No lawyer wants a failing grade, but the fact that nearly one-third of law firms have experienced a data breach makes it apparent that cybersecurity preparedness needs some major work. Focusing specifically on smaller law firms, Sharon Nelson and John Simek welcome Tom Lambotte to discuss why lawyers fail to adequately protect themselves and what they should do to bring their cybersecurity measures up to scratch.
Check out Tom’s Stupid Simple Security Tips blog for quick & easy insights on protecting your data.
Tom Lambotte is the founder and CEO of Security+ and GlobalMac IT.
Special thanks to our sponsors CaseFleet and PInow.
Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon Nelson: Welcome to the 127th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises, a digital forensics, cyber security and information technology firm in Fairfax, Virginia.
John Simek: And I’m John Simek, vice president of Sensei Enterprises. Today, on Digital Detectives, our topic is why solo, small and mid-sized law firms get a failing grade in cyber security.
Sharon Nelson: Before we get started, I’d like to thank our sponsors, PInow.com and Case Fleet.
John Simek: Today, we are lucky to have as our guest Tom Lambotte, the CEO and founder of Security Plus, the only turnkey comprehensive security solution built for solo lawyers and small to mid-size law firms. His methods, based on over 15 years of research, testing and real-world refinement, provide leadership and direction to transform law firm operations, boost profitability and reduce the risk of getting hacked by leveraging technology. Tom has authored three books, the most recent, Macs in Law, was published by the ABA Law Practice Division. His work is published in numerous leading legal publications including Attorney at Work, Law Practice Today and Solo Practice University. His weekly blog for lawyers, Stupid Simple Security Tips, provides simplified recommendations to help stop law firms from getting hacked. He is a proud and active father of four kids and lives with his wife in Cleveland, Ohio. It’s great to have you with us today, Tom.
Tom Lambotte: Thank you. I’m excited to be back again and always look forward to our discussions, although I’m a bit nervous about living up to the bio. That’s the challenge of a well-written, fancy-sounding bio like that, so I’ll do my best here.
Sharon Nelson: Well, I’m sure that will be just fine and I think the last time we had you on, Tom, was in June of 2018. So, why don’t you tell our listeners what you’ve been up to since then?
Tom Lambotte: Yeah, so since then, I’ve continued to grow my primary venture, Global Mac IT, which is a managed service provider specifically for law firms that use Apple computers. That’s going really well. Stable, steady, great clients. And the other big thing that I’ve been trying to solve was a problem that I kept running into. For 16 years, I’ve always met with solo and small firm lawyers even when I knew they weren’t a good fit, even knowing they were too small for our managed services.
My motto was to help first, and so I’d always strive to provide clarity and direction with the time we spent together, but it happened so many times that I was just turning them away. Hundreds of solo and small firm lawyers, and I knew that their options were really limited. I also realized that managing the day-to-day technology has gotten easier but that security has gotten more complex, and so two years ago, I started asking myself, how can I help these people? How can I provide value and solutions?
And so, as a result, fast forward to today and now we’ve got Security Plus, that we’re just starting to spread the word and set up member benefits and doing all that fun stuff to get the word out.
John Simek: Well, Tom, a failing grade, which we mentioned in the title of the podcast, is kind of a bold statement. The state of cyber security protection for the solo, small, mid-sized firms — I have my own opinion, but is it really that bad?
Tom Lambotte: Sadly, it is, and no lawyer wants to be told they’re failing, but according to the 2020 ABA Tech Report, 29% of law firms have been hacked, which is up from 26% in 2019. I believe it’s important to humanize results, so when talking to a lawyer the way I like to reframe it is I say, “Hey, imagine two of your colleagues. Now, look at one, look at the other. One of you three has been breached.” And if you add on to this the statistic that’s not often quoted from the same survey, that 21% of respondents don’t know whether their firm has ever experienced a security breach, those two make up 50% of respondents that have either been breached or don’t even know if they have or not. So, they get a failing grade.
