What Constitutes Ethical Cybersecurity for Law Firms Today?

Episode Notes

Transcript

[Music]

Intro: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues, and what’s really happening in the trenches. Not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 142^nd edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson. President of Sensei Enterprises, a digital forensics-managed cybersecurity and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is, “What constitutes ethical cybersecurity for law firms today?” Today Sharon and I are going to discuss how much cybersecurity has changed over the past year giving us pause for thought about how lawyers should be looking at cybersecurity in 2023 because ethical standards for cybersecurity have evolved very quickly during 2022. Our overriding question is, “What does reasonable cybersecurity mean as we move into 2023?”

Sharon D. Nelson: I think John that that question has been answered more than usual with some force during the course of this year. A lot of ethicists are speaking about it, particularly about ethics rules 1.1 Competence, and 1.6 Confidentiality. Those are the two primary rules which are impacted by cybersecurity though certainly there are others. But the standard for both is reasonableness. But what’s reasonable has certainly changed over time as we’re always saying, “Sadly, there is no set it and forget it with cybersecurity.” We find every day as we read that something else crosses our vision and we say, “Oh gosh, we got to do something about this at this firm or whatever.”  It’s never-ending. Right? 

John W. Simek: Oh, for sure.

Sharon D. Nelson: So, both John and I have had the great privilege of working with and speaking with legal ethicists across the country since we do so many presentations. So, what we’re telling you today is pretty much in keeping with what other folks are saying and all the measures we will talk about today are deemed reasonable or getting to be reasonable, and we’ll try to sort those out. So, let’s begin and for a very, very long-time law firms believe that their server should be on-premise that it was dangerous to put law firm data in the Cloud. Now, since the pandemic hit, we’ve seen virtually all law firms move their data to the Cloud if it wasn’t already there. Why is that now so important and especially to ethics?

John W. Simek: The reality is that the Cloud is going to protect the firm’s data a heck of a lot better than the firm can do itself. Now there are exceptions. If you’re very, very large mega firm, you’re dumping a lot of money into infrastructure, security, et cetera. If you are an AmLaw 10, certainly there are a lot of bucks you’re spending. But generally, most law firms the solo small and mid-market in particular, they’re not doing those kinds of investments. The Cloud providers, however, they’ve got full-time security professionals on staff. That’s all they do. They eat, sleep, and breathe cybersecurity. They’re constantly patching, they’re constantly doing the reviews or they’re checking their monitoring, they’re doing all those things to make sure that they’ve got the utmost in the secure environment. They can actually protect the firm’s information much, much better. But going to the Cloud certainly has had some great advantages. We’re becoming a more and more mobile workforce, right? There is more work-from-home environment. There is more partial work in the office work-from-home. The whole hybrid thing, the Cloud’s more scalable. But the whole hybrid environment has changed the landscape. I think Sharon, what you let into is that reasonable, right? As this is one of the primary drivers as to why things have changed so much during 2022, but specifically for the Cloud, I just want to point out the folks that want on-premises equipment versus going to the Cloud and I think that correct me if I’m wrong, but we only have one client, right? As a holdout that has an on-premise solution everybody else is in the Cloud, right?

Sharon D. Nelson: There is just one and we’re still working on them but believe it or not it’s really tough to sell people good advice.

(00:05:05)

