Collaborating with Cybersecurity in Mind

Episode Notes

Transcript

The Kennedy-Mighell Report

Collaborating with Cybersecurity in Mind

08/31/2018

[Music]

Intro: Web 2.0, Innovation, Trend, Collaboration, Software, Metadata… Got the world turning as fast as it can, hear how technology can help, legally speaking with two of the top legal technology experts, authors and lawyers, Dennis Kennedy and Tom Mighell. Welcome to The Kennedy-Mighell Report here on the Legal Talk Network.

[Music]

Dennis Kennedy: And welcome to Episode #220 of The Kennedy-Mighell Report. I am Dennis Kennedy in Ann Arbor.

Tom Mighell: And I am Tom Mighell in Dallas. Before we get started, we would like to thank our sponsors.

Dennis Kennedy: First of all, we want to say thank you to TextExpander for sponsoring our show. Communicate Smarter with TextExpander. Gather, Perfect, and Share Your Knowledge. Recall your best words instantly and repeatedly. Learn more at textexpander.com/podcast.

Tom Mighell: And we would also like to thank ServeNow, a nationwide network of trusted, prescreened process servers. Work with the most professional process servers who have experience with high-volume serves, embrace technology, and understand the litigation process. Visit serve-now.com to learn more.

Dennis Kennedy: In our last episode we took a look at the hype around technologies these days, how to separate technology fantasy from technology reality and something known as the Gartner Hype Cycle.

In this episode we want to discuss the topic of an upcoming presentation Tom and I will be doing live at the 2018 College of Law Practice Management Futures Institute in Boston at the end of October.

Our session is called Security Is a Team Sport and will focus on how the use of collaboration tools will dramatically impact how you handle cybersecurity and some ways you can think about that and protect yourself.

Tom, what’s all on our agenda for this episode?

Tom Mighell: Well Dennis, in this edition of The Kennedy-Mighell Report we will indeed be looking at how the use of collaboration tools can impact your approach to cybersecurity.

In our second segment we will talk about the ever-increasing problem of link rot on the internet, and as usual we will finish up with our parting shots, that one tip, website, or observation that you can start to use the second that this podcast is over.

But first up, Security As a Team Sport, or Security Is a Team Sport, either one, that’s what we want to talk about today. I know, I see more than ever these days how to protect myself and my company’s information from hackers and other cybersecurity threats, but it’s always positioned as only you can protect yourself or you need to pay attention to all of this.

What we don’t see enough of and frankly, I, until we came up with the idea for this podcast and the speech, I am not sure I saw any of is the realization that the amount of collaboration that people are doing these days creates all kinds of security risk. And that we also ought to be looking at the ways we work together when understanding how to protect ourselves, how to protect our information.

I guess Dennis, why do you think that people may under-appreciate this topic?

Dennis Kennedy: Well, I see two reasons. One, I think that security is hard enough for most people without adding a couple of layers of difficulty. So I think you can preach to people, you can give them all kinds of suggestions about keeping their passwords safe, using password managers, updating their software, all those sorts of things. And we know, just looking over the past however many years it’s sort of rare to find somebody who is really up to speed on that and does it well, even in the legal profession.

So the second thing is people are starting to use more of the collaboration tools, the cloud applications, cloud services, and you are working with other people, sometimes many other people, so the security, if you focus on yourself, you don’t take into account the security practices of somebody else and depending on the rights of access, the authority that they have, what they can do with data that’s in a collaboration system, then their poor security practice can really have an impact on you.

So I think that’s why people under-appreciate it Tom is, it’s difficult in the first sense and then we have just added multiple layers to it once we start to collaborate.

Tom Mighell: I think so. I am going to come back to kind of the way I introduced it by saying that I think when the average person thinks about security, I think it’s natural to start first by thinking of ourselves or I guess for those of us who actually do think about security, I should not assume that everybody is thinking about security, but it’s how am I protected, how is my stuff being protected.

