Ed. note: This is the latest in the article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.

As November begins, it’s a great time for lawyers to spend a few moments reflecting on tips and lessons learned during the annual Cybersecurity Awareness Month that just concluded. There have been vast changes in the cybersecurity realm over the past year, including the dominance of Artificial Intelligence (AI) and its effect on cybersecurity, both good and bad, and the persistence of phishing attacks. With each passing day, month, and year, cybersecurity challenges continue to grow for lawyers.

Microsoft has released its year-in-review rundown, offering simplified advice and cybersecurity steps to help protect your data and systems. Lawyers love it when complex technical jargon is broken down into easy-to-understand concepts with steps to implement, especially when the information is free.

Use Strong Passwords and a Password Manager

Microsoft now recommends that passwords never expire. Yes, you read that correctly. You can increase your firm’s Secure Score (a percentage value that compares your Microsoft 365 environment’s security settings with those of firms of similar size and industry) by setting up your users with passwords that do not expire. That seems contradictory to the last 20 years of password policies. By using a complex password of 14 characters or more, in coordination with a password manager, users no longer must change their passwords every 30, 60, or 90 days. In many cases, forced rotation just leads users to increase the number at the end of the password by habit, or to write the password down on paper (or keep it in a Word file) if it is too complex.

Users should be using a password manager so they don’t have to remember strong, complex passwords. Let the software do it for you! This can also eliminate password reuse between different accounts, another big cybersecurity no-no. There are many different password managers out there, including the Microsoft Authenticator app, which you probably are already using for MFA (and it’s free).
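One way to check this setting across a Microsoft 365 tenant, as an added example that is not from the article or from Microsoft: the script below audits which member accounts still have password expiration enabled and applies the never-expire flag to them using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and the signed-in administrator holds a role that can update users; the 14-character minimum the article recommends is enforced separately by your password manager and tenant policy, not by this script.

```powershell
# Added example (not the article's or Microsoft's own code).
# Audit which Microsoft 365 member accounts still have expiring passwords,
# then set them to never expire, the Secure Score recommendation described above.
# Assumes: Microsoft.Graph module installed; caller can update users.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Member accounts only; guest and service accounts are out of scope here.
$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id, UserPrincipalName, PasswordPolicies

# PasswordPolicies is a comma-separated flag string (or empty).
# A user whose list lacks DisablePasswordExpiration is still on forced rotation.
$expiring = $users | Where-Object {
    -not (($_.PasswordPolicies -split ',') -contains 'DisablePasswordExpiration')
}

"Users whose passwords still expire: $($expiring.Count) of $($users.Count)"
$expiring | Select-Object UserPrincipalName, PasswordPolicies | Format-Table

# Review the list before running this loop. Existing flags are preserved
# and DisablePasswordExpiration is appended, so no other policy is lost.
foreach ($u in $expiring) {
    $flags = @($u.PasswordPolicies -split ',' | Where-Object { $_ }) +
             'DisablePasswordExpiration'
    Update-MgUser -UserId $u.Id -PasswordPolicies ($flags -join ',')
    "Updated $($u.UserPrincipalName)"
}
```

Re-run the audit portion afterward; the count of expiring users should be zero, and the Secure Score recommendation will reflect the change after its next evaluation.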
Here is a gentle reminder for all lawyers: do not save your passwords within your browser. It doesn’t matter which browser you use, Chrome, Firefox, Edge, or Safari; do not do it. Close the prompt or select the Never option when the browser prompts you. If your computer were to be compromised, attackers would have quick access to all the keys to your firm’s kingdom.

Turn on Multifactor Authentication

There’s not much to expand on here, and we are well beyond the “inconvenience to users” complaining phase of this foundation for a strong cybersecurity posture. If MFA is offered by your service provider, which it probably is these days, turn it on. MFA alone can prevent up to 99.99% of business account takeover attacks and keep attackers out of your mailbox and bank accounts.

Learn to Recognize and Report Phishing

Phishing attacks remain the number one concern of IT and cybersecurity departments and continue to cause long, sleepless nights for firm management. The primary way for users to get better at detecting a phishing email, and not falling victim to it, is training. Mandatory cybersecurity awareness training with phishing simulations is the best way to educate your users and increase their ability to detect these messages. When a user doesn’t pass a simulation test, they can be presented with short educational videos to help reinforce detection concepts. Training, in coordination with a strong email protection solution, can help keep those persistent phishing attempts out of your inbox. Phishing emails are getting harder and harder to recognize now that AI is used to generate their content. And yes, users should never provide credentials after clicking a link from an unrecognized sender, let alone enter their MFA code. Instead, users should report the phishing attempt to IT support and shift-delete the email out of the mailbox.

Keep Your Software Updated

Vulnerabilities should never be overlooked or forgotten. Zero-day exploits surface throughout the year, and most vendors release critical security patches and updates to fix them frequently. Keeping your systems and software updated remains a priority in a good, well-established cybersecurity plan. Taking users out of the equation is the best course of action. Automating both operating system updates and third-party software updates is key to patches being applied rather than put off by users, a common reaction to the pesky Windows prompts that updates are ready to be installed and the computer restarted. If your firm uses Microsoft Intune for device management, you can create a policy that applies to your devices to automate this process at no added cost. If your firm works with a managed IT services provider, ask them about automating the process for you, since they probably have Remote Monitoring and Management (RMM) software installed on your endpoints. For mobile devices, users should download and install updates when they’re prompted.

See, that wasn’t too bad. These four simple steps can be quickly implemented by lawyers at little or no additional cost. One day firm management may be able to sleep well at night, but not anytime soon, especially if you haven’t started to take the most basic cybersecurity steps to protect your accounts and client data.

Sharon D. Nelson ([email protected]) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.

John W. Simek ([email protected]) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.

Michael C. Maschke ([email protected]) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.