For many years, Sharon Nelson and John Simek have hosted the Digital Detectives podcast to bring practical advice and much needed guidance to help attorneys protect their law firms. In this, their final episode, they finish off with yet another round of current stats on cybersecurity issues and the measures to take to ensure your data’s safety. Sharon and John’s good friend David Ries joins them for this last conversation, where they explain the latest threats and give advice for improving security practices to protect the future of your law firm.
Thank you, Sharon and John, for all the time, energy, and dedication you have poured into Digital Detectives. We wish the best for both of you in your retirement! Your parting words to us should be echoed back to you—please take care of yourselves and each other.
If you should ever need Sensei’s digital forensics, managed technology and managed cybersecurity services, find them at senseient.com.
David G. Ries is Of Counsel in the Pittsburgh PA office of Clark Hill, PLC, where he practices in the firm’s Cybersecurity, Data Protection and Privacy Group.
Special thanks to our
Intro: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 155th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises, a digital forensics, managed cybersecurity, and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is 10 Startling Cybersecurity Statistics and What They Mean for the Future of Law Firms. Our guest today is Dave Ries, who is of counsel in the Pittsburgh, PA office of Clark Hill, PLC, where he practices in the firm’s cybersecurity, data protection and privacy group. He frequently speaks and writes nationally on legal ethics, technology and cybersecurity topics for legal, professional and higher education groups. As usual, it’s great to have you with us today, Dave.
David G. Ries: Thanks for inviting me. It’s always great to work with both of you.
John W. Simek: Let’s get started here with law firm brief statistics, Dave. They might come as an unwelcome surprise to many of our listeners, so take it away.
David G. Ries: Okay. There are no definite and complete statistics, but it’s not a pretty picture. It’s scary. There have been a lot of reports and studies in the legal press, the technology press, even in the popular press, things that we exchange with each other, sometimes multiple times daily. But at least for the past several years, there have been two things that I’ve seen going on. Number one is that the breaches of law firms are increasing at some times, and at other times they’re remaining high but steady. They’re not increasing but remaining high, and that includes small and mid-sized firms, and some of the recent things that I’ve seen this year have been increasing data breaches at small and mid-sized firms. Just to put a specific number on it, Law360 did a report last year, where it did several different reports on law firm data breaches. It reported then that it was seeing hundreds of law firms being breached.
Sharon D. Nelson: I guess that makes sense, given what we’ve seen, too. I suspect what all law firms want to know is how much data breaches are costing these days. Can you bring us up to date on that, Dave?
David G. Ries: I can provide some information, like with the number of breaches, there aren’t definitive comprehensive reports, but breaches are expensive. You have legal expenses, digital forensics, restoring systems, sending notice when it’s required, a lot of different things. There was a recent report that I just saw that seems to be in the ballpark, and it reports for small businesses, for a relatively simple breach, it can be $25,000 to $50,000. Another report for small businesses, again, simple breaches, not the complex one, said around $39,000.
I think that’s in the ballpark, but just thinking it through, for a small firm that has a basic Microsoft 365 takeover, it can easily be $25,000. For firms that have cyber insurance, a lot of times that’ll be below the deductible and just to add something else to the mix, there was a report earlier this year, one of the first ones I’ve seen, where the New York attorney general assessed a $200,000 penalty against a mid-sized law firm for failure to protect personally identifiable information. It’s going to be a lot of money, and it can easily be over $100,000 if it gets complex.
John W. Simek: What about law firms? What percentage of firms have reported being breached? If you have any confidence in those numbers.
David G. Ries: The best number I’ve seen is in the American Bar Association’s Legal Technology Survey Report. That’s done by the Legal Technology Resource Center at the ABA, where it sends questionnaires to attorneys and asks them to report on various areas of technology. That report is comprehensive, it’s multiple volumes, and it’s very expensive.
To give the data to regular ABA members, they publish what are called tech reports and I know, John, you did the one on cybersecurity last year. The new survey is just completed, so we’ll probably be seeing a tech report on that.
John W. Simek: Yeah, and I’m going to do that one, too, Dave.
David G. Ries: Okay. Last year’s report said that 27% of law firms reported that they had been breached at some time. Not just in the past year, but at some time in the past, and it defines a data breach very broadly. It can be anything from a lost or stolen laptop to one computer being infected with a virus to a major breach. Also, 25% reported that they don’t know, which is scary. One of the sayings that we hear all the time in cybersecurity is that there are two kinds of companies, those that have been breached and know it, and those that have been breached and don’t know it. I think that’s true for law firms, and hopefully there are not a lot of law firms that have been breached but don’t know it.