(00:04:57)

And we think of the basics. Most people I would guess think of the basics; passwords, antivirus, firewalls those types of ways to protect myself. For those, I think who work in larger firms, I think, my guess is, it’s easy to get complacent, because I have had — it’s sort of the same attitude as lawyers in big firms who really don’t pay attention to technology, they say things like IT takes care of it for me. They take care of the security. I don’t have to worry about anything. I am guessing that that is a common attitude that would be found in most law firm environments, but still I think if you are thinking about security, I think you are hopefully realizing that you shouldn’t click on that link in an email that you don’t recognize or that you shouldn’t plug that USB drive in without having IT check it out if you don’t know that USB drive, because if you are not, you are affecting everyone else.

And so I think that once you start thinking beyond yourself and thinking with others and I think this kind of leads us into the collaboration space, then it starts to give you — it requires you to think about other people and how what you do or how what others do affect security as a whole.

Dennis Kennedy: Yeah. And so I think as in all things, we don’t really live in isolation. So I think about that broken windows theory of policing that people talk a lot about. And so if in my neighborhood most everybody is doing a great job and we have home security and we have alarms and we have lights and stuff like that, but one place doesn’t and it’s vacant and it’s rundown and the windows are broken, if that’s not taken care of, suddenly the level of danger and risk in the whole community goes up dramatically.

And so I think in the collaboration area you have a similar notion, so you can be doing a great job and then somebody is using their 123456 password or they haven’t updated things or they allow access to things that should be locked down, it just dramatically increases the risk for everybody else in that ecosystem.

Tom Mighell: Right. And I think that it’s not just that, but I think that when it comes to actually collaborating, I would say that security for internal collaboration is probably better than security for external collaboration. I am guessing that working in a law firm that has dedicated IT, I think you should hope that to the extent that you are collaborating with others in your organization that security has been considered for those collaboration efforts.

If it’s not being considered and we are going to talk about, and I am going to talk about some of the ways that sometimes that fails, then it ought to be. But where I really start to think we see things happen is not necessarily just the broken windows of a house, but the nice house down the way who decides they like the next-door neighbors and they want to start doing things together.

Well-meaning collaborations that take place outside of the firewall; maybe you and co-counsel decide to collaborate on trial documents together or your client invites you to a file sharing site so you can see their files. Without involving IT in that decision, then you become the weakest link. I guess maybe you have the broken windows or whatever. I don’t think that it’s an intentional thing; I think that you really are well-meaning, you just want to get stuff done, but you are not really thinking about all of the implications when you start to collaborate with somebody from outside the firm.

Dennis Kennedy: I think that in a lot of ways security is interestingly a lot like looking at the spread of infectious disease. So who you have been in contact with, how you have that contact, how viruses, illnesses are spread, there is a similar notion clearly in security, and I think it gets amplified in the collaboration setting.

I mean, Tom, it’s kind of weird that we use this word so often on the podcast over the years, but I think there is just this notion of hygiene, that there are some things that you want to do to protect yourself, and when you are in a collaboration world, you almost want to have that checklist to say okay, what are the things that I need to do, and some of them are pretty basic, don’t use the same password as I use on another site, really understand what the access rights are that you are giving to people and have a good understanding of that.

But kind of think how those systems work together and what you are storing inside and outside the firewall and then just kind of really having some rigor to that, because I think everything that you do in terms of prevention is going to pay off, because as Tom said, it’s a cliché, but it’s really the right metaphor that you become the weakest link in the chain.

(00:09:56)

Tom Mighell: Right. I kind of wanted to step back and talk about the different ways that people can collaborate, I guess both internally and externally that can lead to security risks, and I sort of think of these in four different categories of collaboration. I have been kind of thinking a little bit differently about this lately and I think that there are — it kind of breaks down among these four ways in my mind.

One is collaboration of what I would call store and sync, using tools like Dropbox or Box or Google Drive or OneDrive to store and share documents and synchronize documents across multiple devices, that’s one way that people are collaborating.

Creation, using Google Docs or Office Online or OneNote or even, there are lots of creative content creation things that Adobe has put together, where you can collaborate online on creating all sorts of things, but those tools that you can actually all contribute to creating a document or presentation or some other type of substantive content.

