Bad Tech Habits Your Firm Needs to Break

Episode Notes

Transcript

Intro: Welcome to Digital Detectives, reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 153^rd Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice-President of Sensei Enterprises. Today on Digital Detectives, our topic is Bad Tech Habits Your Firm Needs to Break. Our guest today is Mark Bassingthwaighte, Esq. who since 1998 has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In this tenure with the company, Mark has conducted over 1,200 law firm risk management assessment visits presented over 600 continuing legal education seminars throughout the United States and written extensively on risk management, ethics and technology. It’s great to have you with us today, Mark.

Mark Bassingthwaighte: Thank you very much, John and Sharon. It truly is a pleasure to be here with you. I’m looking forward to our conversation today.

John W. Simek: So, Mark, as a Risk Manager with a legal malpractice insurance company, you’re concerned about the tech habits of lawyers particularly of those that practice in the small firm space. So, tell us why that is. Why are you so concerned over that?

Mark Bassingthwaighte: Well, you’re not beyond. When I first started with ALPS, everything I did was focused on helping lawyers. You don’t manage the risks that could lead to a malpractice claim or a disciplinary complaint. Of course, some of my efforts were geared toward helping lawyers improve their tech competency but that really wasn’t my central focus. It wasn’t until the frequency of cybercrime attacks started to explode in the early 2000s that really everything changed. Now, I had to do all I could do to help law firms manage this new risk and, unfortunately, this particular risk continues to evolve.

Let me share just a few stats to underscore of my current concerns. In 2022, the FBI’s internet crime complaint center, otherwise known as IC3, received 800,944 complaints from the American public regarding cyberattacks and malicious cyber activity. Now, the good news is this was a 5% decrease from 2021. The bad news is the potential total loss has grown from 6.9 billion in 2021 to more than 10.2 billion in 2022. Given that many incidents are never reported and that the majority of these victims were small businesses, I find these numbers quite concerning. Making matters worse at least in my mind, according to the CNBC SurveyMonkey small business survey for Q4 in 2022, only 4% of small business owners said that cybersecurity was the biggest risk facing their business. While 64% said they were confident that they could quickly resolve a cyberattack. These numbers just for me and my suspicion is if this survey was limited to solo and small law firms, the number would be the same if not a bit worse because, you know, most solo and small law firms just don’t believe they’re a target.

Sharon D. Nelson: Well, let me guess with this unfounded belief be one of the bad tech habits these firms need to break.

Mark Bassingthwaighte: Yeah, you bet. Indeed, it is because believing you’re too small to be on anyone’s radar quickly becomes the excuse for deciding to take a do-nothing posture at least when it comes to developing and enforcing policies that really could address various cyberattack vectors. You know, for example, if a firm were to implement a mandatory process whereby all wiring instructions need to be confirmed using previously verified contact information by way of an out-of-band communication channel prior to authorizing the transfer every time money is to be moved. The risk of becoming the next victim drops to almost zero. Yeah, making a change like this, too often seems to be viewed as being inconvenient and unnecessary.

John W. Simek: Mark, you used a term they’re out of band communication in your example and I’m very familiar with that and I know Sharon is as well, but can you define that a little bit for our audience who may not be aware of what that means?

Mark Bassingthwaighte: I need to start by sharing a real-world example of a wire fraud incident —

(00:05:00)

— and this is one of my favorite stories. A law firm relied on an online fax service to request and receive loan pay off statements via fax. The vendor would forward all incoming faxes to its designated firm email account. Unbeknownst to the firm, this designated email account had been compromised giving whoever did it the ability to monitor all incoming taxes. Any fax that did not contain wiring instructions was immediately forwarded by the hacker to the firm’s email account as a way to avoid being detected. Once the fax containing wiring instructions was spotted, however, the hacker quickly modified the payoff account information and then forwarded the altered fax to the firm. Now, since the incoming fax was expected came from a known party and there were no obvious signs of any fraudulent activity, the firm assumed the information contained in the altered fax was accurate which is why they ended up wiring substantial funds to the wrong account.

Now, the firm regularly works with the person who sent the fax and they know what this person’s correct or accurate phone number is. All they had to do was change the communication channel and place a call to verify the accuracy of the routing number. So, in short, out-of-band communication simply means change the communication channel. Here, the incoming communication was a fax. So, the firm should have used a different outgoing communication channel, for example a phone, to verify the accuracy of the incoming information.

Sharon D. Nelson: I wonder if compounding this problem, Mark, is a failure to understand that in terms of the internet, words like rural, small town and small business don’t have the same meaning as they do in the real world.

