Escalating cyber threats demand heightened security practices for law firms

Episode Notes

Transcript

Robert Half Legal Report

Escalating cyber threats demand heightened security practices for law firms

10/19/2017

[Music]

Intro: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession related to hiring, staff management and more, with leading experts in the field. Robert Half Legal provides lawyers, paralegals, and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.

[Music]

Charles Volkert: Hello everyone and welcome. I am Charles Volkert, Senior District President of Robert Half Legal and the host of our program.

Joining me today is Scott Giordano, a Director of Robert Half Legal’s Consulting Solutions Practice. Scott is an attorney with more than 20 years of legal, technology and risk management consulting experience. He is an IAPP fellow of Information Privacy and a Certified Information Systems Security Professional. And he serves law firms and their corporate clients globally as a subject matter expert on the multinational data protection issues that are involved with companies and the intersection with technology.

Welcome to the show Scott. It’s great to have you today.

Scott Giordano: Thanks for having me on board, very happy to be here.

Charles Volkert: Great. Well, we are going to discuss cybercrime today, a hot topic that has growing implications for law firms and their corporate clients. We will examine some of the latest cyber threats that are emerging, why law firms are among the most vulnerable targets for cyber attacks and the risks that they face.

We will also discuss where firms are lagging when it comes to data privacy protections and share insights on strategies that firms are using to strengthen their defenses, mitigate their risks and enhance their overall security practices.

So, let’s jump into it Scott. There is no question cyber criminals are threatening the security of organizations around the world at an accelerating and truly alarming rate. According to the Cybersecurity Ventures, businesses around the world are expected to spend more than $120 billion on cybersecurity products and services by the end of this year. Juniper Research projects that cybercrime will cost businesses more than 2 trillion annually by 2019.

And it’s not only large companies that are being impacted. According to a study by Symantec, small businesses are increasingly becoming the target of hackers, with more than 40% of cyber attacks today directed at small businesses. And as we have seen from the recent hacks and ransomware attacks, law firms are not immune from these growing cybercrimes. Why are law firms increasingly becoming the target and focus of cyber attacks?

Scott Giordano: Well, they are doing so because criminals and state actors, I might add, correctly see attorneys as both sources of useful information and not particularly tough targets. I mean, think about all the trusted information that clients send to their attorneys. It could be their targets of mergers or acquisitions, it could be intellectual property, it could be details of actions that ultimately prove criminal or it can be just things that are just embarrassing to them. So, the list of opportunities to exploit is pretty long.

And if you couple that with the perception, deserve it or not, that attorneys are not particularly sophisticated in terms of information security, then you have got a bigger issue.

And I will give you an example. I have a friend who just bought a house. And the title company noted in every communication with them not to wire money to anyone during the closing process. And this is directly as a result of all the fraud that has been perpetrated because bad guys are breaking in to attorneys and intercepting communications with respect to the property closings. So, it’s a huge issue and it’s not going away anytime soon.

Charles Volkert: Unbelievable. What a great example that you provide for our audience there. And I couldn’t agree with you more. Research we have conducted about the adoption of technology by many businesses revealed that the legal field has typically trailed behind other industries in deploying innovative technologies and that applies obviously to security practices as well. Are there other concerns and reasons why law firms are lagging behind when it comes to data privacy and security precautions?

Scott Giordano: Well, security programs have the potential to be very expensive for organizations that already have a very low level of operating maturity as we say and the investment can seem daunting. So, it’s very difficult to get firms to make major investments when they don’t promise an immediate return. And it’s tough to prove the value of a bad thing that didn’t happen. So really you are in a tough position to get budget for things like that.

(00:04:50)

Secondly, a solid security program also requires a cultural change in an organization and it means setting standards for privacy and security, it means conducting training and it means policing all the compliance going on in the organization. And I can’t tell you how many times in my career, for example, I have seen confidential documents left on a copy machine or a fax machine and instilling the kind of needed discipline in an organization to prevent that kind of stuff is just not going to be easy.

Charles Volkert: Absolutely. And I have got to believe Scott that ongoing media coverage of security breaches and evolving cyber threats has significantly raised the awareness of the critical importance of sophisticated security protection. I can remember when news sources reported on the Panama Papers, more than 11 million documents had been leaked from the Panamanian Law Firm. The sheer scope of that incident and the resulting news coverage clearly underscored the imperative nature of law firm security activities.

I guess I would ask, how have law firm cybersecurity strategies and investments changed during the past few years?

