Enhancing Law Firm Cybersecurity: The Ten Most Important Steps

Episode Notes

Transcript

[Music]

Intro: Welcome to Digital Detectives, reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 154^th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice-President of Sensei Enterprises. Today on Digital Detectives, our topic is Enhancing Law Firm Cybersecurity The Ten Most Important Steps. Our today is Mike Maschke, the Chief Executive Office at Sensei Enterprises.  He has been providing IT and cybersecurity support to clients for 20 years.

Mike holds a degree in telecommunications from James Madison University. He is an in-case certified examiner, a certified computer examiner, a certified ethical hacker and access data certified examiner and a certified information systems security professional.  As usual, it’s great to have you with us today, Mike.

Mike Maschke: Thanks John. Thanks Sharon, and thanks for spending the time going through all those acronyms. It’s just a way to say that about it. A die-hard geek at that hard, and I’m excited to have the opportunity to talk to you guys today about law firm cybersecurity and the measures that a law firm should be implementing.

John W. Simek: Let’s jump right into it, Mike. Let’s start with some cybersecurity policies and procedures that a law firm should have in place to protect their client data and their sensitive information. If you can start with those.

Mike Maschke: Let’s start with probably the most mundane aspect of cybersecurity. But I mean, in reality, you can’t have a good cybersecurity posture unless you have the foundation to build upon. You know, you’re not trying to build upon sand, you want some firm ground. And what that is, its cybersecurity policies and procedures.

Typically, it’s a series of documents or pauses that you follow to implement or enforce your cybersecurity measures and other things. Typically, you may see that in terms of like a written information security program or a wisp. But it’s a document that contains a bunch of policies.

Now, some of the ones that law firms should seriously consider drafting and implementing, of course now with the prevalence of data breaches, both in the legal community and elsewhere. In other verticals is an incident response program. What happens, you know, what do you do if you experience a potential incident? How do you respond? What steps does your law firm take? And it’s very important to have that document drafted and reviewed periodically so that when that happens and when that strike happens, you’re not running around like you know, like a chicken with your head cut off. You actually have a policy, you have a document that you can go step by step with your IT consultants and other vendors to carry out that plan so that you can respond in a quick and timely manner.

And one story I like to tell is that when you draft these documents, our one recommendation is, make sure you also have a paper copy. Because if you only have electronic versions of these files in your file server, your SharePoint site gets encrypted or attacked and is not accessible, well how do you respond? How do you find the document? So incident response plan is certainly right up there on the top and I would also say that with the mobility of lawyers and law firms still in a hybrid environment where staff is working from home or remotely still, it’s very important to come to a firm decision about what your employees can do with personal devices, you know. Does the firm allow personal equipment to access company data in your Office 365 accounts or not? And if you don’t, you know, does the firm provide laptops or computers for your staff to use.

So those are certainly the two that I would start with. And then of course, part of the bigger document, the written information security program, you might have employee onboarding, acceptable used policies, you know what your staff can do with the equipment, social media out processing guidelines to take, should you, should you have to move on from a staff member. So things like that solely lay the foundation for a strong cybersecurity program.

Sharon D. Nelson: How important is it, Mike, that employees are trained and aware of cybersecurity best practices? Should there be regular training programs in place?

Mike Maschke: Well, the short answer is it’s extremely important. I mean, the majority of cyber incidents are caused or a direct result of an action from an employee, a staff member, a human being.

(00:05:00)

You know, we can’t remove the human from the computer so we’re always going to have that risk. So, it’s important that your staff be trained at least, on an annual basis, regarding basic cybersecurity hygiene, steps that should be taken to protect their devices, their personal devices, you know. How to detect a phishing campaign or a targeted email message that has been spoofed and what to do when they see something out of the ordinary, who do they reach out to? It’s important to train your staff because the more the staff gets in the cybersecurity mindset, becomes educated on the topic, the stronger your overall cybersecurity defenses are.

