As technology continues to become ever more integrated into our daily lives, the challenges that law firms face grow and evolve. Many tech-savvy clients are not only concerned with a lawyer’s ability to represent them but also their ability to protect their files and privileged communications. With more instances of data breaches and hacking being mentioned in the mainstream media, what can a law firm do to shore up their cyber security?
In this episode of the Digital Detectives, hosts Sharon Nelson and John Simek sit down with LMG Security Founder and Senior Security Consultant Sherri Davidoff to discuss cyber security and the audits that are currently available for law firms. Sherri gets the conversation started by breaking down some of the more complex cyber security terminology into easy-to-understand language. The group then ponders factors, such as the loss of client data and law firms being hacked, that prompted this cultural shift within the profession and some of the elements that made it difficult for the industry to justify investing in cyber security until now. The focus then shifts to an analysis of the options available to law firms that are seeking to improve their security standards and ways to prepare lawyers to better interact with clients that might ask to see a firm’s cyber security audits. Sherri then caps off the conversation with a discussion of risk assessment, risk management, and how you present these plans to your clients.
Sherri Davidoff is a nationally recognized cyber security expert who is a founder and senior security consultant at LMG Security. She has over a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing, and web application assessments. Davidoff is an instructor at Black Hat and co-author of “Network Forensics: Tracking Hackers Through Cyberspace”. She is a GIAC-Certified Forensic Examiner (GCFA) and Penetration Tester (GPEN), and holds her degree in computer science and electrical engineering from MIT.
Digital Detectives: Cyber Security Audits and Options for Your Law Firm – 4/7/2016
Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you could use in your law practice. Right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 67th edition of Digital Detectives, we’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.
John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is Cyber Security Audits for Law Firms. We’re delighted to welcome as today’s guest, Sherri Davidoff, who is the CEO of LMG Security and the co-author of “Network Forensics: Tracking Hackers Through Cyberspace”. She has over 15 years of experience as a cybersecurity professional, specializing in digital forensics, penetration testing and security awareness training. Sherri is a GIAC-Certified Forensic Examiner (GCFA) and a Penetration Tester (GPEN), and holds her degree in computer science and electrical engineering from MIT. Sherri was also a recent speaker at ABA TECHSHOW where Sharon and I got to meet her. Welcome, Sherri.
Sherri Davidoff: Thanks, John, it’s always a pleasure to get to hang out with you guys and we have fantastic discussions. I’m looking forward to it.
Sharon D. Nelson: Why don’t we start at the beginning and ask you to define for us what a cybersecurity audit is, because I’m suspecting many listeners don’t know at all.
Sherri Davidoff: Well, I think as you know, that is a trick question. I’m not sure anyone is precisely sure what a cybersecurity audit is. If you ask five different security companies, you will get five different answers and probably five different reports. We are in a very new industry right now. But typically, what you would get if you ask for a cybersecurity audit or if someone asks you is what we would call a controls assessment or a gap assessment. So you would go through a cybersecurity framework which is basically a checklist of the things you need to do for cybersecurity and determine whether or not your organization is in compliance with each of those items in the checklist. I’m curious to know from your perspective is that what you’re seeing in the industry as well?
Sharon D. Nelson: A lot of questionnaires, I think, as well. The funny part about getting those questionnaires – which are really self-assessments – is that the clients don’t even understand the questions, which means the answers aren’t going to make much sense.
Sherri Davidoff: Right, and that’s where third party providers come in to help attorneys understand exactly what’s being asked and to help interface between IT and law firm management.
John W. Simek: So, Sherri, tell us a little bit about your thoughts on what’s driving these audits.
Sherri Davidoff: Well, first and foremost, as we were talking before the podcast, you’ll notice that there’s data breaches in the news. I believe just this week there were articles in the Wall Street Journal and some other major publications about the fact that law firms are getting hacked and we’re starting to see public postings like the one on DarkMoney.cc where hackers are offering their services to phish law firms. And you and I and other security experts know that this has been going on for years, but it hasn’t really been in the public spotlight until much more recently.
