Jim Calloway is the Director of the Oklahoma Bar Association’s Management Assistance Program and is a recognized speaker on...
Sharon D. Nelson is president of the digital forensics, information technology, and information security firm Sensei Enterprises. In addition...
John W. Simek is vice president of the digital forensics and security firm Sensei Enterprises. He is a nationally...
In this episode of Digital Detectives, hosts Sharon Nelson and John Simek speak with Oklahoma Bar Association’s Management Assistance Program Director Jim Calloway about ways small firm and solo attorneys can improve their cyber security. Jim talks about the increased awareness of cyber security in the solo and small law firm community as a result of the recent news coverage of data breaches occurring in a variety of companies. This level of visibility and growing pool of attorneys who have personal experience with someone who has had a data breach or digital disaster has cultivated an understanding that a compromised database or dead computer can put the entire law firm out of business. He states that seeing these large companies being compromised can often cause small firms with much smaller budgets to question if there is anything they can do to protect themselves. Jim points out that attorneys running their own firms or small businesses have a duty to supervise their employees and provides his 5 top cyber security tips to help these very firms and solo lawyers protect themselves, their clients, and address the importance of physically securing company laptops and other mobile devices. He closes the interview with an analysis of the risks and rewards of utilizing cloud-based practice management tools designed specifically for legal professionals and his advice for law firms who feel that they can’t afford to adequately secure themselves.
Jim Calloway is the Director of the Oklahoma Bar Association’s Management Assistance Program and is a recognized speaker on legal technology issues, Internet research, law office management, and legal ethics. In addition to running the Law Practice Tips blog, he writes articles for noted legal magazines, including Law Practice Management and Law Technology News.
Cyber Security for Small Firms and Solo Practices
Intro: Welcome to ‘Digital Detectives’, reports from the Battle Front. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the ‘Legal Talk Network’.
Sharon Nelson: Welcome to the 70th edition of ‘Digital Detectives’. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, and we are coming to you today from the ABA Annual Meeting in San Francisco, so you may hear a little bit of background noise. And before we get started, we would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more about SiteLock at HYPERLINK “http://www.sitelock.com/legal” sitelock.com/legal.
John Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on ‘Digital Detectives’ our topic is “Cyber Security and the Solo Small Firm Lawyer”. We are delighted to welcome today’s guests, our longtime friend, Jim Calloway aka “The Cowboy” who is the Director of the Oklahoma Bar Association’s Management Assistance Program. Jim is also a co-host with Sharon on the Legal Talk Network’s ‘Digital Edge: Lawyers and Technology’ podcast, and he is a frequent author and lecturer on Law Practice Management topics.
Great to have you with us today, Jim.
Jim Calloway: Well, thanks for having me. It’s a little bit different experience to be the guest as opposed to the host. I actually had to do some research in advance to make sure I can cover the time.
Sharon Nelson: I have seen those scribbled notes so I can attest to that.
Jim, we all know that years ago solo and small firm attorneys were not paying too much attention, read sometimes none, to information security, how much has that changed recently and what’s driving the change?
Jim Calloway: I do think that there is a greater awareness in the solo and small firm community about this, and part of it is the media coverage in my view. We have seen a lot of major new stories about data breaches for all sorts of companies, but also I think a lot more people now know somebody that a digital disaster or a data breach or a ransomware has happened to, and so once it’s happened to somebody it’s much more important on your mind.
There is also an increasing understanding among all law firms that now a dead computer or a compromised network means the whole law firm is out of business, and so people are more aware of that where that hasn’t always been the case. And then finally, we have the new model rule that says that lawyer should be aware of risks and benefits of the relevant technology. So those are the main issues I would say.
John Simek: But Jim, I am glad to hear you say that, at least the lawyers are aware of the data breaches that are occurring because for sometimes they weren’t even aware of that, but since they are aware of this, what do you think most alarms the solo and small firm lawyer as they hear about these almost daily, data breaches?
Jim Calloway: You mean besides the fact they don’t know where to buy Bitcoin to unlock your computer? I can help with that.
John Simek: Hey! You have helped with that.
Jim Calloway: Well, again, it is the fact that every law firm is now reliant on computers, but I think the fear factor is really that most solo and small firm lawyers don’t have anywhere close to the background or technical expertise in their opinion to take care of these things or handle these things, and they have seen large companies; Sony, Target and all these well-publicized breaches, and if Target can’t protect their customers’ credit card information during the holiday shopping season, solo and small firm lawyers are, “What can I do?”
And so, I think there really is a fear, but I think we are paying more attention to it and I’ve even had small law firms actually call me and ask about data breach notification plan, so that’s a big step forward.
Sharon Nelson: Wow!
