Employees within your organization are likely a bigger risk to your cybersecurity than threat actors from without. Why? Because it very often takes an insider to let in an outsider. Sharon Nelson and John Simek talk with Mike Barnsback about prevention strategies for both internal and external threats. Mike explains common tactics employed by cyber attackers and how the right policies and training can protect your firm from a breach.
Mike Barnsback is managing partner of O’Hagan Meyer in Alexandria, Virginia, where he counsels employers on issues concerning internal monitoring and data breach response obligations and procedures.
Intro: Welcome to Digital Detectives, reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 150th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice-President of Sensei Enterprises. Today on Digital Detectives, our topic is Threats to Your Law Firm: Insiders and Outsiders. Our Guest is Mike Barnsback, the Managing Partner of the Alexandria, Virginia, office of O’Hagan Meyer. Mike’s practice focuses on representing employers in all aspects of employment law issues.
His experience representing employers led him to concentrate on data privacy and security issues for employers. It’s been a long time, Mike. Welcome to the podcast.
Mike Barnsback: Well, thank you John. And Sharon and John, thank you so much for inviting me to participate in your podcast. This is a real – frankly, it’s an honor and privilege for me. I’ve known you guys for a long time and I look forward to spending the next 25 or 30 minutes with you.
Sharon D. Nelson: Well, that’s great. And we picked you for the 150th Edition of Digital Detectives. So that’s quite the honor there, Mike.
Mike Barnsback: It is.
John W. Simek: Well, Mike, let’s get started here. Can you tell our listeners a little bit about what you do, and some more specifics, so they can understand why we asked you to join us on today’s podcast?
Mike Barnsback: Yeah so I am principally an employment attorney that represents employers. And as John mentioned, that led me into dealing with data privacy and security issues because I’ve seen so many circumstances where there’s been data breaches internally caused by an employee directly, maliciously or through an employee’s negligence. So I started getting involved in that.
Also to give you a little bit of ancient history background; before I was an attorney, I actually worked in the computer field. I ran a small mainframe computer that will date when I was doing this at a university doing research with it. So I had a computer background even though it was in the dinosaur days of computers. I kept that interest going so it was kind of a natural merger between my computer information and computer interests and then what I was doing as an attorney.
Sharon D. Nelson: Well, help us understand why, and we find the same thing, as I’m sure you do: people don’t consider insiders a cybersecurity threat as much as they consider outsiders. Why are they such a cybersecurity threat, Mike?
Mike Barnsback: Without insiders, the outsiders are going to have a much more difficult chance of getting in. So you’re going to have insiders that are going to create problems, typically unintentionally; it’s through inadvertent actions or negligent actions that allow the outsiders to come in.
And I was looking at a study recently, it said about 63% of breaches are attributed to negligence due to insiders’ actions. So, I think our insider provides the greatest opportunity for our threat actors, the people on the outside who want to take advantage of our information to get into our systems.
You look at your insider, they have knowledge of where all of our important data is located and how to access it. They have authorization to access it and they have the access. So they’re the natural gateway into our systems and they are used quite effectively by outsiders to gain access that an outsider would not otherwise have the ability to enter into our systems.
John W. Simek: Aside from getting rid of the insiders, is there any way to reduce that insider threat?
Mike Barnsback: Well, yeah, we can’t get rid of our insiders because that eliminates ourselves. And if you look at the mitigation or threat mitigation efforts, a lot of it is focused on the technical side, and the technical side is absolutely critical, but it’s just one component of a comprehensive approach to deal with insider threats.
What’s easy and what most law firms should be focusing on first are the non-technical approaches to mitigating your insider risk, and that really starts with training and education of your workforce. If you’re not training your employees to recognize threats, to be aware of potential threats, you’re really missing an opportunity to plug a serious hole in your system. In addition to the threat training, you’re showing them examples of how outsiders try to gain access and what the employee should do to try to prevent that.