Sharon D. Nelson: What exactly is a cybersecurity framework? That’s another thing that perplexes people.
Sherri Davidoff: Yeah, again these are very new terms. When you’re doing a cybersecurity audit or even just when you’re figuring out where to start, you don’t have to reinvent the wheel. There are many very smart people around the world that have created these cybersecurity checklists for you. And some examples of those are the NIST cybersecurity framework put out by the National Institute of Standards and Technology, or you may have heard of the ISO 27001 information security management framework. So again, don’t reinvent the wheel. Take a look at some of those checklists. They’re very useful and informative.
John W. Simek: So, Sherri, a little bit more of the framework. I know a little bit about it and I know yourself and Sharon and I we kind of live and breathe this stuff on a weekly basis. But I kind of sense that some of these frameworks scare law firms, especially the solo and small market. So can you talk a little bit more about the frameworks of the details and where it fits into what part of a law firm as a good starting point?
Sherri Davidoff: Sure. As with anything, what you get out of it is going to depend on what you put into it. As Sharon alluded to, sometimes you can use your cybersecurity network as almost a questionnaire or you can have someone come in and do an in-depth technical and non-technical audit of your organization and go through all of your policies and procedures. The checklists have a lot of different items in them and so they can seem daunting, and it’s important not to be afraid of failure. When Sharon and I were speaking at the ABA TECHSHOW, the title of our talk was passing your cybersecurity audit. And we kind of joked around because there really is no such thing as passing. And right now in this moment in the industry, it is completely normal for attorneys, law firms, even other kinds of corporations to go through an assessment and find that they come out with a 29% compliance rate or a 39% compliance rate. Now if you were in college, that would be an F. But when it comes to your cybersecurity roadmap, that’s okay. And think of it as a good place to start. It’ll mean if you’re at a 29% compliance this year, that’s great because next year you can show how much progress you’ve made just in the course of a year. And a lot of times it’s really just about documentation. That tends to be the biggest missing piece that people have. And I also really want to help people feel comfortable with cybersecurity frameworks because a lot of attorneys are getting this pressure from their clients to adhere to cybersecurity controls. And you might get a list of ten different points and say we’re going to address this list that one client sent us. And what you’re going to find is six months later, another client is going to send you a different list and then you’re going to have to adhere to that. And then in another few months, another client is going to send you another list.
So it’s a good idea to stick with a framework because that’s going to be something that people are going to accept across the board rather than trying to hit this moving target as different clients decide what’s important to them and then send it to you. So in the long run, you’re going to save money, you’re going to save time and effort if you pick a commonly accepted framework and standard and start with that and then provide those results to every client that asks you.
John W. Simek: Can you comment a little bit, Sherri, on the costs of it? I know within the last week I just read an article where at least some of the major law firms were complaining about the costs of complying, especially with the NIST cybersecurity framework and about half of them said that they weren’t going to go down that road because it was too expensive.
Sherri Davidoff: Well, it is very expensive and it’s kind of like when you’re building a house making sure that you have a strong foundation. Nobody sees it but in the long run it’s better for you if it’s there and if it’s solid. I think up until this point, it’s been really hard for the legal industry to justify the expense of cybersecurity. And frankly, this may be a little controversial, but I don’t think there has been the incentive there. It hasn’t hit the bottom line. With financial institutions, they invest in cybersecurity because if a financial institution gets hacked, they will lose money and it’s easy to convey that to upper management. At law firms, if you lose client data, who finds out and who gets hurt? You might never even know about it. It’s not the same as losing $50,000 and it’s hard to figure out what you should invest when you can’t quantify the cost of something. Ransomware is changing that. Now that law firms are getting hit with ransomware and they’re seeing operational outages, that is something we can quantify. So for the first time, we’re seeing attorneys really pay attention to security, to role-based access control, to setting proper permissions and proper authentication, meaning verifying people’s identities, and making sure that your backup’s in place. So all of these things are really just good security hygiene that other organizations have been forced to practice for years and are just now coming back to attorneys who are finally seeing direct incentives for investing in cybersecurity.
