De-risking email

Email remains the most popular communication method for solicitors – for receiving and responding to instructions, for sending documents, exchanging drafts, and issuing invoices.

Its convenience has trumped many of the security concerns – and the question has to be, how can it be used more securely.

Tip 1: Choose a strong, unique password

Don’t simply reuse a strong password you use on other accounts (e.g. your internet banking, your personal email, or Facebook account). Don’t make it so complex that you can never remember it, but complex enough that it will take hackers longer to break. Do not include any part of your name, including maiden name, your school, first pet, home address or other personal information, as these things are remarkably easy for serious criminals to find out and guess. You can, if you like, use a reputable password manager (a bit of software that, via a single secure password, then creates and remembers constantly changing random passwords) – as long as you keep that one password very secure.

Kaspersky have created a really useful tool that helps to educate you on what makes a strong password. You can find it at https://password.kaspersky.com/. But please do not test out any current passwords on it – that would NOT be good security practice!

We have more practical advice for law firm managers regarding implementing good password security on our website (www.locktonlaw.scot).

Tip 2: Add a second layer of protection

This is called “two-factor authentication”, and is available on almost all modern email systems that you would want to be using. All it does is add a second type of identity verification to your account. You may have experienced this when making a Paypal transaction or using your internet banking, for example where you have been asked to quote a code sent to your phone. This could be activated, for an email account, when you want to change your password, for example.

Tip 3: Avoid sending emails to the wrong person

Statistics from the Information Commissioner indicate that there are more information security breaches reported as a result of emails being mis-sent than any other single cause. We have all done it at one time or another – and it is particularly easy to do if you either have “auto-complete” enabled on your email account, or are accustomed to “replying to all”.

There are some simple things you can do to help reduce the risk. Train yourself always to read down the whole email chain before sending – that can help reduce the risk of unintended information being sent to the wrong party. The best advice is never to use “reply to all”, no matter how temptingly convenient it can be. But perhaps the most useful risk reduction tool is an email add-on that helps prevent emails being sent to the wrong party. Tools such as SendGuard for Outlook are designed to deal with exactly this problem issue. They will prompt you to check the details of the person you have selected to email, and can also prevent accidental replies to all.

Tip 4: Keep wise to phishing emails

Don’t click on suspicious links or attachments (there has been a significant increase in viruses and malware embedded within MS Word or PDF attachments). Check the sender email address carefully and the naming of any attachments. Don’t log in to other accounts from your email. Beware of spam – and remember some of it is becoming much more sophisticated. If in doubt, telephone if it is from a known sender, or forward the email to your IT team to check.

Look out for our guidance on spotting phishing which will go live on our website in April.

Tip 5: Beware of public wi-fi

It may be free, and convenient, but it is not very secure. The data you’re viewing, including passwords being entered, could well be accessed by hackers. If you must use it, avoid accessing sensitive material or logging into business accounts, unless you access your work network remotely via a secure, encrypted “virtual desktop” which minimises the risks. If in doubt about this, check with your IT team.

Tip 6: Encrypt sensitive data, or don’t send it by email

Email is not a secure form of communication. The simplest way of protecting information is to place relevant files into a “zip” folder before sending, or even password protecting a document. These offer a limited additional degree of security. The problem with better encryption is its impracticality. Security software company Sophos have an excellent blog, including a post on the practicalities of email encryption, which you may find a helpful source of further advice.