John Simek: Oh great! Great!
Sharon Nelson: That’s a great advance.
John Simek: Yeah.
Sharon Nelson: So, as a law practice adviser, have you seen more instances recently of law firm data breaches or ransomware because I know we have — and especially ransomware?
Jim Calloway: Well, Oklahoma is a mandatory Bar Association where I work there from a Bar Association, and so we also handle discipline against the lawyers. So I think sometimes I don’t hear as much about data breaches because they are concerned about that they may have breached some ethical obligation. But certainly, I would guess that a fair percentage of the lawyers in Oklahoma who have had ransomware attacks have contacted me, and we have discussed that.
And I will say, the first thing I tell them, they may have less-than-perfect activity on their end, but I say, I am not going to blame the victim, let’s pay attention, you are the victim of a crime here. But I think it’s still — I felt really uncomfortable having those conversations because the bottom-line often is, if the ransom is very small, even though none of us want to pay a ransom in any level, at some point if $500 would get your law firm back up and running, that’s what a lot of them ended up doing. I think you have talked with me. Now, I think we are going to see an escalation in the prices in the very near future, and that may no longer be an alternative.
John Simek: We are already seeing escalation in some cases. Jim, how do you educate your lawyers about information security, any particular programs the Bar has in Oklahoma?
Jim Calloway: Well, we try to provide information in both bite-sized and larger form basis. We have an electronic newsletter that goes out monthly to our members, and so I try to include some tips about that, sometimes about security, sometimes about law practice management.
We are having some leading national experts; Sharon Nelson and John Simek are doing a webinar for us in the fall on cyber security.
Sharon Nelson: I heard they are pretty good.
Jim Calloway: Nice people too I hear.
John Simek: That was a good plug, Jim.
Jim Calloway: Oh, that would be for Oklahoma Bar members and we are excited about that.
Sharon Nelson: Thank you. Well, if I had to press you for giving us your five best cyber security tips, what would they be, Jim?
Jim Calloway: That’s really a tough question, because there are — at some level you could do a 100 hundred tips and at some levels it’s hard to figure out the top 5, but I would say the first one particularly for solo and small firm lawyers because they sometimes don’t have the program, they don’t institutionally do this type of thing is staff training and constant education to the staff about what to do and what not to do.
And the thing about this type of training is you just can’t tell somebody that the day they are hired and then expect they will remember it a year or two later. So you need to talk about the threats. You have a duty to supervise your employees and that certainly extends to cyber security.
The other main thing, again, quoting at least one, if not both of you, that we can no longer be assured that no matter what we do it will be sufficient and there won’t be some sort of data breach, and so a backup with multiple copies of your data is really important for solo and small firm lawyers in particular.
I like the automated online backup that’s stored off-site. We are all aware — we are all aware anyway, I don’t know that our listeners are that if you are using the cheap method that a lot of lawyers like to use, having a hard drive plugged into your machine for the backup, if you do get something like ransomware, it will encrypt that at the same it encrypts the computer.
John Simek: If it’s plugged in.
Jim Calloway: If it’s plugged in, right. So I think multiple backups is really important.
And finally, talking about client information and security, you need to be able to encrypt on-demand now, and a lot of lawyers still don’t know how to do that, and I tell them, if you have an emergency and you haven’t planned, then at least the idea of password protecting a Word document or a PDF file and then calling the person on the phone, that may not be the best military grade encryption, but it’s certainly better than doing nothing to password protect your documents.
We have got a new member benefit of a product called Citrix ShareFile that has a nice little Outlook plug-in that you can click anytime you want to encrypt an email and set different levels, and so we think that’s really a great tool.
Fourth, I would say use a password manager, anymore, you have to have long passwords and they are just — to be good passwords they should be too long or we can’t remember it, and you shouldn’t use the same password all the time, so having a password manager considering also for — especially for secure data, two-factor authentication; I have heard some discussions that now they are able to try to hack cellphones to get to the text message, but I am still — if they have got your password and then they have got enough to hack your cellphone, that’s a pretty extreme case.
So two-factor authentication for our readers that don’t know means that it’s a password and then it generates — it needs some other information; it could be a token you carry on your key ring; it could be biometrics like your fingerprint, we don’t really recommend fingerprints now because we are afraid of the data being lost. The most common one is they text a number to you that you enter in, in addition to your password on your mobile device.
I always tell you though, if you set up two-factor authentication, please print off on paper and store carefully the idea of what I should do when I lose my cellphone, otherwise you will lock yourself out of everything.
And finally, written policies, procedures, checklist, and I mention that specifically because a lot of solos and small firm lawyers don’t do that as much as the larger firms. If you have only got one employee, you don’t have to have as much information like that in terms of policies and procedures, but this is one area, it’s so important, and that way when something changes you can update your policies and procedures.
