It’s possible to lose data or break compliance without ever being ‘hacked’ in the technical sense. Besides, antiviruses like Huntress do such a good job that going after the software directly is rarely worth trying anymore. Social engineering is one of the easiest ways onto a modern computer with modern protection, and sometimes it’s the only way.
So – what does this risk look like, and what steps can be taken to mitigate it?
Socially Engineering Access
Social engineering is a method of getting access through people instead of through software. If the firewall is too tough to get through, and the antivirus is blocking downloads and files dropped onto a device, maybe phishing will give a thief entry! Physical access to a space can also be used to grab data or introduce viruses.
Social engineering is tricky to fight or train for because it takes advantage of the human urge to get along. It’s polite to hold a door open – but if someone holds a door open for someone who was waiting for it to be unlocked, then they’ve just let someone without a key into the building.
It’s not polite to interrupt someone who’s busy – but if someone who looks busy is abusing this politeness to get into a school, then not interrupting them might pose a safety risk. Maintaining harmony between coworkers while still doing the right thing to keep everyone safe and secure is a very tough balance to strike once data, a largely intangible thing that’s also scattered everywhere, enters the mix.
Getting Somewhere IRL
For example: someone comes in for a consultation and leaves an unlabeled USB behind, in a spot where it’s not noticed right away. Since nobody knows whose USB it is by the time it’s discovered, someone might plug it into their computer to look for identifying information, at which point any executable programs on it (malware!) might launch and try to run. Whether that succeeds or not, a risk has been introduced to the system via that USB.
Other methods include ‘dressing the part’ – it’s a joke online that wearing a high-visibility vest while holding a clipboard will make most people assume you’re supposed to be wherever you are, wherever that is. If nobody told them about any work, many people will also assume that their higher-ups simply forgot to mention it. In short, they’re more likely to give the person in the vest the benefit of the doubt. In fact, the Louvre was just robbed by people dressed as workmen shortly before I began writing this article! (https://www.mirror.co.uk/news/world-news/louvre-robbery-criminal-gang-posed-36094518)
The Louvre has had quiet problems with over-filling and under-staffing the museum for years ahead of this incident, but this is truly the icing on the cake. There was not enough security to keep the thieves from entering the building through a back door that didn’t have any screening, followed by a lack of personnel on the floor to intervene and ask them for ID or some sort of proof they were supposed to be touching the artifacts. They vanished into thin air, and the jewelry might already be destroyed or sitting in someone’s private collection, never to see the light of day again until the owner dies.
In a law office, this might look like dressing in formal wear, maybe attempting to pass as another lawyer, in order to get further into a building than they strictly need to be. If they somehow gain insider information that firm X is sending a gopher to pick up some documents from firm Y, they may try to pass as that gopher and walk out with files they shouldn’t have.
Or, the high-visibility strategy again: someone makes it obvious that they’re not a lawyer by posing as a maintenance worker the landlord might have sent. Calling to confirm may be awkward – but who would you rather be, the person who called the landlord about a ‘leak’ and caught someone out, or the people who let Napoleon’s jewelry disappear into the ether because they assumed all was fine?
The Computers
An opportunistic data thief might not enter a building intending to steal data. They may genuinely have business with a law firm when they enter, and in the process of sorting out a case or filing, realize they want something the lawyer has access to but cannot share with them, for any number of reasons. It’s better to prevent the temptation by encouraging good password hygiene (no sticky notes on desks!) and locking the screen behind a PIN or password when stepping away for a minute in a space that other people may have access to.
For law especially, this can cause gigantic headaches considering laws surrounding evidence, and what counts as privileged information vs. what doesn’t. Alex Jones’ lawyer famously sent an entire copy of Alex Jones’ phone, and failed to respond in time when the opposition asked if they meant to do that. Imagine someone sending something to themselves from a work computer. Even catching it at that point would be a major annoyance at best and a serious problem at worst. The opposition will of course behave responsibly and professionally, but people in the middle may not. In cases of stalking or abuse, simply getting the information at all might put someone in danger.
This means a little bit more friction on the user’s side, yes. It does make it a little bit more annoying to get back into a computer after a bathroom or lunch break, yes. But the other option is potentially exposing information to a party that shouldn’t have access.
In this vein, it’s also a terrible idea to share passwords. Not only does it make it more likely that a password will be compromised (risking another person writing it down and losing it somewhere they thought was ‘safe’), but it also risks an unaccountable loss of data. If multiple people can access the same account, and it’s impossible to tell who actually did because any of them could have, then holding the person who compromised that data accountable becomes impossible.
It also creates an opportunity for a peeved employee to reset the account’s password to a random one they don’t remember, locking everyone out and making it very difficult to get back in!
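The accountability problem above leaves a footprint in sign-in logs: a shared account tends to show up signed in on two different workstations at the same moment, something one person cannot do. The script below is an added example, not code from the original article or from any vendor it mentions; it scans a handful of constructed sign-in events (the log format and the account and workstation names are assumptions) and flags every account with overlapping sessions on different machines.

```python
"""Spotting shared accounts in sign-in logs.

Added example (not from the original article). It scans constructed
sign-in events and flags any account that is signed in on two different
workstations at the same time, which is the footprint a shared password
leaves behind: the log records the account, not the person.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <event> <account> <workstation>".
# Accounts, hosts and times are made up for the example.
SAMPLE_LOG = """\
2024-03-04T08:58:12 LOGON  jsmith    RECEPTION-PC
2024-03-04T09:01:40 LOGON  paralegal FRONT-DESK
2024-03-04T09:03:05 LOGON  paralegal LIBRARY-PC
2024-03-04T09:20:00 LOGOFF jsmith    RECEPTION-PC
2024-03-04T10:15:33 LOGON  jsmith    OFFICE-12
2024-03-04T11:02:10 LOGOFF paralegal FRONT-DESK
2024-03-04T12:30:00 LOGOFF paralegal LIBRARY-PC
"""


def parse_events(text):
    """Turn raw log lines into (timestamp, event, account, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, host = line.split()
        events.append((datetime.fromisoformat(ts), event, account, host))
    return events


def find_concurrent_sessions(events):
    """Return {account: [(already_on, now_also_on, when)]} for every account
    that logged on to a second workstation while still signed in elsewhere.

    jsmith signs off RECEPTION-PC before signing on OFFICE-12, so a sequential
    move between desks is not reported; only true overlap is.
    """
    events = sorted(events, key=lambda e: e[0])
    open_sessions = defaultdict(dict)   # account -> {workstation: logon time}
    findings = defaultdict(list)
    for ts, event, account, host in events:
        if event == "LOGON":
            for other_host in open_sessions[account]:
                if other_host != host:
                    findings[account].append((other_host, host, ts))
            open_sessions[account][host] = ts
        elif event == "LOGOFF":
            open_sessions[account].pop(host, None)
    return dict(findings)


if __name__ == "__main__":
    for account, hits in find_concurrent_sessions(parse_events(SAMPLE_LOG)).items():
        for already_on, now_on, when in hits:
            print(f"{when:%H:%M:%S} {account}: still signed in on {already_on}, "
                  f"now also on {now_on} - shared credentials?")
```

A hit is not proof of wrongdoing on its own (a user who forgot to log off one desk will trigger it too), but it gives the firm a concrete list of accounts whose activity cannot be pinned to one person, which is exactly the situation the paragraph warns about.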
Recommendations For Physical Security
The recommendations for HIPAA are some of the most stringent that ordinary jobs, ones that don’t require a security clearance, will still encounter. It’s not a perfect analogue – the recommendations assume nobody from outside has access to the area behind a counter, whereas in a law office a computer may sit at an ordinary desk, as one example – but the general ideas still apply.
Firstly, setting the lock screen to either a PIN or password is ideal, and required by HIPAA. A PIN has fewer characters, and is easier to ‘crack’ as a result, so the recommendation there is twofold: use a variety of characters, and don’t leave clients or customers alone with a PIN-locked device for so long that they’d be able to crack it just by slapping at the keyboard. A lock screen that only requires a button push or a mouse click to unlock the device is insufficient; it’s there mainly to stop things like cats walking across the keyboard and flipping the screen to portrait mode.
Secondly, access to personally identifying information should be limited exclusively to the people who need it. This reduces the risk of accidental exposure: if not every computer has access to every file on the server, it’s less likely that someone who walked in could catch a device unattended and unlocked and also snatch something important. This means that reception computers shouldn’t have more information than the receptionist needs for their job duties, and the screen should be oriented so that people cannot lean over the desk and see information they shouldn’t have.
There are more layers to this: things like cameras, firewalls, et cetera. At a point, the trade between security and ease-of-use comes into play. How much are you willing to inconvenience employees, knowing that too much inconvenience will cause them to seek shortcuts? Security must be rigorous, but not so rigorous that it slows down the people trying to do their jobs.
Ideally, a password will be complicated – but not a completely random string of numbers and letters that users forget and have to reset every time they come back on Monday. Ideally, they’ll have 2-Factor Authentication – and ideally, their phone will be enough, either through an authenticator app or a simple SMS message.
If you need help striking a balance, get in touch with us. Because 2FA is the single easiest way to stop bot attacks, we have a streamlined process for getting it set up, and we can help. We can also meet recommendations for compliance!