How Can Your Law Firm Stay Ahead of Digital Hackers? with Jonathan Steele

Episode Notes

Transcript

Karin Conroy:

This is Counsel Cast part of the Legal Talk Network, and I’m your host, Karin Conroy. When you face a complex case outside your expertise, you bring in a co-counsel for next level results. When you want to engage, expand and elevate your firm, you bring in a marketing co-counsel. In this podcast, I bring in marketing experts who each answer one big question to help your firm achieve more. Here’s today’s guest.

Jonathan Steele:

Oh, hi. Thanks for having me on your show. I’m Jonathan Steele. I’m a divorce attorney in Chicago with a specialty or a focus on cybersecurity and privacy.

Karin Conroy:

Jonathan, thank you so much for being here. Today we are talking about cybersecurity ai, how that relates to your law firm and why it’s important. You’d be surprised how many times I have had clients or even potential clients where their sites are hacked or they’re having some security issue and all of a sudden it never occurred to them that this was a thing that could happen. They just don’t really put the pieces together of how it happens, why it happens, what they should have done, different, all of that stuff. So the title for today’s show is How can your law Firm Stay Ahead of The Digital Hackers? Thank you for being here to begin with. I appreciate this conversation. I feel like I talk about it a lot, but I think a lot of people set it aside. It’s kind of like this thing that my car got broken into this past weekend, and it’s one of those things that you have. I have the locks, I have a security system, but they popped a window and you kind of never think it’s going to happen, and when it actually happens, you’re like, is this real? Is this really happening? One little part of your brain that thinks some of these things are never going to happen, but they do. They happen all the time. So let’s talk first. What are some of these threats to a law firm in terms of cybersecurity, digital threats, everything that falls under that umbrella.

Jonathan Steele:

Okay, so you’re spot on as far as the light bulb moment. When that comes, it’s too late and most people aren’t thinking about it on the preventative end, and law firms aren’t particularly different in that regard. When something terrible happens that they get ransomware and they get locked out of their system, then they start to think, okay, what should we be doing? What should we have done? For a law firm, it’s a similar threat to other companies. Phishing is going to be the biggest threat, at least the most prevalent, and that’s preying on human psychology. You’re not really attacking a system, you’re attacking a human You’re hoping that they click a link, you’re hoping that they send money, something like that. Then second to that I think is business email compromise, where you get an email, it looks like it’s from a managing partner of a law firm asking you to do something urgently, sort of out of the ordinary, and then you peel back the name of the sender and you see it’s not the right domain name or it’s not the right spelling. And again, that’s preying on human psychology.

Karin Conroy:

You know what the one I have been seeing, I get a ton of spam, malware, phishing attempts because I have SEO services and things like that listed on my website and there’s a lot of people from these questionable countries that they just seek that stuff out and I do a good amount of social media promotion and things like that. The one I’ve seen a lot lately that has been very close to getting me is it’s coming from meta and it tells me that I’ve done something wrong. I’ve got a bad post and my account’s going to be shut down before I explain what my process is for. When I see something like that, let me have you walk through what should a person do?

Jonathan Steele:

Stop, slow down, put your phone down, go do something else. Think about it in the meantime, come back to it because rarely is there something that needs to be done right here, right now. And if Facebook, and I’m using some air quotes here, is writing to you and saying your account’s going to be suspended. You’ve got illegal content on there, act Now that may not be how they reach out to you and maybe their email address should be the telltale sign there. They’re not going to be emailing you from a Gmail account or anywhere other than a Facebook domain.

Karin Conroy:

And sometimes it takes me a minute and I have to look at those email addresses. So I use Google for my personal and for my business accounts. So within Google, and I think it’s similar for other inboxes, but within Google, when I look at an email, I have to expand it. It’s not just showing me the full email address by default. Usually it just shows the name of the person. And so the first thing is expand it. Look at the full email address, not just the name because the name from these hackers looks like it’s coming from meta. And then when you expand it, it’s like a bunch of weird characters, maybe a Gmail, maybe a Yahoo, but it’s not coming from Meta because they don’t have access to that domain, so they can’t send from a meta domain, so they make it look as close as they can to fool you. If meta really were contacting me, it would be something like violations at Medoc. It would just be super simple like that. It wouldn’t be like 7, 8, 9, 4, 3, 2. Some big long thing at meta misspelled.

