With the data breaches and ransomware that have plagued law firms (and other companies) of all sizes recently, clients and firm managers alike are seeking more advanced data security. Certifications like ISO 27001 provide guidelines and standards for how to protect the confidentiality, integrity, and availability of the information your firm holds. But what does implementing a high level of cybersecurity mean practically, how much will it cost, and what if a solo or small law firm can’t afford it?
In this episode of The Digital Edge, Sharon Nelson and Jim Calloway interview John Simek about the International Standards Organization (ISO) 27001 certification, the National Institute of Standards and Technology (NIST) small business standards, and other news concerning law firm cybersecurity.
- Updates, guidelines, and costs of getting the ISO 27001 certification
- NISTIR 7621 Revision 1: absolutely necessary, highly recommended, and advanced cybersecurity actions
- Helpful resources for small firms
- Client wishes and data breaches in 2015
- How to implement an incident response plan (IRP)
- Email encryption and Opinion 648 of the Texas Center for Legal Ethics
- Protection from ransomware
- Passwords, multi-factor authentication, and biometrics
- Changing defaults and patching applications
John Simek is the vice president of Sensei Enterprises, Inc. in Fairfax, Virginia, which offers IT, information security, and digital forensics services for law firms and other businesses. John is a co-author of the book “Encryption Made Simple for Lawyers,” published by the American Bar Association in 2015 and a co-author of the second edition of “Locked Down: Practical Information Security for Lawyers” which will be published in March of 2016. John is one of the country’s leading cybersecurity experts for law firms.
Special thanks to our sponsors, ServeNow and CloudMask.
Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you could use in your law practice. Right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 95th edition of Digital Edge, lawyers and technology. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.
Jim Calloway: And I’m Jim Calloway, director of the Oklahoma Bar Association’s Management Assistance Program. Today our topic is what’s hot in cybersecurity for law firms.
Sharon Nelson: Before we get started, we’d like to thank our sponsors. CloudMask offers cost-effective and efficient data encryption for law firms, whether large or small, in Google Apps, Office 365 and other cloud solutions. Sign up now for your 60-day free account at CloudMask.com. We also thank Serve-Now, a nationwide network of trusted, prescreened process servers. Work with the most professional process servers who have experience with high volume serves, embrace technology, and understand the litigation process. Visit ServeNow.com to learn more.
Jim Calloway: We are happy to welcome as our guest, John Simek. One of the country’s leading cybersecurity experts for law firms, John is the vice president of Sensei Enterprises, Inc. in Fairfax, Virginia, which offers IT, information security, and digital forensics services for law firms and other businesses. John is a co-author of the book “Encryption Made Simple for Lawyers,” published by the American Bar Association in 2015 and a co-author of the second edition of “Locked Down: Practical Information Security for Lawyers” which will be published in March of 2016. He has more certifications than we can list and testifies as an expert witness all around the country. He also happens to be Sharon’s husband and business partner and one of my close friends for many years. Thank you for being a guest on our podcast today, John.
John W. Simek: Well, Jim, it’s always a pleasure to be on the podcast with you and Sharon.
Sharon Nelson: John, security seems to be on the minds of all lawyers and their clients today. We’ve seen, fairly recently, 27 AmLaw 100 firms get the ISO 27001 certification as we go to record this process. Can you explain briefly what that certification is and what’s the process and the cost to get it?
