Digital Detectives

The Importance of Website Security for Law Firms

When thinking about a law firm’s marketing approach, many attorneys put heavy emphasis on having a well-constructed website to aid in attracting business, promoting convenient project management, and improving client retention. However, what potential security risks can your website pose to your firm and your clients? In this episode of Digital Detectives, hosts Sharon Nelson and John Simek sit down with SiteLock President Neill Feather to discuss the importance of website security, data breaches, and why hackers are attacking the websites of law firms.

Special thanks to our sponsors, PInow and SiteLock.

View transcript

Digital Detectives

The Importance of Website Security for Law Firms

10/12/2016

Intro: Welcome to ‘Digital Detectives’, reports from the Battle Front. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon Nelson: Welcome to the 72nd edition of ‘Digital Detectives’. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on ‘Digital Detectives’ our topic is “Website Security for Law Firms”.

Sharon Nelson: And before we get started I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit  HYPERLINK “http://www.pinow.com” pinow.com to learn more.

John W. Simek: We are delighted to welcome as today’s guest Neill Feather, who is the President of SiteLock; the leading provider of website security solutions for business. Neill has over 20 years of experience in the technology and systems industry, notably, providing technology solutions and industry insights for Johnson & Johnson prior to SiteLock.

Neill holds BS degrees in Statistics and Information Systems and International Business from the Pennsylvania State University and an MBA from the University of Pennsylvania’s Wharton School of Business.

Thanks for joining us today, Neill.

Neill Feather: Thanks for having me.

Sharon Nelson: Well, what your company does is so interesting. What’s your background, Neill, what brought you from where you started to hear?

Neill Feather: Yeah, well, thanks for the introduction John and like John said, my background is in Statistics and managing kind of large datasets ,and also IT and I started programming when I was about 12-years-old. I had my first job where someone was paying me to program something.

So I’ve had that kind of background and really over the course of time I think the thing that was attractive to me was looking at really large datasets and trying to identify trends in that information. And so whether that was pharmaceutical data at my first job at Johnson & Johnson and are now really looking at threat data from websites, that’s one of the things that drew me to this opportunity to start this business was the opportunity to look at large amounts of data and apply statistical and other kind of analysis to help look at what are the trends and what are the emerging threats and that’s a real important part of our business here at SiteLock in terms of how we develop products and how we think about identifying and blocking emerging threats.

John W. Simek: I hear what you are saying, Neill, and I have an engineering degree, one of my favorite classes was Probability and Statistics especially when you’re doing the gaming stuff, but can you tell us a little bit or tell our listeners a little bit about what makes SiteLock website security different.

Neill Feather: Yeah, I think there’s a few things. I think one of the things that is important to us is that we’re really focused on websites and web applications and that’s really all we do. So you’ll see some security vendors that are kind of jack of all trades and what we want to be able to provide our customers is a one-stop shop for their website security.

So for a lot of businesses and especially small and midsize businesses and law firms that is really their main and most important information technology asset is their website. So it is their reputation, it is their kind of advertising vehicle that they’re using to attract new customers, talk about their business and educate people and so we’re really focused on that business, and we’ve done that on that aspect of security.

And what we’ve been able to do in that space is really attract a large number of customers in that space that gives us access to data that really no one else has. So what makes us different is while we’re protecting over 6 million websites, we see a lot of things that other security vendors don’t see and that gives us the ability to protect our customers in more different ways as well as in more sophisticated ways than a lot of other providers out there.

Sharon Nelson: Well, I’ll give you a story and then I’m going to ask you for a story. Our story is that we advised a client, a law firm not to host their own website, of course they ignored us, and when they finally had the website busted into, it came up the next morning. When they went to work it was coming up with f the United States Government, which is never a good thing for a law firm website to say.

So that’s my story of what we have seen from here, what have you seen as a terrible story of someone who has not paid attention to website security, Neill?

(00:04:55)

Neill Feather: Yeah, I mean, we see it all the time, and this is kind of our world as everyday, we’re kind of experiencing this with our customers and with our perspective customers. A lot of people take for granted that they’re not at risk for this type of issue. People think no one wants to target my website, why would anyone care about me, I’m not a big company.

But the reality is that small businesses and law firms and other folks you have access to sensitive information are being targeted in a way that they really haven’t before. There’s so much as technology has advanced, so has the technology that’s used by attackers. And so there’s so much of the attacks today are automated that really anybody is a target, and so when we talk to folks a lot of them are unaware of the risk, and one example is, we worked with a recruiting firm, who is in this kind of talent management business and they’re attracting folks in various different industries including the legal industry to move from one firm to another or after they graduate Law School, come out and it was something that they had just recently gotten into was this more professional services, legal, financial and others.

