Many lawyers fear the topic of cybersecurity simply because they don’t understand it. What developments do they need to know about? What protections do they need to put in place? In this episode of Digital Detectives, Sharon Nelson and John Simek offer guidance for lawyers with cybersecurity paralysis. They discuss the reasonable steps to take to improve security based on firm size and the types of information held. Additionally, they encourage firms to invest in staff training and outline the steps to take if a breach has occurred.
Special thanks to our sponsor, PInow.
Mentioned in This Episode
Check out the free SANS OUCH! security newsletter recommended in this episode.
Guidance for Lawyers with Cybersecurity Paralysis
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 104th Edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity, and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, ‘Guidance for Lawyers with Cybersecurity Paralysis.’
Sharon D. Nelson: Before we get started, I would like to thank our sponsor. We would like to thank PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
Today, we decided to forgo having a guest because we have recently written and lectured on the topic of guidance for lawyers with cybersecurity paralysis. So John, let’s talk for a little bit about why lawyers are so paralyzed by cybersecurity and I think there’s a number of reasons.
The first thing is they don’t understand cybersecurity and we’re always saying, and we always try when we create our PowerPoints, we always try to bring the level down because if you talk like somebody who like John, who talks cybersecurity at a very high level, all you will get is a deer in the headlights kind of look. They just don’t get it and even really smart lawyers sometimes don’t get cybersecurity at all.
So that’s one reason. They don’t understand it, they’re afraid of it but they don’t understand it. Another reason I think is because they consult people, they consult these different experts and the experts disagree, and there’s a lot of disagreement among experts about exactly what you should do.
Now, there’s a core group of what we would consider national experts that are generally saying and doing the right things, but I understand where, if you’re going out and you’re looking for vendors of some kind, it’s very difficult for the lawyers to make any kind of determination because they don’t have any fundamental baseline for their knowledge.
John W. Simek: I think part of that though it reminds me of the e-discovery early eras, right, it was cool. So everybody jumped on it, right you say you got all these companies that did that. Cybersecurity I don’t know, I don’t know what your opinion is, but I’m kind of seeing that as well, it’s a cool thing now, and it’s very, very broad. So you’ve got all these people putting their fingers into it, a lot of them that don’t know what they’re talking about.
Sharon D. Nelson: Well, yes, I do agree with that absolutely. I mean anybody can call themselves a cybersecurity expert and that’s just unfortunate because you get a lot of people out there who have a little bit of knowledge and some of them who have the wrong knowledge or outdated knowledge and that just makes it worse for the lawyer who is looking for somebody to guide them.
But I think the biggest reason for the paralysis is maybe they just can’t seem to find the time to spend on researching this, talking about it, learning about it and they are terrified of the monies that are involved. So money is a big issue here and certainly the large firms, the AM Law 200, they’re spending, some of them, upwards of $7 million a year, and that’s just a scary number for somebody who’s sitting in a solo or small law firm.
You don’t have to spend that much and that’s one of the things they don’t understand, but that’s what they think.
Also, I think it’s hard because as you know John, you and I read at least two hours every day, that’s what we do for a living, we try to catch up. Now, lawyers have no opportunity to read for two hours a day about anything except the law. So –
John W. Simek: Especially if they’re not getting paid.
Sharon D. Nelson: Exactly, they’re not getting paid for this. And this is not what they’re going to do, they got other problems. So by and large they might read an article here and there, they might catch a CLE, but that’s all they know and there’s no way they’re going to stay up with the — it’s just so fast moving, fast breaking, they can’t stay up with all of that the way we can. So they get a summary, maybe once a year maybe twice a year if they’re lucky of current developments, and that’s all they get.
John W. Simek: Yep, I think you’re right. Well I want to talk a little bit about some of the statistics just to kind of put things into perspective for the listeners, and this really — a lot of these numbers are coming, the basis of this is coming from the ABA’s 2018 Legal Technology Survey where they go out to thousands of lawyers and ask a boatload of questions, and we get a lot of good information from that.