There are I guess collaborative tools that help you manage content and I think of things like SharePoint, things that create structured repositories. They are not quite the same as Box and Dropbox because they are smarter, they can do more things, they can be more like a file management system than these other can be, but they are more about file management than file sharing.

And then finally, and this sort of goes over everything is collaboration by communication, using tools like Slack or Microsoft Teams or using Skype or other type of instant messaging programs, or even email, I suppose, is couple of ways to look at them.

And then once you look at the things that you are collaborating on in the ways that you are wanting, I think you need to ask yourself some of these questions. And let me pause for a second before I go on because I have been talking for a while, anything I am missing there Dennis, is that kind of how at least we think of it? Would you like to add to anything there about how we would — before I start talking kind of about my thoughts about the security options, what are your thoughts on that?

Dennis Kennedy: I think that’s a really good set of categories, but I do want to make sure we emphasize that law firms in particular have been targets, and it’s pretty well-known or should be well-known that the FBI has come to major law firms in the US and warned them over the last, I don’t know, maybe five years about how they are definitely — law firms are definitely a target and they are seen as the weak link to get corporate data and sometimes personal data.

So I think that as you think through your categories, I mean sometimes people say we are not holding that much valuable stuff, but if you think through the different categories that you are collaborating, you may find that you have a lot more exposure than you think.

Tom Mighell: I think that’s right. I think that you are absolutely right about law firms becoming more a target and I would definitely recommend for those of you who aren’t already listening to Sharon Nelson and John Simek’s Digital Detectives podcast, take a listen to that because they are routinely talking about the dangers to law firms from a security standpoint.

I think that when it comes to understanding — I kind of wanted to switch now Dennis and kind of talk about some of the — you started to talk about some of the practical things to do, I kind of want to talk about more high level approaches to security when you are looking at collaboration tools, and I think it really comes down to three or four different areas that you need to consider. I think you hit on one of them, but I am going to expand on them a little bit.

One of them is access rights and who has access. Are there different layers of access to the tool? Can some people only see some things based on their role? Do you have a collaborative area where an expert witness needs to see certain types of documents but can’t see all the client confidential information? Do collaborators have the ability to invite people in without approval? That’s a huge security risk is if they have the ability to either share with or invite other people in who may not have authorization to come in.

Do these access levels make it easy to share information? What I find in my work is that when access or when collaboration is restricted, it may make things more secure, but it also discourages sharing, which really defeats the purpose. So you want to make sure the security isn’t so strict that it loses the purpose or the benefit of the collaboration.

I think if you don’t find a way to make it easy or make it simple for them, or if you aren’t able to grant exceptions in certain cases or make it reasonable, people are going to find a way around those access restrictions.

The second thing, authorization; strong passwords, strong multifactor authentication where it’s necessary, being able to prove that the person who is trying to get in is actually who is entitled to get in.

(00:15:03)

And then finally is something that doesn’t get really considered very much, but I will talk about it on the back end is audit, is actually looking at the collaboration tools. Good collaboration tools have the possibility or the capability of providing an audit trail, to help you detect risky activity, to see are people sharing things, what are people doing, so that you can maybe identify risky behavior and nip it in the bud or learn a way around it or fix the problem.

And so one thing that I don’t see people doing that often is actually saying all right, how are we using this tool and are there ways that we can get better about the way that we use it. Those are kind of my initial thoughts about things that need to be considered before with any collaboration tool that you are using.

Anything I am missing there Dennis?

Dennis Kennedy: No, I think there — I would say there is a notion, because I know that I do this and I think you probably do this, because I think we have talked about it is sometimes people really lock something down. And you find out that you can’t print something and you just want to read something or you can’t copy something, and they think they have locked everything down; sometimes this happens in PDFs as well.

I know that you and I did something recently on that Tom, which could turn into a parting shot one day, a great little tip on how to get into PDFs that are locked. But basically if somebody sends me something that I can’t print, I can use something like Snagit and do screenshots and print those. So I mean it’s — you kind of need to think about what the users might want to do.