Mark Bassingthwaighte: Sharon, I really do think you’re right about that and, unfortunately, believing that they do have the same meaning, you know, that can lead for years to becoming complacent about the true level of risk they face. Now, this actually gets me to the next bad tech habit firms need to break. A belief that you’re too small to be on anyone’s radar because of the size of the firm where it’s located in the types of matters you handle also leads to what I like to call the false sense of security problem, which is assuming that your IT support can protect your firm from just about every thread out there. I know the two of you will agree with me when I say IT simply can’t for two reasons. The first is this, every day, every user of tech is a potential victim of every new and unknown or unidentified cyber threat in the wild until the fix is in. Yes, most law firms have deployed internet security software suites, intrusion detection systems, firewalls and the like, and this really does make a huge difference and I want to underscore firms should trust that the efforts of their in-house IT staff or outside IT consultants will keep them safe as safe as they can. Just understand that while IT support can do quite a bit and their toolbox of solutions continues to get ever better, they simply can’t protect you from unknown or unfix security vulnerabilities that hackers take advantage of.

Making matters worse, the second reason is there’s one significant vulnerability. IT support will never have a patch or update for and that vulnerability is the people who use whatever tech any given firm has in play. Too many firms still fail to fully appreciate the level of risk any internal training staff member truly represents. Every person at a firm is part of the security equation and none of them can be secured with a software patch or hardware upgrade.

Here’s the harsh reality. Any individual’s actions can unintentionally circumvent any security tool IT supports deployed. All someone has to do is open an infected email, click on a malicious link or unwittingly verified password for a cybercriminal and it’s game over. Unfortunately, these things often happen because the individual simply didn’t know any better got caught off guard or sometimes just doesn’t care. There are times where people sit and think it’s not my responsibility.

(00:10:00)

That’s my employer’s responsibility, you know. So, and they just don’t care.

John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.

[Music]

J. Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany them. On Lawyer 2 Lawyer, we provide the legal perspective you need to better understand the current events that shape our society. Join me, Craig Williams, and a wide variety of industry experts as we break down the top stories. Follow Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.

[Music]

John W. Simek: The ABA Journal Legal Rebels Podcast features the men and women in the legal profession who aren’t satisfied with good enough. These are the people who are changing the way law is practiced and setting the standards that will define the profession in the future. Each episode, we share their story. To hear insights from those with an eye fixed towards tomorrow, follow the Legal Rebels Podcast, part of the Legal Talk Network.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Bad Tech Habits Your Firm Needs to Break. Our guest is Mark Bassingthwaighte, Esq. who since 1998 has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mark has conducted over 1,200 law firm risk management assessment visits presented over 600 continuing legal education seminars throughout the United States and written extensively on risk management, ethics and technology.

John W. Simek: Mark, before our break that we had, you started talking about the biggest risk factor, the firm’s face and whatever these things that are called carbon units, otherwise known as people, and we deal with that every day as well and they do. You know, they are unintentional in some of their actions and hopefully they’re not malicious, right, in what they’re doing to their firm, but they are an enabler, you know, pretty much on a daily basis and they really need to understand what’s going on with cyber. But what do you think that the firms can do to help, let’s say, lessen that risk?

Mark Bassingthwaighte: It’s a great question. You know, first, firms need to accept reality and see the situation for what it is. Becoming and remaining cyber secure is an all-hands-on-deck proposition that really never ends. Everyone has a role to play and it starts with ongoing mandatory social engineering awareness training for every single person who works at a firm, everyone. I truly believe the vast majority of people want to do the right thing. The problem is, how can they if they don’t know what the right thing to do is. In my mind, social engineering awareness training addresses that problem head on. It’s the only way I know of that keeps everyone apprised of what the various attack vectors look like, how the attacks work, how the attacks are evolving, and what to do if they recognize a cyberattack is underway. The goal is to give everyone at of firm the ability to know how to not unwittingly helped an attacker circumvent the security solutions IT have deployed.

Sharon D. Nelson: I wish we could all figure that out, but we are all trying. We’re all rowing in the same direction. Mark, you’ve shared that things change for you professionally in the early 2000s as a result of the explosion in cybercrime. I’m curious. In your world, did the COVID pandemic alter the cybercrime threat landscape yet again?

