How to manage your client's data responsibly
Download as PPTX, PDF0 likes82 views
1) The document provides tips on how to manage client data responsibly and securely, including using a VOI provider for identity checks, enabling two-factor authentication, sharing documents securely with expiration dates, storing documents securely in the cloud using encryption, properly disposing of data and physical documents, and contacting proper authorities in the event of a breach. 2) Topics covered include password security, document sharing best practices, secure storage and transfer methods, device and media disposal, and incident response. 3) Resources mentioned that can help with secure practices and incident response include the Law Council of Australia Cyber Precedent, Lawcover crisis management, and identity theft non-profits.
How to manage your client's data responsibly
- 1. How to manage your client’s data responsibly Protect your clients from fraud, identity theft and confidential information Jeremiah Cruz jeremy@cryptoaustralia.org.au Nick Kavadias nick@cryptoaustralia.org.au Gabor Szathmari gabor@cryptoaustralia.org.aucryptoaustralia.org.au
- 2. Who is CryptoAUSTRALIA • A not-for-profit started by security and privacy enthusiasts. • We have nothing to do with BitCoin, so please stop asking. • We are for finding practical ways of dealing with the modern privacy and security challenges. • We are looking for sponsors in order to continue our work and research. • This may be a new concept to lawyers, but we are running these events for free*. * This presentation does not constitute cybersecurity advice.
- 3. Self Promotion.. Tonight’s speakers: •Jeremy – Network Security Expert •Nick – Solicitor and Technologist •Gabor – Cybersecurity Expert
- 4. We know how to internet… @CryptoAustralia #cryptoaus http://chat.cryptoaustralia.org.au https://fb.me/CryptoStraya Interact with us in the digital world…
- 5. What we are covering tonight… 1) Bad practices 2) Password security (2FA and Password reuse) 3) Sharing documents securely 4) Storing documents securely 5) Prudent data disposal practices 6) Physical security (dos and don’ts) 7) What to do post-breach 🙏
- 6. Secret: “hackers” log into your webmail
- 7. Password hygiene • Websites get hacked. • People reuse same email and password across multiple online accounts. D’oh!
- 8. Haveibeenpwned Do you have leaked passwords? https://haveibeenpwned.com/
- 13. Meanwhile on SpyCloud... (an unrelated account)
- 15. Bad client document & personal information management practices • VOI checks • Online document conversion • Document sharing (e.g. Dropbox) • Keeping emails forever • Public Wifi
- 16. Bad practices - VOI checks 100 points ID checks – Leaks everywhere • Scan-to-email printers (bonus: unencrypted traffic) • Documents sent/received over emails • Emails are never deleted on the sender/receiver side
- 17. Bad practices - VOI checks • Don’t ask for scanned documents to be sent over emails • Rely on VOI providers instead • Secure smartphone app and web portal • https://www.dvs.gov.au/users/Pages/Identity- service-providers.aspx
- 18. Bad practices
- 19. Bad practices - Online document conversion Online2PDF.com, freepdfconvert.com... • They provide a convenient service to convert documents to PDF
- 21. Bad practices - Online document conversion Online2PDF.com, freepdfconvert.com... • Who’s behind the service? • What happens to your documents? • Why would you upload sensitive documents to random strangers?
- 22. Online document conversion Convert documents offline with Adobe Professional
- 23. Bad practices - Document sharing over emails Problem statement: Your email file attachments and embedder download links remain in your ‘Sent’ email folder forever, waiting for a hacker to login and download them
- 24. Bad practices - Document sharing over cloud-based file storage services File sharing with Dropbox, OneDrive, random service: • Download links are valid forever • Mailbox gets hacked → Links are still live
- 25. Transferring sensitive documents securely • Send web links instead of file attachments where appropriate • Use expiring web links Services: Google Drive, Sync.com, Tresorit...
- 26. Bad practices
- 28. Bad practices - Emails are kept forever Keeping all emails for extended period • Limit the damage if the mailbox gets hacked • Set an archive and retention policy and archive emails to a secure third-party service (e.g. Spinbackup, Backupify) • Office 365, G Suite support retention policies
- 29. Bad practices
- 30. Bad practices - Public Wifi Lots of hacking wizardry: • Password theft via fake login pages • HTTP pages tampered on the fly • Theft of unencrypted sensitive data Just take our advice on the next slide
- 31. Public Wifi – Use VPN or a 4G dongle
- 32. Good security hygiene What else you can do
- 33. Secret: “hackers” log into your webmail
- 34. Password hygiene • Websites get hacked. • People reuse same email and password across multiple online accounts. D’oh!
- 35. Two-factor authentication Most powerful defence from: •Crappy passwords (Letmein1) •Stolen passwords (phishing) •Leaked passwords (reuse)
- 37. Password hygiene – Wallets Remember a single password only • LastPass • 1Password • Dashlane • RoboForm • < Any random password wallet >
- 38. Storing documents securely Cloud file storage – Who your adversary is • Hackers? - Dropbox, G Drive, OneDrive + Two-factor authentication turned on • Government? - End-to-end encrypted service: Sync.com, Tresorit • Encrypt your disks, USB flash drives and smartphones • BitLocker - Windows 10 Professional • FileVault – Mac • Android supports disk encryption • On iOS disk encryption is turned on by default
- 39. Prudent data disposal practices Laptops, computers: • Magnetic disks: overwrite • DBAN (https://dban.org/) • SSD: Physical destruction • USB flash drives: Physical destruction
- 40. Prudent data disposal practices iPhone: Factory reset Android*: 1. Encrypt device 2. Remove storage and SIM cards 3. Factory reset 4. Remove from Google account Phones (SD card): Physical destruction * https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html
- 41. Physical security (dos and don’ts)
- 42. Physical security (dos and don’ts) • Shredding documents • Diamond cut shredder • Secure document disposal service • Can secure dispose digital media for you • Digital certificates (e.g. PEXA key) •Leave them unplugged when not in use •Cut the built-in smart card in half to dispose
- 43. What to do when you get hacked 🙏 • Disconnect your computer from the Internet and stop using it • Notify LawCover - They have an incident response team • Checklist: http://lca.lawcouncil.asn.au/lawcou ncil/images/cyber/CP-What-to- Do.pdf
- 44. Summary 1) Use a VOI provider for identity checks 2) Use 2FA and don’t reuse your password 3) Share documents with expiring links 4) Store documents in the cloud securely (2FA) 5) Dispose data securely 6) Shred documents & protect digital certificates 7) Notify LawCover when the house is on fire
- 45. Where to get help • Law Council of Australia Cyber Precedent, great learning resource • Law Council cyber-attack checklist • Lawcover crisis management team can help you clean up the mess. • Victim of identity theft, you should contact IDCARE, NFP helping people • Have a conversation with your IT Service Provider, or staff. Use these slides as a talking point!