If you’re reading this, there’s a good chance you have one or more work and online accounts where passwords are required. (Duh, right?)
A recent study revealed that the average person now has 30 passwords to remember. I think that is shockingly low. I have over 982 logins in my password manager. Given this, it’s no surprise people are tempted to use the same password for many different accounts.
In essence, passwords are a form of security used to identify people and secure their identities and data.
They’ve grown so popular that it’s difficult to imagine life without them. They’re everywhere—from computers to smartphones to bank accounts, video games, and social media—and they serve as the foundation for many other technologies.
Despite all the progress made in computer technology, employees remain the weakest link in the security chain. User blunders often negate any effective security policy. According to studies, the most prevalent means of stealing user accounts is compromised email.
Consider how crucial a firm’s strong password policy is to its success.
A close friend of mine, who also runs an IT company, recently shared with me a story his client experienced. His client called him, concerned about a possible email hack at their firm. On the closing day, one of their lawyers got an email from a client conducting a mortgage close. The email came from the customer’s correct electronic mail address and was correctly addressed to the attorney. It simply required that he wire the cash to their bank after completing the funding.
All the required information was included in the email, including the routing instructions and account information for their new bank.
As you probably guessed, the closing attorney transmitted $650,000 to the wrong bank.
Didn’t they have a procedure to double-check the bank account data that arrived by email? Yes, they did, but the attorney ignored the proper steps. (That’s a different lesson.) The money was stolen as a result. Unfortunately, this is an all too typical occurrence.
How does this relate to password security, you might ask? The closing attorney’s email was not hacked. His client’s email account, on the other hand, was hacked, and that is the topic of this lesson.
Law firms that follow best practices for password security often neglect them for personal accounts, particularly personal email accounts.
It was not his client’s email account that had been hacked, but that of his client’s client. The more sophisticated hackers do not spam you or send hundreds of emails to everyone in the account’s contacts list. Nor do they leave any indications that they are reading your emails. They lurk, read, and wait for their chance. That is precisely what occurred in this example.
Don’t forget how conveniently indexing works in your email provider of choice. Whether it’s 365 or G-Workspace, anyone in your account can run searches to get to the good stuff immediately:
- Routing number
- Bank info
- Social security number
Any clever criminal will have a list of the top 10 keyword searches to get them to the juiciest info stored within email accounts. Then they get to work.
Most of us don’t realize that our emails are potentially being read by skilled hackers every day. A seasoned hacker may get a comprehensive picture of your life if they gain access to your email, or do the same for one of your team members. Someone spending a week reading through your email history would discover your banking, investing, childcare, business, and shopping habits, as well as private communications between colleagues, friends, and family members.
If this makes you uncomfortable, I’m relieved. Hopefully, it will push you to add preventative cybersecurity measures to protect your firm before a well-planned email message is received from your friendly neighborhood hacker!
Over the next few weeks, I’ll share more details on why password management is vital to your firm’s cybersecurity.
For solo attorneys or small law firms, password security is (or at least should be) an essential component of your overall security plan. Any policy you develop or modify should help prevent password guessing, along with other advanced password attacks.