So that’s five quick tips.
John Simek: Well then, Jim, we have been talking about policies, procedures, software, all that other kind of stuff, but what do you tell your lawyers about physical security, not just securing the data, but physically?
Jim Calloway: Well, I think there’s actually some port part of physical securing the data. I think your server needs to be in a locked room at all times, and laptops, if you are leaving them around need to be also in a locked room.
Yeah, we have seen more and more situations of law firms having intruders that have presented a danger, and I think at some point we are going to have to look. I have seen small firms now that do have cameras outside and cameras in the waiting room so they can get an idea about that.
I think most lawyers aren’t quite ready for that, but certainly the basics of security of your home, I mean, it’s foolish to have a law office that doesn’t have a deadbolt, and I have seen lawyers in small converted houses don’t even have a deadbolt.
So I think having a plan. There are some really good videos, police department, I think Houston put out on what to do if there is an active shooter; that’s kind of scary to do. But I don’t know, it certainly makes people more aware, because in the legal profession we deal with people who are often unhappy because they are in the system and unhappy with the result of the system.
Sharon Nelson: And sometimes also besides unhappy, unhinged.
Jim Calloway: Absolutely correct. People with mental problems tend to have more legal problems.
Sharon Nelson: That is true.
John Simek: Before we move on to our next segment, let’s take a quick commercial break.
Sharon Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at HYPERLINK “http://www.sitelock.com/legal/digital%20detectives” sitelock.com/legal/digital detectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigations, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit HYPERLINK “www.pinow.com” www.pinow.com.
Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is cyber security and the solo small firm lawyer. Our guest is Jim Calloway, the Director of the Oklahoma Bar Association’s Management Assistance Program. We are recording today live at the ABA Annual Meeting in San Francisco, so if you should hear a little bit of background noise that will explain why.
John Simek: And the forklift backup —
Sharon Nelson: Yeah, apparently there is one forklift here that’s only operating in backwards, with a lot of beeping noises, so it has been an interesting podcast to record.
Jim, what do you tell your lawyers about mobile security, which I think is one of the greatest dangers to lawyers; they don’t seem to understand it at all?
Jim Calloway: Well, first of all, if you use a laptop, and I encourage solo and small firm lawyers to use a laptop as their primary device, it makes it easier to work at home and other things, but your laptop should without doubt have a password, and also, you should look at encrypting at least part of your hard drive, if not all of your hard drive, so if your data is lost.
I have been talking a lot about data breach notice and also HIPAA requirements, and in many cases if you lose data that’s encrypted, it’s not really considered to be lost and you don’t have any obligation to report, so I think that’s important.
But let’s face it, the real action here is these ubiquitous phones that we call carry in our pocket and you definitely want the PIN on your mobile device enabled and you don’t want to just use the standard four digits, you want to go ahead and expand it to 8 at least or something like that. I think the newer devices actually are set that way, but my phone is still —
Sharon Nelson: 6.
Jim Calloway: Okay. Also, you really want to understand and set up, you don’t have to test it necessarily, but you want to understand and set up how the remote wipe devices work.
John Simek: You wouldn’t want to test that.
Jim Calloway: Well, you can when you first set up your phone I guess, and the location of the devices and whatever. But I think the main thing is concerning, we see a lot of lawyers trying to save on their data plan by logging into hotspots and Wi-Fi hotspots, and that’s just really a scary area.
In fact, if you find yourself doing that all the time, I know it’s not a cheap item, but I really recommended you get one of those MiFi cards so you can just carry your own encrypted hotspot with you, based on the cellphone network.
But certainly, anytime you log into a hotspot you think, well, Starbucks would be safe, but if the guy in the line ahead of you is a hacker and he gets the Starbucks password, he can set up something that’s called Starbucks Faster, Starbucks Two or something, and then all the people that log in behind will log into that network.
So I think really be careful about Wi-Fi hotspots. I know there was a recent news item at the Republican National Convention about how many people logged into fake Wi-Fi hotspots, and I see John managed to —
John Simek: Over 1,200.
Jim Calloway: 1,200. And I see John managed to even pull that off with the very sophisticated audience at ABA TECHSHOW. So I think being careful about your mobile devices, obviously you want to treat them carefully, we are all pretty careful about our phones and now losing your phone has become one of the great traumas of the 21st Century.
John Simek: Well, Jim, one of the arguments that we hear a lot is, “I just can’t afford it”, how do you counter that argument?
Jim Calloway: Well, it’s kind of the old argument of — if you think it’s expensive — you are hiring a professional, try hiring an amateur and if you think it’s expensive not doing it, it’s going to be a lot more expensive when something goes wrong.
