Keeping it Safe – the importance of passwords

Keeping it Safe – the importance of passwords

Introduction

Currently, it seems as if rarely a week goes by without there being a report in the legal or general news of a business being hacked, its data stolen and its customers or clients put at risk.  Cybercrime is an increasing threat for everyone, not just those in business, and especially for those such as lawyers whose business is handling other people’s information.

In its 2014 Information Security Breaches Survey[i], the Department for Business Innovation and Skills revealed that 81% of large businesses and 61% of small businesses had experienced a security breach during 2014, with each small business experiencing an average of 6 such breaches during that year.  The average cost to small businesses of those security breaches has gone up from the previous year to between £65,000 and £115,000.

Cybercrime has become the most prevalent threat, the Office for National Statistics has revealed[ii]. Having included online offences for the first time in 2015 they have now estimated that there were an estimated 5.1m online fraud incidents and 2.5m cybercrime offences for the year to June 2015.  More worryingly, perhaps, the police do not seem able to cope.  Adrian Leppard, the City of London police commissioner revealed in a Panorama report in November 2015 that the police do not have the resources to deal with the full extent of cybercrime and the new wave of proficient cyber-criminals.

The difficulty that all firms, large or small, have is that increasingly there is a pressure to ensure that business and information is handled electronically.  Clients demand new and improved ways of communicating with their legal representatives and often the sheer amount of data and information which firms must process means that they are forced to do so electronically.

Add to this the fact that the issues surrounding cybersecurity are complex and the solutions sometimes expensive, and it can be seen that the average cash-strapped law firm is going to struggle to take any meaningful, technological steps to protect themselves. This probably explains the fact that increasingly law firms are becoming the cybercriminals target of choice.  As Jennifer Smith stated, writing in the Wall Street Journal, lawyers have become “soft targets in the hunt for insider scoops on mergers, patents and other deals.”[iii]

You are the weakest link – goodbye

Increasingly, therefore, law firms are finding themselves the preferred target for cybersecurity threats, with hackers increasingly aware that they are the easiest way of getting to sensitive and confidential client data.  However secure a client’s data storage and handling may be, they may only be as good as the weakest link in the chain of holding that information.  In many cases that weakest link will be the law firm.

Hackers, many of whom are working within sophisticated criminal gangs, will target the weakest most unprotected part of an information chain in the hope of finding data or information that might enable them to attack the more secure parts or, in the case of lawyers, simply to access the data that the lawyer holds about the client – data which may be extremely sensitive.

Not that it is only firms with commercial clients who are the target for the cybercriminal.  Reports abound of firms who have been targeted in connection with domestic conveyancing completions or who have had large sums removed from client accounts following litigation settlements.  The Daily Telegraph reported in May of this year[iv] a case where fraudsters had hacked into email accounts and managed to steal  £340,000.  Two days before the completion date the solicitor emailed his client asking for bank details so that sale proceeds could be paid. The clients reply, containing bank details, was intercepted by hackers, who then sent a further email to the firm, with the email appearing to have come from the client, changing the bank details to their own.  A mere two weeks later the Telegraph reported on a similar case where a couple almost lost £270,000 in a similar scam.[v]

The potential damage

It goes without saying that a security breach at a law firm could have serious repercussions, both for the firm and for the client.

In terms of “information value”, law firms often hold and regularly handle a huge volume of confidential client data about mergers, patents, business deals, employment issues, strategic plans and much more.  They may have access to a client’s own computer systems – thus storing passwords and user names – or hold credit and debit card details and confidential data about managers and owners of the businesses.  The consequence for the client from a breach in the firms security could be extensive with the potential for identity theft, financial losses and bankruptcy not being outside of the arena of possibility.

For the hacked law firm, the consequences can be equally as grave.  Clients who have been prejudiced may bring actions for negligence against the firm.  There is likely to be a loss of clients and reputation by the firm.  There is even the potential for legal and regulatory sanctions against the firm and the possibility of the firm being intervened in if the Solicitors Regulation Authority (SRA) believe that other clients are likely to be at risk.