Sharon D. Nelson: I’ve got to tell you, Dave, I’ve been absolutely amazed at how class action law firms have suddenly discovered a new target, namely breached law firms. I think I’ve seen seven or eight breached law firms have a class action lawsuit filed against them in 2023, as if data breaches and their costs weren’t costly enough. What can you tell us about this recent phenomenon, Dave?
David G. Ries: There have been a lot of reports in the press about law firms being sued. The other thing that we see is that plaintiff’s class action firms will often send out press releases that they’re investigating a particular data breach, and now we’re starting to see them for law firms as targets. A Bloomberg Law article in July of this year reported that there were, I believe, eight class actions against law firms that it reported. What we’re seeing are lawsuits by clients, which typically aren’t class actions, against the law firm that suffered a breach, and then we’re seeing the class actions by individuals whose personally identifiable information has been compromised, and those individuals can be clients, clients’ employees, law firm employees, adverse parties and their employees, or even people like witnesses. There can be a lot of potential plaintiffs out there, and again, in this environment, cyber insurance is sometimes almost a necessity to pay for these kinds of third-party claims.
John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.
Jared Correia: They say the best things in life are free, which either means the Legal Toolkit podcast is pretty awesome, or we’re totally committed to the wrong business model. You’ll just have to tune in to find out which it is. I’m Jared Correia, and each episode I run the risk of making a total ass of myself so that you can have a laugh, learn something new, and why not? Maybe even improve your law practice. Stop believing podcasts can’t be both fun and helpful. Subscribe now to the Legal Toolkit. Go ahead, I’ll wait.
Adriana Linares: Are you looking for a podcast that was created for new solos? Then join me, Adriana Linares each month on the New Solo podcast. We talk to lawyers who have built their own successful practices and share their insights to help you grow yours. You can find New Solo on the Legal Talk Network or anywhere you get your podcast.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is 10 Startling Cybersecurity Statistics and What They Mean for the Future of Law Firms. Our guest is Dave Ries, who is of counsel in the Pittsburgh, Pennsylvania office of Clark Hill, PLC, where he practices in the firm’s cybersecurity, data protection and privacy group. He frequently speaks and writes nationally on legal ethics, technology, and cybersecurity topics for legal, professional, and higher education groups.
John W. Simek: Dave, I want to ask for a little bit of your insight in what the numbers tell us about firms that do or don’t have cybersecurity programs and policies.
David G. Ries: All right. That’s difficult to tell because the Legal Technology Survey Report doesn’t ask about comprehensive cybersecurity programs. It does ask about a series of specific technology policies. For 2022, it reported that 89% of reporting firms have one or more tech policies, and that was up from 77% the year before.
In my view, law firms, instead of just having a series of isolated policies like records retention or acceptable use and things, should have a comprehensive cybersecurity policy that brings together everything and that’s for small and large firms. It should be appropriately scaled to the size of the firm and to the sensitivity of the information that it has. You may have a very small firm that, for instance, does estate planning for celebrities that may need the same kinds of program as a larger firm, but from speaking and teaching and talking to folks in law firms, I think that the number that have a comprehensive program is growing but particularly in solos and small firms, I think most of them do not have formal programs.
Sharon D. Nelson: I think we can validate that, right, John?
John W. Simek: Oh, yeah. And now they’ve got to worry about AI policies.
Sharon D. Nelson: Yeah, that’s freaking them out. But to follow up on your question, John, how many law firms do or do not have an incident response plan? And why are incident response plans so darn important?
David G. Ries: First of all, I’ll discuss what firms have them, and that is covered by the survey. It reported that only 42% of law firms overall reported that they have an incident response plan. That ranges from 9% for solos to 72% for firms with over 100, and it’s my view that all law firms should have an incident response plan. For a solo or small firm, that may be a short outline. Do they have insurance? Where’s the contact information? Who to call for what: a breach attorney, a digital forensics firm, other IT support if you need it, things of that nature. Part of it is having an inventory or a data map so you know what data and technology you have and where it is, because responding to an incident without that really becomes a fire drill. It’s enough of a fire drill to begin with, but if you don’t know what’s there and where it is, it becomes even more of a challenge.
