There’s no “set it and forget it” for your law firm’s cybersecurity. Effective security is a continuing process, and the start of a new year is a great time to see how your firm is doing. Sharon Nelson and John Simek talk with David Ries about how to give your firm a cybersecurity checkup. They outline what lawyers need to include in their assessment and where to find reliable information on the latest security tools, training, resources, and statistics.
David G. Ries is Of Counsel in the Pittsburgh PA office of Clark Hill, PLC, where he practices in the firm’s Cybersecurity, Data Protection and Privacy Group.
Intro: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you can use in your law practice. Right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 145th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is “It’s a Good Time for a Cybersecurity Checkup.”
Our guest is Attorney David G. Ries, who is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the firm’s cybersecurity, data protection and privacy group. He has devoted his legal career to helping organizations traverse complex environmental, technology and data protection challenges. For over 25 years, he has increasingly focused on technology, cybersecurity and privacy. As usual, it’s great to have you back with us, Dave.
David G. Ries: I’m glad to be here. Always enjoy working with both of you.
Sharon D. Nelson: Well, let’s get started and tell us Dave, why is it a good time for a cybersecurity checkup?
David G. Ries: Well, it’s the new year and I’d like to use that as a flag. As we know, effective security is a continuing process to protect technology every day, all year long. It’s not just set it and forget it. So it’s important to devote continuing attention every day, but periodically to step back and take a look and make sure that everything’s being done correctly. For large firms, that’s more of an ongoing process, and even for them it’s good once a year or more frequently to step back and say, “Are we doing things the right way?” For a small firm, sometimes they’ll only do it once a year, and then the new year is a good time to do that. And there are a number of things they should look at, which I’ll explain as we go along.
John W. Simek: That’s a great segue, Dave. So, can you talk a little bit about this whole checkup and what should be included in that for any law firm or business?
David G. Ries: Yes. I think there are four things to look at, and again, they should be looking at security on an ongoing basis. But the first question for a checkup is: have there been any security issues or security incidents during the past year, and if there have been, are we adequately addressing them? And that’s within the firm, not generally worldwide. No. 2, have we added any technology during the past year, and if we have, are we using it securely? Third, what are the current threats? What are the threats to us and to everyone else? Things like phishing, business email compromise, ransomware. Are we effectively addressing them on a day-to-day basis as we use our technology? And finally, are there new safeguards available? Things like zero trust and extended detection and response. If there are new ones available, is it time for us to look at them more or move to them? So, those are the four questions for a checkup that should be done at a minimum once a year, and in the larger firm more often.
Sharon D. Nelson: Well, when you go to do this checkup, what sources of security information would you suggest for our listeners?
David G. Ries: For the checkup, there are two different areas, and I’ll be going into a little more detail on information sources in a later question. But first, there’s inside-firm information. So, have we had security issues, and have we changed our tech? Those are going to come from either the firm’s IT person, its outside consultant, or both of them together. Then there’s the general cybersecurity information from the outside: what are the current and emerging threats, and what are today’s available safeguards? Are there new ones that we should look at? Those come from internal IT, as well as from legal, government and tech industry sources. And those I’ll talk about in a later question.
John W. Simek: Do you have any specific recommendations of information sources?
David G. Ries: Yes, I do. There’s a lot of them. I mean, I want to qualify that with: you could spend a lot of time every day looking, like you, Sharon and I do, because this is a part of what we do for work.
But there are legal sources, government sources and tech industry sources. As far as legal, there are blogs like Sharon’s Ride the Lightning and Your IT Consultant; there’s ABA news, emails from the ABA Journal and other ABA groups. There are podcasts like this one and other Legal Talk Network ones. The Law Practice Division has the Legal Technology Resource Center, TECHSHOW which is coming up in March, Law Practice Magazine, Law Practice Today and the free webinars that are put on several times a month. And of course there’s the ABA TechReport. I know you wrote the cybersecurity one this year, John. That’s a really good source for an annual checkup because it looks at what attorneys are doing in the area of cybersecurity and gives some details about threats, how attorneys are addressing them, and a lot of things like that. There are state bars, there’s the International Legal Technology Association’s InfoSec, and the ABA Cybersecurity Legal Task Force, which has a website with information focused on small firms.
There are government agencies like CISA, the Cybersecurity and Infrastructure Security Agency. It has resources for small business, and it has a comprehensive Shields Up website. The FBI and the National Institute of Standards and Technology provide information. And finally, there are tech industry sources, online news like CNET, ZDNet, CSO Magazine, Dark Reading. So there’s a lot out there, and it’s important for firms of any size to look at at least some of these sources, decide which ones we’re going to look at, and someone should have responsibility for periodically reviewing them.
Sharon D. Nelson: I certainly agree with you, and I know John does too, that CISA is one of the best sources. It’s a government resource, but it’s written in easy-to-understand language and there’s no dog in the hunt, which makes it a source of information you really want to pay attention to.