If you don’t know what a threat is, you can easily open the door to it particularly in our computer world. Also, we want this training to focus on reporting. It’s not enough just to recognize it. We need the employees to report to the proper people internally so they can plug that hole. We get threats on a regular basis and we’re trained in our firm to recognize them and then report them to our internal security people so they can one, send out a communication to the rest of the firm advising us that there’s this threat going on and two, enact the technological side to block that threat.
So it’s very important that our employees know how to do this. Another aspect of the training is your implementation of internal policies. If you don’t have internal policies that your employees can look to that deal with security issues, confidentiality issues of data, dealing with passwords and how the passwords should be regularly changed, and the proper protocol for establishing passwords, you’re creating unnecessary problems. These are easy things that you can do to prevent the inadvertent or the negligent actions of your employees from allowing outsiders to come in.
John W. Simek: What about the insiders themselves Mike? If they’re the ones that are the bad actor?
Mike Barnsback: Yeah. We always have to be concerned about that. I see that more in other industries. I don’t see as many bad actor insiders in the legal industry. That doesn’t mean it doesn’t happen, but there are things that we have to do, and this is more on the technological side and on our security side: we need to have a system that can identify and monitor what our employees are doing to make sure that they’re compliant with our security protocols.
We will have a system that will check and see if our employees are downloading significant amounts of data and it doesn’t make sense if they are doing it after hours, look to see if they’re logging onto known malicious websites. So we have to have this monitoring program and it’s not Big Brother looking but it really is a program to make sure that we’re spotting anomalies in the usage of our systems.
Sharon D. Nelson: That’s the big thing, those anomalies, and certainly what we see most is the theft of proprietary data. Let’s move to outsider threats. What do you think the biggest threat is and how do you protect against it?
Mike Barnsback: Well, I think the biggest threat is the ransomware issue, where the outsiders are able to get access to our system, take control, and then completely control our data and prevent us from having access to it. When this happens, it will completely shut down the organization, and it’s critical if a law firm can’t have access to their data.
So I think that’s what our real focus has to be because again as law firms, we are not dealing with business espionage efforts unless an outsider knows that as a firm, we represent a large business and they want to get access to that data. I mean, we have to keep in mind as law firms we have a higher level of obscurity and we have a higher level of trust because we have an ethical duty to safeguard our client data.
So we’re not just worried about our own data, we have a higher level of security, we have got to keep in mind that we have got confidential information from our clients, we have an ethical duty to maintain that confidentiality. So I think that’s where we have kind of our greatest focus on making sure that we keep outsiders out of our system.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: The Digital Edge Podcast, where the law and technology intersect. I’m Sharon Nelson, and together with Jim Calloway, we invite professionals from all fields to discuss the latest trends, tips and tools within the legal industry. Stay up to date on the rapidly changing legal tech landscape with the Digital Edge on the Legal Talk Network.
Christopher T. Anderson: If you’re a lawyer running a solo or small firm and you’re looking for other lawyers to talk through issues you’re currently facing in your practice, join the Un-Billable Hours Community Roundtable, a free virtual event on the third Thursday of every month. Lawyers from all over the country come together and meet with me, lawyer and law firm management consultant, Christopher T. Anderson, to discuss best practices on topics such as marketing, client acquisition, hiring and firing, and time management. The conversation is free to join, but requires a simple reservation. The link to RSVP can be found on the Un-Billable Hour page at legaltalknetwork.com. We’ll see you there.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Threats to Your Law Firm: Insiders and Outsiders.
Our Guest is our friend, Mike Barnsback, the Managing Partner of the Alexandria, Virginia, office of O’Hagan Meyer. Mike’s practice focuses on representing employers in all aspects of employment law issues. His experience representing employers led him to concentrate on data privacy and security issues for employers.
John W. Simek: Well, Mike, we’ve noted a big uptick in attacks that start with a conversation that seems innocent. In other words, there are no links or attachments or whatever in these emails, et cetera. But what are some of the indicators? Can you let our listeners know what you’ve seen where maybe this isn’t an innocent conversation?