It’s kind of hard sometimes to determine whether or not the lawyers really understood the questions, but just to start off with as an example, 23% of the respondents reported that the firm had been breached at some point. Now, I would — I don’t know if that number is higher, lower and the reason I say that is because there really is a difference between a data breach and a cyber incident, and I think part of the confusion is when you have a cyber incident; in other words, maybe ransomware is an example, where the data may not actually — it’s inaccessible, but it may not have been exfiltrated, in other words stolen from you, which if it’s taken from you, that’s a breach, but if it’s just inaccessible that’s an incident.
So I’m not sure the respondents really understand that, but anyway 23% of them said that they have been breached at some point.
Sharon D. Nelson: John, can I jump in for a minute.
John W. Simek: Sure.
Sharon D. Nelson: Because I think one of the things that I hear people say about that survey all the time is that the number is very low, because in point of fact, most lawyers particularly the large firm lawyers never know that their firm has been breached, it’s unusual for them to know.
So although the confusion between cyber incidents and data breaches is absolutely there, I think the number is much higher and as you well know, when we have been at meetings with a number of AM Law 200 security and managerial folks, I mean they’ve all been breached and they’ve acknowledged it.
John W. Simek: Right, and a lot of times you don’t even know that you have been breached too as well, but for those that did report that they’ve been breached, the survey went in a little bit to size of firms, and so as an example, 14% were solos, 24% were firms of 2 to 9 and 20 to 49 attorneys, 42% were 50 to 99 and then it fell off to 31% that had 100 or more attorneys. But I think, to your point Sharon, that at a lot of the larger firms, the attorneys, unless they’re involved with the technology or the CIO or whoever holds that hat, a lot of the employees don’t even know that an incident has occurred or that a breach has occurred, they’re just out there practicing law.
60% of the firms reported that their firms had not experienced a data breach, but it’s possible that they may have not detected it. So that sort of covers what we’ve been talking about with the larger firms, they may not have known it. 9% of those that have been breached notified their clients and 14% notified law enforcement. I’ll leave that to you as to whether or not you think that they should have notified clients or not, that’s always a sticky, sticky subject right?
Sharon D. Nelson: It is. And I think that they are trying to abide as well as they can by the ethics and the laws, but on the other hand, if you can’t prove that data has been accessed you hang your hat on the fact that there’s no proof of it of whether or not you think it may have happened.
John W. Simek: Right, and of those that have been breached, 41% reported that they had some sort of a downtime or a loss of billable hours, 40% reported that they had to pay money to remediate the problems, 11% reported loss or destruction of files and 27% that they had to replace hardware or software.
So there’s some real definite measurable damage obviously as a result of these breaches. 40% reported experiencing an infection with virus, malware, those types of things occurring in firms from two to 49 attorneys and then the larger firms understandably had much lower numbers reporting those, because they’re spending a lot more on the technology, they have a lot more things in place to help cover them. So that they’re not experiencing that infection, but that’s one of those things where I would say that those type of events are cyber incidents, which is the malware type of thing as opposed to breaches.
Sharon D. Nelson: Yeah, I agree with that.
John W. Simek: So 34% reported having cyber insurance coverage and I think we did a whole other podcast on cyber insurance so I’m not going to go into that, but essentially, it’s during that that risk gap by using insurance to cover that gap. But the good news is that we’re seeing that growth and I think that’s a good thing, because more and more people are aware of it now and they’re actually investigating and looking at getting cyber insurance coverage.
24% reported using full drive encryption, which I really think is a low number these days, there’s absolutely no excuse why all of your devices shouldn’t be encrypted, fully encrypted whether it’s your phone, your hard drive, your laptop or any of those things, because a lot of the time — there’s no cost in effect in some of these operating systems, we’ll talk about that a little later on, but it’s relatively inexpensive.
So I don’t know that there’s really any reason that we shouldn’t see a much higher percentage of full disk encryption and full device encryption. 29% reported using encryption for email of confidential privileged data, which I think is really low.