John W. Simek: The ISO 27001 is an international standard. It’s published by the International Standards Organization, hence the ISO. It describes how you manage information security within a company or, in our context here, within law firms. The latest revision of the standard was published in 2013. Essentially, it’s guidelines on the standard to tell law firms how they can protect the information, the confidentiality, the integrity, the availability of information that the law firm holds. An independent certification body does this, but I think one of the biggest myths of folks – when we’re talking about 27001 and they hear the word “standard” – is they think that you’re going to get some sort of a checklist or something that tells you this is exactly what you need to put in place, those types of things, and it’s not. It really, at its heart, talks about what is required in order to – as I said earlier – protect the confidentiality and integrity and availability of information. Such things as backup, as an example. It doesn’t tell you how often you should back up data. If they said it’s every 24 hours, 24 hours may not be good enough for some firms. Your data may be so volatile; you really have to assess what the risk is and what type of information you’re holding. If the data is very volatile and changes a lot, 24 hours may put you at too much risk and you may need to do it every hour, every 15 minutes or something like that. If you’re a firm where your data is fairly static and isn’t real dynamic, maybe 24 hours is too often. Maybe once a week is fine. So it’s really a grouping of guidelines and standards to help you, and it’s going to be different for each individual firm. So if you’re a smaller firm, you may be able to accomplish this certification process in as little as four to six months. Mid-sized firms, probably around ten months or so.
And larger firms, some of the big firms that you were just talking about, Sharon, it could take twelve months or longer, a couple of years before you run through all of these different things and that the independent verification body has verified that you’re compliant with these various ISO standards.
Sharon D. Nelson: What about the cost, John? Do you know?
John W. Simek: No, not really. It can be several thousand for a small effort, up to tens of thousands. It really depends. As I mentioned, it’s the timing. If you can accomplish it in a short period of time then obviously it’s going to be less cost.
Jim Calloway: Well, John, solo practitioners and smaller law firms are not going to get that certification. Can they self-certify that they are compliant with the NIST small business standards? And can you explain to our listeners what those are?
John W. Simek: Sure. And I wouldn’t say that all small firms are not going to even attempt the 27001 certification. Some may; they may elect to go down that road, but you’re right. It sounds pretty costly to me for most small firms. But there’s an alternative in this small business guide, as you’ve talked about, where NIST, the National Institute of Standards and Technology, provides guidelines for smaller businesses as to what they should or can do. They basically group those guidelines, and the business guide is readily available on the internet, by the way. It’s NISTIR 7621 Revision 1, which is dated December of 2014. But there are really three sections that they talk about. There’s the absolutely necessary cybersecurity actions that you should do, and there’s a highly recommended one, and then there’s more advanced ones. And as an example, the absolutely necessary ones are things like manage the risk, protect your information, protect your internet connection; that seems pretty obvious to me; install and activate software firewalls, patch your operating systems. So those are the types of things that are included in the absolutely necessary. Some of the recommended ones are be careful with email attachments and email requesting sensitive information; be careful with web links. So these are fairly simple things that small firms can certainly easily do. Be careful when surfing the web, things like that. For law firms I think the recommendation primarily is that when you’re looking at that NIST small business guide, law firms should be doing everything within the absolutely necessary grouping, and there’s approximately 11 of those, and then they should be doing everything in the highly recommended; there’s 12 of those.
And in addition to that, because law firms are a little different than a lot of other businesses in that they’ve got different ethical requirements and different requirements in order to protect the confidentiality of the client information that’s being entrusted to them, they should also probably be dealing with and handling continuity and disaster recovery operations, which is part of the more advanced cybersecurity practices, a small section in that NIST small business guide.
Sharon D. Nelson: John, can you name any other helpful resources for small firms that may assist them in assuring clients that security is uppermost on their mind?
John W. Simek: Sure, there’s a lot of them. There’s some of my favorite ones that I would steer people towards. One of them is CERT, the Coordination Center at Carnegie Mellon University. They deal with and they publish a lot of the vulnerabilities and security things as they come about. So they have a list that you can sign up for notifications on there. I like another website called Dark Reading as well, and that’s www.darkreading.com. That’s more for the technical side. It’s the security piece of InformationWeek. Krebs on Security, Brian Krebs, is another blog that he publishes. He’s not as frequent as some of the other sources that are available out there. I still subscribe to him, but Dark Reading and CERT come out with more. SANS Institute: you can’t deal with any security reference unless you’re referencing SANS. SANS is a leading organization at Sans.org and they’ve got all kinds of security notifications, research, training; they also certify as well, so you can get great information from those guys. SC Magazine is another good source, very timely. Schneier on Security, Bruce Schneier. Bruce calls ‘em like it is. I know you follow Bruce as well, Sharon.
