🔒 Cybersecurity for lawyers

• Secure your DNS: it's critical
• Host it (physically) in a suitable country
• Secure the connection between your mail client and your email server
• Consider PGP/GPG for email encryption
• If you cannot encrypt your email, consider encrypted attachments
• Do not trust that the sender is who they say they are
• Do not trust unexpected attachments
• Disable automatic loading of remote content
• Don't use tracking pixels or remotely-hosted content
• Be aware of phishing email

Here

Here

Check that your mail server permits encrypted connections, and make sure you use them.

When you set up your mail client (e.g. Outlook, Thunderbird, or macOS's Mail), look for an option like “Use TLS/SSL”.

If you do not do this, someone spying on your connection might be able to see:

• your username and password, and then access your email — they could read your mail, and send email coming from your account.
• the content of your messages, including attachments.

As you cannot be sure whether your recipient has done the same, if you are sending anything sensitive, encrypt it before you send it by email (e.g. by using PGP, or an encrypted .zip folder, or use something other than email.

Ask whoever administers your mail server to configure what is known as “opportunistic TLS”. When you attempt to send an email to a third party, your server will try to see if can make an encrypted connection to their mail server.

If it can't, it will still transmit your email anyway, and, in doing so, it will pass unencrypted over the Internet. Because of this, if you are sending anything sensitive, encrypt it before you send it by email (e.g. by using PGP/GPG, or an encrypted .zip folder, or use something other than email.

Securing email is difficult, as you are trying to bring an acceptable level of security to an inherently insecure system.

If you've done the steps above, and still want added security, PGP — Pretty Good Privacy — and its open source implementation, GPG, is a means of encrypting your email and its attachments “end-to-end”, meaning that only the recipient (or someone who has compromised their security credentials) is capable of seeing the content of what you have sent.

PGP/GPG secures only the content of what you have sent, and does not hide the existence of a communication, nor the identity of the sender or recipient, nor — importantly — the subject line.

Because of the way it works, both you and the recipient have to be PGP/GPG users, and you have to have some specific information about them: their “public key”.

PGP/GPG is not perfect, but it is better than not encrypting your email. Depending on your needs, you might want to look at alternatives to email, which offer better security.

macOS: GPGTools. This is a good "first steps" guide to using GPGtools with the native macOS email client. There is also a version of Canary Mail for macOS.

Windows: Enigmail, used with the Thunderbird email client. Set up guide, by the Electronic Frontier Foundation

iOS: Canary Mail (make sure you use “fetch” rather than “push” mode).

PGP/GPG is not for everyone and, even if you use it, it is of no use if your intended recipient does not.

If you need to transfer something sensitive as a once-off by email, put your message, or the files you want to send, into a directory, and then encrypt the directory. Send that encrypted directory to your recipient, via email, and give them the password by a separate, secure channel. Do not email the password, as otherwise you have sent both the thing you are protecting, and the password to access it, by the same means: someone monitoring their email would get both elements.

As with PGP/GPG, this would still leave the subject line and content of the email, along with sender and recipient information, available to anyone.

You will be able to see the name of the attachments and, in the case of files in a zip folder, potentially the names of those files too, so use non-identifying names for the files if that is a concern.

How you do this varies from platform to platform.

On macOS, you can do it using Terminal, but it is not particularly user-friendly.

For Windows, 7zip offers easy-to-use encryption.

It is very easy to make an email look like it has come from someone else — the email you receive from your boss, or client, or someone in another law firm, may not have come from them at all.

It's easier said than done but, before you take action based on an email, especially if anything about it strikes you as unusual (time of sending, tone, the fact that you thought you'd had a conversation about the topic already etc.), check with the sender via a different means of communication already known to you.

An unexpected attachment may be an attempt to attack your systems.

There is no harm in ringing up the purported sender, and asking if it was really from them. But don’t use the phone number in the email itself (as that might not be their actual phone number) — verify some other way, such as using a number you already have on file with them.

Some people tart up their email by adding images hosted on remote computers. When you open those email, you connect to those remote computers and download the images.

When you do this, you leave a footprint on the remote computer. Sometimes, this is used as a tracking technique, using small, invisible images as a means of detecting when you opened an email.

Check that all your email clients have disabled loading of remote content.

For example, in macOS's Mail application, it is in Preferences / Viewing:

Although it might be convenient to know who has opened your email and when, using tracking pixels or remotely-hosted content is bad practice.

“Phishing” email are spam email where the sender tries to trick the recipient into handing over sensitive data. It could be someone pretending to be your bank, your accounts department, or even a client. Some phishing attacks are very good, especially when they are targeted at you (for example, based on information obtained from a previous successful attack, or a breach).

See the guidance from the National Cyber Security Centre on how to spot phishing attempts, and mitigate risks.