Jonathan Steele:

Where that gets more confusing is when they’re not using a Gmail and they’re using meta analytics.com or meta reach out, meta notifications.co or something that has meta in the name. And so then even if you’re looking at the sender address, you’re not a hundred percent sure until you do a little bit more digging.

Karin Conroy:

So then I usually never click on the stuff in there and then the next thing I usually do is go into the whatever they’re talking about. So in this example, I would go into my meta ads account and there should be something corresponding in there. There should be some big red notification saying there’s a problem here. There never is, but I’m not kidding the number of times that it, especially in the beginning, the first couple of times I saw these emails, they’re very threatening and it just puts you on edge and it puts you on this defensive mode where you have to, like you said at the beginning, the first thing you need to do is stop, catch your breath, take a minute. It’s probably not true. The kind of content I’m putting on meta is not questionable. There’s nothing weird about it, but if you were like, some of my clients are sexual harassment attorneys, they have language that could be flagged just because of the nature of their work and not that what they’re posting is wrong or weird, but these bots sometimes flag the wrong thing. So it is important that you check it out because there are legitimate times when your stuff could be flagged and you could have a problem. If you do that kind of work, then you just have to be super, super careful.

Jonathan Steele:

There’s another tip that came to mind when you’re describing this because it’s the human factor. You can have the most secure computer, the most secure operating systems and firewalls and everything, but at the end of the day, the human’s going to be the weak link there, and it’s a numbers game. So if I send you 10,000 of those emails over the span of a few years, I might get you to click one. It might be at three in the morning when you’re sleep deprived. It might be during travel. You might just not have your wits about you and you might click that link. Something you could look into doing is setting up a filter where you basically tell Gmail, if I get an email with the subject line of meta and it’s not from a meta domain, send it to spam, send it to the trash so that you’re taking your human element out of it and you’re letting a filter do it for you.

Karin Conroy:

The other thing I like to do in terms of tips is I do report all that stuff. I do sit and flag all of it as spam, and then now Google has the option to block and report and then I won’t see anything from that IP address anymore. But they also get reported so that Google and Gmail, they’re super smart, they’ll figure it out and those IP addresses are usually flagged and blacklisted. So that is the segue to the next thing I want to talk about, because you mentioned earlier having your email compromised or hacked or having problems there, and where I see that a lot is if a website gets hacked and then that domain is affected and they don’t do anything about it instantly the threat there is that your domain is going to be impacted and then all of a sudden your emails stop working because obviously your emails are tied to that domain and you have blacklisted issues where they’re not being received. So this is usually when I’m talking to clients, this is where they start to get it and they start to freak out this idea that their emails will not go through. Usually when I get the panic phone call, it’s that they’re trying to email the court system or whatever and it’s not going through, and that’s when they’re at full freakout mode. So let’s talk quickly about how to prevent that, what your thoughts on all of that and what to do in those cases.

Jonathan Steele:

I think that’s just a good example of acting too late. There are preventative steps to do before that happens that we’ll keep it from happening. An ounce of prevention is worth way more than a pound of a cure in this context.

There’s a number of things you can do to keep your domain name reputable. As far as email deliverability, that’s a matter of D Mark records, D Kim records and SPF records. And if it sounds like I’m speaking a different language, it’s something where you buy your domain, GoDaddy, CloudFlare, whatever registrar you’re using to buy the domain. It’s a matter of just setting a specific record in that domain name and that helps tremendously with deliverability. If your website is hacked and your domain name is compromised and people start sending emails from your domain, your DIM records and your dmar records can be set up in a way, you can set up a policy such that if it’s not from you and it’s just spoofing your domain, that your emails are going to automatically go to spam. And so that’s going to help to keep your legitimate emails being treated as legitimate and somebody spoofing your domain as being treated as illegitimate. That’s going to help to prevent and to sort of curtail the outfall because if you let that go too long and your domain just gets flagged as suspicious in Gmail and Yahoo and the cleanup there is much more difficult.