Sharon D. Nelson: He’s colorful. He’s very colorful, and sometimes he talks like a marine. But anyway, it’s all good stuff and he really is spot on.
John W. Simek: But those are some of the ones at least that I subscribe to, and then certainly there’s the other reference, as you talked about earlier, Jim, the Locked Down book that we just finished updating.
Sharon D. Nelson: Which hopefully will be published in March.
Jim Calloway: Well, John, when I in the past have mentioned internet security or cybersecurity to groups of lawyers, it was sometimes as if I said, “Now’s the time for everybody to take out your phone and check your email.” So what’s driving their recent push to really focus on cybersecurity issues?
John W. Simek: It’s really the clients. Primarily that and all the data breaches that we’re hearing about, darn near weekly. And we have heard of data breaches at law firms. They’re certainly not as publicized as OPM or Target or any of those major ones. But the clients themselves are now coming to the law firms and they want to know what are the law firms doing in order to protect the data that the client is entrusting to them. So they are the ones who are driving this train.
Sharon D. Nelson: I know we’ve seen a lot of firms begin their cybersecurity efforts by developing an incident response plan, which is critical, but many people don’t even know what it is. So can you explain what such a plan consists of and what elements it should contain?
John W. Simek: Yeah. An incident response plan is basically, think of it almost like your fire drill that you did when you were kids in school. There’s a fire and everyone quietly goes in a line and you already knew where you were going to stay; in the parking lot or in the baseball diamond or whatever it was. So you put this plan together in case something happens, in case of a fire. The incident response plan is a similar exercise where you identify upfront what your plan is going to be should you have certain security events. What happens if I get a virus attack? What happens if there is a denial of service attack on my network? What do I do if an employee loses a flash drive that’s unencrypted and has client information on it? Those are the kind of the elements of the incident response. You take the incident and then how you’re going to respond to it. There are a lot of elements that comprise the incident response; some of them that you identify, certainly, the internal personnel that are responsible for each function. And you should do that not by the person’s name but by the title that they hold. Such things like the IT folks or the information security people. Maybe human resources or marketing or compliance or some of those groups need to be involved in your incident response. The contact information of an experienced data breach attorney. After all, what we’re talking about is if your network gets compromised or you lose that flash drive or whatever, that’s really considered a data breach. So you’ve lost information that someone else, unauthorized personnel, has access to. There are lawyers that specialize in that. I guess we can’t use the word specialize, but they concentrate in that and they are very, very familiar with data breach laws and the various state laws and various federal regulations that come to bear. So you need to identify at least somebody that you’re going to contact for that.
The location of your insurance policy; you may or may not have coverage. Hopefully you do, so you need to contact your insurance company, whatever. Law enforcement contacts as well. Typically, it’s going to be your local FBI office. At least identify who within law enforcement you are going to contact. The contact information for any digital forensics consultant that you’re going to use. Those are going to be the guys that go and analyze the breach or the incident and then can tell you things about it, potentially; where did it come from, how was it compromised, et cetera. Also within the IRP, containment and recovery from the breach. So if you’re compromised, how do you contain it and how do you recover from it, in the case of ransomware, as an example. Where’s your backup data, how do you go back to that, so you’re recovering from that particular incident. Try to determine at least the data that’s been compromised, that you can absolutely assure has been compromised or potentially compromised. Identify and preserve system logs, and that’s the biggest thing that I think we see, is that a lot of logging that is possible is not enabled. So when the digital forensics guys come in to investigate, there isn’t a heck of a lot of information to analyze because they haven’t been capturing it, so that’s something that we want to make sure we’re always doing. If you have intrusion detection or data loss prevention software, logs from those systems as well. Any bank information, financial information, banking credentials may have been compromised. You have to notify your bank that’s there. A lot of times it’s optional, but you may want to have contact information for public relations firms. Because sometimes, depending on the severity of the breach and the compromise, it may be a public relations nightmare for your firm. Identify how you’re going to handle any contact with the clients and third parties.