David G. Ries: Yeah, and I mean, you can even sign up for daily newsletters from CISA. Sometimes you’ll get five or six or more a day, but they’re very easy to delete if there’s nothing in them that pertains to you.
John W. Simek: Then you have those surveys and reports that come out every year too, right? Like Verizon’s Data Breach report and Mandiant’s and all those. So I don’t think there’s any shortage of information for us to try to digest, is there, Dave?
David G. Ries: No, there’s not, and another one that I’m going to talk about is Microsoft’s Cloud Security Report, which I’ll be talking about later. Those are comprehensive, but I mean it’s good even for someone in a small firm to look through the executive summaries.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Female: As a lawyer, insurance is one of the last parts of your job you want to spend unbillable hours on. That’s why thousands of lawyers have switched to Embroker. Embroker offers A plus rated insurance for law firms. You can quote and buy instantly online. If you need help, they have experts on standby. Go from signup to purchase in 15 minutes by visiting embroker.com/law. That’s E-M-B-R-O-K-E-R.com/law.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is “It’s a Good Time for a Cybersecurity Checkup.” Our guest is Attorney David G. Ries, who is of counsel in the Pittsburgh office of Clark Hill PLC, where he practices in the firm’s cybersecurity, data protection and privacy group. He has devoted his legal career to helping organizations traverse complex environmental, technology and data protection challenges. For over 25 years, he has increasingly focused on technology, cybersecurity and privacy.
John W. Simek: Before we went off to the break, we were talking about some of the resources and information sources that are available to us. But are there any current statistics that you would consider to be important as part of this whole checkup process?
David G. Ries: Yes, there are, and there are five that I am now regularly using when I teach CLE programs in this area. The first one is 23 to 25%, and that’s the number of law firms responding to the ABA’s Legal Technology Survey Report that say they have been breached at some time, and it’s any kind of a breach, from a minor lost laptop to a major data breach. But it’s been about 23 to 25%, and that’s been pretty steady the last few years.
So one out of four law firms has reported a breach. So that’s the bad news. The good news is that there are some pretty high statistics on what law firms and businesses can do to protect themselves. So, the first one is from Verizon’s Data Breach Report, and they report that 82% of security incidents involve the human element. So if you can focus on the human element, you can really get strong protection if you can fight against that 82%. And that doesn’t mean that they’re all malicious attacks by individuals. They can be malicious, but more often they are someone who’s trying to do the right thing who makes a mistake, like clicking on the link or opening the attachment or something of that nature.
The next is from CISA, and that is that 90% of successful attacks start with a phishing email. So, if you want to know where to focus both technology and training and security awareness, phishing is critical. Next is from Microsoft’s Cloud Security Report; there are actually two informative stats from Microsoft. From the Cloud Security Report, 90% of attacks can be stopped with basic cybersecurity hygiene. So if you employ what Microsoft defines as basic security hygiene today, it’ll protect against 98% of attacks. And finally, another 98% number: Microsoft just reported that 98% of credential-based attacks can be stopped by multi-factor authentication. So those are just credential-based attacks, if somebody gets a username and password or uses credential stuffing, trying to guess usernames and passwords. But those are high numbers, so focusing on these high numbers is a good place to make sure that you’ve addressed them in your security program.
Sharon D. Nelson: Well, I know we’re always preaching about the importance of training, so I’ll bet you would like to talk about that too.
David G. Ries: Sure. Because training is one of the core ways of protecting against the 82% of incidents that involve the human element. So, the goal is to make sure that all users understand the current threats and how to protect against them, and very importantly, that they have constant security awareness every time they’re using technology. The biggest enemies of security, to me, are people who are untrained, distracted, rushed, multitasking; that’s when people make mistakes. So it’s a critical focus. And I’ve seen report after report that suggests it’s really important to have reminders, and if you have formal training yearly or quarterly or semi-annually, it’s important to have short reminders in between.
John W. Simek: You made reference to Microsoft’s basic security hygiene. Can you go into a little more detail about that and what Microsoft considers that to be?
David G. Ries: Yes. Now it considers some things that are emerging and, for a lot of particularly smaller firms, are new, but the formal name of it is the 2022 Digital Defense Report. It has several items that it considers to be the basic security hygiene. And again, Microsoft finds that it will protect against 98% of attacks. So the first one is enabling multi-factor authentication, and I think most people understand that by today. Second is to apply zero trust principles, and zero trust is an emerging approach to authentication and access control. And I’ll be talking about that later. Next is to use extended detection and response. Again, that’s an emerging security approach, and it’s basically using advanced security software. But even though zero trust and extended detection and response are somewhat emerging, Microsoft now considers them to be basic defenses. Next is to keep everything up to date. That includes the operating system, firmware, browser and all applications. And the final one is protect the data. And that’s kind of broad, but it’s knowing where your data is located and making sure that it’s appropriately protected wherever it is. So those are what Microsoft considers to be basic security hygiene. Again, protecting against 98% of attacks.
