Cyber “Insecurity”: Why You Need to Rethink your Security Practices

Episode Notes

Transcript

The Kennedy-Mighell Report

Cyber “Insecurity”: Why You Need to Rethink your Security Practices

09/13/2019

 

[Music]

 

Intro: Web 2.0, Innovation, Trend, Collaboration, Software, Metadata… Got the world turning as fast as it can, hear how technology can help, legally speaking with two of the top legal technology experts, authors and lawyers, Dennis Kennedy and Tom Mighell. Welcome to The Kennedy-Mighell Report here on the Legal Talk Network.

 

[Music]

 

Dennis Kennedy: And welcome to Episode #244 of The Kennedy-Mighell Report. I am Dennis Kennedy in Ann Arbor.

 

Tom Mighell: And I am Tom Mighell in Dallas. Before we get started, we would like to thank our sponsors.

 

Thanks to TextExpander for sponsoring our show. Communicate Smarter with TextExpander. Gather, Perfect, and Share Your Knowledge. Recall your best words instantly and repeatedly. Learn more at textexpander.com/podcast.

 

Dennis Kennedy: And we would also like to thank ServeNow, a nationwide network of trusted, prescreened process servers. Work with the most professional process servers who have experience with high-volume serves, embrace technology, and understand the litigation process. Visit serve-now.com to learn more.

 

In our last episode, we discussed the much talked-about arrival of the 5G cellular platform and why we are taking a wait-and-see approach.

 

In this episode, we decided that some recent survey results and developments in cybersecurity made us decide that the wait-and-see approach that we have for 5G no longer makes sense in our cyber dangerous world. What can you do where seemingly no one else cares about security?

 

Tom, what’s all on our agenda for this episode?

 

Tom Mighell: Well Dennis, in this edition of The Kennedy-Mighell Report, we will indeed be discussing cybersecurity or as you like to put it cyber insecurity.

 

In our second segment, we’ll talk about whether it’s time for mandatory CLE training on this very subject of cybersecurity and as usual, we’ll finish up with our parting shots, that one tip, website or observation that you can start to use the second that this podcast is over.

 

But first up cybersecurity or as the title of this podcast ought to be named “Cyber Insecurity”. You know, Jack Dorsey who was the CEO of Twitter, when he has his Twitter account hacked and we’re going to talk about how just a little bit, it makes us both wonder whether it’s safe out there for anybody these days.

 

We both sort of checked and look to see about cyber insecurity and collaboration tools. We did a show last year about cybersecurity and using collaboration tools. We gave a presentation on the same topic at the College of Law Practice Management’s Annual Meeting and I think to our mutual surprise, the problems have not yet gone away or gotten better.

 

So we thought we’d revisit the issue again. See if anything has changed or anything thing has gotten remotely better.

 

Dennis, what was it, was there something that made you want to revisit this topic?

 

Dennis Kennedy: Yeah, I think incredibly this situation is actually getting worse and so my motivator for to revisit this topic which I realized I was going — I looked back at my blog a couple of times over the years, and in the early years, I used to write about cybersecurity a lot and then I just gave up and said, I didn’t think anybody, it was sort of like I felt I wrote this stuff and threw it off the cliff that nobody paid attention to it, but so every year I’ve been doing a tech report, it’s called the Summary of the Survey Results from the ABA’s Annual Technology Survey.

 

And so I covered the area of cloud computing. And so one of the things I’ve been watching is in this survey, there are a couple questions on cybersecurity and the security precautions that lawyers are taking with their cloud computing tools. And for the last three or four years, I’ve been just saying that they’re pathetic and that it’s a real area for improvement and then incredibly in the current results and I don’t think my report has been published yet, but that it’s significantly worse.

 

So they list about 12 very, very basic security techniques that you would use and the most commonly used one which is to use the secure protocols or the HTTPS protocol that we’re all used to seeing in the browser with the little lock, is the most commonly use which is around 40% and then there are common techniques like looking at privacy policies and other things that went from the mid 30% to 25% switch.

 

To me it’s incredible because last year, we had the EU data privacy issue that was front and center.

 

(00:05:01)

 

We’ve had all these issues about state hacking of computer systems and the approach the lawyers are taking that is even more cavalier than before. So that’s sort of the thing that prompted it.

 

But Tom, it’s just one of many things. There’s like a ton of cybersecurity issues out there and a lot of them just show just incredibly sloppy practices out there.