Sometimes you may not want to tell them everything but you want to have a measured response, you want to know what that’s going to be right upfront. How are you going to inform and handle your own internal employees? A lot of times the employees don’t even know that a data breach has occurred and they may have been the cause of it so they’re continuing to do the same act. If you have a data breach notification law, it should also be part of that plan, that’s where that data breach lawyer’s going to help you. But most states have that. Sharon, I think you know the exact number. 47? Is that where we’re at?
Sharon D. Nelson: 47 currently, yeah.
John W. Simek: So at least have a copy of that, of the most current data breach notification law, and you know what your legal requirements are. Any impacted data that may be covered by other legal obligations like HIPAA, those types of things. Is it financial information or is it medical information that’s handled under other obligations? And then train on that plan. So once you’ve identified this IRP, make sure that everybody understands what their role is that’s part of that IRP, and then test it with various hypotheticals. Because the big problem there, and this is a living document, because the vulnerabilities and the access points or the threat landscape, it changes very, very quickly as technology changes. So there wasn’t a Facebook 15 or 20 years ago, as an example, or the social media craze. We didn’t have smartphones connecting up to our networks 15 or 10 years ago, it was of prevalence. So as those things come about and increase your threat landscape, you’re going to need to modify this IRP so that you adjust for what those various technologies are.
Jim Calloway: John, I can hear the lawyers across America listening to that catalog of things they need to do, and their question is going to be, “Is there anywhere a law firm can get a template for an incident response plan?”
John W. Simek: There’s got to be a form for that, right, Jim?
Jim Calloway: That’s right!
John W. Simek: No, there isn’t, unfortunately. And the primary reason is because the technology varies about the firm, the workflow varies for each firm. What the exposure points are, what the risk of the data is – different firms hold different types of data. If you’re a patent attorney, you have very, very highly valuable information from your clients, and you may take extra steps and do different things as part of your IRP than somebody that does some transactional thing. So there really isn’t a template, as the short answer, because you need to walk through it, and you can get some help. You can find IRPs on the internet but they may not necessarily apply.
Sharon D. Nelson: Let’s pause for a commercial break and then we’ll be right back.
Advertiser: In recent years, the legal sector has come under increasing pressure to improve efficiency in client services. Cloudmask enables law firms and solo attorneys to leverage free and low-cost Software as a Service, such as Google Apps and Office 365, to improve efficiency and client service, while reducing cost and strengthening compliance with data privacy laws and ensuring that legal, ethical duties are met. Cloudmask is even certified by 26 governments around the world. Sign up now for your 60-day free account at Cloudmask.com.
Looking for a process server you can trust? ServeNow.com is a nationwide network of local, pre-screened process servers. ServeNow works with the most professional process servers in the country. Connect your firm with process servers who embrace technology, have experience with high volume serves and understand the litigation process and rules of properly effectuating service. Find a prescreened process server today. Visit ServeNow.com.
Sharon D. Nelson: Welcome back to the Digital Edge on the Legal Talk Network. Today our subject is What’s Hot in Cybersecurity for Law Firms. And our guest is John Simek, one of the country’s leading cybersecurity experts for law firms – I may be a little prejudiced in saying that – and the vice president of Sensei Enterprises. John, we both noted that encryption has been big, very big in 2015, especially email encryption. Can you talk a little bit about how easy email encryption has become?