Mike Barnsback: Yeah, we actually probably see this once or twice a month: wicked emails that look like they’re legitimate emails, asking for innocuous things. Like, you’ll get an email from what appears to be the main partner asking if you’re in the office. That doesn’t trigger any instant response, but those innocent communications you have to be careful about, and you can’t ignore them. You really need to look at who’s sending that to you, because the cybercriminals are becoming very, very clever in spoofing emails to make sure that they look close to the actual email. There may be a letter off, or a number in place of a letter.
So if you just scan it quickly, it looks like it’s coming from a legitimate source so you’ll have a mismatched email domain. Sometimes you’ll see these conversations it will have bad spelling or bad grammar, that’s an indication that there may be something off. Obviously, if there’s a suspicious link or an attachment, that’s something that everyone needs to be aware of and not click on the link but there’s a danger in just responding to these innocent conversations because one of the things that cyber criminals are doing is they’re taking your response, then they’re copying your signature line and using that to spoof other emails to people.
So when someone gets an email from you, it looks like it came from you because it’s got your signature line, it’s got everything there, but they obtained that because they engaged in this just kind of simple innocuous conversation from you. So there’s a lot of reasons why when something comes in, look at it carefully and don’t just automatically respond. When I get those, I don’t respond at all because I’m afraid that they’re going to do just that.
They’re going to take the information and my signature line, paste it into a spoof email and start sending it out to other people in the firm. So those are the indicators, and you have got to take your time and not just click respond. And unfortunately, we get so many emails during the day, our instant reaction is, okay, here’s an email from my partner Joe, I’m just going to say okay, what’s going on? And then look at it later and find out it’s not from him, it’s from some outsider, the spoofed email.
Sharon D. Nelson: Well, we’ve certainly seen that business email compromises are a major threat. Could you explain to our listeners what BEC is and how to protect against it?
Mike Barnsback: Yeah, a business email compromise is, it’s an email that appears to come from a known source so it looks like it’s coming from someone that you know whether it’s inside the firm, whether it’s a vendor, whether it’s a client and the email just on quick glance looks like it’s one that you’re expecting, looks like it’s one coming from a known trusted source but it’s not.
And you’re going to get these in the situations where a vendor out of the blue is going to send you an invoice with an updated address or they’re going to send an attachment saying hey, we’ve got this new invoice. If you’re not looking carefully on that email domain address to make sure it’s from the proper party, you could be opening yourself up to downloading malware, opening up these links that will allow malware to come into your system.
Whenever I get — and this happens quite frequently, I’ll get an email from a law firm that’s on the other side and they’ll be sending me discovery through a share link. Even when I know that it’s coming, I still call the lawyer to confirm that they actually sent that link to me because sometimes you can have a bad actor in your system that’s monitoring what’s going on and they can take control of a conversation even when it’s a legitimate conversation.
So I always make sure when I’m getting an external link or file from someone, I take the time and I pick up the phone and call them to confirm: hey, did you actually send this link? Is this legitimate? And they’ll say yes. Or, is this a legitimate attachment? And I’ve had a couple of occasions where we found that they’d been hacked, that it was not legitimate, and it’s as simple as that.
You get an email from opposing counsel, you’re expecting to get discovery from them. You automatically click on it. You find out that email has been spoofed and now you’ve downloaded a significant amount of malware and that bad actor is now in your system.
John W. Simek: I see that as a really great idea, Mike, and a best practice. Do you get any pushback from the opposing parties when you do that all the time?
Mike Barnsback: No. In fact, they’ve come to expect it from me.
John W. Simek: Oh okay.
Mike Barnsback: And sometimes now I’ve got — I shouldn’t say trained, but I’ve got the other side trained to give me a call and say, hey, we’re sending you the link now. So they expect it from me. Where I get pushback, John, is internally. I get people in my own firm saying, well, I know it’s coming, why should I pick up the phone?