 

Tom Mighell: Well so, what’s interesting about that survey result where the number one is that 40% of people use the secure website to access certain websites, what sort of blows me away about that is I’m pretty sure that Google Chrome visits those sites on default. They go to the secure site.

 

So I don’t think users are actually doing anything consciously to go to those sites which is even sadder, even that they say that they’re doing it in 40% or say that they’re doing it, they’re not doing it intentionally, they’re doing it just because their browser happens to take it there because their browser is paying more attention to security then they happen to be.

 

I think that cloud portion of the tech survey, it definitely shows the lack of precautions lawyers are taking with regard to cloud tools, but it doesn’t really give anymore overall stats on what I would consider the general security precautions; passwords, multi-factor authentication, we’re going to talk a lot more about those.

 

Every year, I see articles, two or three articles come out why you need a password manager and everybody goes here, here, and yet no one’s using a password manager.

 

I would say that when it comes to the cloud tools that you talk about, I’d almost make the assumption and maybe I’m wrong here but because I don’t know the demographics of the people who took the survey, but I sort of tend to assume that lawyers in larger firms have IT departments, when it comes to cloud tools anyway have IT departments that are providing sufficient security around those cloud tools.

 

And then maybe it’s not something the lawyers are doing and I tend to think that the insecurity around the use of cloud tools is more toward solo and small firm lawyers who are their own IT departments who are probably showing that they don’t take a lot of precautions because they really don’t know a lot about it.

 

And I think if I recall correctly, solos and small firms actually take the lead on adoption of cloud tools because it makes the most sense for them in their practice.

 

Dennis Kennedy: Yeah I am going to say, au contraire, I mean because I think that these security techniques, a lot of them are things that any lawyer should be able to do like review privacy policies to look at the confidentiality provisions of contracts, to even look at the agreements that they’re entering into.

 

And so it’s a lot of the things are things that should be due diligence about the companies themselves. There are things that lawyers should be able to do and that to me is it’s what’s shocking and then also you compare that percentage with people saying here’s my concern about cloud computing is, I’m worried about the security or here’s why I don’t do cloud computing, because I’m worried about the security.

 

I’m like look if you make zero effort at protecting your data and your clients’ data and learning how the stuff works, yeah you have reason to be concerned but I’m guessing that probably what you’re doing on a day to day basis on security is probably even more shocking.

 

Tom Mighell: Here’s kind of a true story about a small firm and it’s kind of shocking too, small firm less than 10, less than 12 people who work there between professionals and staff and using Office 365, so great, they’re kind of ahead of the curve moving and using the tool they should use and turns out that the person who’s responsible for finance and for payroll and stuff like that has probably one of the weaker password choices, and it’s a commonly — apparently a commonly known name in this person’s family, either a family member or a pet.

 

And it’s not — it’s probably eight digits and somebody comes in and they go to her Office 365 account and they do a brute force attack so they run a computer program against it, it takes a couple of hundred times to run that before they break it and frankly a couple hundred times is means that the password is pretty weak.

 

They break that password they go in to her online Outlook account and they begin to send emails out as her and they are able to successfully convince the payroll company to redirect two of the payroll checks to a different bank. So they steal two payroll checks. They go to three clients and try to convince the clients that the firm has changed banks and one of the clients actually sends a check for quite a lot of money to this other bank before finding out that it was all a fake.

 

(00:09:58)

 

No two-factor authentication setup there. There were two opportunities to stop that hacker dead in its tracks. The first would be to set a strong password that would be much more difficult or much more daunting to break, even if the password could have been broken two-factor authentication would have I think stopped it dead in its tracks or maybe as we’ve seen recently, if it’s done right, it’s 99% effective.

 

Dennis Kennedy: Yes, and I would say the other piece and this is like a little — I understand the reservations on this. But under brute-force attacks if you limit the number of attempts —

 

Tom Mighell: That also, that’s true.

 

Dennis Kennedy: Before there’s a complete fail, but a lot of people get nervous about that right. So if you only have like four or five attempts and you don’t realize you have your Caps Lock on and you’re typing your password in.

 

Tom Mighell: But even if you do ten, I mean 10 is not unreasonable.

 

Dennis Kennedy: Right.

 

Tom Mighell: It doesn’t have to be unlimited if they — I think even 10 or 20 is not bad, but yeah, you’re absolutely right.

 

Dennis Kennedy: So I think that — and that’s what surprising to me. So you could say, I always figure like each year I’ve been on the Internet, I’ve learned like some new security technique that I’ve adopted, usually I learn that from you and your recommendations, but I sort of go out there and like try to learn this stuff.