John W. Simek: Well, I think that one client Sharon D. Nelson: Well, I think that one client if my memories are right, they have an international client that actually has forced them as a law firm to make sure that they have their data on-prem. So, that’s a kind of unique situation for them, but all the other law firms that we deal with it, which is hundreds, everybody’s on the Cloud. But in particular, I want to talk about Microsoft Exchange and Microsoft Exchange jeez I’m going to get the dates wrong here. But if my memory is right, at the end of last year, the end of 2021, there are four zero-day vulnerabilities were discovered, and then, once those things were discovered, what happened? Cybercriminals were out attacking the on-premise exchange servers, all four vulnerabilities simultaneously. I think the important part is, it wasn’t just cyber criminals that were doing it. These are state-sponsored folks, that’s as the folks did the investigations, they discovered that. So, all right, well, now that’s back last year this 2021, and the good news is that exchange online was not impacted, right? The Cloud version was not, but then you fast forward to 2022, and this is about less than a month ago, two more vulnerabilities, zero-day vulnerabilities were discovered in Microsoft Exchange. What happened? State-sponsored, attackers jumping on that again, and they’re attacking those on-premise exchange servers, and once again, exchange in the Cloud was not impacted. So, we’re just talking to roughly a year’s time here where we’ve seen significant attacks occurring on on-premise solutions. Well, I don’t know about you, but that certainly would make me take a good hard look going to the Cloud if I wasn’t already there.

Sharon D. Nelson: Absolutely and I do think people had caught on to this and since the advice has been almost universal, I know we are perhaps unique and only seeing one, but I think most of the managed service providers have seen fewer and fewer of folks who want to have the on-premise now because the advice is so clear, but perhaps the most striking change over the past year and maybe two years has been the clear advice of everyone in cybersecurity that enabling multi-factor authentication is now the single most powerful cybersecurity move law firms can make. We’ve even seen Microsoft, again and again, speak out about this, and cyber insurance firms almost across the board are demanding that you enable MFA. So, would you talk a little bit about why it’s so important, John?

John W. Simek: At the end of the day, MFA is going to significantly improve your security posture. Microsoft’s own data as they looked at all the Microsoft 365 users that are out there, what they discovered was that those folks that had multi-factor authentication enabled, 99.9% of the credential-based account takeover attacks were stopped because of that. I mean not quite a hundred, but if you look at Google and what Google has done, when they implemented MFA using their Titan hardware token for their employees and even today, they say that not a single employee and single Google employees account has been compromised since they made that conversion, so that’s one hundred percent. So, when you look at those kinds of stats, it’s very, very clear, and for those folks that maybe aren’t that familiar with MFA or 2FA, it’s really a second factor. It’s another factor for you to use when you’re authenticating, and when you’re logging into your environment. And they’re really, we’re jumping on this whole podcast today to talk about reasonableness, and this is really, really reasonable primarily because MFA for the most part generally is free. So, that makes it very, very reasonable. The expense to the law firms, to the lawyers, really isn’t there at all. There may be some configuration costs upfront depending on the applications et cetera that you’re using, but overall, you can’t get much better than that, right? Almost a hundred percent in blocking, unauthorized attacks, and no money, which road would you take?

Sharon D. Nelson: It doesn’t get much better than that but despite our pleas for clients to adopt this, we have had a couple of law firm clients refuse multi-factor authentication as being too much trouble. They just don’t want a second step and employees hate a second step. They don’t want to have their phone in the same place as their laptop. They don’t want to do something not only on the laptop to bring it up, but then to authenticate it on the phone. So, they don’t like any of that. So, we documented these clients that were resisting our advice, we documented it and they refused to take it and as you might imagine, both got hit by cyberattacks. I give the law firms full credit, they owned up to their failure to take good advice and asked us very politely if we would now, please have restored their systems, so that we would now please install 2FA. They learned and sometimes, it takes something like that and thank God there was nothing really horrible that happen here. 

(00:10:03)

Sharon D. Nelson: It was bad, but it wasn’t horrible so, they were good. But John, what, I think would be helpful because people don’t understand how easy it is really to get used to it. I didn’t like it at first. I mean, it is one more thing. It’s just one more thing and that’s why they are resistant

John W. Simek: Another lawyer resistant to change.

Sharon D. Nelson: Yeah, well I was that lawyer too. So, if you would tell us about the four kinds of MFA, maybe least secure to most secure, and how easy each of them I mean, that’s I think helpful to people.