So what that says is that 71% of attorneys are sending confidential information via email without it being encrypted. That’s a big number.
Sharon D. Nelson: It’s really remarkable and maybe this is one other thing that points us to our next topic which is, why security assessments are so essential, because you can’t fix what you don’t know is broken. And so, when you have the pros from Dover come in and they do these assessments, they’re going to talk about some of these things and let you know in a priority order what you need to get established.
So we’re at a point in time now when 11% of attorneys have received from a client, or a prospective client, a request for a security assessment. And 34% have now received some sort of client security requirements document, just a document saying what you have to do.
So while the survey that John referenced from the ABA didn’t ask about the assessments required by insurance companies in order to get cyber insurance, we know from our own clients that these are becoming more prevalent and the big problem is, number one they don’t understand the questions. So then, it’s true you know, when we explain what the question means and we tell them what the answer is, they look at us and they go but that’s not the right answer, that’s not the answer they want, and that’s true. It’s not the answer they want, and that’s because they haven’t up until that point done what we previously recommended that they do.
John W. Simek: I think the better — better phrase is that that’s not the answer I want to tell them.
Sharon D. Nelson: No, they don’t want to tell them that. So now all of a sudden they crowbar, open their wallet, and they open their minds to the fact that they’ve got to make some changes and that’s what happens. So even if there’s nobody requiring you to do an assessment, you absolutely have to have one, and in a perfect world it would be done at least annually but I know a lot of people that are listening haven’t done it at all and certainly you’re way behind if you haven’t done that.
And I think that most people who don’t have them done, and don’t have them done annually it’s because they fear the cost of the assessments. And the cost that they might incur if they have to fix whatever the assessment finds. So let’s try to allay some fears here. Now, if you’re a large firm, you’re probably going to seek a large cybersecurity company in order to do an assessment that’s a lot of money, nobody’s pretending otherwise.
But if you are a smaller law firm there are plenty of qualified smaller cybersecurity firms, you can go to those folks, and for the most part, and this is a good way to divide them up and say I want this one, not this one, most of them will give you a flat fee quote. So you can budget for what it’s going to cost, you know exactly what it’s going to cost.
And usually that quote will include the assessment and a report and recommendations and that’s what you’re looking for, all of those things. So just like there are the whales among the law firms who have well-known cybersecurity specialists, just make sure if you’re in the smaller market that you’re looking for people who are not IT people but true cybersecurity specialists, and they should have true cybersecurity certifications. So take a look at that.
What you want as an end result is you want to get those recommendations, and the report is always going to do it this way, they’re going to say here’s a list of your critical vulnerabilities.
Well guess what? There’s a reason for the adjective critical, they didn’t just put that word there. So if it’s critical you got to do it and you’ve got to do it now, and of course, they should be giving you some sort of price, not that you have to use that particular company that did the assessment. Some people will and many people will because they’ve developed a relationship of trust with the company and think they did a good job. But at least, you’ll have a number for remediating those critical vulnerabilities, then they’re going to identify medium risk and lower risks.
Now the medium risk that’s something you want to plan for and budget for but it doesn’t have to be done right away. But you do want to get the medium ones squared away as soon as you can. The lower risks, it’s sort of less important. It kind of depends on how big you are as part of it. It’s what’s reasonable. That’s always the ethical benchmark here is what are the reasonable steps for you to take given the size of law firm that you might be, given the kind of data you hold, etc, etc.
So I think that covers it pretty well, so anything you want to add, John?
John W. Simek: Well I think I’d like to mention just at the end of the day, nobody, there is no perfect 100% secure solution. You’re never going to get there. So your goal is to get to good, is to constantly improve your posture, and that’s what these assessments do for you. You don’t know whether you’ve gotten from A to B and improved your position unless you measure it, right?
Sharon D. Nelson: Right.
John W. Simek: But in addition to these assessments you don’t necessarily have to use technology all the time.