 

So yeah, so we saw this, the statistic recently that if you go to multifactor authentication, we did a show about this, but it’s basically where you have a password, it’s something else that indicates that you are you, so either you have a phone or a dongle or a fingerprint, something like that, plus password that that gives you essentially a 99% confidence in that you’re going to be secure or if somebody tries to hack, you’re going to get some notification that you’re able to know something’s going on and to have the chance to — I don’t know what the right word is, I would say unconfirmed it while it’s happening.

 

Now there are some nuances of multi-factor which is I say you try to learn as you go along. So there’s definitely some people advised against using SMS or text messages when you’re doing multi-factor. So it’s good to read the literature and understand what those concerns are, but there are just some standard things out there that I run into all the time with lawyers.

 

So where you might be concerned or read things about like these zero day attacks, or somebody figures out this way to where there’s a — at least a theoretical security breach and somebody can take advantage of a flaw before a patch can be done. There’s a lot of concern around that, but basically I would say this is a huge percentage of the intrusions in the successful compromises come from on updated software, supported our patches applied.

 

I mean there are people out there using Windows 7 and other programs that are out of life. They’re just not being supported anymore, and so the — it’s trivial for somebody who wants to get — get into those because the routes in or known and you may even have a toolkit that can use them.

 

So, it’s kind of like, there’s a lot of things Tom, and we’ve talked about this from time to time, which is why I want to revisit this. It’s like there are some basic things that you can do that can put you really a lot safer in the world of security that people just don’t do, and it’s hard to understand the reason that people don’t do that.

 

Tom Mighell: Well, no, I agree and I can come back real quick on your multi-factor authentication. I am one of those people who believes it is not appropriate to rely on SMS, on text messaging for multi-factor authentication. Sometimes you can’t avoid it, some vendors, some companies only do it that way. I try to limit it as much as possible. I still say and I don’t know how many shows we’ve done where I mentioned this, used an authentication app, Authy is a great app, Google has an app. I am using Microsoft now on my Office 365 account, my own personal one, and I think they’re all great tools and I think that enabling multi-factor authentication on any account that you have that could impact your money. So banking, financial accounts but then also the email and the tools that you could get into to get to those financial accounts.

 

So if I’m banking using my Gmail account, I’m going to protect my Gmail account as well, and so it’s kind of we’ll talk a little bit later about how to solve for those things but think carefully about how you need to protect the different vectors of approach to get into your firm or just even to enter you personally.

 

(00:15:06)

 

Now when it comes to the fact that so many people are running un-updated programs, I agree with that. I think that there’s — I think when you come to the practice of law, you have a lot of people and I’m not clear how often this happens, but I just remember lots of lawyers proudly telling me that I’ve had this desktop for 10 years and I’m happy to keep using it and I’m still using WordPerfect and everything works great for me and I’m going to using all this stuff until it dies on me, and I need to get something new and that’s really not how technology works especially around security.

 

But I will say that part of the problem also is there continued to be brand new ways that bad people can get to us and keeping up with it all I think is pretty overwhelming, and it’s not necessarily our day job to do. And so take for example, I think we’ve talked about this on the podcast, but the one that kind of scares me the most right now is SIM swapping. I mean that’s how the CEO of Twitter essentially had his account hacked, is that someone got a hold of a phone and put his — got his SIM card swapped over into that one and so here’s how it works.

 

A person will walk into a phone store and give them your phone number and give them apparently enough information to convince the phone company that they are you and say I lost my SIM Card, can you give me a new one, and you’ll be sitting there using your phone and all of a sudden it’ll die because it’s no longer your phone anymore. It belongs to other person, they turned it on at a AT&T; or Verizon store and you have no idea to get back to it and getting back to your phone, getting that back from a person who took it from you is extremely hard to do.

 

So my word to the wise there is I went — when I learned about how this could happen I went to my carrier and I’ve placed a verbal password on my account. So if anybody tries to do anything they first must answer that verbal password which only I know and nobody’s getting to and hopefully that will be enough to protect me.

 

The other quick thing I want to mention is if you’ve been reading the news lately, you will have noticed that I think 22 cities in the State of Texas, 22 municipalities were struck with ransomware and the way that they got to all 22 of these was through the managed services IT Provider for all these municipalities. So that was the Weak Link.