John W. Simek: Let’s put our propellers on our heads a little bit here, get a little geeky and talk about access control measures, like authentication and authorizations in order to safeguard our sensitive data that is entrusted to the attorney. And I assume, you’re probably going to touch upon zero trust architecture as well, correct?

Mike Maschke: Yes. So, absolutely, you got it. But that’s coming, that’s coming down the pipeline. All, you know, maybe not as fast as propeller heads wanted to be here. You know, the government tells you they’re going to be online with ZTA in the next year, end of next year, we’ll see,. You know, we know how the government is.

But as far as law firms and small businesses, yes. I mean that is the future, it’s coming. And essentially, what zero trust architecture is, its trust and verify before access is granted to the data or the service or the system or the application. What most law firms are now using is the standard, the traditional you login with the username and password to your computer. So therefore, you’ve authenticated, now your computer trust who you are and it stays that way until your computer locks you out, or you power off your computer. Applications if you’re using cloud-based applications for your legal services, as vendors, they may have a separate user ID password and multi-factor authentication to access that data.

Zero trust architecture really is going to up in the way that we all are used to authenticating. Essentially, anytime you are accessing your computer, a file on a network share or a shared folder within SharePoint, 365 or any of these other legal specific applications, the systems the services are going to ask you to re-authenticate on a periodic basis. Again, they’re not going to trust your computer saying that says you know I logged in three hours ago when I access a sensitive file on a network share it’s going to prompt me to authenticate again.

And what we are seeing is really the first step and to protecting your staff’s authentications is enabling multi-factor authentication wherever it is available. And your vendors typically are now providing it at no cost to protect your accounts. And at this point in time, it should be enabled wherever it is available.

Sharon D. Nelson: I know that what we see a lot is people not updating when they need to update, which is quickly. So, what processes should law firms have for keeping software including operating systems and applications up to date with security patches and any other updates that may be applicable?

Mike Maschke: Well, the first step, any law firm should do, is remove the user out of the process. Take the human out of the picture. You’re in a much better state already, right? Because we know staff members, they want to minimize that little bubble, you know, if they going to restart or to power off the computer, they’ll skip the option that installs the updates because it takes it merely another four or five minutes, you know. They don’t want to be inconvenience. So, the the solution is using software that helps you to manage your endpoints, your computers, your laptops, your servers or virtual servers, that install, they push out the windows feature packs, security updates to both systems and servers automatically. And usually, those products will actually test the patches in a test environment before allowing you to push them out. So, you’re talking, you know, maybe a week, 10 days after patch Tuesday. But again, you know something in a manner that’s in terms of a timeline it’s fast enough to make sure your systems remain protected. But anything you — I mean, the first step again, remove the human element from the picture and find some sort of automated process to force the install of critical updates, zero-day patches on your systems and third-party applications.

John W. Simek: You have options available for pushing the Mac OS devices too, right Mike?

Mike Maschke: Yes, yes, you can do it for Apple devices too, not just Windows-based computers.

John W. Simek: Well, before we move on to our next segment. Let’s take a quick commercial break.

[Music]

Christopher T. Anderson: If you’re a lawyer running a solo or small firm and you’re looking for other lawyers to talk through issues you’re currently facing in your practice, join the Un-Billable Hours Community Roundtable, a free virtual event on the third Thursday of every month.

(00:10:03)

Lawyers from all over the country come together and meet with me, lawyer and law firm management consultant, Christopher T. Anderson, to discuss best practices on topics such as marketing, client acquisition, hiring and firing, and time management. The conversation is free to join, but requires a simple reservation. The link to RSVP can be found on the Un-Billable Hour page at legaltalknetwork.com. We’ll see you there.

J. Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany them. On Lawyer 2 Lawyer, we provide the legal perspective you need to better understand the current events that shape our society. Join me Craig Williams and a wide variety of industry experts as we break down the top stories. Follow Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Enhancing Law Firm Cybersecurity The Ten Most Important Steps. Our guest today is Mike Maschke, the Chief Executive Officer of Sensei Enterprises who has been providing IT and cybersecurity support to clients for 20 years. Mike holds a degree in telecommunications from James Madison University and he is an NK certified examiner, a certified computer examiner, a certified ethical hacker, an access data certified examiner and a certified information systems security professional. You got a lot of certifications Mike.