Sharon Nelson: Well, I think that’s fair. And in some respects, they’ve done a little bit better. The legal space and vertical has made giant strides in embracing the cloud over the past decade and even more so since the pandemic hit, but while the ease of technology has greatly simplified things, would you say that cyber security has done the opposite and become more complicated and hard to understand during this time?
Tom Lambotte: Absolutely. I think it’s so easy to take the progress for granted. On the tech side of things, a solo or small firm now can set up their email, file sharing and case management software in one afternoon on their own and for only a few hundred dollars a month.
A decade ago, that was unheard of. It was tens of thousands of dollars just to get those things up and running. And so, they’ve made major strides in simplifying technology, which has empowered a lot of solos and small firms. However, as Bret Michaels, the great philosopher of the ‘80s band Poison, has stated, every rose has its thorn. And so, the flip side of that is that when it comes to cyber security, the threats have multiplied. 10 years ago, I used to brag that Mac users don’t need virus protection. Two weeks ago, an Apple executive testified under oath in court that malware on Mac is at an unacceptable level.
So, things have changed. Phishing emails, business email compromise, ransomware, every single type of cyber threat has become significantly more advanced and harder to tell. I mean, I’m sure you guys hear of people getting phished all the time. The tactics are getting better and more polished and more advanced, it feels like by the week. 10 years ago, when your email was hacked, the biggest concern was Viagra offers going out to your whole list, which was pretty embarrassing. Today, bad actors lurk in the shadows. They search your conveniently indexed email contacts for the good stuff and they wait for opportunistic times to strike and to send emails impersonating different people with their own routing numbers and things like that. So, it’s gotten infinitely more complex, I think.
Sharon Nelson: Yeah, we couldn’t agree more. It certainly has been very hard for the folks who are at the solo, small, mid-sized firm level, because they don’t have the budget to do some of the things that some of the big firms are doing.
Tom Lambotte: Definitely. I think it’s hard — that’s again how I started doing this, because so many of them wanted to do the right thing. I just got off a call with a friend of mine down in Boca Raton who also runs a managed service and they’ve got a 20-user minimum. For ours, we have a 10-user minimum. I’m sure you guys probably have minimums as well, so it has to make sense financially, but the ones that end up getting the short end of the stick are the ones that are small and that are being proactive. They’re like, “Hey, I know it’s an issue. I know I’ve got to do something. Can you help me?”
And the majority of well-established IT companies unfortunately, have to say sorry you’re too small, we don’t have a solution for you.
Sharon Nelson: It’s funny you should say that because I’ve told my folks over and over again if a solo comes, a solo comes. We will take them anyway.
John Simek: Our minimum is one.
Tom Lambotte: Well, that’s great. You guys are the exception to the rule. Again, you know the market, and I’m sure you can count on one hand the number of people that have a one-user minimum.
Sharon Nelson: You’re absolutely right, to be sure. I mean, it is to give back to the profession that I made that rule long ago, and thank heavens, the folks who work with us understand why I made the rule and they honor it, so I’m glad about that.
Tom Lambotte: That’s great.
John Simek: Well, Tom, I’m glad you mentioned Apple, and I know you’ve primarily focused on Mac lawyers for years and years and years, at least I think since we’ve ever known you. But if we look at those lawyers, how do you think they would grade on cyber security?
Tom Lambotte: Sad truth is, just as badly as Windows users and maybe a bit worse. So, I’ve always been a Mac guy since I started. Global Mac IT has been and always will continue to be Mac-only. Security Plus expands that with solutions for all Mac and PC users. But you know, viruses and ransomware have not been an issue for Mac users, and that itself creates an issue. What that ends up creating is a false sense of confidence, because they use Macs, and they end up being more lackadaisical towards their security measures.
So, the mindset goes like this, and it’s an old mindset. 10, 15 years ago, again, I used to have my nose up in the air and say, “I have a Mac. Macs don’t get viruses. I’ve never had a client get a virus. Therefore, I’m safe.” But what they’re missing is that the cyber threat landscape has completely changed. It’s not what it was 10 years ago. It’s not what it was five years ago, and outside of ransomware and viruses, the majority of cyber threats out there don’t give a hoot whether you use a Mac or not. If you get phished, you get phished. I don’t care if you’re on a Mac or a PC. If you have business email compromise, all these different things affect you just the same way whether you’re on a Mac or PC. So, I think they’re actually — I hate to use the word lazy, but it’s true.