 

The Weak Link was an IT services company who deployed stuff out to these municipalities and as part of that deployed ransomware. So understanding how these things happen and how to protect yourself against them, is a huge issue. It’s even bigger than it is ever been and I think we’ll — probably Dennis, talk a little bit more in our B segment about how you propose to address this issue, but I think that’s one of the biggest problems we have is just keeping up to date on all the new issues and possible ways that somebody can get into our stuff.

 

Dennis Kennedy: So I agree with that, but I also say that we’re just doing a terrible job on the old issues. So poor password, it’s all over the place. The incredible thing of poor passwords and default passwords on administrator accounts, leaving default settings on hardware devices, I think there’s — not doing multi-factor on admin accounts is pretty amazing to me that people will take those chances, and then, then I think there’s a couple and I consider you now the expert on one of these things. But there are couple things that I think are opening the doors in other ways too.

 

So a lot of places give you these security questions that you can choose from to recover your accounts and so it’s like where were you born, what’s your mother’s maiden name, those sorts of things, and those are pretty easy for people to find or to guess. And then you add those things to the social media quizzes where you 00:19:03 is like here’s 15 questions I’m answering and sort of like what street did I first live on, what was the first job I had, that sort of thing. You are going like, oh my God, you’re just putting the answers to these questions right out into the open.

 

So you have to pay attention to those things as well and then Tom, I think that leads right to what you’ve experienced with this social engineering, which has become so effective that it’s just almost like the telephone tag for people to come in and say they’re you and you just kind of walk through this thing and either guess what the passwords are or have somebody spending over backwards trying to help you recover your account or recover a password, and I think that social engineering probably has been for a long time and still is the most effective way of breaking into your system, and you just, you look at what people do as a matter of course and it’s shocking.

 

(00:19:59)

 

Tom Mighell: Well, I think you’re right. I think social engineering is a way that technology can’t protect against to a certain extent and I mean that’s what happened to me back in June was that someone called my bank and through telephone calls were able to take money out of my account, and I still haven’t found out exactly how they did it, I still haven’t found out exactly what information about me they had. I think it’s probably pretty clear that they had some part of my Social Security Number, at least enough of it to get through and I believe that I was a victim of a — I was part of the Office of Personnel Management hack a long time ago and they had my Social Security Number because I did work at one point of time for the government. So easy to understand how they might have that.

 

When it comes to those security questions, I totally agree. I think that — while back my mother’s maiden name is quite common — excuse me, quite unusual, but it’s something that would be easy to find out what the maiden name was. I used to use it all the time because I thought well who would know such a weird name. Well, my social media, my cousin puts that name up on her social media page all the time because that was my grandmother’s married name.

 

So what I have started to do for security questions is, I’m giving completely fake answers to the security questions and I am putting the answers because I’ll never remember them, I mean that’s part of what makes the security questions great is you remember what your mother’s maiden name is, or what your first dog was or what job you’ve always wanted to do, that’s easy to remember. But I’ve been putting things that are so ridiculously wrong, I put them into my password manager for that account so that if I ever have to do it, I’ve got to the answers to that and I hate that we’ve come to that place, but I know for a fact that no one’s ever getting through any of my security questions again, because there’s no way they will come up with these answers, I mean unless somehow they’re able to break into my password manager and that would really be the end of the world as I know it.

 

Dennis Kennedy: I do have a way that somebody might be able to do that but I’m not going to share it on the podcast. I’ll tell you after the show though.

 

Tom Mighell: Thank you so much.

 

Dennis Kennedy: So, let’s get to what people can do Tom, because I think that first of all, our concern comes in collaboration tools, because it really is the case that your really poor security practices couldn’t have an impact on me, when we’re using collaboration tools.

 

Flat out problem, growing problem, you can call it, an exponential problem in terms of security but — it’s everybody has to think about what’s going on. I always say, you got to protect the herd. So like your bad practices have an impact on me, so we need to think about everybody.

 

And then, the second thing that’s worth noting is the millions of new devices being connected to the Internet. So the Internet of Things, Sensors, all these other things. There’s great story a couple years ago. Somebody got into a casino’s network through an Internet connected aquarium. So — and it’s important to really understand how the security stuff works, because you go like, oh my God, I am never going to have an aquarium and I don’t want to have something connected to the Internet.

 

Well, it’s the — the mere fact it’s connected to the Internet is not the problem, it is basically when they went in and found something that had an easily breakable password or a default password and we’re able to get in that way. So it has nothing to do with the aquarium, the real issue is going to be the password and the fact that somebody could get to it.