John W. Simek: Generally, and then I’m going to again talk in generalities. I’m going to talk about technology. I’m not going to talk about people, but everyone’s pretty much used to the “Hey, I can get a text message.”  that SMS text message to your phone, and that’s your second factor. So now you’ve login, you get this text, you get a number you type that number in, and off you go. Of all the forms of that second factor, which is the least secure of them for a bunch of technical reasons. There’s a process called Sim swapping et cetera because text messaging basically if you think about it, assumes that you the user, you’re the only one that has access to that phone. The software doesn’t know that you don’t have the phone somebody else has the phone or somebody else stole your phone number. But again, if that’s the only choice you have, then by all means use it. It’s a heck of a lot better than not having 2FA but is the most common one. And some folks actually are there resistant to that, Sharon because they say, “I don’t want to give my cellphone to somebody.” They don’t want to expose their cellphone number. They’ll give it to their clients, but they won’t give it to a software vendor and that I don’t get it. But anyway, so there’s that piece of this the first and most common one. The second more secure way to do it is to use an authentication app something like Authy, Duo, Google Authenticator something along those lines. And what that is, you install this app on your phone, and it generates a code every 30 seconds, the code changes, and the number changes. So, you’re not getting that transmission of that text message, and you log in, and then it’s going to say, “put the code in,” you look at your phone, you launch the app, you look and say, “okay, for this particular site, I need and here’s my number” and you put that in and then off you go. So that is a more secure way to do that. Now, having said that though, not all systems give you multiple choices, right, to do this, to do the text messages, to do the app, etcetera? What I’m describing though is if you have a choice between text messages and using the app, use the app, certainly. The third level then it’s called push notifications. This is where you have that authentication app, but you don’t get that number, that code when you log in, then a notification comes to your phone and then you just answer yes or no, or go or no, go or stop, go whatever the notification, however, comes in. So, that’s the third level. That’s the technology now, as, Sharon, there is this thing called push fatigue, where someone will sit there and all of a sudden, their phone lights up. It’s a push notification and they say, “Oh no, I’m not logging in. No, I’m not doing that,” And then 10 seconds later another one comes. “What’s going on? No.”  And then another one. “No. No.”  And they keep the answer. No. And after a couple of minutes, to get really tired. “Oh, the hell with it, answer yes.”

Sharon D. Nelson: We’ve seen that of course.

John W. Simek: Oh, yeah. Oh, yeah.

Sharon D. Nelson: in a live case where that’s how the intruder got in.

John W. Simek: That’s right. So, they pound away at you, that’s called fatigue, right? They keep hammering and hammering, and hammering, till the user just says, “Ahh” and they don’t think, they’re just annoyed. And they say, “Okay, go ahead” and that lets the attacker in. But having said that that’s the human element. The technology is pretty strong. It’s the human that screwed it up. And then the fourth and more secure one is that hardware token, the Yubikey, the Titan key, whatever it is, where you have a physical device, and when you go to log in, you stick this key into your phone, into your laptop, whatever it is and then it reads that, and that’s what authorizes you in there. That’s the most secure. I’ve gone through these, these four different things, but the one I think to talk about the reasonableness Sharon, that you mentioned and why people are resistant is, in a large portion of the time, you can say “to trust your device your login for a certain period of time.” Seven days 14, 30 days, whatever it is, so you’re not annoyed every time by the second factor, so that helps it a little bit.

Sharon D. Nelson: It does and of course, the insurance companies are very keen on MFA, so you’re probably, you’re either not going to get insurance if you don’t have it, or you’re going to pay a huge premium for not having it, but mostly you’re going to get coverage declined. 

John W. Simek: That’s correct. 

Sharon D. Nelson: So, before we move on to our next segment, let’s take a quick commercial break.