Karin Conroy:

It is, and I’ve seen it take many, many days, sometimes weeks, and then there’s still little places where it doesn’t quite work and it is a giant, giant pain and I don’t wish that on anyone. And it’s definitely something you want to make sure that whoever set up your email that they know those three things that you were talking about, the DA, all of that stuff, because it’s become a requirement now and your emails won’t work quite right if you don’t have all of that security set up. But sometimes if you had an IT guy that you’ve been working with for 20 years and he’s kind of coming close to retirement and he hasn’t been keeping up on it, this is probably something that really got much more traction. I’d say in the last two years or so, maybe a little bit longer than that, but if you haven’t made any updates or improvements to your email systems and securities in the last couple years, that could be a big problem.

Jonathan Steele:

I’m hearing from businesses pretty often now, my outlook’s not working, my emails aren’t going through. It was a recent change for Gmail to require DIM records to be deliverable, and while it was publicized to some extent and I heard about it, that doesn’t mean that my kids’ preschool heard about it. So for a period of time, their emails weren’t going through.

Karin Conroy:

Right, exactly. And you think about every little business and all the different places that you might need to be emailing and getting in contact with, it just becomes a whole thing. So there again, make sure that’s all in place and you don’t necessarily have to do that. If you have a person who set up your email and you have a contact for that, just make sure that they know what that is because that should be top of mind for whoever you’re working with. In terms of your emails and your email accounts and all of that security, what other ways do you have in mind for people to kind of evaluate their overall level of security and whether things are an up to date or not?

Jonathan Steele:

You touched on something earlier that I think is pretty common that you have an IT person that became an IT person when we had typewriters, and so they’re a little out of touch with what the trends are and how to stay ahead of them.

Even just as easy as bringing in a fresh face, a younger person that maybe is outside the mold of what it used to be because maybe Microsoft isn’t the best route anymore. And when that generation was trained, that’s what they learned. They learned Microsoft, they learned Outlook, and that’s what they know and they know it well. Even that their infrastructure has changed over time. So you could still be out of touch with that, but bringing in a fresh face to evaluate, do we need to be wedded to Microsoft and teams and office? Is there a more secure, a more private platform that we could be using that’s helpful and likely if you’re finding a fresh face, you’re finding some younger blood to do this evaluation, they’re going to be trained in what’s called pen testing. That is an art of itself or a science in itself where you’re evaluating systems and servers to see are there soft spots, are there unpatched software on certain platforms that are just sitting ducks waiting to be hacked? So some pen testing is going to identify a lot of those threats.

Karin Conroy:

This is a real issue because we get a good amount of clients coming in where the first conversation starts with, we have a legacy partner or partners who are nearing retirement and they have a way and a thought about the way things should be done. And so this aligns with this part of our contract that says these are the following browsers that we support. We do not support things like Internet Explorer. Internet Explorer has not been a browser for more than 10 years. So I will just say in as kind and soft of a way, as I can say, if you have those guys on your team or in your firm, which many, many, many firms do, and so what’s typically happening is those guys are getting close to retirement, they’re bringing in a new group, but they are the cleanup crew first. Then they’re going to kind of come in and build their own thing, but first there’s usually a lot of cleanup that needs to be done, and the cleanup involves conversations around number one, internet Explorer is not a browser anymore.

We’re not going to ask her why it’s not working on Internet Explorer, things like this. But everything that kind of goes along with that, why are we using this? Oh, because Larry says if you have that kind of firm, which I’m not trying to be judgmental or critical, I am a little on the critical side, but it’s normal and it’s common, but there’s threats there, there’s problems, and it’s a thing that you come in and recognize, okay, we’re not going to keep doing things just because the only reason is because Larry says anymore. We’re going to take a look and have someone come in and maybe do some sort of an audit and say, okay, this is a serious threat. This could potentially do X, Y, and Z, and we’re going to present that to Larry and say, Larry, we’re going to stop with this.

Jonathan Steele:

I think that Covid did a good job of weeding out some of those generation of it because you had to pivot quickly to remote work, which required some skillset outside of that conventional Microsoft, this is how you do everything and have always done everything, You needed to replace that with Zero Trust or VPN solutions and get some of the older partners to start using Zoom and multifactor authentication to log into things. That was a real struggle that I witnessed in a law firm of the older generation, not only of it, but of the lawyers that needed to go through all these steps. It started to weed out some of the people that just could not keep up with that change,

Karin Conroy:

But if those are still in the leadership positions and maybe they’re on their way out, there is kind of a mindset and that has to happen first before you do any of this stuff. So if they don’t even realize kind of what the threat is and that these hacks and these attempts and the phishing, this is not just like maybe there’s a real possibility that you’ll witness at least some version of this and then there’s an absolute need for just being protected and having systems in place and thinking about this ahead of time. It’s just insurance. It’s like I haven’t been in a car accident in a long time, but I still have car insurance. I’m going to not do that because I haven’t personally seen it recently. So what else kind of legal implications do you have? I know that usually, and correct me if I’m wrong, usually when you’re having this conversation, are you talking to your clients more about their potential issues and that kind of stuff?