 

So here’s my thinking on cybersecurity Tom, is that I think that there really — you just really have to learn as a citizen of the Internet some basic security and you’re not going to get to a hundred percent, but every little bit you can do is helpful and I’m going to spend one half of one of my classes at Michigan State, this fall, it’s actually next week, I’m just going to do cybersecurity basics because I think it’s so important for lawyers.

 

And then I think with the ransomware that just illustrates that backup is part of security and so it’s likely that there’s going to be a problem in what you want to be able to do, especially ransomware is to have a backup that you can pull back and just go on.

 

The third piece and you may want to comment on this more, I love and we talked about this Microsoft Secure Score which goes through, it gives you some things you can do with point values, so you can pick this sort of high-value practices that you can add that will really improve your security and show what progress you’re making on security. So I don’t know. Tom, do you have some other things and you want to wrap this up.

 

(00:24:58)

 

Tom Mighell: Not really. I mean, I think that in addition to what you said, I like to think about what are the points of entry to get to you, or to get to your firm, email, financial accounts, phone, think of all the services that people can use to get to you. For example, I may give my debit card number to Fandango to make buying movie tickets a little bit easier, but I’m less worried about security there because if they get hacked I can always just turn off that credit card. I’m less worried about them getting access to that because they have limited information that I’m nevertheless protected against.

 

So I think focus on the places that are the most likely targets that need the most protection. Learn the basics, passwords, multi-factor authentication, don’t click that link. I know that some of you may be receiving what they call calendar spam lately. I’ve had spam calendar entries showing up on my Google Calendar lately telling me about a free iPhone, don’t click that link. The only reason you’re getting these spams is because somebody’s clicking on that link to get to it.

 

I think that backup is a no-brainer, but I also think that backup is something that goes on behind the scenes. You shouldn’t have to worry about it. So it’s not about backing up regularly, it’s put a system in place and let it go, make sure that it’s running.

 

I agree the Microsoft Secure Score, although I’ll tell you, that Secure Score is something that an IT director is going to have trouble fulfilling entirely. So I go into mine and I am woefully low on my Secure Score. I mean there’s a lot of stuff in there that I can’t and just don’t need to do for the purpose — that it’s a personal account for me but I definitely think that it is an eye-opener to see how many different vectors of attack somebody can have into your account just by getting through your Office 365 account.

 

So I think that all those things make sense but I totally agree with the idea, start with the basics. There are a lot of new things and a lot of new threats coming up, but I keep coming back to, if you just follow the basics you’re going to protect yourself against a whole lot of those things.

 

Dennis Kennedy: And it sort of goes back to the old joke Tom, about the bear chasing you and me. I don’t have to be faster than the bear, I just have to be faster than you. It’s sort of like if my security is better than you and you’re an easier victim then you’re going to be the one who’s more likely to be caught then I am unless somebody’s specifically targeted you. So keep that in mind.

 

Tom Mighell: So we’re going to have to figure out after the podcast which of us is faster from there.

 

All right, let’s take a break for a message from our sponsors before we move on to our next segment.

 

[Music]

 

Advertiser: Looking for a process server you can trust, ServeNow.com is a nationwide network of local prescreened process servers. ServeNow works with the most professional process servers in the industry, connecting your firm with process servers who embrace technology, have experience with high volume serves, and understand the litigation process and rules of properly effectuating service. Find a prescreened process server today. Visit www.serve-now.com.

 

[Music]

 

Dennis Kennedy: TextExpander is a productivity multiplier. Lawyers love TextExpander, because with a short abbreviation or search, while typing, TextExpander can produce cover emails for invoices or signing instructions, insert templates for consistent meeting notes, perform accurate date math on-the-fly, and instantly present things you retype all the time. TextExpander runs on Macs, iPhones, iPads and Windows and works in any application. Visit textexpander.com/podcast for 20% off your first year.

 

[Music]

 

Tom Mighell: And now let’s get back to The Kennedy-Mighell Report. I’m Tom Mighell.

 

Dennis Kennedy: And I am Dennis Kennedy. In this segment we want to talk about cybersecurity as it relates to the ethical rules on technology competence. So for the lawyers out there, there’s a new comment 8 to Model Rule 1.1 that addresses technology confidence and it’s been adapted in 36 States since 2012. So I guess that’s fast in terms of the legal profession and its key part it says, a lawyer should keep abreast of changes in the law and its practice and this is the key part including the benefits and risks associated with relevant technology and then engage in continuing study, education et cetera to keep abreast of the changes in law and technology.