John W. Simek: Kind of like our children, right, they’re always pushing back.
Mike Barnsback: Yeah, I mean, it’s a 10-second effort that can potentially prevent significant problems. We rely too much on electronic communications. I’m still a big fan of picking up the phone. I have trained my associates in my office: why are you emailing me with a question? I’m right down the hall from you.
John W. Simek: You know, we must be so old school. I have the same feeling Mike. Let’s move on to something else. What do you advise a business that’s been breached? So, let’s assume one of your clients has been breached. What do you tell them to do right after they’ve discovered that and what are the steps after that initial action?
Mike Barnsback: Well, John, I’m really hoping that that first conversation that I have with them isn’t them telling me that they have a breach, because I’m hoping that that client has a response plan in place, that they’ve thought about what happens if a breach occurred, who’s going to be involved. So that’s what I’m really hoping, that they’ve got that in place. Now –
John W. Simek: So the risk response plan isn’t “call Mike.”
Mike Barnsback: Yeah. Well, I’m part of that response plan, yes. I really hope that they have everything in place, so it’s just a reaction to it. You’re not thinking of who am I calling, what am I going to do? I mean, really the first thing, put aside the response plan, the first thing that they need to do is secure the operations, secure the data, secure the computer systems. And this is why the response plan is so critical, because if you’re just now scrambling at the last minute and someone finds out there’s a breach, they don’t know who to call.
Whom am I going to reach out to? I’ll call my internal IT people. Chances are they’re not the security people you need to talk to. You need to have a response plan that’s going to involve information security, forensics, information technology; your operations and management are going to be involved. Your legal team is going to be involved for all the legal implications, but the first step is secure your operations, secure your computers, make sure that that breach is not going to expand. It’s not going to expand outside to other systems, and then fix the vulnerabilities.
And once you do that, then you have all of the other steps that you have to look at. You have to find out what data has been affected. Who do I have to notify? Am I notifying clients? Has their data been affected? Am I notifying law enforcement? Yes, you should notify law enforcement, but I don’t think law enforcement is going to be your first call because they’re going to be reactive. They can’t help you secure your systems. They can’t help you fix the vulnerability.
So that really has to be your focus. So unless you have a response team already set up, you’re already behind the eight ball and you’re already losing valuable time and that’s why I said having that response plan in place where you can go to the plan, open to the page where it says breach, and here’s a list of the phone calls, you reach the people you have to call right away.
I’ve got to call John, I’ve got to deal with my security issues. I’ve got to call in on my forensics issues. I’ve got to make sure that not only am I securing my systems, fixing the vulnerabilities, but I’m not stepping on all the data and destroying the forensics, so we can figure out what happened and who did it to us and where this data may have gone.
Sharon D. Nelson: They have big boots, don’t they? Stepping on these things.
Mike Barnsback: Yes, they do. I mean, I’ve been involved in situations where I guess they had kind of a response plan, because they knew if there was a problem, they’d call their outside IT vendor, and fortunately the outside IT vendor was very good because they had a complete backup. But what they did is they took down the system completely and, in the process, wiped all the data and all the evidence of what happened.
And then they actually had a backup hardware system and the backup data and got it all up and running in a hurry. So that preserved their operations. So there was no disruption in what they were doing as a business. But in the process, they lost all the evidence of what actually occurred during the breach, and it’s just as important to keep that, because that will let you know exactly what was taken. Because they destroyed everything in the process of securing their systems, they weren’t sure what was taken, so we had to assume everything had been accessed, and that’s a dangerous assumption.
In this case, we actually were fortunate because it was a ransomware situation and the bad actors played their cards and started posting stuff on the dark web, and what was posted was just innocuous. So it was clear they had not gotten to any of the really significant information. So they were fortunate that the bad actor started putting stuff on the dark web that was not a serious data breach, but we still had to act as if everything had been compromised and had to make all of the notifications: to the clients, to the federal government because in this case it involved medical data, and then to the state authorities.