Mike Maschke: Sorry about that. They drag it on their sharing.

John W. Simek: Well Mike let’s pick up kind of where we left off a little bit and can you talk a little bit about what law firms can do with encryption, how they can use encryption to protect the confidential data and kind of where that encryption would apply? You know, in transit and at rest, you know all those kinds of things and kind of boil it down for, for our listeners.

Mike Maschke: Absolutely, John I can do that. So, encryption is, you know, again, it’s a very basic cybersecurity step that law firms can take to protect sensitive information. So right off the bat, when you’re starting with laptops, devices that are mobile, you know, you want to enable encryption whether it’s FileVault 2 on Mac devices or BitLocker on Windows devices. It’s provided at no cost, it’s free embedded with the operating system, you need to turn it on, it doesn’t come on all the time automatically. If you have mobile devices, you want to make sure those are encrypted as well by setting a pen or pasteurize upon first configuring and setting up the systems. Now, that protects your data at rest on your systems. Now, what about in transit or, you know, in storage in the cloud, dealing with the file sharing programs.

First and foremost, with file sharing, you want to make sure that you’re using a service that provides zero knowledge encryption, meaning the vendor does not hold the decryption key. The decryption key is actually stored with the client or the end user. That way, if the file sharing vendor gets a subpoena or search warrant. All they have is encrypted data. There’s nothing they can do to decrypt it. Even if they were to experience a cyber incident, the attackers wouldn’t have the ability to get that decryption key.

But when it comes to law firms, you know, protecting confidential and sensitive information, often takes place in transit or typically we’re talking email. So there are email protection solutions whether it’s through Microsoft or a third-party product like Proofpoint that allows you as the sender of confidential information to actually on a one-by-one basis or an on-demand basis, encrypt an email message from the sender to the recipient. And most often that recipient will get a notification that they received an encrypted email and they’ll be required to create an account a log into your secure portal. If you use Microsoft solution for email encryption offered in defender plan one or plan two, again the user, the message may be delivered to their inbox, but having received many of those messages before, the sender can dictate what the recipient can do with it. Can they copy and paste? Can they select or drag with the mouse? So, there are definitely ways, affordable ways that lawyers and law firms should Implement encryption within their information systems to protect that sensitive data.

Sharon D. Nelson: And how do you secure mobile devices used within the law firms, especially those that may access or store sensitive client information?

Mike Maschke: Well, the first step is enforcing through your mobile device manager or if you’re using Microsoft Office 365, enforcing security you know, basic security hygiene, requiring a pan or a passphrase on the device. Making sure that the device is encrypted, that after a period of, you know, seven incorrect attempts, that the device will wipe itself.

(00:15:04)

That you as the admin or the law firm can remotely wipe a device, a mobile device, should it become lost or stolen. And then lastly again, educating your users about how to install updates to the iOS or Android operating system software as to release. Again, there are maybe some software out there that will notify the user to install it. But again, it’s taking that additional step of walking the user through the process and the importance of keeping those systems also up-to-date as security patches are released.

Sharon D. Nelson: You know, one of the things I’ve seen a lot recently talked about, Mike, is attorneys will often download some sort of app without even thinking about it. They give it permission to access their contacts. Not a good idea, is it?

Mike Maschke: No, no, no. And again, it’s all in user training, you know. People will just, you know, without thinking or hesitation, they will prove no matter what access the application wants. Your downloads, your files, your contacts, your email, your pictures and photos, your camera and microphone, they need to take a step back and have an understanding of what the purpose of that app is and need to consider, do they want that app to track them across various applications? They want to give it access to the GPS or other sensitive data on the phone.