Mark Bassingthwaighte: Absolutely, it did absolutely in a very big way. The best way for me to describe it would be to share another bad tech habit firms need to break which is allowing the unfettered use of personal mobile devices for work. Now, I’ve been telecommuting for 14 years. So, this, you know, work from home movement that got its start as a result of the pandemic wasn’t a big change, a big deal to me personally. My concern stems from the apparent lack of concern of the use of personal devices for work, however. For example, far too many seem to believe that mobile devices pose little to no risk. Now, I know you will agree with me when I say these folks are all woefully misguided. Smishing is particularly problematic because people are more inclined to trust a text message than an email and are less aware of the security risks surrounding text messages. What happens is cybercriminals obtained phone numbers that are available on the —

(00:15:00)

— dark web after a data breach or they use web crawlers to gather numbers from social media sites or they may even just use a random number generator. Then, they start sending up text messages trying to trick recipients into clicking on a link or calling a number all done in the furtherance of identity theft to capture login credentials or to have the recipient unwittingly downloaded a malicious app. Making matters worse, the number the text message appears to originate from may be a spoofed phone number, meaning it appears to be coming from a reputable source when it actually isn’t. What few realize is just how effective smishing is. In fact, I recently learned here in the United States $330 million have been stolen in mobile device attacks just in 2022. As I see it, that’s not chump change.

John W. Simek: We certainly agree with you and if you’ve heard me lecture on the topic of personal devices, Mark, you know, that I consider BYOD as bring your own disaster, but identifying the problems, that’s just the easy part though. What can the firms do responsibly address some of the concerns that you’ve just raised?

Mark Bassingthwaighte: I don’t want to minimize the importance of the basic, you know, such as properly securing home routers, making sure all mobile devices have a robust security app installed and are current in terms of security patches and updates in addition to a number of other security steps one should take. Really more and more I’m coming to believe that social engineering awareness training that also focuses on the cyberattack vectors directed toward personal mobile devices is every bit as important due to how successful things like smishing, vishing and phishing attacks are. The reason I say this is due to the reality that many of us take a more, shall we say, lacks a days ago view in terms of worrying about cybersecurity risks when using personal devices and the attackers know it. Couple this with the fact that these devices often our network connected devices that also store all kinds of valuable data such as passwords, personal and financial information, location data, documents, photos, and even client information and the reason these devices are such an attractive target becomes really self-evident.

Sharon D. Nelson: Well, we can certainly see that your concern over how successful smishing, vishing and phishing and that’s they all rhyme.

Mark Bassingthwaighte: It’s the -ishing trio.

Sharon D. Nelson: It’s the -ishing trio. You know, it certainly warranted given all that we see too. But here again, I think it would be helpful to briefly explain to our listeners what smishing, vishing and phishing are, and would you also share a bit more on why you think firm should place a component that focuses on attack vectors directed toward personal mobile devices and any social engineering awareness training that the firms do.

Mark Bassingthwaighte: Let’s start with phishing. You know, phishing and focus P-H-I-S-H-I-N-G is a cyberattack vector whereby intended victims are contacted by an email disguised as trusted contact or organization with the hope that the intended parties will react without thinking first. The ultimate goal is to try to trick individuals into giving out sensitive information like passwords or credit card numbers or taking a potentially dangerous action like clicking on a link or downloading an infected attachment. Smishing is basically the same type of attack except that occurs via text message. The word comes from combining the term SMS texting with the word phishing. Vishing stands for voice phishing. It is a form of criminal phone fraud whereby the scammer uses social engineering techniques during a call to try to gain access to personal or sensitive information often for the purpose of financial gain.

The real reason why I feel so strongly about this training component has to do with my next bad habit firms need to break, which is running with an assumption that everyone at a firm is smart enough to recognize most phishing, smishing and vishing scams. If a firm isn’t conducting mandatory ongoing social engine engineering awareness training and they really aren’t. For example, and now, I’m going to speak directly to our listeners here. Suppose you receive a call from someone claiming to be from your bank. The caller is going to be quite pleasant and very professional. She’ll tell you there has been some suspicious activity in your account and she will also accurately —

(00:20:00)

— provide a little personally identifiable information, all of which is available on the dark web. Now, here’s a typical script. “Hello. I’m calling from Wells Fargo” or whatever your bank happens to be. “Someone has been using your debit card ending in 8774. I’ll need to verify your Social Security number which ends in 3006. Is this correct?” and it will be. If you say yes and allow this to continue, you’re going to hear, “Now, if you will provide me with your full debit card information, we can stop this unauthorized activity.”

Now, if you were to receive such a call, how do you think you might respond? Let’s change the facts just a bit. The call will be placed to an employee at your firm and the account of concern will be your firm’s trust account. Call me skeptical, but I think more than a few would be caught off guard absent the kind of training we’ve been discussing here.

John W. Simek: Before we move on to our final segment, let’s take a quick commercial break.