And right after their launch they were compromised and their website had been redirecting to and inappropriate website. And so people that they were trying to really build a brand with, the first impression of them was not a great one.

And so we see that unfortunately more frequently than we would like to, but really that is one story but it happens on an all through frequent basis as some of the folks who own these websites take for granted the security of those sites.

Sharon Nelson: So I’m gathering that by inappropriate it would fit within that broad scope of when you say, “not appropriate for workplace viewing”, is that correct?

Neill Feather: Yeah, not safe for work, I guess is the –

Sharon Nelson: Yeah, that’s works for me too. Okay, I think we’re all clear now.

John W. Simek: Well, Neill, there is a lot of bad guys that are out there, but why are the hackers and the cybercriminals specifically targeting websites of law firms?

Neill Feather: Well, I think law firms and their websites have access to a lot of information that’s very attractive to attackers, whether that be specific to that law firm, maybe there is a client that they’re interested in and if they want to get more information about or whether that’s a — some case that was taken that was controversial and so they want to prove a point by attacking that law firm’s website.

But beyond that really any law firm has a lot of sensitive information that was very attractive. There is very sophisticated markets for consumer information, e-mails, phone numbers, addresses of individuals that can be sold on the Internet. Beyond that every website has access to a lot of computing power and a lot of capabilities that are useful to launch threats against other websites.

So even if you’re not the target, you may be an intermediary in attacking someone else unwittingly so they may use your website to try to send a bunch of traffic to another website in order to shut it down in something like a denial-of-service attack or they may use your website to launch a phishing attack against another third-party or someone who’s registered in your email database by sending email out as if they were you.

So there’s a lot of different reasons that these hackers are motivated to take over websites, and specifically legal websites have a lot more of that type of information that is more interesting and really more valuable to a cyber criminal.

John W. Simek: So kind of a soft underbelly then?

Neill Feather: I think that’s the one thing about websites that people really don’t realize that when you’re talking about other information technology assets, if you’re managing a law firm’s IT infrastructure, you don’t want anyone outside of the law firm to have access to PCs and phones and things like that that are in your IT infrastructure but you want everybody to access your website, right?

So it really is a soft target for the attackers because it’s so publicly visible and publicly accessible and you’re trying to make it interactive and a great experience and unfortunately that can lead to an open-door and an open invitation for attackers.

Sharon Nelson: Now, I can just see somebody who’s listening to this say, please reassure me that even though they can get to data on my website and they can get to things that I wouldn’t want them to get to. When you’re talking about them compromising the website you’re not talking about them compromising their actual network where their confidential files are stored; these are two different things. Both can be very dangerous, but they’re two different things.

Neill Feather: Yeah, I suppose it depends. In a lot of cases, people don’t host their websites on the same network as the rest of their infrastructure, but to your example earlier Sharon, you mentioned that your client you had advised some people are hosting their websites on internal networks and so they offer a good kind of entry point and jumping off point to go after more different targets internal to the organization.

(00:09:57)

So it depends on how the information technology architecture is in each individual firm, but you’re right, the majority of folks do host their sites in some kind of cloud-based architecture.

Sharon Nelson: And that’s a whole lot safer if you’ve been listening to Neill, to our listeners, make sure you listen to my horror story about somebody who thought they were smart enough to do it themselves and really you do want your website in a separate location. To follow on with my next slot how do cybercriminals actually attack and infect websites? How do they do that? It’s mystery to most folks.

Neill Feather: Yeah, I mean, what they do is they will probe around the Internet and probe around the site for weaknesses. We call vulnerabilities in the website and that can be anything from a week coding practice that a developer use who is working on the site to add functionality where they’re able to essentially make the website perform something think that wasn’t intended by the developer. So for example they may be able to submit commands that allow them to extract data from your database in a way that was not intended by the developer, that’d be something called a SQL injection, that’s a pretty common type of attack.

Another way is, a lot of websites now run on software that you can go download open source software and run on your website, and sometimes folks are downloading software that comes with vulnerabilities in it, not unlike how when you have your PC, if you have a Windows PC, you’re getting updates about security patches once a week from Microsoft and from other vendors, the same thing is true about software that you run on your website. Software gets released, later on people find out those vulnerabilities, if you’re not patching those proactively someone will be looking for those vulnerabilities on your website and use those as an entry point to attack your site and probably many others that look like it.