(00:14:56)

Female Advertiser: As a lawyer, insurance is one of the last parts of your job you want to spend unbillable hours on. That’s why thousands of lawyers have switched to Embroker. Embroker offers A-plus-rated insurance for law firms. You can quote and buy instantly online. If you need help, they have experts on standby. Go from sign up to purchase in 15 minutes by visiting Embroker.com/law. That’s E-M-B-R-O-K-E-R.com/law

[Music]

Female Advertiser: Looking for secure legal software to help manage your firm’s matters in the Cloud? With Clio’s Cloud-based legal software, you can safely manage everything, from client intake to billing, from one secure platform, so that attorneys can spend more time doing what they do best, practicing law. To learn why over 150,000 attorneys, firm staff, and IT leaders trust Clio, visit clio.com, today. That’s Clio spelled C-L-I-O dot com.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is, what constitutes ethical cybersecurity for law firms today? At this point, John all legal ethicists agree that law firms have a duty to monitor for a breach. Again, this is a reasonable measure to protect client confidentiality. So, tell us John, what, especially for small firms, what are reasonable measures to monitor for a data breach?

John W. Simek: I want to talk quickly about one of our favorite products which is a product from Cisco called the Meraki. That’s M-E-R-A-K-I. Meraki is a combination firewall, intrusion detection, and intrusion prevention system, and you can get other add-ons like wireless, that kind of thing. But the IDS, the IPS that intrusion detection, intrusion prevention system is the one that’s going to help you and meet your requirement to monitor for that data breach. Originally, IDS/IPS is when they first came out with thousands of dollars, the Meraki however is only a few hundred bucks. I mean, they make larger ones for larger firms, bigger firms, mid-sized firms, and large firms, but for the solo small market, you can get a Meraki in the three-to-four-hundred-dollar range. It’s a one-time purchase and that’s the hardware cost. You license the software. The software is licensed. We do it for our clients for a three-year term and in that three-year term get the cost of that license down to around $300-$350 a year. So, it’s very, very, reasonable. There’s that word, right? And what this does then is it brings that to you, right? It brings that, it brings a lot of other features, but that that ability to monitor for that data breach to get all that functions built into that system, a very, very affordable solution.

Sharon D. Nelson: Yeah, is there anything else you want to talk to you about that or do you want me to head over to third-party security assessments?

John W. Simek: Well, I could spend a lot of time talking about the Meraki. I really do like it. I mean it’s Cloud configurable, all of the different features et cetera for it.

Sharon D. Nelson: Maybe we should say, John too that our clients love it. They’ve had it for a long time. It works like a draft horse, it never gives up, and it’s not crazy expensive. So, the fact that we were able to locate such a fine product at such a low cost has really been a blessing for the clients.

John W. Simek: I was going to say we’ve been implementing these for years for our clients, and the other thing you want to say is, we don’t get any financial kickback either.

Sharon D. Nelson: No. It’s just the best thing we found, so we’re sharing. All right, how about if we move on to security assessments by third parties and the cyber insurance companies really want that now? A lot of them require it and here they’re doing you a favor even though it costs money because you can’t fix what you don’t know is broken. So, these are really valuable assessments because you get an outside consultant, who does a full assessment of your network, and usually, you can and should be able to get this done by paying a flat fee which includes a report documenting what was done as well as the critical vulnerabilities, which you need to fix right away, the medium level vulnerabilities, which you might have a little time to budget to fix those, and more minor vulnerabilities, which you can plan to address as you can in your budget allows. Clients too often request these assessments, and they can sort of be used as a marketing tool. Not one that you would use publicly, but when in private discussions with potential or actual clients, clients want reassurance these days that their data is secure, and of course, a lot of law firms have been breached, and clients have been impacted, and I think you have a cyber insurance tip to offer, John?

John W. Simek: One of the tips that I want to tell folks about is, it’s all about the broker, make sure that you’ve got a broker that’s familiar with cyber coverage because they’re your advocate. 

(00:20:01)

We had our own, Sharon, as you know our own personal experience where our insurance broker that we’ve had for over 20 years just wasn’t up to speed with a lot of the cyber things, and we weren’t getting what we felt was adequate coverage for a fair price, and especially as the prices start going higher and higher, right? With the 30-40 percent a year increase in premiums, we got off that horse, got a different horse, change brokers, and the broker that we ended up with was very, very, very, good and new to the marketplace, knew the players, and we’re actually paying less than our premiums and getting better and more coverage.

