Thank you, GLSA, for the opportunity to share important information for members about their cybersecurity. In my practice, we focus on helping people understand how to implement easy and reasonable measures to protect themselves and their firms online. One of the core measures that I help people implement is 2 Factor Authentication (2FA), also referred to as Multi-Factor Authentication (MFA) or 2 Step Authentication. To define what we are talking about, think about the status quo username and password combination. In this scenario, all that is needed to access a resource is a username and a password. This introduces a lot of risk, in that all of the data protected behind that combination depends solely on the quality and secrecy of the password. Most users, in order to make their lives easier, tend to reuse passwords across multiple sites. This is understandable, considering the sheer volume of credentials a typical partner or firm administrator needs to get through the day. Passwords are a topic for another blog post, however.
Most popular websites and applications now support adding a security measure beyond the username and password to better secure access. Gmail, Office 365, most financial and banking sites, and firm management applications such as Clio support 2FA. I submit that failing to enable 2FA on your accounts may subject you to a negligence complaint in the event of a data breach. When working with users to set up 2FA, I frequently hear, ‘that was easy,’ when completing the process. In most cases, activating 2FA on an application is as simple as opening the security settings for your account, clicking a button to enable it, entering your phone number, and receiving a test text message. Because it depends on the possession of a device such as a smartphone or an authenticator application, a username and password along with 2FA are exponentially safer than a username and password alone. Because text messages are so easy to employ in your 2-factor strategy, I submit that failing to use 2FA for any applications that support it constitutes negligence on your part in your strategy to protect data. There really is not a good excuse for not doing it.
Your action item after reading this blog post is to list the top 3 applications you use in your practice. These would be the applications that contain the most sensitive data about your clients: perhaps Office 365, Clio or another firm management system, and perhaps a file storage system such as Dropbox. Then check each application to determine whether it supports 2FA. Note that Office 365, Clio and Dropbox all support 2FA. If an application does support 2FA, enable it. This applies to everyone in your firm who uses the respective application. Be mindful to include administrative or technical support staff. Also consider that these people may be outside your firm, such as an IT consultant or contractor. Thank you for the opportunity to contribute to improving data security for GLSA members. Feel free to contact me for more info about 2FA or any cybersecurity topic: 888-908-4551 or smz@eWranglersbts.com.