Indeed, from the legal and regulatory perspective alone, there are a raft of provisions which the firm might find that it has breached, including:

  • the Computer Misuse Act 1990,
  • the Data Protection Act 1998,
  • the Companies Act 2006,
  • the Legal Services Act 2007,
  • Principles 4, 8 and 10 of the SRA Handbook, and
  • Chapter 4 of the SRA Code of Conduct 2011

to name but a few.

It may not be long before clients, especially commercial ones, start to insist on security audits before instructing a firm.

Keeping Data Safe

Whilst larger businesses can usually afford the costs associated with a sophisticated cybersecurity plan, smaller firms – especially small law firms whose finances are likely to be tight already – cannot do so.  This means that increasingly, unless steps can be taken, they will become less attractive to clients of all types.

However, whilst clearly there are threats that can only be addressed with technological resources, the good news is that not all cybersecurity precautions need to involve cost.  Many of the threats to security that law firms face come not from technological breaches but from human error – they are down to ignorance, sloppiness and failure on the part of people.

A further problem for many firms is that of ignorance – simply not knowing what could happen or the likelihood of it happening. For this reason it is vital that firms address cybersecurity at the highest level and take steps to ensure that everyone within the firm – including the cleaner who has access to the burglar alarm code – knows what the risks are and what they should be doing to prevent those risks from becoming a reality.

There are many potential threats to firms from a range of sources including denial of service attacks, phishing, viruses and Trojans, breach of networks and social engineering, to name but a few.  Covering all of these, in even the most basic way, would be a major task. However, there is one risk – and it is possibly one of the biggest risks – that firms can start to tackle in a meaningful way with very limited resources and that is the risk posed by passwords.

The importance of passwords

Passwords are at the heart of data security and have become such a ubiquitous part of IT use today that the importance of them is often overlooked and they are often treated more as an inconvenience than a sound security benefit.

Passwords are used extensively in home and business life – from logging in to email accounts, bank accounts, online forums and social networking sites, to accessing computer networks in the work place, opening secure documents – even simply getting in to the building.

The problem with passwords, however, is that in many cases they are invented by people whose primary aim is not security so much as ease of remembering.  For that reason, many people stick to the familiar – such as names, nicknames, dates of birth, maiden names, and other obvious and predictable information – and will often use the same password for many different accounts and purposes – with many people using the same password for everything.

Passwords are the first and most important key to security for the vast majority of matters – and rather than being something which is dealt with as simplistically as possible should in fact be something over which a great deal of thought is given. Where work-based passwords are concerned there is a strong argument, in fact, for taking the responsibility for their creation out of the hands of the users altogether.

Passwords to avoid

Faced with the task of creating a password most people will choose a something they can remember.  This might be by using the same password for all accounts or it might be by selecting something memorable and possibly – although not always – adding a number either at the beginning or the end.

There are, of course, a number of passwords that should never be used because they are so blindingly obvious that they might as well not be there.  Splashdata, who produce password management applications, publish a list annually of the 25 most commonly used passwords[vi].  This reveals that the top ten passwords (and therefore the ones most to be avoided) are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football

With other stalwarts such as “letmein” at number 13, “access” at number 17, “superman” at number 21 and “batman” at number 24.

Also to be avoided are passwords which could easily be guessed or found out following a short internet search.  These include:

  • the user’s name or nickname – or part of that name whether or not followed by a number,
  • addresses – even former addresses as these can often be found from sites such as Companies House, Companycheck or other sites which record addresses
  • pets’ names – these are often to be found in Facebook profiles,
  • employers – a LinkedIn entry can provide this information,
  • hobbies, cars, children or partner’s name – again readily to be found on social networking sites – not even your own social network page,
  • current media figures, films, pop groups and sports personalities – most hackers will have a comprehensive list of these.