Sharon D. Nelson: And we have found that this is a tip that most people actually don’t know about. So, do explore your broker because that is a great tip, and then I want to move to one of the most important and reasonable cybersecurity measures you can take, and that is to offer at least once a year and twice as better, cyber security awareness training for your law firm employees, because employees are involved in, and I’ve now seen in the last couple weeks, I’ve seen eighty percent of successful attacks, eighty-two percent and eighty-five percent, but you get the point, they are involved in the vast majority of them some way or another. So, this kind of training is very important in a hybrid work-from-home world which we’re still living in, and it may be required by your cyber insurance carrier more and more we see that it is. To state the obvious, if you go to a large cybersecurity firm like CrowdStrike, which is a great firm, you’re going to get a bigger price tag for that training. So, smaller firms are fine, and if you have a solo, small, midsize firm, you might want that so long as you can and make sure they have high-level cyber security certifications, maybe you get some references, et cetera, et cetera, but you want the more modestly priced. And just by way of example, sensei’s one-hour presentation is $500, and trust me, employees cannot take in more than an hour of this kind of material. They are simply overwhelmed by the information that comes with cybersecurity. So, one hour we find is perfect. We suggest that you never use in-house IT because they don’t carry a big enough stick. They’re people that are known as the outsiders coming in from somewhere else, the pros. The pros from Dover as they used to say and mesh those are better. So, make sure you get a recording of the trading, so it’s available to anyone who couldn’t make it and so, you can use it as well to train new employees, because it will be viable for some time, and the training session itself should include recommendations for safe computing behavior, education on spam, phishing, including standard phishing, targeted phishing, voice phishing, SMS phishing. There is an endless pool of phishing with some real-life examples to make the lessons stick. The employees need to truly understand wire fraud and business email compromise, and how the schemes work. Criminals are brilliant at social engineering, so they need to hear some of those real-life stories too to hammer the lesson home. There are a lot more topics in this session, but I’ll run out of time if I try to list them all, but you get the message that this sort of thing for $500 or so, that’s a very reasonable measure and that’s well within the ethical requirements.

John W. Simek: I will put my hat on that as well, Sharon you may not have a choice, right? The cyber insurance provider may require that you do that. I can’t last year two years, all the applications that we’ve seen They specifically asked for that. In the last year, two years, all the applications that we’ve seen, they specifically asked that.

Sharon D. Nelson: They ask if you have it and or they require it one or the other but it’s one or the other, for sure. 

John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.

[Music]

Female Advertiser: Are you looking for a podcast that was created for new solos? Then, join me, Adriana Linares, each month on the New Solo Podcast. We talk to lawyers who’ve built their own successful practices and share their insights to help you grow yours. You can find New Solo on the Legal Talk Network or anywhere you get your podcasts.

[Music]

Male Advertiser: They say, “the best things in life are free,” which either means the Legal Toolkit Podcast is pretty awesome or we’re totally committed to the wrong business model. You’ll just have to tune in to find out which it is. I’m Jared Correia and in each episode, I run the risk of making a total ass of myself, so you can have a laugh, learn something new and why not maybe even improve your law practice. Start believing in podcasts can be both fun and helpful. Subscribe now to Legal Toolkit. Go ahead, I’ll wait.

[Music]

Sharon D. Nelson: Welcome back to the Digital Detectives on the Legal Talk Network. Today our topic is, what constitutes ethical cybersecurity for law firms today? So, John, let’s move to zero-trust architecture.

(00:25:01)

Sharon D. Nelson: Three words are kind of foggy to other people in our profession. The lawyers just don’t get it, but I think you and I both agree that ZTA as it is known will be ethically mandatory within the next two years. So, we’re getting a little bit ahead of ourselves, but this is to be something all the large firms are working on, many of the mid-sized firms, and the solo smalls of course they’re lagging as they always do. But let’s explain what ZTA is in the need to budget for it. I should mention before I turn it over to you that the federal government is on track to adopt ZTA as a whole by the end of 2024, and that’s going to create, I think a standard by which we are all going to be governed. So, John, tell us about ZTA, why it’s so critical, why protecting the perimeter is worthless these days, and why VPNs are going to go away.