John W. Simek: Sure. In the “older” days of technology, encrypting email was very, very cumbersome. You had to do this key exchange to public and private keys. And before I could even send you a message I had to know who I was going to communicate with and make sure that you had access to my public key and then I would use my public key. So it was so cumbersome that most folks didn’t even do it. I didn’t even do it, it was such a pain in the butt. But today, email encryption is extremely easy, very cost effective and affordable. There are service providers that are out there that provide a mechanism whereby you can send encrypted messages without doing key exchange upfront. As an example, we happen to use ZixCorp in our company here, but they’re not the only ones. There are a lot of companies that do this type of thing where all you need to do is click a little button – there’s an add-on to Outlook, as an example – and it says, “encrypt and send.” Or you can have certain rules in there that every single message is encrypted or only messages that might contain social security numbers because you already know the social security number format, things like that. But it’s extremely easy these days to have and I think that every lawyer – at least they don’t have to necessarily use it all the time, but it should be available for them to use when appropriate.
Jim Calloway: John, would you talk a little bit about the 2015 Texas Ethics Opinion about encryption? And do you see other jurisdictions moving in the same direction?
John W. Simek: Well, Jim, as you know I’m not a lawyer. But Texas came out with Opinion 648, and they were the first state to identify in an ethics opinion the kinds of situations when encryption should be used or considered. So they’re very, very specific in their things. They listed essentially six areas where you should use encryption: when, as an example, communicating highly sensitive or confidential information via email. Sending email to or from an account where the sender or recipient shares that account with other people. Well, that’s pretty obvious to me, right? You want to make sure it’s protected so the other people can see it. Sending email to a client when it’s possible there’s a third person, such as a spouse in a divorce case, if they also know the password to access that email. Sending email from public computers or borrowed computers. Sending email if the lawyer knows the email recipient is accessing the email on devices that are potentially accessible to third persons. Sending an email if the lawyer is concerned that the NSA or other law enforcement agencies may read it. So they’ve identified, at least specifically, some areas where encryption would be appropriate to use. I don’t know that other states are going to use such language specifically. I know they generally talk about just the protection of it and they don’t specify technology. My concern about using the word encryption is that that’s what we know today and that’s what protects data. But what about ten years from now? What about five years from now? Is there going to be something different that is going to be better than what we know, and we’re going to have to change the rules if you specify the technology?
Sharon D. Nelson: I agree with that, but on the other hand sometimes you can’t be entirely technology-agnostic. And I know certainly Bruce Schneier, who you referred to before, he calls encryption a no-brainer. And although I don’t think it has to be used all the time, when you transmit confidential data I believe it should be. And that’s what Texas was headed toward: use it where appropriate. But let’s move on to ransomware, which is driving law firms crazy. I know we saw four Northern Virginia law firms hit within two weeks. How can the firms protect themselves? And also I know from our dinnertime conversations that there has been a new and unsettling development in ransomware variants. Can you talk to us about that too, John?
John W. Simek: Sure. The best way to protect yourself from ransomware is to make sure that you have a backup system that’s engineered to recover from a ransomware infection. Ransomware essentially is malware that encrypts your data and then pops a message up on there with a countdown timer that says you have X amount of time to pay money in order to get the decryption key so that you can gain access to your data. That’s what ransomware is. The best approach is to have your backup solution engineered in such a way that you can recover from that, so that it’s not infected with ransomware. You can just then restore your data on top of the encrypted data – most certainly clean the malware off first – and then you’re good to go. That’s the best way to deal with that. There are other things that you can do to try to stop the installation, certainly training. CryptoPrevent is a piece of software that attempts to stop these infections. You can do manual editing of the registry to block certain executables from running in certain areas. That will help limit your exposure to ransomware. But the variant you were talking about that’s pretty recent now, and it’s nasty stuff: when your machine gets infected it scans your machine for vulnerabilities. And it’s not just vulnerabilities in your operating system but it’s also in any third party applications that you might use like Acrobat or Flash or something like that. If they find a vulnerability that’s not patched, it installs a program that steals all of the passwords off your hard drive first, sends them off to some other service somewhere, and then it encrypts your data, taking your login credentials, potentially, your user ID and password, and then encrypting the information. So that’s sort of a double whammy. That’s the latest and greatest of what these bad guys are coming out with.