So there needs, you know, if it’s a personal device or a business device using the access confirm information. This goes back to the, bring your own device or the personal device policy. You know, what steps are or what security steps must that user take when installing an application on the phone that may give that application access to sensitive information. You know, in that same policy, you will also want to dictate if they are traveling with that phone. Can they — they shouldn’t use open or hotel or conference center open Wi-Fi access. They should use a VPN, VPN app on their phone if they need to access company resources.

So, there just some really basic fundamental steps that employees and staff should take to protect data, sensitive data on their mobile devices.

John W. Simek: So, Mike can you talk a little bit about backing up data, with law firms should have in place and you know, kind of how often they should do it, but some of the options might be for them?

Mike Maschke: Yeah absolutely, absolutely John. And if you were ever to experience a cyber incident, you know, what keeps your firm going and alive is a solid backup solution. One that is not accessible to the attackers. So, no longer are we talking about the days of you know keeping external hard drives plugged into servers or USB flash drives plugged into your computers or, please help you if you’re still using backup tapes. But you know, we’re now in an environment where, you know, law firms should have both encrypted on-premise backup appliances that are encrypted and not accessible, they’re agent-based, as well as, you know, having a copy of their most recent backups off-site encrypted in the cloud that would be available or accessible to the law firm should their building catch on fire, some other physical or natural disaster scenario. And by having a copy in the cloud that’s encrypted, it’s not connected as a network drive, it’s not accessible for a computer system. You know, if your system were to be compromised with ransomware, those backups would be inaccessible to the attackers, allowing you to fully recover and not have to worry about paying a ransom or dealing with the attackers, trying to get your data back.

And nowadays with the bandwidth that’s available to businesses, and the low cost of cloud storage and sometimes, depending on the provider, you know, they don’t set a limit or cap. I mean, you could have backups running every hour on your critical system, your servers, your file server. Whether it’s still within your network or in the cloud with Amazon or Azure. So, the backups now are being can be run as frequently as every 15 minutes, seven days a week but you know, you would want to work with your IT provider to figure out what the best schedule and path forward for you for a backup solution is.

Sharon D. Nelson: Well, here’s a question that confuses a lot of attorneys that we talked with. What network security practices, including the use of firewalls, intrusion detection systems and intrusion prevention systems should law firms implement? It is very difficult to explain this to them.

Mike Maschke: Yes, I mean, gone are the days where you could just get up a Linksys or a firewall from your local electronics store for 100 bucks, slap it in and and be confident that your internal network is protected.

(00:20:02)

It used to be that these intrusion detection or IDS or intrusion prevention systems, IPS features were only available in really high-end multi-thousand-dollar firewalls that only the larger law firms and corporations could afford, let alone subscribe to and implement. Now Cisco has released the product called Cisco Meraki firewall that includes these features. And for a couple of hundred dollars, you can purchase the firewall and then you have to pay another few hundred dollars a year for the subscription with these features that keep it updated and it monitors incoming and outgoing traffic from your network for these type of events for ongoing attacks, cyber incident cyberattacks. And if it detects something, it can immediately stop that connection and alert somebody.

So, because attorneys and law firms have the duty to monitor for ongoing data breaches or cyber incidents, having a firewall in place at your office location to protect and monitor incoming and outgoing. internet traffic is vital and it provides law firms even the solos and small firms with the same protection that the larger firms implement. The same features at a much-reduced cost than it used to be.

John W. Simek: Well, before we move on to our final segment, let’s take a quick commercial break.

[Music]

Jared Correia: They say the best things in life are free, which either means the Legal Toolkit podcast is pretty awesome or we’re totally committed to the wrong business model. You’ll just have to tune in to find out which it is. I’m Jared Correia and each episode, I run the risk of making a total ass of myself so you can have a laugh, learn something new and why not, maybe even improve your law practice. Stop believing podcast can’t be both fun and helpful. Subscribe now to Legal Toolkit. Go ahead, I’ll wait.