John W. Simek: So give us some good news, Neill. Are there any tools that law firms can use to defend themselves?

Neill Feather: Yeah, so the good news is that there are tools. We certainly have a variety of products that we know help website owners reduce their risk of being a victim of a cyber attack or a compromise, and so things like vulnerability detection are important and vulnerability management so that you understand what you know risks you have on your website. We also think that looking at potentially malware on the website just like you have a virus scanner on your computer that’s going to tell you if you have something malicious there, there are products like that for your website that will identify and remove malware from your website, we have a product called Smart that does exactly that.

And then, just like you have a firewall on your computer there’s a website firewall that you can use to block attacks proactively that are coming to your website. Those might be from a targeted attacker, an individual who is motivated to come at your site directly or just automated attacks that are launched against any website looking for some of those vulnerabilities that we talked about before. So there’s a lot of tools out there. The good news also is that as technology has evolved these tools are affordable for law firms of any size to take advantage of. I think the biggest thing is just educating yourself that whether you need something like this and taking advantage of it because there are certainly options out there to help mitigate these attacks and block them so that you don’t experience one of these horror stories that we were telling earlier.

Sharon Nelson: And great stories they were. Before we move on to our next segment let’s take a quick commercial break.

[Music]

Advertiser: At least 80 of the 100 biggest law firms in the country had been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes Website Scanning, Web Application Firewall, including Distributed Denial of Service mitigation, and 24×7×365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives.

[Music]

Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigations, including workers’ compensation and surveillance. Find a prescreened private investigator today, visit  HYPERLINK “www.pinow.com” www.pinow.com.

(00:14:54)

[Music]

Sharon Nelson: Welcome back to ‘Digital Detectives’ on the Legal Talk Network. Today our topic is “Website Security for Law Firms”. Our guest is Neill Feather who is the President of SiteLock, the leading provider of website security solutions for businesses.

Neill, is it possible to completely secure your website from cyber attacks and breaches or do you really have to be prepared to respond to a successful attack?

Neill Feather: Yeah, it’s a great question and it’s one that we get a lot from customers. We have a lot of different products that help really reduce the risk of a cyber attack, and when you think about security that’s really what you’re talking about as risk management and how can you reduce the risk of an attack or of a breach. Nothing is really 100% in the security world, attacks continue to evolve and we continue to evolve our products and so do others in the space to help protect our customers. Anyone who tells you to have a 100% solution for security is someone that you would want to be questioning I think.

And so, we always recommend that you have multiple layers of security like belts and suspenders kind of approach to it, as well as in the worst-case scenario you really do want to have a breach response plan in place, so we think that’s something that’s important and we counsel our clients to do — think about if a breach were to occur through our website or through another means into our firm how would we want to respond, which groups from law enforcement would we want to involve, how would we want to communicate this to our customers, what types of things would we need to offer to our customers in order to make sure that they feel safe and that they’re going to be taken care of through this and breaches happen to firms of all sizes. So I think it’s something that is kind of prudent to be prepared for.

That said I think there are a lot of steps you can take to make sure that you’re not becoming a victim of these attacks and really reduce your risk of an attack.

Sharon Nelson: Well, I agree with you completely, and to tell you the truth, if I go to a vendor and they tell me that they have a 100% security solution, I strike them from the list.

Neill Feather: Yeah, everybody wants that kind of security blanket, but the reality is, unfortunately in our space and being a statistician I feel this way about a lot of things but nothing is a 100%, it’s really hard to find a sure thing, but we want to be as close as we can do that and we want to counsel people about being realistic that since nothing is a 100% you always want to be prepared.

Sharon Nelson: Yeah, absolutely.

John W. Simek: Well Neill, what are some of the website security mistakes that law firms make and I’m thinking back to your answer before the break. What about client portals? I mean, it seems website, because that’s kind of how they get in and that seems kind of a little risky for me.

Neill Feather: Yeah one of the things that we find is — the great thing about having your own website is that you can create a really great interactive experience for your customers and visitors, and so, with that we’ve done a lot of work and we have — as I mentioned over 6 million customers and we’ve examined what are the characteristics of websites that make them more or less likely to be at risk for a compromise, and one of the things is the more complicated and the more complex the site is and the more interactive it is makes it more of a risk to be compromised.