Jim Calloway: Well, John, I was dealing with a firm – I thought you had to click on an email attachment, but one firm managed to get infected with the ransomware by a drive-by at a website, so I thought that was another scary development.
Sharon D. Nelson: Oh, yeah, that’s been around for a while.
John W. Simek: They’re always thinking of something.
Jim Calloway: Well, speaking of security, let’s go to the base level of security. Are passwords dead? And how will the future involve biometrics and multi-factor authentication, and how fast is all of that going to happen?
John W. Simek: I don’t think passwords are dead. You read a lot about that where people say that’s a thing of the past. I think we’re always going to have passwords. Where I think we’re actually heading, though, is multi-factor authentication. So not just passwords but also something else, whether it’s a token, and Jim, I’m sure you’re probably familiar with multi-factor. You can turn it on in Gmail, as an example, or a lot of different products now. Or something you have, the RSA tokens as an example; they’re also multi-factor. I don’t think biometrics – with fingerprints and stuff – are long for the world. Because biometrics really is an electronic representation of something. So an electronic representation of your iris scan, of your fingerprint or something. If that gets compromised, you’re screwed, because you’re not going to have a new fingerprint. You’re not going to have a transplant of an eyeball. At least with tokens and those kinds of things, those things can be changed, and I think that’s where it’s going to happen. So how fast will it happen? We’re already seeing multi-factor and more and more applications and companies going in that direction. We’re seeing biometrics as well being built into Windows 10, for an example; facial recognition and those types of things. But I believe the future for us is really going to be multi-factor.
Sharon D. Nelson: And let me just add, John, too, that for those that say what about two-factor authentication, that’s a subset of multi-factor authentication, if you were confused about that. Jim and I talked a little bit about what questions to ask you, but I’m sure we forgot something important that listeners might want to know. What can you think of, John, that we might have forgotten?
John W. Simek: Well, two things, I think. Number one, any time you have an opportunity to change any defaults, whether it’s on a wireless or whether it’s on your firewall or any of that stuff, change those default values because those default values are known and you can easily search on the internet to find out what those are. The second thing I think is – and Sharon, you know this – is the number one reason that people get compromised is they’re not applying updates. They’re not patching their operating systems or they’re not patching their applications. That ransomware variant that I mentioned before, if you patch the application, you wouldn’t have that vulnerability for this whole process to start where they would steal the passwords off your machine. Make sure you’re always patching, you’re always up to date, and not using unsupported software like Windows XP as an example.
Sharon D. Nelson: Well, John, we really want to thank you, and most especially because John was our guest today because our intended speaker had a sudden business commitment come up, and so what do we do? We reach for John, who fortunately for us can speak on any one of a hundred subjects. So when we get stuck, he always carries the water for us, and I’ll see that I have a proper Single Malt Scotch waiting for you at home, John. Thanks for sharing your expertise on this, it’s always terrific.
John W. Simek: It’s always a pleasure, thanks for having me.
Sharon D. Nelson: That does it for this edition of The Digital Edge, lawyers and technology; and remember, you can subscribe to all the editions of this podcast at LegalTalkNetwork.com, or on iTunes. And if you enjoyed our podcast, please rate us on iTunes.
Jim Calloway: Thanks for joining us. Goodbye Ms. Sharon.
Sharon D. Nelson: Happy trails, cowboy.
Advertiser: Thanks for listening to The Digital Edge, produced by the professionals at Legal Talk Network. Join Sharon Nelson and Jim Calloway for their next podcast covering the latest topic related to lawyers and technology. Subscribe to the RSS feed on LegalTalkNetwork.com or in iTunes.
[End of Transcript]