There are some new tools out there, they are not new, but there’s more focus on the USB keys, what’s known as the YubiKey, which is a great way to do multifactor authentication, that can be helpful.

And then Tom, I think you just raised a really great point about — it’s partially audit, but it’s the monitoring. So you are looking for — are there ways that you can look for unusual behaviors, look for anomalies, unusual traffic that will tip you off to something going on in the network.

In the cloud world, you are kind of relying on the host of the service to be doing all that, and that is one of the benefits of a cloud-based tool, but if you are not really using that, then there could be things going on that you don’t know about that you could have caught earlier.

And then I think there’s — the other big hole Tom is when people leave, right, people forget to take — there’s all these different places you don’t remove them as users and that opens up security risks as well.

Tom Mighell: Yeah, it sure does. I think that one of the other pieces that we are missing and briefly I will talk about this as kind of a what we do initially is communicating with your collaborators. I know it’s important to bring everybody that you are collaborating with up to your standard or what your standard needs to be, and I think that that requires some discussion or some consideration or whatever it is at the beginning to say all right, how are we going to do this, how are we going to make sure that everything is secure.

I will say every engagement I enter into with a client these days, one of the first conversations we have is how are we going to share information? We have a secure file sharing technology that we use, that we feel very comfortable with, but sometimes our clients have their own cybersecurity protocols in place and they can’t send information outside the company to independent consultants. They have got to keep it themselves. And so we have an in-depth discussion about how we are going to do that, who is going to access what, what tools are we going to use. I am waiting on receiving a token from one client so that I can access their website.

I will say though that when it becomes ridiculous, when it becomes so hard to do that it’s not worth it, it really does put a strain on productivity, it puts a strain on the working relationship. And so it’s got to be something that makes sense, that we get, that is not too onerous, but still is able to protect things.

And I think you are right, I think that the hesitation is let’s lock things down as much as possible, and when you lock that PDF so that it can’t be modified or edited or anything, I mean there are certain things you don’t want to be able to modify but my gosh, I downloaded a copy of the California Consumer Privacy Act and I just wanted to be able to highlight portions of it so I could take notes and annotate the document. And it wouldn’t even let me do that. It wouldn’t let me do any of that to it, which I think is just absurd. When you take that level of security, you really have a productivity problem on the back end.

So I think communication and making it easy for people are kind of my two biggest tips for helping make security an easy thing with collaborators.

Dennis, what about you?

(00:19:56)

Dennis Kennedy: Yeah, I mean, I think bringing people up to your level of security requirement is really difficult and I think when you’re living in the HIPAA world or the PCI world, in the financial world there are some external factors that require people to behave in certain ways, and that can be a benefit.

There are also a couple of areas that people don’t think enough about, and so, it could be that there are NDAs in place that putting information up into a cloud service could be a violation of the NDA and you need some clarification of that. So there are a number of things out there you have to think through. So to go back to the initial question, it’s like kind of security is hard enough in my home with one-on-one device let alone saying, oh my god, I live in this world, it’s all interconnected with all these different platforms and devices and I can use anywhere, and it’s the trade-off that we make and we can be much smarter about it, we can do a better job.

It’s just something that needs to get on the radar and there are some good approaches you can take and then kind of think of the Internet as an ecosystem that you live in and you need to be responsible in, I think that’s a really big thing.

Then, I think there is a communication not just with your sort of direct partners but you’re seeing more and more the case especially with big institutions that there is sharing and collaboration on security among those institutions and in the FBI and others with as we have these zero-day attacks and other really sophisticated things going on that the sharing that you find about security and issues and malware that’s out there and those sorts of things can be really helpful.

So, if you learn or something that’s a problem in say a cloud-based service, collaboration tool. I think it’s really important to notify the other people, not that you have an obligation. I don’t think of as a legal obligation so there’s like some requirement, but I just think it’s a good practice to say, hey, we learned of this, here’s a notice about this one to make sure that you saw that. I think that can be helpful. So, there’s a notion of collaboration of to security that’s going on in the background these days. It’s pretty significant.