Another thing to help augment that, I think, are policies, and policies can have some, and should have some, enforcement for all the people. But things like acceptable use policies and social media, backup policies, remote access policies, those types of things, I’m not going to run through, there’s a — there’s a boatload of them you could do.
Maybe you have a policy about communications with your clients and that you should be using encrypted email as an example or a portal or secure portal to communicate whenever you’re dealing in the matter with the client.
Some folks, depending on the sensitivity of the data, may even want to do secure voice communications, that might be what your policy is, I mean that’s kind of an extreme, but it depends on the type of law you’re practicing, the type of clients you have. But don’t forget about the policies about employees using personal devices and connecting them to the network, have some rules around that. You can enforce some of these policies using technology, but you don’t have to all the time, because that’s certainly where the cost gets driven up etc, etc.
But don’t forget about the policies, and another important piece is review those, because technology changes. You would have never seen a social media policy what 15 years ago, right?
Sharon D. Nelson: No, that’s — well just starting — just starting 15 years ago, pretty much with Facebook, right, that was about the day.
John W. Simek: But nobody had a policy. They didn’t have a policy for years, you know that because Facebook was wide open. They didn’t know what the impact of all this stuff is going to be.
Sharon D. Nelson: Well that’s for sure.
John W. Simek: It’s very common though now to at least have a social media policy.
Sharon D. Nelson: Well and you need to enforce those policies and that’s something else people don’t monitor and enforce. And so the policy becomes — it grows old and moldy and nobody knows about it, nobody trains the new people on it, nobody checks to see whether anybody is doing anything they’re not supposed to be doing.
So yes, policies are important to have, but certainly to monitor and enforce them as well. And that I think brings us to training your employees, that’s another thing that can help your security tremendously. They say that a single one-hour training session can up your security level, or reduce your risk I should say, by 20%. So that, that’s pretty significant.
Your most valuable asset without question is your employees, but they’re also your greatest threat. They move too fast, they’re easily duped by things like phishing emails and phishing emails very often are the way people successfully get into law firms. So what you want to do is you want to perform phishing simulations where employees receive very carefully constructed emails, kind of specific and customized for your firm.
So if they don’t see the red flags there and they click on a link or an attachment or they answer, say, an email, because a lot of times what they do today is you get an email saying do you have time to talk, it’s signed by what seems to be the senior partner or something, and ultimately it becomes a conversation in which they’re asking for monies, gift cards, things like that.
So training and retraining is constantly needed, annually is very good. It changes like we said so much that I don’t think we’ve ever given the same presentation, although we do this kind of training. I don’t think we’ve ever given the same presentation twice in a row because we’ve always been updating the presentation, and I know I’ve got a whole folder of stuff that is already needed for the next update.
It’s really not too expensive and to be candid, I mean we do it for the very cheap price of $500 an hour for the two of us. And the reason you do it that way is because of course, you hope that people go, gosh these people really know something and I’d like to hire them. Now that may or may not actually happen, but it does happen a fair amount, and so you’ll find that a lot of the smaller companies will give you a very reasonable price.
So that’s something you really want to try. I would ask friends, who they know that might be good to come, clearly if they’re geographically remote you’re going to have to pick up expenses and so forth. But if they’re in the area then you don’t have anything but whatever the price you negotiate is. Some people I think would probably even come out for free just to try to get the business.
I wouldn’t ever use in-house folks, it’s just Jane, or it’s just Joe, they know those people, they don’t carry as big a stick as somebody from the outside. The biggest thing is to get trainers who are people who educate well, but also entertainers, because cybersecurity can result in that deer-in-the-headlights look, so you want to make sure you get somebody who is going to tell good stories, stories are wonderful ways to help people learn. They really do a great job with that.
And then everybody is awake and now they’ve got something to laugh at and in the meantime you’re actually teaching them but it’s kind of painless. So we’re seeing more and more firms of just all sizes invest in training.
So it might surprise you to hear that audiences actually enjoy the training and they feel more confident afterwards in their ability to spot phishing emails and to recognize social engineering attacks, they know what wire fraud is and how to defeat it or W-2 fraud.