[Music]

Adriana Linares: Are you looking for a podcast that was created for new solos? Then join me, Adriana Linares, each month on the New Solo podcast. We talk to lawyers who have built their own successful practices and share their insights to help you grow yours. You can find New Solo on the Legal Talk Network or anywhere you get your podcasts.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Enhancing Law Firm Cybersecurity The Ten Most Important Steps. Our guest today is Mike Maschke, the Chief Executive Officer at Sensei Enterprises who has been providing IT in cybersecurity support to clients for 20 years. I would list you again all of his degrees and all of his certifications that he has but there’s just too many. So, we’re just going to say, he’s highly, highly certified.

Mike Maschke: Thank you, Sharon.

John W. Simek: Well Mike, I want to ask this one of you because I think as we move more and more you know you mentioned it early on talking about ZTA and you know the hybrid you know law firms and mobile workforce and all that stuff but. We’re using more and more third-party services. You know, we’re doing virtual servers, you know, you mentioned Azure and AWS and those kinds of things. So how do you manage that cybersecurity risk when you’re using these third-party, you know, vendors or service providers, especially those that are, you know, predominantly cloud-based?

Mike Maschke: The first step that I recommend is the entity that’s making this decision about whether to engage this third-party vendor, first and foremost, they need to be educated, right? They need to know what questions to ask when it comes to protecting their data, their sensitive information. So, before I give you access, whether it’s to my internal network, my computer or to our firm’s client files, what questions should I be asking you, the vendor, about how you protect our sensitive data. What cybersecurity measures have you taken? What do you do to protect our information?

And some of that goes to from the vendor standpoint, do they use encryption, do they require offer you the ability to enforce multi-factor authentication on your user accounts? Do they hold the decryption key or is the encryption key zero knowledge? Is it held with your firm? You know, under what circumstances can staff or engineers or employees of the vendor, the cloud vendor, access your data? Are they U.S. citizens and more importantly, where’s your data being stored? Do you have the ability to dictate or determine, you know, we’re in the United States the data stored or is it stored oversea somewhere and you have no option? So it’s important from a cybersecurity process we when you understand the risks of putting your data with a cloud-based vendor, you have to have a foundation of what questions to ask and what those answer, you know what the potential answers are.

(00:25:06)

So, you you have the knowledge and information to make an educated decision about whether that vendor is doing what they should or everything that they should to provide you with a level of confidence, to store your your sensitive information with them.

Sharon D. Nelson: What are some of the most recent updates since cybersecurity that law firms should be aware of but many of them aren’t, and consider implementing?

Mike Maschke: I would say, if I had to pick one thing, I would say that what’s coming down the pipeline in the next year is probably going to be the security information and event management solution. We have, you know, talked about zero trust which is coming. But now it’s implementing a sim, is essentially at a high level, taking all of your information systems, your computer’s, your virtual servers, your firewall, your cloud-based vendors, whether it’s Google Workspace or Microsoft 365 or your cloud-based file sharing applications, and integrating them into a single monitoring solution that goes through the alerts, the logs the events everything that is set up to forward to this provider sort of like a log aggregator. But it’s backed by a security operations center or artificial intelligence or a combination of both to go through these events for patterns, behaviors, malicious traffic in real time, and alert the client or the IT provider of the law firm that something is happening. Or that an action took place that needs to be looked into further, and it is now allowing law firms at a very minimal cost to be able to respond and detect potential, cybersecurity incidents, in a matter of moments, in real time, versus after the fact. Meaning, historically the attackers get into a network. They are inside the network for several weeks before they’re detected. And by that time, they could have exfiltrated data, deleted information, et cetera, and it’s too late. But now the sim solutions have become with the prevalence of cloud-based applications and services, have become affordable for solos and small firms to be able to implement these types of solutions that may ultimately be the difference of detecting and preventing an ongoing cyberattack before it’s too late.

Sharon D. Nelson: I’ll second that there certainly has been a rush of sims being installed across the law firms that we know. Mike, I want to thank you for being our guest today. The depth and breadth of knowledge that you have on the subject is truly impressive. And one of the best things that ever happened to John and I was finding you.

Mike Maschke: I say the same. Absolutely.

John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or an Apple podcast. And if you enjoyed our podcast, please rate us on Apple podcast.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology, and managed cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]