Tom Mighell: Yep, there is a lot to digest here, a lot that we’re still unpacking as we get ready for our presentation in October. So, stay tuned, we might have more to offer in a future episode of the podcast.

And, before we move on to our next segment, let’s take a break for a message from our sponsors.

[Music]

TextExpander is a productivity multiplier. Lawyers love TextExpander because with a short abbreviation or search, while typing, TextExpander can produce cover emails for invoices for signing instructions, insert templates for consistent meeting notes, perform accurate date math on-the-fly, and instantly present things you retype all the time. TextExpander runs on Macs, iPhones, iPads and Windows and works in any application. Visit textexpander.com/podcast for 20% off your first year.

[Music]

Advertiser Looking for a process server you can trust, ServeNow.com is a nationwide network of local prescreened process servers. ServeNow works with the most professional process servers in the industry, connecting your firm with process servers who embrace technology, have experience with high-volume serves, and understand the litigation process and rules of properly effectuating service. Find a prescreened process server today. Visit www.serve-now.com.

[Music]

Tom Mighell: And now, let’s get back to The Kennedy-Mighell Report. I am Tom Mighell.

Dennis Kennedy: And I am Dennis Kennedy. I recently went to send a link to the first article I wrote on estate planning for digital assets, which I probably wrote maybe eight to ten years ago. So, it was in a major legal publication and had been online, so I had the URL and I clicked on it just to make sure it was live and not only did the URL, not take me back to the article. I could even find the article on the site anymore using any search tool, everything was dead. Also I couldn’t find other articles I had written.

So, that was problematic to me because I had promised somebody I’d send a link to this article. So, unfortunately, it kept the last draft that I had had and sent that on to the person who made the request. But the final version that was published, poof, vanished. I really never expected that Tom is an author, and I think it’s another example of the growing problem known as link rot, that has always affected us, but it seems like it’s getting worse. Do you think, it is actually getting worse these days?

(00:25:10)

Tom Mighell: I do think it’s getting worse and I think that unfortunately unless there is some concerted effort to deal with it, I think it’s just going to keep getting worse. I don’t see any improvement in the near future.

I was doing some research for this and noticed that even as late as five years ago there was a magazine called ‘BMC Bioinformatics‘ and they had a study there where they analyzed 15,000 links from a scientific Citation Index and found that the median lifespan of the web pages in that Index was 9.3 years, and then, poof, they went away, they were gone.

Then, just a year later, in 2014, Harvard Law School actually did a study with Larry Lessig and a couple of others that found that 50% of the URLs in the US Supreme Court opinions no longer link to the original information and that in legal journals that were published between, I think it was 1999 and 2011, 70% of those links no longer worked.

So, it is definitely a problem and it is definitely widespread, but I think that to fix something like this, it’s not enough really that web publishers resolved to do better. It’s not enough that you and I say we’re going to keep our blogs up in perpetuity. The Harvard study pointed out and the quote that I liked from it that, Many people who produce content for the web are “indifferent to the problems of posterity”, and I see that as being — I don’t expect that to change. I think that I would see that that level of indifference we want to capture everything but we don’t care so much about whether it gets retained or kept.

So, I think it has to be a concerted effort and probably as a result, and I can’t believe, I didn’t really know about this. The folks at the Harvard Library Innovation Lab developed a service called Perma.cc, which is a free service that has the goal of ending link rot. You just submit a link, they’ll add it to their database. They will provide you with a permanent link that is pledged never to go bad, every day people, it’s open to anybody. You can only submit about ten links per month if you work with a library, if you work with an archiving service then you have unlimited access. You can you can submit as many. I believe they have something like 750,000 links right now.

I really like this idea but like all services, and this is the concern I have, its success depends on its survival. It needs to be something that can live on in perpetuity and perhaps future innovation labs can create an artificial intelligence that will manage the library and help to begin to end link rot.

I just worry that those 750,000 links may be all there might be. That’ll be permanently in it and stuff will start to go away. Dennis, do you feel the same kind of despair I feel about how that is?

Dennis Kennedy: Yeah, a little bit, because there’s a great left hand, right hand thing. When you describe that effort by Harvard we know that’s going on at the same time, they’re taking down the servers that hosted some of the really important early blogs, and so that material may disappear.