I think experience has shown across the board that law firms and companies that have effective incident response plans, particularly if they’ve tested them, will save a lot of heartburn, and they’ll generally have a more effective and less expensive response.
John W. Simek: Dave, let’s shift gears a little bit here. Can you talk a little bit about phishing statistics and how the law firms can combat successful phishing attacks?
David G. Ries: Sure. Phishing is one of the greatest threats to law firms, as well as other businesses and organizations, today. CISA, which is the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, has consistently reported over the last several years that over 90% of successful attacks start with a phishing email. If you want to look at the threats and defending against them, phishing is one of the really big ones, and a big part of the defense is training and making sure that all your users have constant security awareness.
One of the biggest enemies of security is multitasking and distraction, because users really have to pay attention. The lesson, think before you click or act, should be in the forefront for all of our users, including us, whenever we’re dealing with emails, along with technology like spam filters, secure configuration of computers and networks, security software, and those kinds of things, but the training and awareness is really important.
Sharon D. Nelson: There’s certainly a human element in most data breaches. What did the numbers tell us — I know you mentioned training. You might want to tell us more about that or what else can firms do to reduce the risk?
David G. Ries: The phishing is part of the human element. That’s 90% of successful attacks along with the statistic on phishing. There’s a similar number for the human element in data breaches. It’s a little bit lower, but Verizon has an arm that does cybersecurity consulting and incident response, and it publishes a data breach information report every year.
It’s one of the things that we share with each other and discuss, as other folks in cybersecurity do, and over the last few years it’s reported that there’s been a human element in 75% to 85% of breaches that were covered in the report. This past year, it was about 74%. Just below that. Again, training and constant cybersecurity awareness is really important. There are sometimes malicious insiders that cause data breaches, but in the big picture, that’s a very small percentage. The biggest risk is people who are untrained, inattentive, distracted. Doing whatever we can through training and reminders to do the best we can to control that is just a major part of effective security.
John W. Simek: I think one of them, too, Dave, though, is that what we see is upon departure, they leave those credentials for those employees still active. Whether it’s the ex-employee themselves or whether it’s somehow their credentials got compromised, they’re used to come into the environment even though they’re no longer employed.
David G. Ries: There was one that was pretty well known where a major law firm had fired someone in IT, and he had his credentials to get back in, and he basically wiped all the data on all their servers. That can happen. Dealing with former employees is important, particularly if they have administrative accounts. If they’re in IT and they have the keys to the kingdom, not just as users, it’s really important to close those credentials when they leave. It is for all users, but particularly for administrator users.
John W. Simek: Before we move on to our last segment, let’s take a quick commercial break.
Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany them. On Lawyer 2 Lawyer, we provide the legal perspective you need to better understand the current events that shape our society. Join me, Craig Williams, and a wide variety of industry experts as we break down the top stories. Follow Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is 10 Startling Cybersecurity Statistics and What They Mean for the Future of Law Firms. Our guest today is Dave Ries, who is of counsel in the Pittsburgh, Pennsylvania office of Clark Hill, PLC, where he practices in the firm’s cybersecurity, data protection, and privacy group. He frequently speaks and writes nationally on legal ethics, technology and cybersecurity topics for legal, professional and higher education groups.
John W. Simek: Dave, can you talk to us about some basic cybersecurity hygiene? Like how many attacks could be prevented by having basic cybersecurity hygiene, and mention a little bit, if you would, about smaller firms? And can they really achieve that kind of posture?
David G. Ries: There have been a number of reports over the years about the effectiveness of what are identified in them as basic cybersecurity measures. I remember there was one, one of the first ones in that group that came out, and it was by the Australian Signals Directorate, which is their equivalent of the NSA, and it came out with the first five, and then there was another one that came out with the essential eight and another one with the top 10, and the idea was, these won’t give you perfect security, but they’ll go a long way toward protecting you, particularly minimizing the risk compared to if you didn’t do them.
Microsoft came out a couple of years ago with a report, and it found that basic cybersecurity hygiene can protect against 98% of attacks, and that’s a pretty high number, obviously. The five that it listed were multifactor authentication, applying a zero trust principle, using modern anti-malware software, keeping everything up to date, and protecting the data. Those are things that firms of any size can do, with two exceptions. The zero trust architecture is an emerging area. Just for a quick explanation, it has very strong authentication when a user connects to the network and to the user’s device.