Sharon D. Nelson: I know that whenever we talk to audiences and we talk about extended detection and response, I mean, you kind of get a deer-in-headlights look. People don’t really understand what it is and why it’s so important. So could you explain that to them?
David G. Ries: Sure, and basically all it is is advanced security software. So, years ago we started with antivirus on individual desktops and laptops, and that evolved over the years to stronger protection, but still on the individual endpoints, and it added protection against rootkits and sometimes against the programs running on them. So what extended detection and response does is it has highly advanced detection on each endpoint that automatically blocks an attack, but it also provides information for reporting and monitoring. So it both provides the advanced protection on each laptop, desktop or other item, but also gathers the information for whoever’s running the security. That can be someone in-house; for a small firm it can be their security service provider. I know it’s one of the services that your company provides, and that’s who will actually do the monitoring on an ongoing basis, so that you don’t come in the next morning and find that you’ve had all kinds of problems overnight.
So I mean, that’s basically what XDR is. It’s becoming more common, it’s really been pushed for several years for federal agencies, midsize and large-sized firms and companies are moving into it, and there are now offerings becoming available for small firms.
John W. Simek: Dave, I would also add to that what I’m seeing, and I’m sure you’re seeing it as well, is we are seeing questions about EDR solutions, XDR solutions, MDR solutions on cybersecurity insurance forms as well. So the insurance carriers are interested too.
David G. Ries: That’s one of the things that carriers are looking for. They’re becoming more sophisticated in their underwriting because of the large losses from ransomware, so they are looking for specific technologies, and that’s one of them.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “It’s a Good Time for a Cybersecurity Checkup.” Our guest is Attorney David G. Ries, who is of counsel in the Pittsburgh, Pennsylvania office of Clark Hill PLC, where he practices in the firm’s cybersecurity, data protection and privacy group. So Dave, why don’t we talk a little bit more about zero trust architecture and why it’s so important to law firms going forward.
David G. Ries: Again, it’s not a particular product like extended detection and response can be; it’s actually an approach or architecture for security. There’s no uniform definition, but it’s beginning to gain meaning as federal agencies have been pushed to use it. But it basically involves four areas. No. 1 is strong authentication for a user to identify himself or herself. Second, segmentation of sensitive data. So in the system, sensitive data is classified and stored separately from the rest. Next, it applies the principle of least privilege, so the user has identified himself or herself, the sensitive data has been put in a particular part of the system or network, and then the user can only get access to it if it’s something that he or she needs. So take something like a law firm that does tax work or estate planning: you segregate data that has bank accounts and social security numbers and things, and when a user logs in, they only get access to it if it is something that they need for their business. So the receptionist can’t get social security numbers and things.
And those are concepts that have been used in the past, but they’re drawn in with a fourth area, which is what makes it zero trust, and that’s continuing verification of the users and the devices as they move throughout the network. So you don’t just log in once and get access to everything within the network; you log in, and as you move within the network, the network requires verification on a continuing or periodic basis to make sure that you are a user and device that has access to that information. Now, it would be very cumbersome if a user had to log on every time they moved or arrived at a part of the network, or frequently had to do it again. But there are automated tools to do the continuing verification.
And that’s why zero trust is so effective: because it is continually verifying that the user and device and all have legitimate access to what they are accessing in the system.
John W. Simek: For our last question here, do you have a suggestion for some cybersecurity New Year’s resolutions?
David G. Ries: Yeah. I have several. First, at least once a year, and more frequently for larger firms, update your cybersecurity program, including your incident response plan. And certainly, if you don’t have them, even for a solo or small firm, develop and implement one. Second, commit to doing periodic reviews, looking at the four things that I’ve mentioned should be in an annual review. Set a schedule and make sure you follow it. And finally, review and update your training program. Make sure that it is focusing on everything that needs to be done, and also promoting constant cybersecurity awareness, and I think that takes some kind of reminders. And one of the approaches I’ve seen is once a month or so you have something, it might just be five minutes, it might just be a page to read, that goes beyond the periodic, more formal training.
Sharon D. Nelson: Well, I think that this was an excellent podcast in advocating that it’s a good time for a security checkup, and you’ve done a really good job as always, Dave, in kind of putting it out in a format that people can understand and digest in 25 minutes or less, which is what these podcasts are. So I think they have a clear roadmap. And as always, we’re delighted to have you with us. Thanks for joining us.
David G. Ries: Well, thanks for having me.
John W. Simek: And that does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at LegalTalkNetwork.com or on Apple Podcasts, and if you enjoyed our podcast, please rate us in Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology and managed cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.