When you think about it that makes sense because there is a lot more of what we call an attack surface. You can attack the database, you can attack some of these dynamic components that are interacting with the user and there’s more different ways for an attacker to get at that site, and so, when you think about the risk of a website the more features you add, maybe the better the user experience, which is great, but it also means that you need to think about securing those features and working with experts to make sure that your site remains safe as it becomes more complex.

And I think one of the things that a lot of firms make and law firms included is that they underestimate their risk of being attacked, I think that’s generally true with people that we’re not great at estimating risk and so that people kind of feel like it can’t happen to me. When we talk to people a lot is that I never thought this would happen to me. I didn’t notice this was something I needed to be worried about and that’s I think the biggest mistake is that folks are not necessarily all educated on what risks they face in the cyber environment particularly around making sure that their websites and web applications are safe for their visitors.

Sharon Nelson: I certainly agree that many of them just are not aware education is always a problem with law firms, they are so busy doing what they’re doing that they don’t have time sometimes or feel they don’t have time to get educated on the technology they are using. So here’s a broad question. How will website security impact the legal industry in the future? So read some tea leaves and goat entrails and tell me what you predict?

Neill Feather: Making predictions in this market is always a risky proposition. It changes all the time.

John W. Simek: You’re asking a statistician to do a prediction.

Neill Feather: On a legal’s auction nonetheless. So I think about this environment that one of the things that I see kind of taking shape is this Internet of Things is really a revolution that is taking place and so many connected devices introduces a lot of questions into the security landscape.

(00:20:13)

From a website perspective particularly we’re introducing so much computing power and so many different nodes of computing power that the types of attacks that we see on websites now are coming from so many different places and are so highly automated and there’s so much traffic that they are pushing out to websites when these Internet of Things devices go bad and are being compromised and taken over and used against innocent website owners and other innocent victims to launch more and more attacks.

So what would I see the volume of these attacks and the frequency of these attacks is increasing. So I think for the legal industry be thinking about it, really making sure that they’re taking that responsibility to secure their sites because this kind of hiding and security by obscurity is really a thing of the past and you really need to make sure that you are putting the right pieces in place to protect yourself no matter the size of the firm or the kind of prominence of the firm or even, in the past maybe the biggest risk was probably around doing something controversial and someone trying to make a political statement by attacking you.

Now it’s really about getting access to information, computing power resources that you have that can be used against either your own customers or others in future attacks.

John W. Simek: Well, Neill, any last words of wisdom and please tell our listeners how they can get in touch with you or learn more about SiteLock themselves?

Neill Feather: Sure, thanks. I think just kind of on a closing note I know we talked a lot about scary things and security and what’s coming in the future and all of that, but one of the things that — because we live and breathe this stuff and I think a lot of folks use security as a chore. We would encourage you to think of it as an enabler and think of it as a little bit more, hey, I know that I can secure a very interactive website for my customers, so that and my clients, and that makes me able to do really interesting things with a client portal and give them access to information that maybe I couldn’t do in the past, and so security really enables me to give them a better experience.

And so, we look at it as an enabler of business rather than a chore and we encourage people to think about it that way as they are kind of building out these websites and web infrastructures. If you’d like to talk to us about it more we’d invite everyone to do that,  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives is the URL for the show. You give us a call, our phone number is there on the site or shoot us an e-mail at support@sitelock.com and we’ll get you set up, but we’d love to talk to folks about how we can be part of the solution for making sure that they’re giving their customers and clients a secure online experience.

Sharon D. Nelson: We’ve never done this topic before, Neill, so I was really happy when we had the opportunity to have you on the show because I actually think this is something that in the information security purview of lawyers is completely overlooked much of the time unless you’re an Am Law 200 firm, I think very few law firms look at website security at all. They simply trust the provider to provide the security and that’s the beginning and the end of it.

So I think you’ve opened up the eyes of a lot of our listeners and hopefully their ears as well, and your expertise is obviously vast, so I thank you for sharing it with us today, it’s been fascinating.

Neill Feather: Yeah, thanks for having me. I appreciate the time.

John W. Simek: Well, that does it for this edition of ‘Digital Detectives’, and remember, you can subscribe to all the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or on iTunes. If you enjoyed this podcast please review us on iTunes.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology, and security services at  HYPERLINK “http://www.senseient.com” senseient.com. We’ll see you next time on ‘Digital Detectives’.

[Music]

Outro: Thanks for listening to ‘Digital Detectives’ on the Legal Talk Network. Check out some of our other podcasts on  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.

[Music]