Sharon D. Nelson: How do you advise attorneys to prepare for clients who might ask to see cybersecurity audits?
Sherri Davidoff: Well again, I think being proactively prepared to deal with that is very important. And we boiled it down in our presentation to three different steps. Number one, make sure you’ve already picked a cybersecurity framework – one of the most popular ones like the NIST cybersecurity framework or the ISO 27001 – and have a cybersecurity audit done so you don’t have to scramble when you’re asked because again, this is going to happen. So be prepared to provide those results. You don’t necessarily have to give your clients a full report of every single issue in your law firm. Instead, you can give them a letter of attestation or a summary from the security company or person conducting the audit that just says you’ve done it. And if you need a summary, then you can give that to them as well. So that’s the first thing. The second thing is your risk assessment and risk management plan. If you don’t have a risk assessment and risk management plan, you haven’t really completed the cybersecurity planning process because you’re going to come out of your cybersecurity audit with way more than you can ever possibly do. There’s no such thing as perfect security. In fact, you’re not going to be able to correct every single issue or every single vulnerability and make it perfect. Instead, you do a risk assessment where you identify your threats, you identify your vulnerabilities, and then you prioritize so that the things that are the greatest risk are the ones that you address first. And your clients are not going to expect perfection. That’s another thing to remember. I’ve worked with many different organizations that are being requested to do this and I had one client of a client actually say to us on the phone, “If you were to send us a perfect cybersecurity audit, we wouldn’t believe it was true because it’s just not possible.” So instead, what your savvy clients are really looking for is a plan.
One or three or five year plan, more typically a three to five year plan that shows how you’re going to push the ball forward on cybersecurity and how you’re going to manage those risks over time. And then the third thing is your technical test results. So make sure that you have cybersecurity testing done. You need to make sure that what is on paper actually does match what’s in reality. And if you have some major security flaw, you want to discover that right away and your clients need a level of comfort with your testing processes.
John W. Simek: So, Sherri, take that out a little bit more. What kind of practice cybersecurity testing should they be doing?
Sherri Davidoff: That’s a great question. And again, we’re really just starting to come to convergence on this as an industry. A penetration test is very common and that’s something that my company actually does. It’s where hackers break into your network and write reports about it, ethical hackers, your testers. And that’s very important because you want those flaws to be discovered by people who are on your side before real hackers discover them. And I’ll give you an example. We did a test last year for one of the top law firms in the nation and it was a penetration test of their internet-facing systems. It included a web application penetration test and they had a client portal so that clients could log in, see their billing information, see their case notes, so they could see their files, everything, it was super convenient. And we found that from the internet, without any login credentials whatsoever, no username, no password, we were able to bypass the authentication and download all of their client files. So all of their notes, all of their billing records, every file that they have ever uploaded, we were able to access. And it’s so important that we discovered that on their behalf. It’s not the kind of thing that you want to read about in the newspaper or because someone posted that information on the internet. So it may seem like an investment up front, but an ounce of prevention is worth a pound of cure.
John W. Simek: Well, before we move onto our next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up to date on the latest technology, and have extensive experience in many types of investigation, including workers comp investigation and surveillance. Find a prescreened investigator today. Visit www.PInow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Cybersecurity Audits for Law Firms. Our guest, Sherri Davidoff, is the CEO of LMG Security and the co-author of “Network Forensics: Tracking Hackers Through Cyberspace”. Sherri, can you explain why it is so important to keep track of your data and so challenging?
