Who Goes There?

Password security is vital security

Last month’s huge data breach at the Panamanian law firm of Mossack Fonseca – to give you an idea of its size, it was hundreds of times bigger than the material released by Wikileaks in 2010 – is an example of just how much damage a data security leak can cause. The private affairs of the firm’s clients became public property overnight, allowing the press to trace money across continents and into tax havens. 

Although the leak uncovered some pretty questionable, and possibly illegal, behaviour on the part of some of the firm’s clients, many other clients who were not doing anything wrong had their most private financial affairs opened up for the world to see. 

Most people would prefer not to have their case files made public, and it’s a reminder that law firms hold extremely sensitive information on individuals, about which they have to take very great care. Mossack Fonseca had a particular reputation for discretion and privacy; that reputation has now been critically damaged, if not destroyed.

The cause of the Mossack Fonseca leak is not known yet; it could have been a sophisticated hacking operation, or it could have been a whistle-blower. Law firms can’t do very much about whistle-blowers, but we can all use this opportunity to review data security – and data security starts with the secretarial team. 

The saying goes that no chain can be stronger than its weakest link, and in data security the weakest link is always passwords and password management. This is a particular concern for secretaries, because when a password is compromised, the first response of management is often to look to the secretaries for blame. Hackers are out there, waiting to exploit loose password security, and you should certainly not make their job easier for them.

First things first: restrict access to your computer. Don’t leave yourself open to opportunist data thieves. We tend to have an image of hackers as Mafia-funded technogeeks motivated only by money. Remember that there are also plenty of hacks which are simply malicious: an aggrieved client may want to damage the firm’s reputation or publish business details about a rival. 

Although it seems surprising in this day and age, there are still apparently a lot of computer users who do not use a lock screen program to prevent the computer being used by anyone but themselves. A lock screen requires a password to be entered once the computer has been left for more than a specified amount of time, thus blocking the opportunist data thief.

If you work in any area to which the public have access, even if they are just walking through the office on their way to a meeting room, your computer is vulnerable to a hack. If you use a laptop or tablet to log in from outside the office, even if it is only occasionally, a screen lock is absolutely essential. A password-protected screen lock is generally easy to set up, although if you are on one of the more advanced operating systems, you may need some IT support.

Most law firms nowadays operate a legal case management software package, and all employees will have their own individual password which will give them access to specific areas of information, including in some cases clients’ bank account details. It is obvious good sense to ensure that your password (or better still, pass phrase) is something that you can remember off the top of your head, not something you have to write down. Never write down passwords, and in particular never store them ‘just in case’ on your mobile phone; the hackers got wise to that one long ago, and mobile phones are still far less secure than computers. 

Apparently the number one pet peeve of IT consultants is that we tend to use the same password over and over again, and that makes things even easier for hackers, who may find their way into your work files via your personal files. Make sure that your work password is unique and that you do not use it anywhere else. 

It is also obvious good sense not to share your password with anybody else, but this principle tends to come into conflict with everyday office life. Someone is off on holiday and you need to get into their documents folder urgently; a temp needs quick access to a document which has to be finished by the end of the day. These are just two of the occasions when the pressure of the situation means that a password gets disclosed and shared – often at the boss’s insistence! – when it really shouldn’t have been. Once it is out there, it is essentially useless, even if you passed it to someone you know well. 

If you do have to disclose a password in the pressure of the moment, or if one is disclosed to you, make sure that your firm’s IT staff know about it straight away and ask them to take remedial action. The shared password is obviously now of no use and will have to be changed. 

The dangers are particularly severe if a temp has had access to a valid password, because by the nature of things temps are strangers to the firm and have not been fully checked for security. They probably aren’t hackers, but they might be, or they might know someone who is. If you have an IT department in your firm, it will ensure that any passwords given to temps are strictly controlled and time-limited. If you don’t have an IT department, make sure there is an office policy about passwords for temps and that all such passwords are deleted once there is no longer any use for them.

These are the basics – what you might call Passwords 101. However, because they are the basics, they are easy to overlook, so don’t get caught out.