This is just a great way of creating within a law firm a culture of cybersecurity.
John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Guidance for Lawyers with Cybersecurity Paralysis.
John W. Simek: Well Sharon, before we went off to the break, you gave a really good rundown of some of the topics to cover in the employee training, but I want to mention a couple of other ones; phishing certainly is becoming more and more sophisticated, you touched on that. But password changes and password policies, as you know the guidelines have shifted here in the last couple of years, where people are running, they’ve got this password and security paralysis, right.
They’re just tired and the fatigue of changing passwords all the time, well you don’t have to do that anymore. The new guidelines from NIST really say that you should only have to change your password if you know it’s been compromised, because the problem that we’ve got is since everybody has to change them all the time, they’re using the same darn password for everything, which is no good, that whole password reuse is bad news.
But a couple of other things to address with your employees is physical access, and I know you’ve seen this and I — we both have, is, if you’re coming into a secure environment and you need to have some sort of a card or an ID in order to get in, then we’re very helpful folks. So people will come by with a big box or something, something that’s really bulky, waiting for somebody to open the door and they’ll just scoot in behind them.
So that whole physical access, and they may not be authorized to go in there. So things like that to teach those folks, but those are some of the additional things that I think you should be bringing to the employees’ attention and certainly wire transfers, I think you talked about that a little bit, but at the end of the day, this is really largely financially motivated, what the bad guys are doing.
And you should have some procedure in place to deal with wire transfers and as you know, we always tell the folks there’s a really, really archaic invention called the telephone, and you should be calling the person just to confirm that yes, they sent those wiring instructions.
Sharon D. Nelson: Let’s move on to incident response plans and just gosh, it moves so fast it was just yesterday we did an ABA CLE for 400 of our closest friends. It was called Headless Chickens and Zombie Data and it was an ethical guide to what you have to do after disasters or after data breaches.
So incident response plans are — they’re truly something you must have and only about 25% of law firms have them, and that’s just despicable. There’s no excuse for that. These are not hard things to devise but you need to have one. And if you don’t have one, what happens is you get an incident or you have a breach and you are running around like headless chickens because you’ve got no flipping plan.
So everybody is just agonized and suffering all this anxiety but they have no idea what to do. So the elements of the plan, they’re really not that complicated and I’m just going to go through a few of them, there’s a lot more but you need to know the contact info for your regional FBI office, you’ve got to have contact information for a data breach lawyer and God knows, they’re all over the place now.
You need contact information for a digital forensics company to investigate and remediate the breach, your insurance company’s contact information because you may be required to report a breach or incident in a given period of time or you lose benefits. You need contact information for your bank, in case you need to warn them to be wary of suspicious transactions.
And don’t worry, banks are very accustomed to this. If you’re big enough, you might want contact information for a public relations firm, you need a list of who needs to be informed if there’s a breach, client, third-party vendors, the State Attorney General, don’t forget that one, all of the states, all the territories now have data breach notification laws.
So that should be right there with your plan as well and you want a plan to preserve all the information to assist in the breach investigation. So you’re going to gather all the log data and try to determine what went wrong, what was impacted and the steps to resume operation, and review that doggone thing every year because that too changes.
John W. Simek: Well you know Sharon, you mentioned earlier in the first half that there are things that attorneys can do that aren’t real expensive and/or potentially free. So I’m going to cover a few of those. You certainly want to have some sort of security solution, some endpoint solution and that’s going to be your security suite, your Symantecs of the world, Trend Micro, whatever, your antivirus, whatever label you want to put on it.
But that security suite, that endpoint solution, typically is not real expensive, on an annual or monthly basis, but certainly you need to have that. Patching, updates: the number one reason as to why folks get compromised and why they have a security incident, and it doesn’t cost you anything. When a patch is released, apply the patch. It might cost you a little bit if your IT folks are doing that, but it certainly should be done on a very timely basis.