So it was a real mess. It didn’t have to be that way if they had a better response plan in place in the beginning, we could have really mitigated that part of the loss.
Another person in that response plan, another group: you need to have a communications plan. You can have some serious reputational harm when you have a breach, particularly as a law firm. So you need to know how to deal with that. What information are you going to disclose to the public to start dealing with the reputational harm? So you need to have a communications plan that may involve, depending on the size of the firm, a PR firm.
So this is a comprehensive response, and if you haven’t thought about this in advance and had the plan in place, you’re going to be behind, you’re going to forget to do things and it’s going to make a significant mess.
Sharon D. Nelson: Well, we know from talking to you Mike that you wish that entities would consult you before they have a breach, but that doesn’t seem to have a lot of appeal to clients. So why do you think that is? And can you do anything about it?
Mike Barnsback: It’s another thing that we have to worry about, and don’t we have a long list of things as attorneys that we already are worrying about? And now I’ve got to worry about my computer data as well? Don’t I pay my IT people to deal with that? Aren’t they going to be sufficient in case there’s a breach, or aren’t they providing the proper level of security?
It’s another expense, it’s another time commitment that we have to take, and that’s the real challenge for us: trying to convince people, convince attorneys, that we have to take the time to do this. And I think the best way to get it across to attorneys is to talk about our ethical obligations to maintain the confidentiality of our data. There are plenty of opinions, ABA opinions, and local bar association opinions, state bar association opinions, that talk about that.
And I don’t think we’re getting that through to our attorneys well enough. Once we realize that we do have that ethical obligation, we start paying more attention to what our — kind of our technical obligation is to try to secure our data, try to secure our client information. I mean, as attorneys we know it’s a confidential communication. I am not going to post it on the Internet. I’m not going to send it to the wrong people. It’s going to breach attorney-client privilege at a minimum, and it could disclose highly sensitive information.
But we don’t think about what we need to do to maintain the security of our own internal databases, our own internal systems and I want to get it across to lawyers that we have to do this. We have to take the time to understand what data we have, that’s a starting point. Most of us don’t know what our data is. We don’t have a data map that shows where everything is, what type of data and who has access to that data.
So it really involves convincing the management, the thought leaders in a firm that this is an exercise that we must engage in. We have to take the time to make sure that we’re doing the right thing to preserve our clients’ data. It’s just like we really worry about our clients’ funds when we hold them in trust. Well, their information is just as valuable, if not even more valuable, than the client funds that we hold.
John W. Simek: Well, before we move on to our final segment, let’s take a quick commercial break.
Adriana Linares: Are you looking for a podcast that was created for new solos? Then join me, Adriana Linares, each month on the New Solo podcast. We talk to lawyers who have built their own successful practices and share their insights to help you grow yours. You can find New Solo on the Legal Talk Network or anywhere you get your podcasts.
J. Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany them. On Lawyer 2 Lawyer, we provide the legal perspective you need to better understand the current events that shape our society. Join me Craig Williams and a wide variety of industry experts as we break down the top stories. Follow Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Threats to Your Law Firm: Insiders and Outsiders. Our guest is Mike Barnsback, the Managing Partner of the Alexandria, Virginia, office of O’Hagan Meyer.
Mike’s practice focuses on representing employers in all aspects of employment law issues. His experience representing employers led him to concentrate on data privacy and security issues for employers.
John W. Simek: Mike, early on, you mentioned putting policies in place. Can you tell our audience what kinds of cybersecurity policies they should have?
Mike Barnsback: We are looking at cybersecurity policies that are again directed to our staff to deal with our computer hygiene and our security issues. One of the policies that we should have is dealing with passwords: talking about what an appropriate password is, then our password security, making sure that our staff doesn’t write their password on a piece of paper or a sticky note and put it on their monitor in case they forget.
As part of the — we talked about insiders; some of the insiders are people that have access to our office. At night, our cleaning crew can come in and gain access to our credentials if people are not properly securing their user names and their passwords. I also like to see policies that talk about external storage devices. I want to prevent my staff from loading external storage devices onto our system because that creates another outlet for my data to migrate out of the system that we have no control over.