The most important thing you can do or one of the most important things you can do, is free, is make sure you always accept the automatic updates, the security updates particularly when one comes up because if you don’t do that, you are at risk, particularly some of them, you may be at risk immediately, they may have learned of a new exploit and so — and once you get behind on them, I have talked to lawyers about it, it becomes very painful to then try to do multiple updates.
Password managers are a great tool, those don’t have to be that expensive, I think last past was a buck a month for each mobile device and some of them were 50 or 60 or something like that. I recognized that many solo and small firm lawyers are dealing with consumer clients, the middle class that’s being squeezed and it’s harder to make a living, but when you compare your hourly rate just about what it would cost to do a few minor upgrades and to pay a little bit of attention to security and to make sure you’ve got a Firewall antivirus, all those type of things, you just owe it to your client and yourself to do that because your clients could suffer if their information is compromised, but you also could suffer if your law firm is shut down or if you get some negative publicity.
So you’ve got to spend the money sometimes.
Sharon Nelson: What are your observations concerning lawyers moving to the cloud? Are you seeing a lot of law firms with no interest, considering, but only for some functions or a lot of them that want to be totally cloud-base and how do you advise them?
Jim Calloway: Well, the cloud has been a challenge for all of us in the legal profession because we’re all essentially control freaks to get into this. And so, the idea for giving my data to someone else and I saw a great little sticker on a computer that said, “There is no cloud that had a crying face, it’s just somebody else’s computer.
But for solo and small firm lawyers, I am probably a bigger fan of the cloud than maybe the two of you are, because so many solo and small firm lawyers are in towns where there is not even really expertise to help them set up and maintain things, and so, one view would be to say, this is my personal view, of course, but one view would be to say, I am pretty data in the cloud so it’s a risk, and equal view would say, I can’t do security so I am outsourcing my security to an outfit that has engineers, security experts and actually pays attention to something new happens everyday.
If I am in court for three days and I am doing my own security, some new exploit may have reached the webs that we know nothing about.
Sharon Nelson: You know, Jim, when we do our security presentations we actually have a photo of you in the presentation as the person who brought us to the position that maybe if they can’t handle the security they ought to help.
Jim Calloway: Well, I didn’t know that. Thank you for the honor.
John Simek: We are not going to ask you to autograph the slide though. So Jim, are there resources that you can recommend for the solo and small lawyers to kind of help them along in this area?
Jim Calloway: That’s really challenging because of their — many lawyers don’t feel like they have the expertise to fully absorb the information. Certainly, I hate to give you two plugs in the same podcast but you have recently published the ABA book ‘Lockdown’ for information security and also ‘Encryption Made Simple for Lawyers’, it’s something else you’ve given a lot of effort to.
There are the National Institute of Standards and Technology (NIST) standards if you want to get down into the weeds and read those type of things that’s a HYPERLINK “http://www.nist.gov” www.nist.gov. We are really happy that the Legal Cloud Computing Association because that’s actually one of the other reasons I promote cloud computing, it’s not just a matter of storing your data in the cloud but there are some really great practice management tools that are based in the cloud.
And I am much happier when lawyers use a cloud-based tool that was designed for the legal profession at least it was designed with security in mind as opposed to consumer applications that are often designed more with convenience and simplicity in mind.
So you just have to — my blog, your blog, there’s lots of information, you just have to do some Internet research, you have to devote the time, and if you don’t think you have the knowledge in the background, you just have to spend a little bit of time developing it.
Sharon Nelson: Well, thank you as always for joining us, Jim, that you have a wealth of knowledge, you have a colorful stock that we all enjoy, and best yet, we get to enjoy for the rest of the evening because we’re taking you out to dinner, but thank you much for being our guest on our podcast today.
Jim Calloway: Well, I appreciate you. It’s been a few years as I have actually been the guest on the podcast as opposed to the host. So thank you very much for inviting me.
Outro: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.
Sharon Nelson: And you can find out more about Sensei’s Digital Forensics Technology and Security Services at HYPERLINK “http://www.senseient.com” senseient.com. We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.
Craig Ball shares what it’s like to have the lawyers of the President of the U.S. use your words in one of his preservation...
Sophia Cope talks about the EFF and ACLU challenge against the government’s warrantless searches of cell phones and other devices at the border.
David Ries talks about whether Kaspersky Lab is safe for lawyers to use, diving into where the controversy started and what the results have...
This legal technology podcast covers the Equifax breach including who was affected, the resulting lawsuits, and whether or not the hack was preventable.
Ben Kusmin talks about the proper handling and format of spreadsheets.
In this legal technology podcast, Brian Wommack talks about the correct way to handle a data breach.