I was just on a podcast with someone recently who was a Mac user, and talking about Security Plus, I got an email at the end of the day actually admitting to me, he’s like, “Yeah, I just got phished and I gave up my credentials and I didn’t even realize it.” So, it happens to everybody, and the Mac users are — 10 years ago, it was different. They didn’t get viruses. That was good, but it’s a different world today than it was 10 years ago.
Sharon Nelson: Well, and of course, the market share has gone up too.
Tom Lambotte: Definitely, yeah. The market share continues to go up and, you know, cyber criminals are like, “Hey, the market’s big enough, it makes us — it’s ROI. It’s a business.” Cybercrime is a very well-run, very efficient, very well-funded business. It’s not some tech geek that’s living in his grandmother’s basement eating Cheetos with a hood. It’s organized crime. You guys know this very well. It’s funded, and it’s like, “All right, how many Mac users? What kind of data and assets do they have?” It’s a simple business game. So, they’re developing, they’re targeting Mac users just as well.
John Simek: An account takeover attack on a Microsoft 365 account, doesn’t care what you use to get to it.
Sharon Nelson: No, it does not. Tom, I think it’s safe to say that lawyers are concerned. We certainly see that when we lecture, and they know that cyber security is a problem, which is why they’re trying to understand it better. So why do you think so many lawyers are getting a failing grade on a continuous basis in cyber security?
Tom Lambotte: Yeah. Why hasn’t it changed? Why isn’t the trend shifting to improve? I think lawyers’ failure to adequately protect themselves is rooted in four main causes. So I’ve created this framework called the Lacking Framework, and it’s made up of four things. The first is a lack of awareness. They underestimate the cyber threat. “It’s not going to happen to me, I’m just a solo, I practice family law, they’re not going after me, they’re going after the IP guys.” So, they underestimate or misunderstand the threat.
The second is a lack of time, especially for solo and small firms, which are the ones I’m really passionate about helping. They have so many responsibilities. It’s impossible to perform all of them at a high level. A solo or small firm lawyer is doing lawyering, they’re also doing HR and finance and marketing and security and technology and all these things, and some things are okay to get behind on, like your books. Sometimes, we get three or four months behind and then we power through it over the weekend and get caught up. But getting behind on security, the penalty for that is having a data breach. Now, you’re filing a notice of a data breach. In my opinion, that’s just as bad a mark on your record as a criminal record or a bankruptcy. And so, it’s important. So, they lack the time to do it properly.
The third lack is lack of clarity. Like we’ve seen it before, even the ones that are trying to do the right thing, reaching out to an IT provider, many of them are turned away. If you Google and try to find IT security solutions, there are hundreds, if not thousands, of different security solutions. The ones that come up on Google searches are the enterprise-grade, the big larger ones. And so, it’s like, do I need a SOC, do I need a security operations center as a solo with a paralegal? So, they don’t even know where to start, what to do, what do I need, what’s too much, what’s too little? And so, the easiest action is inaction at that point.
And then, the last one is a lack of implementation. Lawyers have a recurring pattern of not addressing their main problems. And I think to me, that was really pointed out in the annual Thomson Reuters State of the U.S. Small Firm survey. I don’t know if you guys read those closely, but what really stood out this year is that year after year, they’ve identified the biggest problems and they break them down into three different groups. We know about the problem and we’ve addressed it. We know about the problem and what to do but we haven’t done anything about it yet. We know about the problem and we don’t know what to do about it. And overwhelmingly, I mean it’s 80% consistently — about 70% to 80% for most of the main problems — that end up not being addressed from year after year.
And so, lack of implementation is, again, it doesn’t matter if you know what needs to happen. If you’re not doing it, you don’t get the benefits.
John Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up to date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.PInow.com.