Sherri Davidoff: I think this is maybe the most overlooked part of any organization’s security plan. A lot of people come in and they have cybersecurity audits done and whatever comes out of it comes out of it. But sometimes they’ve forgotten to take that first step of really accounting for all of their data. And the biggest hole that I see are firms or corporations where employees work from home. So the problem is all of a sudden that means someone’s home computer is then functionally part of your corporate infrastructure and it could potentially have your client information on it. And what happens if their teenage kid is on there or the computer gets malware or the computer gets stolen or god forbid the employee is terminated and you can’t get that computer back. That means that your client information is also something that you can’t get back. So a lot of times people try to not think about this or we don’t like to think about the problem but you need to track the flow of your data and think about all the different places that your client data could end up. And there’s a couple of different steps you could take to manage it. Number one, it’s a good idea to restrict the flow of data wherever you can because wherever it goes, there’s liability associated with it. So you can do that with technical countermeasures making it technically difficult to impossible for people to download client data onto their personal devices. Or you can check email from home but you’re not allowed to download things and I would make sure that you have everybody sign that and train them carefully depending on the level of technical investment that you want to have. Also think about how client data may end up on thumb drives, USB devices or on people’s phones. If somebody leaves their phone in a parking lot at Best Buy, is your client data there as well? If they lose their USB at the gym, is that your client data on it? So think about those issues.
Sharon D. Nelson: They often think, Sherri, that if they lose their phone there’s nothing on the phone because they have it saved in an attachment that they viewed on the phone or they have it deliberately saved to voicemail and they listened to it on the phone. But as you and I know, that is fallacious.
Sherri Davidoff: Well yes, and actually Sharon that’s a really interesting point. I’ve done quite a bit of work in the past for hospitals. And of course, hospitals have laptops on rolling carts and iPads and tablets and they’re constantly being moved throughout large organizations. So as you might expect, these things walk out the door. So at various points, my job has actually been to do a technical analysis of those devices to determine what exactly is cached. And the fact is if you just view an attachment, even if you don’t download it or you just view a webpage, even if you don’t download it, that information can be cached somewhere on that device either in a temporary folder or somewhere else. So it’s important to have a technical person look at your setup to verify that there is actually no client data stored on those devices or to advise you if there is.
John W. Simek: That’s another reason why we call it BYOD, bring your own disaster.
Sherri Davidoff: Oh, I like it! And I want to sidetrack for a moment, we touched on healthcare organizations there. Do you mind if I take a moment just to talk about some of the drivers going back to our earlier question. May I speak for a moment about some of the big changes in the industry that are driving security audits?
Sharon D. Nelson: Absolutely, help yourself.
Sherri Davidoff: So as I mentioned, I do work with law firms but I also work with a lot of financial institutions and health care organizations and SEC-regulated organizations. And there have been sweeping changes this year in the ways that those organizations are being examined and audited themselves. So right now, law firms and attorneys – and other types of organizations – are seeing requests from their big clients from the financial industry or health care. And these requirements are being pushed down on them as vendors. And there are a few key changes this year. Number one, the Office for Civil Rights, for the very first time, is going to be auditing a selected group of business associates. So if you have signed a HIPAA BAA, they’re not just auditing organizations that are directly regulated by HIPAA, your health care organizations. They are also picking the business associates that work for those organizations and auditing them. So if you have a healthcare organization as a client and you are a business associate, potentially you could get randomly selected. Now again, this is the first year and so it’s going to be a fairly small group. But still, that is a big first step.
John W. Simek: Wow.
Sherri Davidoff: Yeah. And speaking of the shot heard around the world, I read your article, Sharon, and I think that this is another one. Financial institutions also have undergone big changes this year. So in June, the FFIEC published a cybersecurity assessment tool for financial institutions and that’s a specific document that talks about the different maturity levels that there are for cybersecurity programs and also has each financial institution checking to see if the maturity level of the cybersecurity program is in line with the inherent risk of the institution. And what that means for us, for anyone who serves these organizations, is that there are now formal requirements that financial institutions require vendors to adhere to specific security practices. And financial institutions are also required to do some kind of diligence and oversight, make sure that their vendors are producing security reports and conducting security tests. So in these two industries alone, we’re seeing a real shift of attention to vendors and to service providers that handle sensitive information. And of course, attorneys handle a lot of sensitive information on behalf of our clients.
