I’ve been giving a few talks lately about ransomware and other security threats. I presented one for PLLIP-SIS which should appear here soon, as well as one for the 2020 AALL Virtual Annual Meeting.
During COVID, it’s been particularly challenging for us to keep our information and equipment safe while working at home. Here are some tips to help.
What can you do?
Use your tools: passwords, VPN, backups, and antivirus software are all vital tools for protecting your data. Your skills and relationships are also important – stay vigilant, keep in touch with your IT, and train your staff and others in your organization.
In your toolbox
Passwords
Do we change them every 6 months? Make them long and difficult to hack? There’s a great deal of debate about the best approach, but whatever your path, a password manager can help you stay on top of all of your passwords. I use LastPass because it works on all of my devices. When I change my password, LastPass can generate a random password that meets the criteria set by that service’s site (e.g. requires a special character or needs to be 8 characters long). LastPass will then use that new password on all of my devices, including my iPhone and iPad. I use 2-factor authentication – it would be difficult to break into my password list. The other solutions offer similar features – pick the one that best suits your needs.
VPN – Virtual Private Networks
VPNs, or Virtual Private Networks, protect you when you access networks and the internet. They keep your information away from prying eyes. During COVID, they also let us access resources – and even computers – on our work networks. Our home internet connections are not likely to be as secure as our work connections, so it’s important to use a VPN when you are working with sensitive data. VPNs can help prevent virus and malware attacks but are not foolproof.
Your organization likely has its own VPN already (Chicago-Kent uses Cisco). If it doesn’t, here are some suggestions – Best VPNs for lawyers: https://lawyerist.com/blog/best-vpns-lawyers/
Backups
If you are using your own device for work – phone, tablet, or computer – you should back it up every once in a while. You can back up your mobile devices to your computer, but what about the computer itself? You can buy a 1 TB drive for about $50 and use it for backups. Do not keep it connected to your computer at all times – just when you back up (this will help avoid infected backups).
If you can, swap out 2 or 3 drives to help keep your data safe from malware (you can’t restore from an infected backup). To be really safe, keep one backup off-site.
Antivirus
Antivirus software can’t protect you from all bad actors – they can create new variants of viruses faster than the protection can keep up. But it is an important shield to keep your equipment and data safe. Even Macs should be using antivirus software.
PC Mag picks for best antivirus: https://www.pcmag.com/picks/the-best-mac-antivirus-protection
While it’s important to use any tools available to you to keep your work safe, the tools alone are not enough.
One of the most common ways that bad actors infect computers today is through email that looks legitimate but is really a gateway to install bad software. When using your email, look for clues that something might be off. For example, I received a copy of the email mentioned in this warning not too long ago:
I thought it might be real at first (at the beginning of COVID, it felt like I was getting emails from everyone). But there were a few clues that let me know this was spam:
- Kirkpatrick was spelled wrong in the email address.
- This sender wouldn’t spell “favor” with a “u.”
- The message wasn’t very specific. What would the Provost want from me?
- The Provost wouldn’t contact me without cc’ing my boss.
Our school also now has a tool that marks external email “EXT”, so that would have been an additional warning, but it wasn’t in place at that time. I heard that even businesses are using an email validation tool like the ones from a place like www.zerobounce.net to reach their clients and avoid things like this.
But what really let me know that this email was not legitimate? I asked IT, who knew this email wasn’t real.
Talk to IT
Know your IT’s policies, especially those regarding working from home. Some of us may have a lot of leeway, while others have to follow strict protocols.
Educate – yourself and others
If you supervise any direct reports, make sure they know what security measures they are expected to take both in the office and when working from home. Depending on your organization, you may be providing security training for other staff in your office. But even if IT provides this training, you can emphasize security issues when hosting your own training. Talking about Westlaw? Mention password security. Demonstrating something on a local network? Bring up VPNs.
Librarians also make a great set of second eyes for others we work with. Encourage people you work with to ask you if they think something doesn’t work right (they can send you a screenshot, for example). And you, also, can reach out to others if you aren’t sure about something you’re seeing – a strange email, a website that doesn’t quite look right, or something different about your computer.
COVID has given us enough to worry about without having to deal with an infected computer, too. Use your security tools and skills to keep you and your organization safe both now and when we return.