Bear in mind that adding a two or three digit number to the end of a password that is normally not good does not in itself make that password substantially any more secure.  Also be aware that incorporating any personal information into a password – for example adding an ATM pin number to the end of a word – is never a good idea as it means that anyone who gets hold of the password also has access to information which could be used for other things.

Even a word that is not linked to the user in any way is not the answer to a secure password.  A common way in which hackers get access to accounts is to carry out a dictionary attack – an attack where using powerful computers the hacker systematically enters every word in a dictionary into the password field.  Moreover, the dictionaries in question are not just standard dictionaries but include dictionaries of place names, song titles, lyrics, films, film stars, sports personalities, children’s names and much more.  The power of the computers used can mean that hackers are able, in a relatively short space of time, to enter all of the names in both upper and lowercase combinations.

The final password to be avoided is simply that which you have used anywhere else.  The rule should be one password/one account.  If there were to be a security breach of a service to which you had passworded access then the likelihood is that the passwords obtained will be sold amongst the cybercriminals who seek to access accounts.  If you use the same password for more than one service then the simple fact is that you have given away the security of other services to which you subscribe.  Although keeping tens, if not hundreds, of different passwords is not easy it is something which must be done, and as we shall see shortly, there are ways for managing this.

What makes a good password?

So if you cannot use names and common words on their own, what does make a good password?

Ideally passwords should be as complex and as long as possible.  Bear in mind that even an 8 letter password which is not a real word could potentially be cracked by a powerful hackers computer in a matter of seconds despite there being over 200 billion possible letter combinations.

The ideal password, therefore should be a mixture of upper and lower case letters, numbers and symbols and should, as a rule of thumb be at least 14 characters long – e.g. TfD$38&hEs41£9.

If you find that too difficult, try mixing together a number of unrelated words, possibly with random capital letters – for example horseBox_undertakeR_Saturn_pomeGranate .  However, make sure that the words would not normally be found together or do not relate to you – e.g. red_hot_chilli_pepper or Millwall_Football_Ford_Lawyer

Remember, however, you must use a different password for each account that you have.

Enforcing Passwords

Within the firm environment, you might like to consider enforcing complex passwords on staff.  This can be done in a number of ways:

  • some networks and document management / processing systems have in place a protocol which requires that users have strong or very strong passwords
  • you could create the passwords for users and require them to use those passwords
  • you could require users to use a password strength checker.

However, a word of warning about password strength checkers – they are not only not always accurate but they could be being used to collect passwords of those testing them. For that reason you should only ever try out a password of a similar length and complexity and then use something different but equally as complex.  Use the Kaspersky password checker[vii] to see how quickly even apparently complex passwords can be cracked.

In addition to requiring complex passwords, firms should insist that users change their passwords on a regular basis – and not simply by increasing a number associated with the password, however complicated.  If R3$y&89$dsUt7 was hacked last month and became insecure  R3$y&89$dsUt8 is not going to be any safer.

Storing passwords

Firms should be very careful how and where they store passwords.  Passwords should never be stored simply as plain text and should always have encryption applied to them.  A common method for this is known as hashing where an algorithm is applied to the password which creates a different value from that which is entered by the user.  Most hashes work so that it is difficult for a hacker to work out what the password is from its hash.  However, it is not unknown for this to happen and for this reason secure environments often “salt” a password with a random value before it is hashed thus greatly increasing its complexity.

Transmitting passwords

Just as passwords should never be stored as plain text, similarly they should never be transmitted in the form.  For this reason, encryption should always be used between the users terminal and the data being accessed.  A common form for that encryption is the SSL (or Secure Sockets Layer) which is the standard security technology for establishing an encrypted link between a web server and a browser and which you may have seen on web sites that begin “https” as opposed to the more usual “http”. The encryption used ensures that all data passed between the web server and browsers remain private.