Jonathan Steele:

I have the conversation. I’d say in terms of frequency, it would be more often with clients. I lobby to my firm sometimes for changes and things that make more sense, at least in my mind. And so there’s an equal split there, but for the most part it is trying to counsel clients through security issues, privacy issues.

Karin Conroy:

So out of curiosity, what’s the difference that you see in terms of personal security and digital problems and threats as compared to your law firm?

Jonathan Steele:

I think privacy is more applicable to the personal level. People trying to keep where they live off of the internet, their social security numbers, hidden, things like that, keep control of their social media accounts. So I think cybersecurity as a concept is going to be a little bit more applicable to the business end and privacy is going to be a little bit more applicable to the personal.

Karin Conroy:

That makes sense. So what kind of legal implications, I mean just to maybe if there are those people who are having a hard time getting on board with this idea, maybe some of those more legacy partners and things like that, what are the legal implications of not addressing any of these potential issues?

Jonathan Steele:

I don’t know that the first one that comes to mind is a legal implication necessarily a more of a business implication, but I think if you get your reputation diminished by the fact that you suffered a data leak and all of your clients information is now on the dark web for sale and their social security numbers and everything about them, your reputation as a law firm is going to take a very significant hit.

It’s going to spread quickly that the reason that happened is because you were using an outdated system more because you didn’t train your employee or you didn’t train your employees, you didn’t do phishing training often enough, and it’s negligent to not do that. So I think that it’s a reputation problem first, but there are legal implications depending on the kind of law firm and the type of data that you store. If you’re a medical malpractice firm or you’re a family law firm and you have people’s medical records, if you’re not safeguarding them properly, if you’re not storing them in an encrypted way, you can find yourself in some HIPAA problems. And similarly, if you’re not storing people’s tax returns and their financial information in an encrypted way and then you leak it, you’re going to have some pretty unhappy clients that may have suffered tangible losses and you’re going to have some explaining to do.

Karin Conroy:

Yeah, okay. Awesome. I feel like that’s something that at least the lawyer audience can associate with and that’s like, oh, okay, that makes sense to me and that actually gives me a little bit of a motivation to maybe think about it in a more serious way. It’s kind of vitamins. I feel like a lot of people know that it’s a good idea, but it’s like maybe next week. And like I said earlier, if you don’t have the time and you feel like you’re maxed out and you don’t want to do all this, just hire the right person to get it done. And that’s probably the best case scenario in most firms, to get someone who actually knows this and knows what they’re doing and knows how to set everything up and evaluate what you need because it’s probably a bit bigger project than you realize.

Jonathan Steele:

I think part of the problem too is that people get wedded to this is the way we’ve always done something, and so that’s the way we should continue to do it. And it’s important just to understand that the threat landscape is not static, and so if you’re applying static defense to an evolving threat, you’re behind the eight ball.

Karin Conroy:

Yes. I had this cybersecurity expert on last year and he had some quotes and stats and I can’t remember the numbers and all of that, but he basically said, assume you’re going to be hacked. I mean, just assume that’s going to happen because from my side, when we’re protecting all of our clients’ sites, we have a security thing that we add onto every single site, and it’s constantly monitoring and shutting down attempts, whether it’s a malware, whether it’s through the contact form. There’s a handful of different ways they’re trying to get in, but it’s constant. It’s sometimes eight, 10,000 attempts a month. So first of all, this is not going to be handled manually. That would be stupid. And second of all, you just want to have it set up in a way where it’s addressing all of that and it’s doing it in a updated way because the thing that we use is constantly looking at where they’re coming from as opposed to let’s just say the TSA where we still are taking our shoes off for something that happened 20 years ago. You want to have protection that’s looking at what they’re doing today, what is happening today.