What could be more important than knowing the facts of your case inside and out? Case Fleet’s powerful software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full-text search and built-in document review, Case Fleet makes fact management easy. Sign up for a 14-day free trial at CaseFleet.com/digitaldetectives and get 10% off your first subscription.
Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is why solo, small and mid-sized law firms get a failing grade in cyber security. Our guest is Tom Lambotte, the CEO and founder of Security Plus, the only turnkey comprehensive security solution built for solo lawyers and small to mid-sized law firms. His methods, based on over 15 years of research, testing and real-world refinement, provide leadership and direction to transform law firm operations, boost profitability and reduce the risk of getting hacked by leveraging technology.
John Simek: Tom, before we went off to the break, you were talking about the four lackadaisical things, I guess, to kind of paraphrase everything there. And out of curiosity, which of those do you think is really the most important?
Tom Lambotte: I think the biggest one is implementation. I always think of that commercial on — I think it was on PBS. The more you know, and, you know, knowledge is power.
John Simek: He sings, too.
Sharon Nelson: I think he should stick to technology.
Tom Lambotte: Yes, not well, not well. My kids would agree. So, knowledge is not power. It’s only potential power. Knowing what to do but doing — you don’t get a gold star for “Yeah, I knew that I was supposed to have 2FA active. I knew that I was supposed to do these things.” Implementation is where you get traction, where the rubber hits the ground and you actually get results to show for your actions. So, implementation is the biggest thing, and I think it’s the hardest one as well, because of the lack of time and just being pulled in so many different directions. And if you don’t have certainty in what the action is, it’s impossible to take that action and move forward.
Sharon Nelson: Yes, well, I certainly agree with you. Implementation is a big problem, and part of it is budget, too, but you’re right, they’re also struggling for time because they’re very busy at the smaller level. What do you think is the single best cyber security protection solution that’s out there?
Tom Lambotte: That’s a tough one. I hesitate to even give an answer, as it would be misguiding. That’s like asking, “What’s the single best car safety measure? Is it the seat belt?” I would say the basics, maybe using unique passwords and two-factor authentication, but those are just the bare minimums, in the same way that you would wear your seat belt in your car but you’d still rely and depend on all the other safety measures. And so, if I can update that answer, I think the best protection is a multi-layered security approach.
If you want to imagine the good old classic heist movies, there’s a series of tests they have to go through to get to the jewel. You’ve got the video cameras, the armed bodyguards, the laser beam scene is always the funniest one, and then, you know, we’ve got the Indiana Jones one where he’s got the bag of sand and you’ve got to put it on there at the same time. So, the best approach is multiple different solutions. So, for one fault — if one fails, the other ones are there to protect you. So, that’s my answer. I’m sticking to it.
Sharon Nelson: Oh, no. That’s a good one.
John Simek: So, Tom, what advice would you give our listeners right now who realize the risk posed and want to do the right thing? You already talked about the lack of time that folks have, et cetera, but what about — as well as the ability for them to protect themselves? What advice would you give them?
Tom Lambotte: I would say find a who. And what that means to me, there’s a book called “Who, Not How” by Dr. Benjamin Hardy. And the whole concept — it’s written for entrepreneurs, but again, the market that I serve, really solo and small to medium-sized law firms, I believe, are highly entrepreneurial. And the main concept is that when an entrepreneur decides they want to do something, the next question they usually ask is, “Okay, how do I do this? We’re problem solvers. How do we get this done?” But that’s the wrong question. The right question is, who can get this done? Can you find an expert?
And so, he actually says — I have this quote here in front of me. “When you’re trying to accomplish something challenging or difficult that you’ve never done before, you probably need a who.” Let me say that another way. You absolutely need a who if you’re trying to accomplish something new and challenging unless you’re fine not getting the result you want in the near future.
So, finding a who means accepting, “Okay, I’m not going to wake up any day soon and be a security expert. I’m not going to wake up as a solo and know exactly what I need to do to take care of the security thing so I can sleep at night, not worry that I’m going to become another statistic.” There are so many people I talk to who say, “Oh, someone in my building just went through a data breach,” and they talk about all the stress. I wonder if it’s them talking about themselves in the third person. But you’ve got to take action. Don’t wait until something happens.