[Music]

Jared Correia: They say the best things in life are free which either means Legal Toolkit Podcast is pretty awesome or we’re totally committed to the wrong business model. You’ll just have to tune in to find out which it is. I’m Jared Correia and each episode I run the risk of making total ass of myself. So, you can have a laugh, learn something new and why not maybe even improve your law practice. Stop believing podcast can’t be both fun and helpful. Subscribe now to Legal Toolkit. Go ahead. I’ll wait.

[Music]

Christopher T. Anderson: If you’re a lawyer running a solo or small firm and you’re looking for other lawyers to talk through issues you’re currently facing in your practice, join the Un-Billable Hours Community Roundtable, a free virtual event on the third Thursday of every month. Lawyers from all over the country come together and meet with me, lawyer and law firm management consultant, Christopher T. Anderson, to discuss best practices on topics such as marketing, client acquisition, hiring and firing, and time management. The conversation is free to join but requires a simple reservation. The link to RSVP can be found on the Un-Billable Hour page at legaltalknetwork.com. We’ll see you there.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Bad Tech Habits Your Firm Needs to Break. Our guest today is Mark Bassingthwaighte, Esq. who since 1998 has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mark has conducted over 1,200 law firm risk management assessment visits presented over 600 continuing legal education seminars throughout the United States and written extensively on risk management, ethics and technology.

John W. Simek: Well, Mark, there’s obviously a thing going on here that the reason behind every one of these bad habits that you’ve explained so far in our session really has something to do with a failure to provide this social engineering awareness training and focusing on that, and I know that’s your intent you know certainly as well, but we know you and in terms of helping the first become cybersecurity, this training thing hasn’t always been a primary focus of yours. We’ve known you for many, many years. But so, we’re curious as to why the shift and concentration there.

Mark Bassingthwaighte: Well, and again, you know, it’s a great question. The reason really is best explained by my sharing another bad habit firms need to break. In short, when it comes to providing mandatory ongoing social engineering awareness training, first, stop making excuses before it’s game over and I really am not trying to be melodramatic by saying this. I need to say it because, in various ways, I’ve been involved in the aftermath of a firm that fell prey to a cybercrime to include a few firms that no longer exist. The sad part is most of these situations could have been prevented if they had just conducted some basic social engineering awareness training and develop, enforce a few policies that would have addressed a common attack vectors. In other words, this didn’t need to happen.

Sharon D. Nelson: Well, you know, Mark, you’re singing to the choir.

Mark Bassingthwaighte: Well aware.

Sharon D. Nelson: I mean, this is what we go through every day when they tell us, you know, I can’t afford it. It would be too disruptive. We are too small to be a target. I mean, the list goes on and on and on. We’ve enjoyed all of this talking with you. Do you have any final thoughts you’d like to share with our audience?

Mark Bassingthwaighte: Well, let me close with my final bad habit firms need to break. Stop assuming social engineering awareness training is expensive.

(00:25:00)

Here’s the problem with that line of thinking. Compared to the cost of falling prey to a scam or having your network breached, the cost of training are minimal. Trust me, folks. Some training resources are even free. For example, there’s a company called KnowBe4 and they have a blog. That’s K-N-O-W-B-E and the number 4, KnowBe4’s blog, or the Sans Institute and their @sans.org. They have a newsletter called Ouch. These are free resources that are quite valuable. Perhaps, you could ask your own IT support person to provide periodic training. I mean, if nothing else, this would be a place to start. Of course, there are a number of companies that provide security awareness training as well. I’m partial to know before and, of course, I can highly recommend my two favorite digital detectives, the two of you, and folks I just strongly encourage you to check out our good friends, Sensei Enterprises, and their senseient.com. So, with that, I will stop my quantification and how about we call it a day.

Sharon D. Nelson: That’s how it sounds good to us. I want to thank you so much for being our guest today, Mark. It’s always a pleasure. We kind of do much of the same things. It’s like having our brother with us here today. So, we really appreciate you taking the time though, very kind words and I hope people will listen to these bad habits they need to break because they do need to break them and they’re not safe many of them preceding the way they are. I know, it feels to them like it’s a lot of money. It’s not a lot of money. You want to see a lot of money? Get breached. Thank you so much.

Mark Bassingthwaighte: You’re welcome. Thank you, John and Sharon. It has been a pleasure and I look forward to seeing you sometime again back out on the road somewhere. Stay well.

John W. Simek: Well, that does it for this edition of Digital Detectives.

[Music]

And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or an Apple podcast. If you enjoyed our podcast, please rate us on Apple podcast.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology and managed cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]