers have access to the least amount of data possible. Within your work environment, you should take steps to ensure that staff only have access to the data that they need to perform their work, and when they no longer need that access, you should proceed to restrict it. When you close a file, consider whether you need to retain information such as passport numbers, copies of identity documents etc. If you do need to retain access to those documents and information, consider storing them in a location that is separate from your active files. However, don't forget your ongoing obligation to ensure that you do not act for someone where there is a conflict of interest pertaining to your involvement with a previous client or matter. Your fiduciary duties go well beyond your file retention obligations, so you always need to keep sufficient information about who you have previously done work for, to enable you to perform conflict checks. To this end, when using Migration Manager, we recommend the following:
- Set up user permissions to limit user access to client data
- When closing a file, review the file to consider what sensitive data you need to keep and then delete the information no longer required – e.g. delete passport and identity numbers, change given names to initials etc.
- Use the Archive function to move documents to a location outside of your main document storage system
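The three steps above can be expressed as a small file-closing routine. The following is an added example written for this article, not Migration Manager's own code or schema: it takes a constructed closed client record, strips the identity numbers, reduces given names to initials, splits the identity documents out into a bundle destined for a separate archive location, and keeps just enough to run a conflict check later. The field names and the sample record are this example's assumptions.

```python
from __future__ import annotations

import copy

# Constructed example of a closed client file (field names are this
# example's own, not any product's schema).
SAMPLE_CLOSED_FILE = {
    "file_id": "MM-2019-0042",
    "status": "closed",
    "surname": "Citizen",
    "given_names": "Jane Marie",
    "date_of_birth": "1985-04-12",
    "passport_number": "PA1234567",
    "drivers_licence_number": "123456789",
    "identity_documents": ["passport_scan.pdf", "drivers_licence.jpg"],
    "matter_type": "Skilled visa application",
    "related_parties": ["Acme Pty Ltd", "John Citizen"],
}

# Identifiers that serve no purpose once the matter is closed: delete them.
DELETE_ON_CLOSE = ("passport_number", "drivers_licence_number")
# Material that must be kept for the retention period, but away from active files.
ARCHIVE_ON_CLOSE = ("identity_documents",)
# The minimum retained in the main system to run future conflict checks.
CONFLICT_CHECK_FIELDS = ("file_id", "surname", "given_names", "date_of_birth",
                         "matter_type", "related_parties")


def initials(given_names: str) -> str:
    """'Jane Marie' -> 'J. M.'"""
    return " ".join(f"{name[0].upper()}." for name in given_names.split())


def minimise_closed_file(record: dict) -> tuple[dict, dict]:
    """Return (conflict_record, archive_bundle) for a closed file.

    conflict_record stays in the main system with given names reduced to
    initials and identity numbers removed; archive_bundle holds what still
    has to be retained and is meant for the separate archive location.
    The input record is not modified."""
    if record.get("status") != "closed":
        raise ValueError(f"{record.get('file_id')}: file is not closed")
    working = copy.deepcopy(record)
    archive_bundle = {"file_id": working["file_id"]}
    for field in ARCHIVE_ON_CLOSE:
        if field in working:
            archive_bundle[field] = working.pop(field)
    for field in DELETE_ON_CLOSE:
        working.pop(field, None)
    working["given_names"] = initials(working["given_names"])
    conflict_record = {k: working[k] for k in CONFLICT_CHECK_FIELDS if k in working}
    conflict_record["status"] = "closed"
    return conflict_record, archive_bundle


def conflicts_with(retained_records: list[dict], party_name: str) -> list[str]:
    """File ids of retained records where the new party's name matches the
    former client's surname or one of the related parties (case-insensitive).
    A real conflict check would be broader; this shows why the names survive."""
    needle = party_name.strip().lower()
    hits = []
    for rec in retained_records:
        names = [rec["surname"]] + list(rec.get("related_parties", []))
        if any(needle == n.lower() for n in names):
            hits.append(rec["file_id"])
    return hits


if __name__ == "__main__":
    kept, archived = minimise_closed_file(SAMPLE_CLOSED_FILE)
    print("retained in main system:", kept)
    print("moved to archive       :", archived)
    print("conflict with Acme?    :", conflicts_with([kept], "Acme Pty Ltd"))
```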
6. Update Regularly
It is strongly recommended that you regularly check to see whether your devices and the apps on them need updating. By the time a bug is reported and the appropriate fixes/patches are developed and distributed, the vulnerability has potentially been known about in the hacking community for some time. There is a whole marketplace for the buying and selling of “zero-day” exploits, so time is of the essence. And if you have old devices or software which are no longer supported, you need to take steps to remove and replace them. An unpatched device is a target, and there are hacking/security tools like Shodan which can scan the internet looking for connected and vulnerable devices and that give hackers (but also security professionals) nearly everything they need to know to exploit that device. So, stay up to date.
7. Don't Mix Business and Pleasure
We already know that emails can be risky, but it is even worse when someone uses the same email account for both their business and their personal communications. If you use the same email account for communicating with clients as you do for your eBay purchases, it gets much harder to spot a potentially nefarious email. The same goes for mixed-use devices and having both your personal and business devices on the same network. The more they mix, the greater the risk, as a breach of one can quickly spread.
It is recommended:
- That you have a dedicated email address for communicating with clients that is not used for anything else, as well as a dedicated email address for communication with Departments and Courts. Having emails that are exclusively used for one purpose makes it easier to spot bogus communications if they come in via a different channel
- That you avoid using your work computer and work email for personal use
- When working from home, if you can, keep your work computer on a separate network (VLAN) to keep it separated from all the other personal devices on your network. Cybersecurity professionals will tell you that IoT devices (smart devices) present one of the greatest security risks to your network, so you need to take steps to isolate them from your business data. Your insurers aren't going to be happy if your unpatched smart light bulb resulted in a data breach of your business – yes, it's a thing.
8. Understand that Data Security is expensive
In a world where inflation in the tech sector is running at multiples of the high inflation levels of the wider economy, it is important to understand that data security is very expensive to implement and maintain. The cost of data storage and associated security provisions are increasing all the time – data centres consume huge amounts of electricity, and so the rise in the cost of energy has a big impact. You can see this with services such as Apple, YouTube (premium) etc. who have increased their prices by as much as 30% in Australia in the last few weeks (in some countries it has been as much as 300%). Many predict that gone are the days when tech companies could launch a product at a super cheap subscription rate with the aim of rapid growth to enable an IPO or acquisition at a crazy share price. With investor funds drying up, and costs spiralling, unsustainable tech companies are hitting the wall (by way of example, the share price of Snapchat is down by 80% since the start of the year). Additionally, many companies have ignored or just paid lip service to data security, at the expense of implementing all the necessary systems, policies and procedures to keep data safe. However, new laws are imminent – laws that contain very significant financial penalties for lax data security. Companies can no longer afford to ignore data security and those that do run the very real risk of being put out of business overnight given the potentially huge fines. Accordingly, the financial equation is changing; the days of “cheap and cheerful” are over, meaning prices inevitably will either go up, or services will cease to exist.
So, with “cheap” being mutually exclusive with the concepts of secure and sustainable, if you are storing your data or documents in a low-cost product, you are (and probably always have been) taking a significant risk with that data. That cheap online storage you have been using could end up being very costly. It is therefore recommended that you review all the services you are using and take steps to move your data to sustainable businesses that value data security. At Migration Manager, we have for many years now spent a significant portion of our budget each year on security, including becoming ISO27001 certified, undertaking regular external audits and penetration tests, as well as ongoing staff education. It is by no means a guarantee, and it costs a LOT of money, but it is essential.
Your organisation's data security is only as good as the weakest link in your data handling chain. Quite often, that weak link is a staff member. It is no coincidence that most data breaches happen as a result of social engineering attacks. All the recommendations I have made can easily be undermined by someone who is either careless or who doesn't know what to do. Accordingly, it is essential that your staff receive ongoing education on how to securely handle data and what to do in the event of a breach. You should also create a culture of putting data security as one of your firm’s top priorities. At Migration Manager, we regularly send our staff on data security training days to get updated on the current risks as well as what to do in the event of an incident. In this regard, we can recommend the training courses provided by AusCERT.
Again, this is just an outline of some basic measures everyone should be doing to try and keep their data (and their clients' data) safe. There are many more things that you can and should do, and therefore it is strongly recommended that you speak to your IT or cybersecurity professional for advice.
Kelly Seal Lawyer, Lecturer, Cybersecurity Researcher
This article first appeared on LinkedIn on Nov 15, 2022.