John W. Simek: Let’s go in a little bit of a different direction here and can you explain to our listeners what a risk assessment is and why it’s so important?
Sherri Davidoff: Yep, so we briefly touched on that when we were talking about how to keep your clients happy. Your risk assessment is a list that you or a third party puts together that describes – to the greatest extent possible – all of the cybersecurity risks that you face, all the stuff that keeps you up at night and makes it hard to sleep and then you evaluate what is the likelihood of this occurring. And if it occurred, what is the potential impact. And based on those factors, you then rank them so that you can address the highest risked items first. And that’s how you prioritize and that’s how you come up with your three to five year plan and that’s how you know where to invest your resources. Don’t waste time on the stuff that’s low risk. Instead, invest time on the stuff that’s most important.
Sharon D. Nelson: You and I, when we talked at the ABA TECHSHOW, we kept saying there’s only so much you can do and the smaller you are the more that tends to be the case. So we called cyber insurance a way to fill the risk gap. So can you tell attorneys what they should be looking for in a cyber insurance policy?
Sherri Davidoff: Yes, absolutely. First of all, it’s going to depend on exactly what you want to insure for. So think about the types of information you handle. Do you handle medical information? If so, you probably want to get an insurance policy that has coverage for HIPAA violations. You can even get an insurance policy that covers negligence in the event of a HIPAA breach. If you handle a lot of money on behalf of your clients – let’s say you’re managing trust accounts – you might want a policy that covers loss of cash or wire transfer fraud, things like that. And in some cases, that might already be included in some of the insurance you have. You might not necessarily need cyber insurance. We’re at a point where cyber insurance is so new that a lot of times insurance agents don’t really understand it at the level that they themselves would like. So make sure that you’re involving your IT provider. Make sure if you need to, if it’s a complex case, you reach out to a third party security expert that really understands the ins and outs of it so that the coverage you get is the coverage you need.
John W. Simek: Well, Sherri, I think we’re probably at the time where we’re in a breach-a-day world. It seems like every single day you hear of a new breach. But can you tell us a little bit about how and why attorneys should be preparing for a data breach?
Sherri Davidoff: Well breaches happen every day and I’m actually writing a book for Prentice Hall right now on data breaches. And you say it’s a breach a day. I suspect it’s more than that. Right now we see breaches coming out in the news all the time but that doesn’t necessarily mean that there are more of them. It means that there are more breaches getting reported and I think that’s a good thing because as a society, we’re becoming honest with ourselves. I know, John and Sharon, that all of us have been in the industry for many, many years now and I’ve handled dozens if not hundreds of different cases. And yet, I can still count on one hand the number of them that have actually been reported in the news. So people are afraid to report. Often they’re even afraid to look. People are afraid to monitor their networks because they’re worried about finding something that they don’t want to see. So I think it’ll be better and healthier when we get to a point where as a society we accept that everybody gets viruses, they’re aptly named. And information wants to be free. It’ll get out there but we have methods of dealing with them and methods of reducing the risks to the greatest extent possible. So I don’t know if that answered your question, John, but I think it’s a really interesting topic and one that I hope you talk more about.
John W. Simek: Well, as I think we hear more and more about law firm breaches and the recent ones that just hit the news, the two big AmLaw 100 guys, I think it’s going to be on the radar for a lot of attorneys.
Sherri Davidoff: Yeah, absolutely, and again I hope we come to a point as a society where people don’t have to be scared and we have standard ways of dealing with it and standard ways of preventing it because unless we’re honest with ourselves and we actually look for breaches and we report them, that’s how we’re going to start to be able to quantify them and then to manage them.