Jonathan Steele:

I think a good example of that is endpoint protection. So if you put an antivirus software on somebody’s computer, most likely that is doing signature based analysis, so it’s trying to see are any of the files that are on your computer known viruses, viruses that we’ve seen before, and then we’ll get rid of them and they do a good job of that, but that’s not the threat landscape anymore. You’re not really downloading viruses, you’re clicking phishing links or you’re getting your files encrypted with ransomware, and that’s the threat landscape. It’s zero day clicks and things like that. And so you can have this static antivirus and it gives you, if anything, a false sense of protection.

Karin Conroy:

Then when it comes to your website, that’s not even happening on your computer. That’s something that has to be handled in a different way. There’s all these different avenues that need to be protected. So speaking of that, it’s time for the Thought Leaders library. Our website has a whole curated collection of the book picks from all of our guests. So Jonathan, what’s the one book you think every layer should have on their bookshelf?

Jonathan Steele:

I like Michael Basel’s Extreme Privacy. I think he’s on version five now and every version’s better than the last one.

Karin Conroy:

What happens in each version? Is it just like what’s happening now in cybersecurity and kind of an update?

Jonathan Steele:

Yeah, so that’s the point is that this is an evolving thing, and so he can give spot on advice of how to configure your email or your mobile device today, and then that can be completely changed tomorrow. He’s gotten smart about it. He doesn’t push as much paper copies because of that. He does PDFs that up update as new things come out.

Karin Conroy:

That’s good.

Jonathan Steele:

So I think that was a smart pivot for him, but the book does sort of an excellent job of how to protect yourself, how to erase as much publicly available information as is possible and keep that data from resurfacing.

Karin Conroy:

I haven’t read this book, but I took a quick look at it. We’ll obviously link to it to the Amazon link and all of that stuff, but I will add just one other little sort of tangential tip is if you haven’t Googled your own name, first of all, I think everybody does that. We all have our own egos, but you need to do that from a privacy standpoint too. You need to know what’s out there. And usually there’s all these directories that are listing lots and lots and lots of private information and there are ways of getting that all removed and I recommend it. It’s really not a good idea to have that level of information out there for people to dig around in. A lot of damage can be done, especially from an identity theft perspective, so I highly recommend that. As another side tip is figuring out, just do a Google search of how to get your name off of these directories. I also recommend finding a service that will do it thousands of them, and you don’t want to do it manually.

Jonathan Steele:

You’re referring to data brokers. It is a crazy industry. Why it’s legal is shocking to me, but there are something like a Join Delete Me will automate the process of removing your information from all these data brokers, and there’s a lot of threats with the data Embroker disseminating your information. If you are a lawyer and your home address is Googleable, that could be a problem and you’re making yourself an easier phishing threat. The more information is out there about you, you’re easier to relate to. And so there’s a thousand reasons to,

Karin Conroy:

And it can be like they’ll be listing your date of birth, your mother’s name, your mother’s maiden name, all of those things that we all know are used in security hacks also, it’s just kind of creepy. Just nobody wants that level of data out there about themselves. So yeah, I wouldn’t be surprised if in the next few years some of that stuff gets shut down. It does seem very borderline, not legal.

Jonathan Steele:

I think it’s going to take, unfortunately, I don’t want to be the one that predicts this, but I think that it needs to take a member of Congress being doxed and having all their information disseminated something bad happening. All of a sudden you’ll see legislation saying, wait a minute, these data brokers aren’t a good idea.

Karin Conroy:

Yeah, yeah, a hundred percent. Alright, so what’s one thing that works?

Jonathan Steele:

Encryption?

Karin Conroy:

Yeah.

Jonathan Steele:

For now, there’s a caveat there about quantum computers and that’s sort of the unknown of the day, but even post quantum encryption that it works, that it keeps your data secure, whether you’re talking about text messages back and forth or emails or cloud storage, all of that is made secure by encryption. And so it’s a math thing. You trust the math, the math works, and it keeps your data secure.

Karin Conroy:

Well, pulling it back to your conversations more with your clients, you were saying that is the conversation you have more frequently anyway. I think it’s another recommendation to just people in general that when you’re going through whatever kind of issue you may be going through that requires you to reach out to a family lawyer. Think about the amount of data that’s out there, the amount of damage that can be done when you have some kind of conflict and someone’s really mad at you for whatever reason. And so thinking about this stuff ahead of time for them to not be able to make things worse is a better place to be.