John W. Simek: Well, VPNs are on their way out but zero-trust architecture basically in a nutshell, and I’m not going to get into the whole propeller head, park, and protect your explanation of it, but essentially, you can’t trust anything anymore. We used to have this wall, right, the moat, the perimeter around, we knew where our employees where we knew where our computers were, you were inside that wall inside that moat, so we knew what to protect, right? We knew where the folks were, we had on-premise servers and whatever. Well, that’s not the case anymore. As we’ve been talking about here, we’re more in the Cloud. We have more mobility. It’s not just one Cloud, we are in multiple Clouds, so they’re all over the place. Our employees are all over the place. They’re out at home. They’re working a couple of days if not, all the time or they’re in the office. So, now you’ve got this device that goes, what does that mesh thing, right? In the episode, Sharon was like, “I can go in, I can go out, and I can go in.”

Sharon D. Nelson: That’s Frank Burns,

John W. Simek: So, you’re not really sure where it is. So, basically, with zero-trust is trying to impose upon folks that we need to authenticate every device, every person, and every access to data every time, right? It’s not automatic. And then once you’re connected, we have to re-authenticate that’s in a nutshell what zero-trust is. VPNs have been used as a way to have this remote access, right? The secure encrypted connection to come into the network. The fallacy is that folks think that VPNs, the folks and cyber insurers, by the way, the carriers believe that this is the panacea of VPNs are bulletproof yada, yada. No, that’s not true. VPNs have vulnerabilities. In fact, I just read a recent study a couple of weeks ago, there are over 500 documented vulnerabilities for VPNs that are contained within that, what’s called the CVE database. And so, if you’ve got that many of them and they’re not patched, by the way, that’s why they’re still in that database. That’s one of the reasons, and why VPNs are coming out of favor because of the vulnerabilities that are already there that have been identified to them. But another reason that folks are looking at, is the VPN you assume that the device is trusted. So, imagine this, if it’s outside the network, and that device gets compromised, but yet it’s coming into the network, it can wreak havoc, so that a single infected device can actually infect the entire network. So, that’s not very good either, right? That’s another reason that ZTA is coming on strong, and why folks are moving away from VPN. So, I hope that answers it.

Sharon D. Nelson: Yeah, think so, and really part of our message here is, this may not be ethically mandatory yet, but it’s going to be soon. So, you might as well start learning about it and budgeting for it. 

John W. Simek: Yeah, budgeting I think is the big important thing.

Sharon D. Nelson: So, let us end with previewing for our next Digital Detectives episode a bit because we were kind of excited to see from a friend of ours that Pennsylvania has issued two new ethics opinions; one of which suggests that it is unethical to use email to communicate with clients and I can hear the “Oh no” already from the lawyers and there was another one —

John W. Simek: What did I do with that fax machine?

Sharon D. Nelson: Yeah, maybe they’re going to have to dust the dust off, but anyway, and then there was another opinion following on the heels of a recent New York ethics opinion stating that it is unethical to share your contact information with apps without meeting a list of criteria as to how it’s going to be used et cetera, et cetera, and our guest for that session will be Dan Siegel, the chair of the Pennsylvania Bar Ethics Committee. Dan is very impassioned on this subject, but I think that some of it will be controversial for some people, and that said, I believe we’ve given the audience a lot to think about for one episode. Don’t you, John?

John W. Simek: We sure as heck have and hopefully their heads aren’t hurting. Well, that does it for this edition of Digital Detectives.

[Music]

And remember you can subscribe to all the editions of this podcast at Legal Talk Network.com or an apple podcast. And if you enjoyed our podcast, please rate us on Apple Podcast.

(00:30:08)

Sharon D. Nelson: You can find out more about Sensei’s digital forensics, managed technology, and managed cyber security services at S-E-N-S-E-I E-N-T dot com. We’ll see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and on iTunes.

[Music]