Sharon D. Nelson: Where do you think all of this is going with these two AmLaw 100 firms having acknowledged that they were breached “Suddenly, Last Summer”, to quote from a Tennessee Williams screenplay? There were other law firms breached as well, they simply were not named in the article and the source of the information about the breaches was not identified, and then shortly after this, we hear that another class action law firm is planning on filing suit against some of these law firms for losing client information. That sounds like one hell of a firestorm recipe to me. What do you think, Sherri?
Sherri Davidoff: Well, I certainly agree and I was fascinated when you were telling me about this earlier. I know in the recent Home Depot case, Home Depot was required to put aside – I think it was $19 million or $19.5 million to help customers that have been affected because of the breach they had in which they lost 56 million credit card numbers. But the interesting thing that came out of that case I think was a reinforcement of the fact that you have to show that there has been harm in order to receive the funds. So I am not an attorney, I’m a geek, but I thought that was interesting and I’m curious to see where this is going. Because again, there’s such a disincentive for reporting right now because people are scared of what the results will be and nobody knows exactly what might come out of a lawsuit. But if we have standard methods of having to demonstrate harm, then that might help people to feel a little more comfortable about what the risk level is. What are your thoughts on that? On the most recent case.
Sharon D. Nelson: I don’t think we’ve ever seen anything like this. I think Pandora’s box – the cover has just been blown off of it. And a lot of people are going to be doing a lot of hard questioning of the law firms and lord knows what they’ll say. If they ask them to say absolutely, that they haven’t been breached, I think they would be lying – most of them – if they said that they haven’t been breached. So I think there’s a hot, white light shining on the larger law firms now and I’m sure that they are all scrambling to position themselves in such a way that they can answer clients the way that clients want to be answered. Given the fact that we know from Mandiant, which is a division of FireEye and which has done a lot of data breach investigations of law firms. We know that they say 80 of the AmLaw 100, 80% of them, have been breached. Well if that’s the case, there’s a lot that they have to answer for – I’m sure – in the eyes of their clients, unless they’ve told their clients about these breaches. And I’m not sure that most of them have. So I’m not sure they’re abiding by their ethical duties, I’m not sure they’re abiding by the data breach notification laws. I’m not saying they’re not, but my eyebrows are up and I’m certainly wondering and I hope somebody is paying attention to the rules of ethics here. Because I’m afraid that they’ve been honored in the breach, so to speak.
John W. Simek: Well you’ve got a lot of things to worry about here. The FTC, the clients themselves, the state bar disciplinary boards. There’s everybody that’s going to start looking at you.
Sherri Davidoff: Do you think that coming out of this, the public is going to question why these weren’t reported sooner and maybe even take a harder look at the notification laws?
Sharon D. Nelson: There’s already been news articles on that and it’s just gathering steam. So we’re in a bad place and I think that our cybersecurity presentation has been stood on its head and everybody wants us to open with this information now. So we’re in a new place, a very different place and it has only taken about 48 hours for us to get here. So we’re just waiting to see what happens next and to duly report it. So it’s about time, I guess, that we close. But Sherri, it was such a pleasure and honor to speak with you at TECHSHOW. We had a great time, I know the audience had fun. We thank you so much for agreeing to join us today on the podcast. There’s so much that you know about the audits and the cyber insurance and things like that. Thank you for sharing your expertise with our audience.
Sherri Davidoff: Sharon and John, it is always a pleasure. Thank you for having me.
John W. Simek: Well, that does it for this edition of Digital Detectives; and remember, you can subscribe to all of the editions of this podcast at LegalTalkNetwork.com, or in iTunes. If you enjoyed this podcast, please review us on iTunes.
Sharon D. Nelson: And you could find out more about Sensei’s digital forensics, technology and security services at www.senseient.com. We’ll see you next time on Digital Detectives.
Advertiser: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.