You can get solutions too these days, firewalls, like we said earlier, you don’t — a lot of times you don’t know when you’ve been breached, so that whole intrusion detection, intrusion prevention systems, those features now are being built into firewalls.
One of our favorites is the Cisco Meraki product line, it’s only a few hundred dollars for the hardware and it’s done on a subscription basis, a few hundred dollars a year. So let’s say for a solo small attorney, you’re going to walk out with maybe $1,100-$1,400 over a three-year period, which is not a heck of a lot of money to get firewall, secure wireless and intrusion detection, intrusion prevention systems. So those — that’s a good alternative to take a look at.
Something that really doesn’t cost you anything and something that’s extremely, extremely important when we’re talking about data breaches is logging. You need to know the information, you need to know what happened so that you can go and investigate the incident.
Logging is available in all kinds of software, in all kinds of products, but a lot of times it’s not turned on or when it is turned on, it’s turned on in a very minimal fashion. So as an example, Windows out of the box has the Event Viewer which does things like application logs, system logs, security logs, but they’re not kept for a long period of time and they might not be logging a lot of events. That’s the default configuration.
So if you know how to do it, or you get your IT folks to go in there, whether it’s to do a global policy or, if you’ve only got two or three computers, you can do it manually, is to increase the logging capture, time, and what the events are, and that doesn’t cost you anything.
And so if you do have an incident, you can then go out and gather that information and do a really, really credible job of determining whether or not data really was exfiltrated or whether it truly was a breach or a cyber incident.
Sharon D. Nelson: Well that sounds like a great piece of advice there, but we know that logging is frequently not done. So make sure, if you don’t understand it — and in that CLE we did yesterday John, we had a bunch of questions about what is logging, what does it mean? How do I do it? So if you don’t understand those answers, talk to your IT or cybersecurity people and they will know and they will explain it to you.
So real briefly, I’m going to talk about what to do if you’re in a firm where the stopping point in cybersecurity is the C-suite or a managing partner who just won’t listen. It’s really hard when you know and they don’t know and they’re the ones who get to make the decisions. They live in an ivory tower, they don’t understand cybersecurity or the threats, they say it’s not going to happen to me, that’s very often where their mindset is.
So you really need to make your case financially, what could happen, what it would cost. You need to talk about ethics, they need to be worried about failing to follow their ethical duties, the duty of confidence, the duty of keeping their data, client data, confidential, you need to use some statistics like the ones that John cited earlier from the ABA. You need to talk to them about the reputational damage and the fact that there might be clients who, if they got breached and it got public, you know, might walk out the door.
And of course, who ultimately will be blamed. It will be the C-suite. So this is one of those cases where fear is good. Put a little fear into the C-suite and I think that that’s practical sound advice.
Sharon D. Nelson: And John, I know we’re just about out of time here, but we had one favorite tip, one favorite final thought from this year’s ABA TECHSHOW, you want to tell us what that was?
John W. Simek: Yeah, it basically said store less and delete more. So, if you don’t have it you can’t lose it, right? So, don’t keep that data all around, especially if it’s not needed anymore. Let’s get back to that the policy thing I talked about earlier, have some sort of a data retention policy or data/data destruction, a lot of folks call it data — right data retention, but you really should be destroying it as well, so that it’s not there potentially to be had in a breach scenario, that one.
The second one that I want to throw out there is stay informed, stay informed and have the security awareness about what’s changing, and if I can throw one resource out there for folks, and it’s free, I know lawyers love free, it’s called the SANS OUCH! Newsletter, so you just go, just do a search for that SANS OUCH! Newsletter, subscribe to that for free and you’ll get it delivered in your email and it’s really a security awareness thing.
SANS does an excellent job of telling you these are the current trends, these are current things that we’re seeing, you know, the latest ransomware attack, maybe they will even tell you when Baltimore is going to come back on line from their ransomware attack, but anyway, it’s a really, really good free resource.
Sharon D. Nelson: And in fact that goes back to my C-Suite topic, the OUCH is what you want to convey to the C-suite.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology, and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.