Password managers

We have already alluded to the fact that passwords need to be as long and as complex as possible.  However, given the number of different accounts that many people need to access, having many different complex passwords can create a logistical nightmare.  Since writing passwords down or keeping them in a file on your computer (or worse still on a post-it note stuck to the screen) is not a safe thing to do, how is the normal person to remember dozens of different random 14 character passwords?

The answer is a password manager.

A password manager can be set up on your computer, mobile phone, tablet, etc. and can automatically enter the right password into the right account.  Moreover, because it is capable of “remembering” an almost infinite number of unfeasibly long passwords it can make sure that each account has a different, complex password.

Of course, the downside is what if a hacker gets access to the password manager.  The way around this is to make sure that you have a very long and complex single password to enter the manager.  Whilst still not necessarily easy to remember, at least there is only one of them.

There are many password managers available.  However, PC Magazine recently carried out a review of the best[viii] in which Dashlane and Lastpass came out top.

Phishing and social engineering

One final point to bear in mind is that a password is only of value if it is confidential and secure.  If you tell someone your password then you have lost control of it.  This is something particularly to be borne in mind when looking through emails or when you are asked to give a password out over the phone.

Most cybercriminals know that people are the weakest link in any secure system and that the way to exploit that weakest link is to find the one who is either trusting, gullible or simply stupid.

It is rare in the extreme that any provider of any service will ask you for your password – whether it be over the phone or in an email.  The probability is that it is a cybercriminal “phishing” for information to allow them to access a database, a bank account or a network.

For that reason NEVER disclose your password in either an email or a telephone conversation – especially where the other party claims to be a bank or a network manager. Likewise, be careful what other personal information you disclose if you think this could be used in a harmful way.

Summary

To summarise, therefore, cyber attacks are on the increase and if client, firm, financial and personal data is to be kept secure then steps must be taken by firms to protect that data.  Failure to do so could result in confidential information being leaked, clients being damaged, the firm’s reputation being reduced and ultimately the firm could go out of business.

It is the duty of everyone within the firm to be vigilant at all times to report anything suspicious and not to do anything which could compromise the firms security.

Whilst some cybersecurity solutions can be expensive to implement , and as a result out of the reach of smaller law firms, nevertheless there are steps which all firms can take.  One of those steps is to ensure that everyone in the firm practices secure password management.

 

[i] http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf

[ii] http://www.ons.gov.uk/ons/rel/crime-stats/crime-statistics/year-ending-june-2015/sty-fraud.html

[iii] http://blogs.wsj.com/law/2012/06/25/dont-click-on-that-link-client-secrets-at-risk-as-hackers-target-law-firms/

[iv] http://www.telegraph.co.uk/finance/personalfinance/borrowing/mortgages/11605010/Fraudsters-hacked-emails-to-my-solicitor-and-stole-340000-from-my-property-sale.html

[v] http://www.telegraph.co.uk/finance/personalfinance/borrowing/mortgages/11632304/Email-hacking-another-home-seller-robbed-of-270000.html

[vi] http://splashdata.com/blog/

[vii] https://blog.kaspersky.co.uk/password-check/

[viii] http://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-for-2015

Terms and Conditions | Site Map | Privacy and Cookies

Copyright © 2017 Richard Nelson LLP and Murdochs. All rights reserved.
The Lawyers Defence Group is operated by Richard Nelson LLP, a Limited Liability Partnership authorised and regulated by the Solicitors Regulation Authority and whose partnership number is OC357136 and Murdochs Solicitors, who are also authorised and regulated by the Solicitors Regulation Authority, and whose SRA number is 52683.
Please note that all advice, guidance, representation and assistance, legal or otherwise, is provided either by those firms or by appropriate referral to other suitably qualified persons. No advice, guidance, assistance, representation or other support is provided by or in the name of the Lawyers Defence Group.
For further details please refer to the terms and conditions for use of this web site and to the terms and conditions of the firms involved.
The professional rules governing our lawyers can be found at rules.sra.org.uk