Scott Giordano: My experience has been that the strategies tend to mirror those of the corporate world. So, for example, relying on cloud providers restoring documents and email or setting more stringent policies for creating passwords and also providing security awareness training, and this last item I am a big fan of. The best security measure ever invented is an alert employee.

So, there was an experiment some years ago where someone placed some USB drive just randomly in parking lots and then tracked who plugged them in to a computer. The fail rate, if you want to call it that, was about 70%. So proper training reduces the chances of someone falling for things like that.

Charles Volkert: Great information and great discussion Scott. Now it’s time for a quick break.

[Music]

Advertiser: To find, hire and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings and improve the overall management of human resources. We offer a wide range of resources to assist hiring managers and job candidates, including our annual Salary Guide, industry-leading workplace research and valuable interactive tools. For more information, call us at 800-870-8367 or visit  HYPERLINK “http://www.roberthalflegal.com” roberthalflegal.com.

[Music]

Charles Volkert: Welcome back to the Robert Half Legal Report. I am Charles Volkert and joining me today is Scott Giordano, a Director with Robert Half Legal’s Consulting Solutions Practice.

Before the break we were discussing how law firms are stepping up efforts to enhance security practices and defend against cyber threats. One point that was raised that bears repeating that law firms need to be vigilant in their security activities due to the dynamic nature of security risks today.

By all accounts the security threat landscape continues to intensify and evolve. The Information Security Forum forecasted key threats that businesses should anticipate this year, including the transition of malware attacks from PCs and laptops to under-protected smartphones and other mobile Internet of Things devices, more frequent and sophisticated cyber attacks targeting businesses, governments and consumers, and finally, more organized criminal activity that will prove more damaging and costly. In fact, Cybersecurity Ventures forecast that cybercrime will cost businesses globally more than $6 trillion annually by 2021.

Scott, as we look to the future, what cybersecurity threats are emerging that law firm should be paying specific attention to?

Scott Giordano: Well, if I had to pick three it would be the following. First up are state actors and the potential for state actors such as North Korea breaking into firms in order to find embarrassing information is just tremendous.

If you all remember the Sony hack that occurred a few years ago, it’s credited with North Korea being involved and disclosing all kinds of embarrassing information about Sony executives.

Also, there was a similar disclosure that took place during the 2016 presidential election, I think we are probably all familiar with, that was credited to Russia, and despite what you hear in the news media definitively tracing any of these break-ins to a particular bad actor is just tough. So, in some cases we are just never going to know.

Secondly, I think that sophisticated criminals are very important to be aware of, so these organizations either develop hacking tools or they steal them, they acquire them on the black market and then they use them to attack targets that just don’t have the resources to fight back.

So, a good example, ransomware. There has been ransomware attacks against hospitals and there is really no means for them to fight back. Same thing, believe it or not, with municipal law enforcement agencies, there’s these kind of attacks that underscore the importance of having a really solid disaster recovery and business continuity program, because in many cases they are never going to get their data back, so you really have to have that ready to roll.

(00:10:11)

And then finally I would put employee negligence in the top three. So, think about your regular employees at a law firm, your partners, think about just about anyone at the firm, all potential vectors for bad guys. And I suspect everyone on the audience here has seen emails with attached documents that were sent to the wrong people. I know I get them with some regularity on my own personal email. And in fact, our email system here at Robert Half will tell you if a recipient is someone outside the organization so that way you are not mailing someone who is outside the organization with the same name as someone inside the organization. So that’s a huge benefit for us to prevent things going out that shouldn’t be going out.

And then also the danger of clicking on phishing emails. Phishing emails are a huge issue. They are just so effective at inserting malware into systems. So, I would put that at top of my training list for anti-malware and anti-bad guy, if you will, would be phishing emails.

And then I guess to close the thought, it’s incumbent on firms to stay current on the threat landscape. I am just amazed at how fast these threats emerge. So, think about the whole phenomenon of ransomware. It was successful just a handful of times and then suddenly it was everywhere, almost overnight. So, one of the reasons why you have to be on top of these things is because if you don’t, the bad guys advance so fast and before you know it they have got you.

Charles Volkert: Great insight Scott as to what we are going to continue to see from your word the bad guys. And so, I am guessing as I am out there talking to the legal organizations, there are so many resources for our listeners to go to and to learn more besides just from your expertise. Could you share what’s available out there to law firms to help them stay on the cutting edge of cyber matters?

Scott Giordano: Sure, sure, happy to. Many of our clients look to the International Legal Technology Association or ILTA. It’s a really valuable source on intelligence, on security matters and certainly I spend a lot of time with the ILTA folks.