Jonathan Steele:

Most people, I say this reluctantly because I know that password 1, 2, 3 is one of the most common passwords and that people don’t pay attention to cybersecurity like they should. If someone is secure, they’re most likely secure to outsiders. They’re outside threats. They’re not really thinking about is the person sleeping in the bed next to them that has access to their devices and has access to their data and might share an iCloud plan. And all of those attachments of data

Karin Conroy:

And passwords, they oftentimes no passwords,

Jonathan Steele:

Passwords, and they share a ring account or a Nest cam account. And so they’re very attached. And so people in a family law dispute face sort of a heightened threat.

Karin Conroy:

Yeah, because it’s one thing when we compare how my car was broken into this weekend, these are complete strangers, they’re not coming for me. They just wanted my credit cards as compared to that, a family loss situation where the’s so much more emotion involved and it’s personal and they are coming for each other. And so the motivation is different and the access to information is different. And so all the more reason you should be protecting this stuff at a even higher level than just thinking about these hypothetical strangers who are hacking into your website. And that does happen, but they have a different motivation. And if your website is set up well and also assumes that it could be hacked and has backups and plans in place for recovery, then they move on once that’s done. But your personal situation, it’s a whole different situation.

Jonathan Steele:

No, that’s right. And that I think hopefully if people are listening and they’re interested in some level of security or some level of privacy, I think it’s important for people to understand that it’s not a light switch. It’s not one day you’re secure and the next day you’re not or vice versa. It’s a continuum. It’s not a sprint. It’s like a marathon. And you can do little things in your daily life that make a big difference and those things are worth doing because the cleanup on the backend is much more painful. So if you have to deal with a little bit of friction and you have to type in an extra code when you log into your email, it’s going to be worth it instead of having yourself locked out of your email.

Karin Conroy:

Yeah, I was going to add as my last kind of takeaway that to just repeat what you were saying about how it’s an ongoing process and like I was saying earlier, if you set this stuff up and haven’t touched it in four or five years, you’re not secure anymore. It’s not a one-time thing. So it needs to be an ongoing process and things are changing on a daily basis and you need to kind of keep it in mind that it’s something that you need to be, either you need to be paying attention to and staying on top of, or you need to have someone else who is doing that for you. But what would you say your biggest takeaway that you’d like listeners to get from this episode is?

Jonathan Steele:

I think at the beginning you mentioned that people think it’s not going to happen to me, and I think that’s an unfortunate and very common thought process. Somebody else has more money, so they’re going to be a more valuable attack target, and that may be true. Maybe they have more money, but maybe they’ve put more energy and money into their cybersecurity, and so maybe they’re a harder target and it is just a numbers game. If somebody’s hacking or trying to hack, they might be trying to hack a hundred thousand people and if you’re just easier, you’re the one that’s going to be a victim of that attack. It may be limited reward in terms of what you had in your checking account, but multiply that by a thousand people when it becomes worth it for them. So they’re not necessarily trying to hack Bill Gates and Elon Musk. They’re going for easier targets. Yeah,

Karin Conroy:

Right. Can you imagine the amount of security those guys have, even just actual security guards and all of that stuff. I mean, I wouldn’t pass up a couple billion, but at the same time, I would not prefer to have to have physical security around me 24 hours a day. That sounds gross. Yeah, I think that’s a really good point, and I think that’s a good kind of takeaway endpoint to leave it on where just assume that you probably have holes and that you need to stay on top of it and that it changes so often. Thank you so much for being here. Jonathan Steele is a family attorney and partner at beerman LLP in Chicago and does a lot of work with cybersecurity and obviously talking to your clients and being on top of and in front of all of that. So that was a really great and helpful conversation. Thank you so much.

Jonathan Steele:

Thank you.

Karin Conroy:

Thank you for listening to this episode of the Counsel Cast podcast. Be sure to visit our website at Counsel Cast dot com for the resources mentioned on the episode and to give us your feedback. If you enjoyed this episode, I would appreciate if you could rate and review the podcast on Apple and subscribe to your favorite podcast platform. See you on the next one.

Continue Reading