Will You Be Locked Out of Your Own Data?


Imagine the impact of losing your laptop and your phone in a tsunami. Both of them gone, in one horrible moment. Seriously, imagine it: that’s where we’re going today. Things are going to get destructive and wet.

Most of us now keep our information–client files, notes, data, financial information, and the rest–in the cloud. Generally, it’s safe there. Sure, there’s the occasional Russian hacker, but mostly we’re much better off than we were back in the days of servers in closets.

Hopefully, the loss of a device or two–in a tsunami or otherwise–would simply result in the need to replace your devices, restore some software, and log back into your business.

But what if you couldn’t get back in? What if the data was safe in the cloud but inaccessible, at least for a while, to you and your team? That could be devastating.

Would a tsunami wipe you off the map?

I refer to tsunamis quite often. Maybe I overuse them as examples. I have a little tsunami PTSD.

I was mildly traumatized by my time in Sri Lanka, sitting on a ghost-filled beach for a month. The same beach had been overrun on December 26, 2004 by the Boxing Day tsunami. A quarter of a million people died in the region that day. I wasn’t there until more than ten years later. But the deaths that had happened years earlier still hung in the air; people choked up when the topic arose in conversation.

There were grave markers everywhere I looked. I heard story after story of mothers encouraging their children to run out onto the seafloor to collect fish jumping up in the air from the remaining puddles as the water moved quickly away from the coast. The fish seemed to be a gift from god. Then, with a force I can’t even imagine, the water came back in a giant wave, washing the children, their mothers and fathers, and a devastating number of people to their deaths.

Who has your passwords?

Maybe I’m just paranoid because I travel constantly. I worry about our technology and data getting lost or stolen. I’ve spent considerable time thinking through what would happen if we left our things in a taxi or circumstances resulted in our losing our devices.

Once I thought it through, I realized that a tsunami is the perfect hypothetical for an exercise in making sure your data is safe.

I’ve worked through the tsunami scenario each time we’ve changed up our technology. We were using Lastpass to store passwords. We switched to 1Password. Time for a tsunami exercise. We went through it again when we ditched our MacBooks for Windows laptops. Again when we moved from Dell laptops to iPads, then Huaweis, then back to MacBooks. We’ve changed machines quite a bit, and the process for recovering data is very different depending on your devices of the moment. Android and iPhone each present different challenges, in the same way that Apple’s iOS and Microsoft’s Windows require different muscle memory.

The tsunami scenario reveals the problems you haven’t yet solved. Do the tsunami exercise any time things change. Between software and hardware swaps, we’re all having to relearn our systems with great regularity. Things change fast when it comes to technology.

Initially I thought I was plodding through a scenario for someone working solo or in a very small firm, like me. But as I talked to others, I realized that some larger firms have vulnerabilities too. A tsunami-like event could wipe out the entire firm because a single person might be responsible for holding the authorization to access the data. Use the tsunami scenario to uncover those vulnerabilities.

The tsunami scenario

So let me describe the hypothetical scenario I imagined while sitting on that beach.

A lawyer is on vacation and brings along her usual assortment of devices so she can get some work done between rum punches. Her spouse has a few as well. At some point, it’s clear that between them, they have all of their devices on the trip. They have no use for technology that can’t travel, so there’s no desktop computer left back at home. Like so many of us, they are a laptops-and-phones couple.

They’re sitting on the beach. They see the water recede. They’re alert enough to quickly calculate that it’s likely related to the small earthquake they felt earlier in the day.

They move quickly uphill by climbing the mountain slope behind the hotel.

They’ve got their phones with them, but their laptops are in the hotel room. There’s no time to retrieve the laptops. They climb up and watch as the water approaches fast. It keeps rising. It grabs them, and they’re swept off their feet, smashing through debris and over trees. Their phones, of course, are lost in the mêlée.

But thankfully, they survive. They manage to find one another and get back to the hotel. The building is gone–and so are their laptops.

It’ll be days before they are rescued. They have no technology or passports or clothing. There is no way to make outgoing calls by phone. There is nothing they can do yet. They wait.

It need not be anything as dramatic as a tsunami either. I was once in a coffee shop where a woman lost her phone and laptop in an instant, because someone sneakily grabbed her bag and was out the door in a flash.


Passwords won’t get your data back

At one time it was pretty simple to access your data from any device. If the tsunami hit, and you survived, you’d find a laptop or phone, open a web browser and log in. Security was mostly based on a combination of username and password.

It’s not that simple anymore.

Apple, for instance, requires you to use a special form of two-factor authentication in order to gain access to your new device. In the absence of your old devices, it becomes very difficult to get the required code from Apple.

Normally, when you enter your username and password in your new iPhone, you’ll be asked to enter a six-digit verification code that you can retrieve on one of your trusted devices. But–oops–both of your trusted devices were lost in the tsunami.

No worries, Apple can send you the code via phone call or text. Oops–you don’t yet have access to your old phone number (because tsunami), so you can’t yet receive a text or call. You’d love to be able to make or receive a call right now–that’s why you want to access your device.

Certainly Apple can help you at this point, right? Sure, Apple will come to the rescue IF you know your username and password, and can place a call. You call Apple–if you can borrow a working phone–and they can help you access your device. Unfortunately, that might take a few days, especially if you need access over a weekend or holiday.

It will take longer if you don’t yet have access to your username and password. There is no guarantee that Apple can get you back into your hardware if you don’t know the correct answers to their questions or have proper documentation to verify your identity. Regardless, nothing will happen instantaneously. Security requires careful authentication of your identity.

We’re more secure than ever, even from ourselves. We’re especially secure when the tsunami hits. You need to be prepared.

Your best defense?

Your best defense is a solid plan that you’ve thought through completely and then tested in a real-life setting.

It’s one thing to think about your plan for gaining access to your data. It’s another thing entirely to actually work through the process. When I first tested my system, I ran into issue after issue. I had no idea how tightly our data is tied to our particular devices, biometric data, phone number, and specific SIM card. It’s complicated.

You’re a lawyer, so you’re already risk-averse. Deep down, you believe that a tsunami, or comparable disaster, can strike at any time. It could come in the form of flood, or fire, or much worse. It might happen to you while you’re on vacation, or it might happen to the office while you’re on vacation. Disasters are, unfortunately, hard to predict with specificity. But disasters do strike with some frequency. You’re not the kind of person who might lull yourself into magical thinking. You know your tsunami is coming.

Your best defense is a plan. You need to get very detailed, very specific, and plan for the worst-case scenario. It’s kind of a fun game, as long as the tsunami is just imaginary. But I still can’t get those images out of my head. The reality of that month in Sri Lanka was very motivating.

My system for getting my data back

I’ve created a plan, applicable for this moment in time, for my particular combination of hardware and software. It takes into account that I might be anywhere in the world and that I might lose all of my devices.

I’ll share the overview of my plan, but it truly only applies to my situation. You’ll want to carefully work through your own plan. I’d suggest doing it now.

My system looks like this:

1. Record 1Password secret key on paper and store it

I use 1Password to keep all of my passwords and two-factor codes safe. I can access my data with a username and password, but only from a device I’ve used before. A new device doesn’t work without inputting my “secret key.” I’m frozen until I get into 1Password because I use long, unique passwords for everything. I need 1Password access in order to get started down this path. I’ve got the secret key written down in a hidden location but I expect it to be washed away in the tsunami.

2. Provide the secret key to others

I’ve provided my secret key to a few trusted people. The secret key, in the absence of the username and password, doesn’t grant access to my data, so I feel comfortable giving it to a couple of people whom I can call if necessary. I’ve asked them to save the key somewhere safe, so that they can read it to me if I call from Sri Lanka. They’ve got a meaningless combination of letters and numbers and I’ve got access to my data if–and this is a big if–I know my username and password for 1Password.

3. Memorize 1Password username and password

There are weak links in every system. I’m the weak link. If I can’t remember my username and password for accessing 1Password then there’s no way to get access to the hundreds of passwords I need to get fully back up and running. I’ve kept the password for my password protector complicated but I’ve also made it memorable. One way to approach that issue is to make it a very long series of words like My-password-is-the-only-way-I-survive-the-tsunami.


Once I’ve got my secret key from my friend, coupled with the 1Password username and password, I’m ready to log in to 1Password and gain access to all of my most private data.

4. Authorize additional phone numbers

The next obstacle is getting into a new iPhone and MacBook. Apple wants me to enter the two-factor code, or they’re going to make me wait for them on the phone. I really want to be able to use the code and not have to run through the gauntlet Apple will need to impose in order to protect me and my data from myself.

But with no authorized devices left after the tsunami, what can I do? Good question.

Apple allows for multiple phone numbers, even on non-Apple devices, to accept the code via phone call. If I’m in Sri Lanka and am able to acquire a new iPhone, I can buy a local SIM card and call one of the folks I’ve previously set up on the Apple system. They can receive the call from Apple and give me the code.

5. Memorize/record Apple ID and password

Finally, I’ve memorized my Apple ID and password. I’m not sure that I’ll need this in order to get things going again. Hopefully, I’ll gain access to 1Password without needing to get into an Apple device, but I figured it can’t hurt to have this simple combination tucked safely in my brain. I can imagine a scenario where it would be helpful to have this information, but it should be accessible via 1Password after I get back in.

Let’s put it all into action

The tsunami hits. The devices are ripped from my fingers, but the credit card and some cash in my pocket survive. We get away safely and end up finding a guy with a dry stockpile of cheap Android devices. I buy one and he sells me a SIM card for a few bucks. I’m online.

I use the phone to make an international call to one of the people who keep my 1Password Secret Key, and I use that, along with the memorized username and password, to get into 1Password. That gives me my passport image, credit card information, and access to all my other online accounts, and I’m up and running on the Android. Now I can place calls, use my credit cards online, access the image of my passport, etc. We get temporary passports from the nearest US Embassy, and we’re off to a country with an Apple Store.

I make my way to an Apple Store and acquire a new MacBook and iPhone. I’ve already got my Apple ID and password so I’m all set, except that I need to have one of my pre-authorized friends give me the two-factor code via the phone. I enter the username and password, their phone rings, and they text me the code. I’m back up and running on Apple. From there, it’s just a matter of reinstalling software and we’re good to go.

Now it’s your turn

I’d suggest you do some scenario planning for yourself. You might not have plans to be on a beach in a developing country. You might not limit yourself to a laptop and a phone, and might have a pre-authorized device on your desk back at home. But does someone know how to access that device? Have you limited your essential two-factor codes to a single device without backup access? Have you properly saved all of the codes you’ll need? Are you ready?

Play the game for yourself. Work through various possibilities. Try logging out and seeing what it takes to log back in. I was surprised that a username and password alone didn’t get the job done for important software. I hadn’t been paying close attention or thinking through the steps when I set up a new device. Be surprised now–before the tsunami hits.
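The drill can also be run on paper as a dependency check before trying it for real. The Python sketch below is an added example, not part of the original article; the asset names and recovery rules are a constructed model of the plan described above and should be replaced with your own accounts and factors.

```python
# Constructed model of the recovery plan described in the article; names are illustrative.
# Each asset maps to alternative routes; a route is the set of things it requires.
RULES = {
    "secret_key": [{"paper_copy"}, {"working_phone", "friend_holds_key"}],
    "1password_vault": [{"1p_login", "trusted_device"}, {"1p_login", "secret_key"}],
    "apple_2fa_code": [{"trusted_device"}, {"own_phone_number"},
                       {"working_phone", "friend_trusted_number"}],
    "apple_password": [{"apple_login_memorized"}, {"1password_vault"}],
    "apple_account": [{"apple_password", "apple_2fa_code"}],
    "other_accounts": [{"1password_vault"}],
}


def recoverable(surviving):
    """Return everything reachable from the facts that survived the disaster."""
    have = set(surviving)
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for asset, routes in RULES.items():
            if asset not in have and any(route <= have for route in routes):
                have.add(asset)
                changed = True
    return have


def single_points_of_failure(surviving, goal):
    """List surviving facts whose loss alone would block the goal."""
    return sorted(f for f in surviving
                  if goal not in recoverable(set(surviving) - {f}))


# Constructed scenarios: what is left after all devices are lost.
WITH_PLAN = {"1p_login", "apple_login_memorized", "working_phone",
             "friend_holds_key", "friend_trusted_number"}
NO_PLAN = {"1p_login", "apple_login_memorized", "working_phone"}

if __name__ == "__main__":
    for name, facts in (("with plan", WITH_PLAN), ("no plan", NO_PLAN)):
        got = recoverable(facts) - facts
        print(name, "->", sorted(got) or "nothing recovered")
    for goal in ("1password_vault", "apple_account"):
        print(goal, "depends solely on", single_points_of_failure(WITH_PLAN, goal))
```

Any fact the second function reports is a place where one forgotten password or one unreachable friend ends the recovery, so add a second route for it and re-run the check.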

Mostly, I find our inherent lawyerly-risk-aversion debilitating. It slows us down, makes us hesitate, keeps us from growing our businesses fast. But sometimes, a little risk consciousness is a good thing. It’s time to do some planning, before disaster strikes. The tsunami drill will release your paranoid inner lawyer. Let it out. Then you’ll be ready for anything.