The sad truth is it’s happening to way more people than you can think.
There are way more lawyers out there that are experiencing data breaches that are not reporting it because they don’t want that black mark on their record, and it’s not this rare thing that might happen. It doesn’t just happen to the big law firms that you hear about. The big law firms get the headlines. Just like you only get a headline if you have 250 million credentials breached or more, that small 10, 20 million doesn’t even make news.
And so, it’s the same thing in the legal world. It’s happening to everybody so you’ve got to take action. So, find a who.
Sharon Nelson: It’s hard to find those whos. There are all kinds of people with their hands up in the air saying they’re an expert, so it does take some work. We’ve always said talk to your colleagues, they’ve had good experiences with folks, and a lot of times, that’s the best way to get some sound advice. But let me ask you another question. What’s the best book you’ve read this past year that you think all law firm owners, managing partners and legal administrators should read?
Tom Lambotte: I actually just gave that one up, and it’s “Who, Not How” by Dr. Benjamin Hardy. I mean, I love this book. It’s been a significant game changer for me. It’s helped me break through a lot of complexities, things that I was trying to move forward, and whenever I find myself kind of kicking the can down the road for something that’s important but not making progress consistently, I stop and I say, “Okay, I need to find a who. I’m trying to do it, but I’m not an expert at this thing, whatever it is I’m doing at the time.”
In fact, I like this book so much that when it came out, they had a special, and I bought 50 copies of the Kindle book just to give out to clients and different people and prospective clients. And so, I wasn’t planning on this, but I’ll just throw it out there. The first 10 people who shoot me an email at [email protected], I’ll go ahead and hit reply and I’ll send you a copy of the book, so just put “Who, Not How” in the subject line or something like that. It’s a really good book. It’s simple, it’s not just based on theory and research, but it’s really useful, especially for solo and small law firms who are in charge of doing so many things on their own, and when you’re split in a hundred different directions, it’s hard to make any real progress. So, who, not how.
John Simek: Well, Tom, what haven’t we asked you yet that we should have, and do you have any final, like, really killer tip that our listeners could use right away?
Tom Lambotte: Yeah. Security Plus, it’s built to be a turnkey solution. It’s kind of created to be one more arrow in the overly busy lawyer’s quiver, but that’s not the first step. I think it’s important to get those security layers in place, but for most people, the truth is they’re not even doing the basics, the things you have control over. I like to think of The Club. Do you remember The Club back in the ‘90s? The carjack protection device? That big red metal bar?
John Simek: Clamped on your steering wheel, yeah.
Tom Lambotte: And so, the big red thing. You clamp it on there. I always thought of the car thief who’s going through a parking lot and he’s looking, he’s peeking in windows. If they saw The Club, they didn’t waste their time, they just moved right on to the next car. I don’t care how nice the car was. It’s not worth the extra effort, right, of trying to defeat The Club.
So, your club, as a lawyer, is two-factor authentication. It’s one of the simplest things to activate, and it nets you, I believe, one of the highest immediate increases in security. So, make a list. If there were five services that got breached today, which ones would stress you out the most? Case management software, email, file sharing, banking, accounting are usually the top five. You might have another, but make those top five and ask yourself, “Do I have two-factor authentication enabled and active for those five services?” If not, do that tonight. Just spend half an hour, one hour. It’s one of the best hours you can invest to get that up and running and increase your security.
Sharon Nelson: You know, it’s funny, we mentioned that in a lecture we gave for the South Carolina Bar just an hour ago. But then, of course, you knew you were preaching to the choir. We want to thank you, Tom, for being our guest today. It’s always fun to talk with you. You’re a very colorful person, which is wonderful because listeners love that, and you have a lot of interesting and great advice to give folks in a simple way that’s easy to understand without all the tech speak, which they hate.
So, thanks so much for taking the time and being with us today.
Tom Lambotte: My pleasure. Thank you so much for giving me the opportunity to be here and kind of share the word on my latest passion project here.
John Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts, and if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon Nelson: And you can find out more about Sensei’s digital forensics, technology and cyber security services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.