It’s looking at both of those, and it’s not just single sign-on. Once they’re in, it continuously monitors where they are and what they’re doing to make sure that everything is authorized and it’s done by authorized users and devices. That’s something that, for small and mid-sized firms, is starting, but I don’t think there are many that are actually doing it. And the last one, the data protection, there are some things along those lines that smaller and mid-sized firms can do with things like extended endpoint protection products, encryption, and things of that nature, but what Microsoft considers basic there is in all of these. It’s certainly moving that way for mid-size and large law firms and companies, but some of them are still growing.
I did an article for Law Practice Magazine last year. It was the May-June edition of 2022, and it has a discussion of starting with the basics. It goes through in detail what I’ve just been talking about but at least gives some ideas for firms of all sizes, but particularly for small and mid-sized firms to talk to their IT and cybersecurity consultants. Should we be doing this? And if it’s not necessary for us, why isn’t it necessary?
Sharon D. Nelson: The one thing we haven’t talked about yet, specifically, is the fact that I think we’re all astonished at how many law firms are resisting the adoption of multi-factor authentication, commonly known as MFA. Dave, why don’t you tell them why the statistics make it abundantly clear that all firms should adopt MFA?
David G. Ries: This is an area where the published statistics are actually pretty good, but from talking to people in small and mid-sized firms, a lot like you guys do, we hear that a lot of them aren’t doing it, and we actually hear some resistance. I think everybody pretty much knows what multi-factor authentication is today. It’s having something beyond a username and password, a different factor. The ones that are commonly used are a text message or an authentication app that confirms that you’re the user. Another Microsoft statistic is that it reported that 99.9% of credential-based attacks can be blocked with multi-factor authentication. That’s not all attacks, it’s credential-based ones. It’s where someone tries to guess, typically using automated tools, the username and password, or a username and password is compromised and the attacker uses it to get in. Multi-factor authentication will block that almost all the time.
One word of caution, and that is that using SMS text for multi-factor authentication can be problematic because it can be compromised, particularly in a targeted attack. Using text MFA is much better than not using MFA, but using something like Google Authenticator, Microsoft Authenticator, Duo Security, or hardware tokens like YubiKey is much safer than text codes. Some of the statistics I’ve seen have been for mid-size and large firms, and they’ve actually been pretty good. A couple of years ago, I saw a survey. This is firms with over 50 attorneys. The majority of them reported using MFA, and in firms with over 100 attorneys, it’s over 90%, but that doesn’t cover the solos and small firms, and from what I read and hear about that, it’s really just starting to be used. It’s really easy to set up these days, and you can get it on Microsoft 365, Google Workspace, Amazon, and services like that all have it. It’s something that law firms should move toward quickly if they’re not doing it, regardless of the size of the firm.
Sharon D. Nelson: One of the best things is that it’s generally free. You can usually sell that, but not always with the smaller firms. Dave, I want to thank you for being our guest today. We are always happy to have you with us, but especially happy that you are with us today when we are recording the final episode of Digital Detectives. You’ve been our guest on our podcast a number of times and have been one of our closest friends for several decades. It’s been a great ride, but it’s time to start winding things down as we prepare to retire, hopefully at the end of 2024. I know that may not be you, but that’s where we’re headed.
Thank you for so often being a co-author and copresenter with us. We have jokingly called ourselves the Three Musketeers for many years and what a lot of fun we have had together. Thank you for all the cybersecurity information you’ve generously shared with us and for all the many contributions you’ve made to the legal profession, especially to the law practice division of the ABA, and most of all, for one of the great friendships of our lives and it will continue long after the three of us are retired, whenever that may come.
David G. Ries: Thanks. I want to echo that first thanks for including me. A lot of the audience may not know, but you and John and I met for the first time at Tech Show over 20 years ago. And since then, for years, we worked closely together, lecturing, writing on various ABA activities but more importantly, we’ve really become close friends, lifelong friends, and I’m really honored to be invited to do this last episode.
John W. Simek: I don’t know how I can compete with those closings, but that does it for this final edition of Digital Detectives. Thank you for listening to us over so many years.
Sharon D. Nelson: If you should ever need Sensei’s digital forensics, managed technology, and managed cybersecurity services, you can find us at senseient.com. We want to offer a warm thank you to Legal Talk Network for all its support over so many years. Every member of the LTN staff is wonderful. They too have become friends, and we will miss all of them, so I hope they stay in touch. And to sign off with our favorite closing line from Anchorman Lester Holt, please take care of yourself and each other.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.