The Slaw blog had a good basic post yesterday morning on cybersecurity for law firms. It made me want to share some of their advice, to which I’d add a few of my own and which may apply not only to professionals but also to any type of organization.
As you may notice, a lot of this is basically common sense, as applied in the digital age:
Start by asking yourself what type of data your organization handles, and contemplate what problems you may have were it to fall in other hands or become unavailable;
Inventory all devices which your organization uses, including in particular those that connect to its systems and/or the Internet and make sure your personnel knows the dangers associated with plugging anything new (for ex., an infected USB stick);
Realize that anything you plug into the Internet (i.e. make accessible) may become a point of entry for eventual hackers or infections, in particular any devices that have not been fully updated (including any firmware and software running on it) – make sure all your hardware and software are regularly updated (starting with your router and computers/servers);
Stop allowing or using weak passwords and force everyone to use a solid password manager;
Better yet, have everyone in the organization access every tool that can be through Two Factor Authentication (2FA);
Acknowledge that employees require on-going cybersecurity training and reminders, and actually schedule it so that it does happen, at least every year,. Including as to things like:
The risks associated with using passwords (such as weak or reused ones);
Problems which may be triggered by navigating one’s browser to a malicious site or clicking on a link in an email;
The dangers of activating, opening or clicking on attachments;
The concept of social engineering and its role in many attacks;
Know in advance who you will call in case of an incident to investigate or remedy, and make sure your personnel knows what your game plan is;
Do not assume you are safe because no one would bother attacking you, as we’re all potential victims of cybersecurity incidents, as anyone can fall victim to an attack without even having been specifically targeted.
With Québec’s passing of a new personal information stature, further to Bill 64, I’d say now’s a good time to brush-up on your cybersecurity practices and safeguards!
Email now apparently takes more than 2 hours of a typical person’s job, in any given day, a figure which I figure is likely exceeded for a typical attorney. With that kind of time invested in it, you’d think we’ve collectively gotten better, over time, at handling it -not so, if you ask me.
I happened this morning on a post entitled 40 One-Sentence Email Tips which inspired me to distill my own experience (of 20 years reading/writing emails), for your benefit and my own. Here it is, in the hope it may help us be more productive:
Send less emails, receive less emails;
Limit your consents to receiving mass emails (like newsletters);
Use your email app intelligently – don’t spend time manually saving emails into folders, etc.;
Don’t generally answer emails instantly or at all times of the day or night, or risk involuntarily training recipients of your emails to expect that level of responsiveness;
For any new email, start by asking yourself whether this communication channel is appropriate for this particular discussion (would a text or a call be better?);
If email is the way to go, don’t C.C. any person that doesn’t really need to see that email (as you’ll be wasting their precious time with your thoughtless inclusion of their address);
Give your email a Subject that does describe adequately what it’s about (dhu);
Start your emails with a sentence or two that provides context and what specifically you hope to get back from this recipient (information, action, etc.);
In the body of your email, be brief and concise: keep sentences and paragraphs short, and limit the length of your email to about a page -max;
Be kind to recipients of your emails and use plenty of spaces and bullet points, to make scanning your message easy and quick (typically, that person will want to spend about 30 seconds reading it).
We’re collectively spending A LOT of time on electronic communications, which doesn’t mean the average person (or lawyer, for that matter) knows how to handle it adequately. Remember, your email app should work for you, not the other way around.
While doing some work as to open source, I recently came across a section of the list of officially accredited open source license and that includes 3 licenses Made in Québec. These were apparently created by Québec authorities for its own purposes. Not too surprisingly, the original version of these 3 open source licenses is in French, contrary to most others of this kind.
The official site www.opensource.org now lists these 3 licenses, which I’m linking below to a micro-site created by the Centre de services partagés du Québec called “Forge gouvernementale”. The presentation of the documents on this site is much easier to read than the version posted on opensource.org (that presents the text of each license in a single block of text):
The OSS licenses at issue were created with the government’s software development efforts in mind and (initially) presented in French, though an English translation is available. As with other open source licenses, the goal here is to free source code in the manner that maximizes the users’ rights and the ease with which it may be used and redistributed down the line. If you’re curious (I was), the Québec government published the following FAQ about these licenses.
The first license (LiLiQ-P) is akin to the Apache open source license and, thus fairly permissive. The code released under this license may be included in other software that is then distributed without having to make it available with the source code and without being required to distribute it through an open source license.
The other 2 licenses (LiLiQ-R and LiLiQ-R+) are relatively similar to somewhat more restrictive licenses such as the MPL license and the LGPL license, requiring that resulting software be made available, including as source code, through a LiLiQ-type license. Another feature of the licenses at issue resides in their reciprocity provisions, generally allowing the combination of LiLiQ code with code made available pursuant to most other open source licenses.
Is anyone really surprised that Québec would want to express how different it is from the rest of Canada (and the world) by creating its own version of an open source license? Eh, why not?