When someone is going to use an external storage device, I want to know about it. I want to give them specific authority for that and make sure that they’re using an external storage device that’s properly encrypted. I don’t want to have someone put confidential client data on a USB drive, take it over to a client and then just lose that USB drive. That’s a data breach, and if it’s not encrypted, that’s a significant issue for us.
Other policies again talk about how we maintain our confidentiality, how we set up our access to certain information. We want to limit an employee’s access to that information that they need to have; not everyone in a law firm needs to have access to all the financial data. I’d like to see, and we have it enacted here in our database, that we have limitations even on the cases that you can have access to.
So if you’re assigned to a case, you’re limited in our database to the information related to that case. If you need something from another case, you have to go to either the attorney involved or the database administrator to pull that information out. So it’s all types of policies dealing with access to information, securing the information, confidentiality of the information and our password use.
We want to make sure that our policies say don’t share your credentials with anyone internally. That’s another way that you can lose your access and lose your credentials. While it seems natural, we are going to say, I’m going on vacation, I’ll let my secretary or my administrative assistant have my credentials and access to my system. Now there’s a better way to do that, and a more secure way, where your assistant can have access to, say, your email without actually giving them your credentials, because we want to make sure that we know when it’s being accessed, how it’s being accessed, and by whom it’s being accessed.
Sharon D. Nelson: Well, businesses, Mike, tend not to worry about data stored through third-party software such as enterprise management software, but when a breach does occur — and I’m staring here at the outline, or the headline, “legal tech firm Casepoint has a breach” — so when a breach does occur, they don’t typically know how the data was stored or protected, or what recourse, if any, the business has with the vendor.
So what should businesses do to protect themselves in cases like this?
Mike Barnsback: Well, the first thing that you have to do is look at that contract. I mean, and frankly, it’s a painful event, because if you’ve ever looked at these contracts, they are very, very difficult. There’s a lot of boilerplate, and it takes a while to get to that language that talks about how the data is being stored, what the vendor’s liability is, and most of them try to disclaim all liability for breach.
So you have to make sure that you’ve got a contract that’s not going to let the vendor off the hook, and you’re making sure, if you’re storing your confidential client information on a third-party system, that that vendor is taking actions to secure that data just as you would secure that data. It’s difficult, and a lot of us, when we’re trying to price out and look at these vendors, we look at the price, we look at the capabilities, but we don’t think about what’s going to happen if there’s a breach.
Now, who do we contact within the vendor to get a response to the breach? Can the vendor help us? Can the vendor even identify the information? Can the vendor identify the source of the breach? What are their breach notification requirements to you? Because sometimes they’ll take their time in notifying you, and that’s very dangerous.
So it’s all a matter of getting into the details and unfortunately, a lot of those details aren’t going to be found in the boilerplate contracts that you get from the vendors.
So you are going to have to pry and talk to the right people when you’re trying to negotiate one of these contracts.
Sharon D. Nelson: Well, I certainly agree with all of that, and we’ve seen more than one legal tech vendor who has been compromised. So that’s excellent advice. And I really like the fact that you go through this in a way — this entire podcast, you’ve been talking to people in terms that almost anyone can understand, as opposed to some of the highly technical or highly legal things that they might not be as familiar with.
So that’s very useful and I really appreciate it. You’ve been a friend for a long time. I love that you came into this area so that we could invite you on the podcast legitimately, and we both want to thank you so much for being with us today.
Mike Barnsback: Well, again, I thank both of you, and let me just comment on trying to talk this through in a way that people can understand. A lot of computer security and privacy professionals get caught up in the technical jargon and you lose your audience. So that’s one of the things that you have to make sure of: that you’re talking to the law firm managers, the partners, their IT people in a way that they can understand what’s going on and why they need to be concerned.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all of the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. If you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology, and managed cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.