New Zealand Law Society - Stop using free email services, expert says


This article is over 3 years old. More recent information on this subject may exist.

Recent reports in the media about lawyers’ emails being “hacked” raise the question of whether some lawyers are doing enough to protect privileged information sent via third party email providers.

Aura Information Security CEO Andy Prow says free email services are commonly used in the profession and that it’s time to stop if the lawyers concerned are serious about protecting their firms’ and clients’ interests.

Mr Prow – who works with law firms throughout the country – says only a handful of firms use up-to-date file storage and communication technology and that “many firms are way behind in their IT and information security practices, with some still back in the dark ages”.

Mr Prow says he has seen many lawyers using free email services, which is no longer an acceptable way to communicate with your clients.

He says free accounts leave you open to someone easily creating a spoof account and pretending to be you. Considering the private and privileged information being transferred these days between law firms and their clients via email, it should be treated far more seriously. “Lawyer@gmail.com” is no longer an acceptable and trusted way to communicate.

“We work with a number of law firms in New Zealand and one of the big things that leaps out to us is that law is still quite an antiquated industry in the way it operates. That’s fine from a legal perspective, but not from an IT security perspective.

“The thing is that IT moves forward so fast. In my opinion the legal beast and legal people are not used to racing forward at light speed,” Mr Prow says.

Mr Prow says online information security “is one area where you must keep consistently up to date”, and that free email services just don’t cut it anymore.

“I absolutely recommend to anyone in law: don’t use the free ones, use the corporate versions.

“Use your trusted domain names and if you’re using Office 365, Google or any of the other providers, use all of the security measures that they give you.”

Mr Prow says, however, that using third party providers such as Gmail or Live.com (previously Hotmail) can be an “incredibly secure way to email” provided you use the business versions and employ the correct security settings.

“It’s unfortunate how much we rely on email today as it is a very insecure mechanism. Even if you’re securing how you access your email, at the backend it is transferred around the globe un-encrypted and therefore is both ‘snoopable’ and ‘tamperable’.”

The most technologically up-to-date firms are now moving to “back-end file storage” (such as Google Docs) where, for example, you send an email to a client advising them of a change to a document and that person can use a secure login password to access it. The sensitive documents are never actually transferred via email.

Mr Prow says one of the biggest risks for a business these days is password reuse.

He says when he hears of people’s email accounts being “hacked” it raises several alarms. Firstly, it usually suggests to him that a weak password was set and, secondly, that two-factor authentication wasn’t set up.

More worrying, though, is the issue of password re-use, where commonly the password hacked from one system can be re-used in others (if not all) of that individual’s online accounts.

“We’ve seen examples of passwords stolen from low-security targets such as online rewards sites, newsletter subscriptions or online pizza stores being used to access corporate email accounts or highly sensitive back-end systems – all because the user in question re-used the same password across all of these systems.

“However most security risks can be mitigated with the usage of new technology and some consistent security practices used across a law firm,” says Mr Prow.

He adds that it’s also going to become more common that a law firm’s clients will start expecting secure ways to communicate with their lawyers, and will start demanding to know how well their private data is being held.

“I suggest that once a year, get someone to give a security health check, because if you’re not improving and tweaking the security of your systems every year then they’re aging and getting too old.

“We see how every week there is another privacy breach article in the news. Assume that the practices you did last year are already out of date and take the time to keep up and treat your clients’ privacy with the care that’s required,” he says.
