1) The document provides tips on how to manage client data responsibly and securely, including using a VOI provider for identity checks, enabling two-factor authentication, sharing documents securely with expiration dates, storing documents securely in the cloud using encryption, properly disposing of data and physical documents, and contacting proper authorities in the event of a breach. 2) Topics covered include password security, document sharing best practices, secure storage and transfer methods, device and media disposal, and incident response. 3) Resources mentioned that can help with secure practices and incident response include the Law Council of Australia Cyber Precedent, Lawcover crisis management, and identity theft non-profits.

1. How to manage your client’s
data responsibly
Protect your clients from fraud, identity theft and
confidential information
Jeremiah Cruz
jeremy@cryptoaustralia.org.au
Nick Kavadias
nick@cryptoaustralia.org.au
Gabor Szathmari
gabor@cryptoaustralia.org.aucryptoaustralia.org.au

2. Who is CryptoAUSTRALIA
• A not-for-profit started by security and privacy enthusiasts.
• We have nothing to do with BitCoin, so please stop asking.
• We are for finding practical ways of dealing with the modern
privacy and security challenges.
• We are looking for sponsors in order to continue our work
and research.
• This may be a new concept to lawyers, but we are running
these events for free*.
* This presentation does not constitute cybersecurity advice.

3. Self Promotion..
Tonight’s speakers:
•Jeremy – Network Security Expert
•Nick – Solicitor and Technologist
•Gabor – Cybersecurity Expert

4. We know how to internet…
@CryptoAustralia
#cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Interact with us in the digital world…

5. What we are covering tonight…
1) Bad practices
2) Password security
(2FA and Password reuse)
3) Sharing documents securely
4) Storing documents securely
5) Prudent data disposal practices
6) Physical security (dos and don’ts)
7) What to do post-breach 🙏

6. Secret: “hackers” log into your webmail

7. Password hygiene
• Websites get hacked.
• People reuse same
email and password
across multiple online
accounts. D’oh!

8. Haveibeenpwned
Do you have leaked passwords? https://haveibeenpwned.com/

9. Haveibeenpwned Leaderboard
Today’s winner is …

13. Meanwhile on SpyCloud...
(an unrelated account)

14. Meanwhile on SpyCloud

15. Bad client document & personal
information management practices
• VOI checks
• Online document conversion
• Document sharing (e.g. Dropbox)
• Keeping emails forever
• Public Wifi

16. Bad practices - VOI checks
100 points ID checks – Leaks everywhere
• Scan-to-email printers (bonus: unencrypted
traffic)
• Documents sent/received over emails
• Emails are never deleted on the
sender/receiver side

17. Bad practices - VOI checks
• Don’t ask for scanned documents to be sent over
emails
• Rely on VOI providers instead
• Secure smartphone app and web portal
• https://www.dvs.gov.au/users/Pages/Identity-
service-providers.aspx

18. Bad practices

19. Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com...
• They provide a convenient service to
convert documents to PDF

21. Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com...
• Who’s behind the service?
• What happens to your documents?
• Why would you upload
sensitive documents to random
strangers?

22. Online document conversion
Convert documents offline with
Adobe Professional

23. Bad practices -
Document sharing over emails
Problem statement:
Your email file attachments and
embedder download links remain in
your ‘Sent’ email folder forever, waiting
for a hacker to login and download them

24. Bad practices -
Document sharing over cloud-based file
storage services
File sharing with Dropbox, OneDrive, random
service:
• Download links are valid forever
• Mailbox gets hacked → Links are still live

25. Transferring sensitive documents securely
• Send web links instead of file
attachments where appropriate
• Use expiring web links
Services:
Google Drive, Sync.com, Tresorit...

26. Bad practices

27. Transferring documents securely

28. Bad practices - Emails are kept forever
Keeping all emails for extended period
• Limit the damage if the mailbox gets hacked
• Set an archive and retention policy and archive
emails to a secure third-party service
(e.g. Spinbackup, Backupify)
• Office 365, G Suite support retention policies

29. Bad practices

30. Bad practices - Public Wifi
Lots of hacking wizardry:
• Password theft via fake login pages
• HTTP pages tampered on the fly
• Theft of unencrypted sensitive data
Just take our advice on the next slide

31. Public Wifi – Use VPN or a 4G dongle

32. Good security hygiene
What else you can do

33. Secret: “hackers” log into your webmail

34. Password hygiene
• Websites get hacked.
• People reuse same
email and password
across multiple online
accounts. D’oh!

35. Two-factor authentication
Most powerful defence from:
•Crappy passwords (Letmein1)
•Stolen passwords (phishing)
•Leaked passwords (reuse)

36. Two-factor authentication

37. Password hygiene – Wallets
Remember a single password only
• LastPass
• 1Password
• Dashlane
• RoboForm
• < Any random password wallet >

38. Storing documents securely
Cloud file storage – Who your adversary is
• Hackers? - Dropbox, G Drive, OneDrive + Two-factor
authentication turned on
• Government? - End-to-end encrypted service: Sync.com, Tresorit
• Encrypt your disks, USB flash drives and smartphones
• BitLocker - Windows 10 Professional
• FileVault – Mac
• Android supports disk encryption
• On iOS disk encryption is turned on by default

39. Prudent data disposal practices
Laptops, computers:
• Magnetic disks: overwrite
• DBAN (https://dban.org/)
• SSD: Physical destruction
• USB flash drives: Physical destruction

40. Prudent data disposal practices
iPhone: Factory reset
Android*:
1. Encrypt device
2. Remove storage and SIM cards
3. Factory reset
4. Remove from Google account
Phones (SD card): Physical destruction
* https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html

41. Physical security (dos and don’ts)

42. Physical security (dos and don’ts)
• Shredding documents
• Diamond cut shredder
• Secure document disposal service
• Can secure dispose digital media for you
• Digital certificates (e.g. PEXA key)
•Leave them unplugged when not in use
•Cut the built-in smart card in half to dispose

43. What to do when you get hacked 🙏
• Disconnect your computer from the
Internet and stop using it
• Notify LawCover - They have an
incident response team
• Checklist:
http://lca.lawcouncil.asn.au/lawcou
ncil/images/cyber/CP-What-to-
Do.pdf

44. Summary
1) Use a VOI provider for identity checks
2) Use 2FA and don’t reuse your password
3) Share documents with expiring links
4) Store documents in the cloud securely (2FA)
5) Dispose data securely
6) Shred documents & protect digital certificates
7) Notify LawCover when the house is on fire

45. Where to get help
• Law Council of Australia Cyber Precedent, great learning resource
• Law Council cyber-attack checklist
• Lawcover crisis management team can help you clean up the
mess.
• Victim of identity theft, you should contact IDCARE, NFP helping
people
• Have a conversation with your IT Service Provider, or staff. Use
these slides as a talking point!

46. @CryptoAustralia
#cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Get updates:
https://cryptoaustralia.org.au/newsletter
Next workshop:
https://www.meetup.com/Cybersecurity
-for-Lawyers-by-CryptoAUSTRALIA/