So, I mean, I used to do the same, where I used to do PDFs of my articles when they appeared on the web so I at least had that locally, that sort of seems like overkill. I guess the best thing is the Internet Archive or the Wayback Machine to try to find things, and so the importance of that project I think has really been illustrated. But, as people go into these third-party publishing platforms like media and those sorts of things, if they all of a sudden stop then we don’t know what’s happening to that content.

So, there is this notion that it does make sense even more to have your own blog, your own website where you’re keeping everything because at least while you’re alive and cognizant and willing to pay the bills for, that it’s there and available but something to think about because you said, Tom, in scientific research, the thing about the Supreme Court links and stuff that’s a really important issue that’s going to sneak up on us if we’re not careful.

Now, it’s time for our parting shots, that one tip website or observation that you can use the second this podcast ends. Tom, take it away.

Tom Mighell: So I’m going to — second podcast center, I am going to have a gear tip. I have been trying out new different gadgets and stuff and my latest is the Surface Go. The Surface Go is Microsoft’s, I’m not sure what it wants to be. It’s not really an iPad killer, it might be intended for schools but what it really is, is it’s a smaller version of the Surface tablet. It’s closer to an iPad form factor but it’s a fully functioning Windows computer and I’ve been using it for a while, I will say it’s not powerful enough to be my daily driver.

(00:30:00)

I’m never going to use it to do work on all the time, but I have full Windows on it and I can access all the documents and all the applications that I can in full Windows, which is kind of been my Holy Grail. I’ll probably bring it to the Law Practice Division meeting in October to use it as my walk around taking notes tool to have.

But it’s an interesting device. I think it’s really nice looking. It works well if you’re looking that — I think the one thing that it suffers from or actually it suffers from a couple of things. Battery life could be better and it doesn’t have the same app store that the iPad app store does or even that the Android Google Play Store has. That’s where I kind of was hoping that it would improve. I’m not saying no to that because it actually got some really pretty decent reviews. It’s a nice thing if you’re looking for a Windows device that’s closer to the size and form factor of an iPad. It’s not terribly expensive. It’s only about $500-600 total to buy. You may have to buy some accessories along with it, but I’m enjoying it so far, the Surface Go. Dennis.

Dennis Kennedy: I’m going with the free one this time, Tom, and so occasionally you’ll do especially a complex Word document. When you save it you will realize it’s gigantic and it could have trouble sending as an attachment, things like that.

So, there are actually a couple of things you can do to compress the size of Word files and probably the classic one is to compress the photos and images in any Office document when it’s Word or PowerPoint. But on the great How-To Geek site there was an article by Rob Woodgate called “How to reduce the size of a Word document” and it goes through a bunch of tips, so that if you have a very large Word document, you can slim it down to a size that may be easier to send around to people; so, very useful information.

Tom Mighell: And so that wraps it up for this edition of The Kennedy-Mighell Report. Thanks for joining us on the podcast. You can find show notes for this episode at tkmreport.com.

If you liked what you hear, please subscribe to our podcast in iTunes or on the Legal Talk Network site, where you can find archives of all of our previous podcasts.

If you’d like to get in touch with us, you can reach out to us on LinkedIn, or leave us a voicemail. Remember, we’ve got a voicemail for questions for our B segment. We love to get messages at (720) 441-6820.

So, until the next podcast, I am Tom Mighell.

Dennis Kennedy And I am Dennis Kennedy and you have been listening to The Kennedy-Mighell Report, a podcast on legal technology with an Internet focus.

If you liked what you heard today, please rate us in Apple Podcasts, we will see you next time for another episode of The Kennedy-Mighell Report on the Legal Talk Network.

[Music]

Outro: Thanks for listening to The Kennedy-Mighell Report. Check out Dennis and Tom’s book, ‘The Lawyer’s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together‘ from ABA Books or Amazon, and join us every other week for another edition of The Kennedy-Mighell Report, only on the Legal Talk Network.

[Music]

Continue Reading