They do an annual study on Legal Industry’s Information Security Practices and just a couple of insights I will share with your listeners. So first up, more than 60% of the respondents said careless employees were the greatest security threat faced by the organization, followed by malware and cybersecurity threats.

The second point was that 65% of organizations in the survey had no staff devoted to information security.

And then finally, more than 60% of the respondents named the following list here, but I want to share with you as overall parts of the risk management plan. So, the first one was information security for mobile devices; second was disaster recovery and business continuity plans; third, security policies for the Internet and social media; the fourth was paper and electronic records retention; and then finally, additional security for protected data. So that’s their study.

There is also a study that was done by Protiviti, which is a global consulting firm that I work with; they are a Robert Half subsidiary, and very good study on managing cyber threats. So, I will share a couple of things from that survey.

One was that having an engaged board and a comprehensive set of security policies made a huge difference in the effectiveness of the organization to defend again cyber risk.

The other one was that most organizations need to enhance their data classification system and the management of data, as well as strengthen their vendor risk management policies, and I can certainly vouch for this last one, vendor risk management is a huge issue.

Charles Volkert: Great information for our listeners and a lot of resources out there that I know you constantly look at and discuss with your clients to stay on top of this. What other strategies Scott should law firms consider to boost cybersecurity protection and reduce risks to their overall organization as well as obviously their end client who they are servicing?

Scott Giordano: If organizations can only choose three things here would be the three off the top of my head. First is develop a firm-wide set of policies and procedures that relate to data security and privacy. And so, this would include things like an overall security policy. It would be specific policies. It could be your acceptable use policy, mobile device policy. And then finally I think a privacy policy would round that out very nicely.

Also, I would like the audience to keep in mind that a true policy includes the possibility of disciplining someone who doesn’t follow it. That’s one of the key questions I always ask is, if something is a policy, can someone be punished; if not, it’s not truly a policy.

Secondly, I am a big proponent of data discovery and classification. So, think about this as a system that identifies the various types of data in your information ecosystem and then tag it according to the sensitivity of it. So, say something is public versus proprietary versus sensitive. Your data loss prevention software then reads it and determines, for example, if you can even email something like a document.

(00:15:06)

Thirdly and finally, the value of vendor risk management cannot be overstated. The third parties, I have seen so many of them as being a big source of risk management issues. Certainly, go look at your agreements you have with these folks and really have a look and see what kind of data protection they are putting in place, whether they are enforcing it. No matter how many of these agreements I read between our clients and their vendors, I am frequently surprised by how many organizations just don’t take security seriously and that includes privacy issues as well.

Finally, as a closing thought I would like to mention there is an old saying that security is not a product, but it’s a process, and I think that still holds true and I think it’s going to hold true for the future.

So, it’s important to talk about infusing data security in everything you do, so you don’t have to think about it, it’s just something that always functions in the background.

Charles Volkert: Great discussion Scott and I would simply like to add that effective defense against cyber threats starts at the very top of the organization, with the law firm leaders. Your corporate executive senior management are ultimately accountable, as we know, far too often in the press, and need to be actively engaged in a firm’s overall cyber protection and readiness program. Not only with the development of security strategies and implementation of plans and policies, but assigning sufficient resources and expertise to the issue to maximize protection against risk.

Well, Scott, it looks like we have reached the end of our program. That was certainly an outstanding discussion and I am sure our audience gained a lot of information and expertise from you. A special thank you to you for joining us today, Scott.

Scott Giordano: Thanks for having me on board. I am very happy to be here.

Charles Volkert: Before we close, I would like to let the audience know how they can contact you and where they can obtain more information.

Scott Giordano: Best thing would be just to email me, because I am on the road often and it’s tough to get me on the phone, so best way  HYPERLINK “mailto:[email protected]” [email protected].

Charles Volkert: Excellent Scott. And I know you are so prompt in follow up that I am sure if one of our audience members has a question, you are great in getting back via email and setting a conference call, so thanks for being open to that.

Our listeners can reach me at  HYPERLINK “mailto:[email protected]” [email protected]. And you can visit the Robert Half Legal website for additional information on legal career and management resources at  HYPERLINK “http://www.roberthalflegal.com” roberthalflegal.com.

Thanks again for listening today. Join us next time on The Robert Half Legal Report as we discuss other important trends impacting the legal profession.

[Music]

Outro: The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice; as always consult a lawyer.

[Music]

Thanks for listening to this podcast. Robert Half Legal connects the most highly-skilled candidates with the best positions in the legal profession. Join us again for the latest information in the next edition of The Robert Half Legal Report here on the Legal Talk Network.

[Music]