 

So I believe this Rule means anything, it means lawyers have to keep up on cybersecurity. Then I also say, if you look at the rules about our lawyers obligations of confidentiality to clients, I think that also require an understanding and use of good cybersecurity practices. So we’re not seeing that happen out there.

 

And we see Florida, States like Florida and North Carolina have taken approaches that require mandatory technology CLE, but I’m not sure that’s enough.

 

(00:30:08)

 

So Tom, my question for you really is have we reached the crisis point where it’s time to require mandatory training on cybersecurity itself with some real teeth, such as testing and certification for lawyers or maybe more than that.

 

Tom Mighell: Okay. So, I think we’re going to agree on a lot here. I think making cybersecurity training mandatory is a no-brainer, even if it’s just for awareness purposes. I think requiring attorneys to take — let’s just say two hours per year cybersecurity training is not too burdensome that it would create an issue.

 

But I do think that you’re going to start to get resistance if you require more training than that or if you require some level of certification by the lawyer. The natural resistance of lawyers to change I think will kick in the things and things are going to bog down, not that that’s a good thing, not that change isn’t a good thing, not that having people push back, we’ve had lots of things that lawyers that push back against that they don’t need more. Email is one example.

 

But I think it’s going to be the same thing that happens whenever someone tries to get lawyers to make a radical change to how they operate. They push back, sometimes they push back hard, sometimes there’s lawsuits, there’s ethics commissions that deal with things, but I think — so here’s the other part that I think is going to be a challenge.

 

Developing a certification process would really require the creation of a whole new layer of infrastructure in the legal market that doesn’t exist at least in the format it needs to exist in to get to the goal that you want. It would open I think lots of new opportunities for certain kind of companies, but I don’t know that it would have to be created maybe not from scratch, but you’d be creating a new standard for cybersecurity for law firms, you could just use the same security, you could leverage probably the security standards for other industries, but you’d have to come up with something for the legal industry.

 

I think frankly the real push here is going to come from clients who are demanding greater levels of security for the data their lawyers are keeping for them. In fact, my company right now, we’re working on cybersecurity standards that would allow law firms and vendors to become accredited, so that the clients would feel more comfortable with information that they’re storing with them, but I think though that this push if it comes is really only going to be led by the big clients who know better and if you’re a solo or small firm lawyer and you have individual clients, they won’t know to demand this sort of thing. They won’t know to say you need to protect my information.

 

So I hate to say that it’s not just the lawyers that need the education, it’s the consumers and the clients that need it too, but I think that while this is a great idea I don’t see this happening without a lot of issues down the road.

 

Dennis Kennedy: Yeah, I mean it really does come down to looking and we’re supposed to look at the clients’ perspective, right, and so the fact that it’s inconvenient for lawyers and they don’t want to learn it, to me has to be balanced out with you compromising my confidential information.

 

So I think that’s where the rubber hits the road. So I think you can go. So I sort of — we’re going to come up pretty close to this. I think that realistically it’d be nice to see some states take the lead on saying, it’s not just some, some technology CLE, but there’s is going to be an hour or two or cybersecurity that’s required annually in the same way that states require ethics, and it could be done as part of ethics frankly, because to me it is a core part of that.

 

I think that to say there’s going to be certification, lawyers live in a world committees you and I know that five or six, if we decide there’s going to be a certification, wait five or six years from now and people will still be deciding how to word this certification certificate that you get.

 

So that I don’t think is super promising. I do think that there can be a push from the amount of practice insurance carriers that will move some of these things forward. I think that regulations and especially your regulated clients will help move things forward, and I think there’s an opportunity and this is what I talk to my students about is, I think there’s an opportunity that if you’re a new lawyer or a law student and you can pick up any kind of security certification while you’re in law school or shortly thereafter, you could use that potentially for a competitive advantage.

 

So I think it’s going to be the carrot and stick thing, but I think that — I think we’re past the time. The data is out there and it’s shocking, so I think we’re past the time where we can say, oh security is too hard for lawyers to learn, they don’t want to make changes.

 

(00:34:55)

 

I think it’s time to really put some mandatory training on people and this is coming from somebody who always prefers to learn things on my own because I’m motivated to do that. But I look at a profession that doesn’t, in this area, it doesn’t seem to be motivated that way.

 

So now it’s time for our parting shots, that one tip, website or observation you can use the second this podcast ends. Tom, take it away.

 

Tom Mighell: So, I am going to continue the theme and my parting shot is a new website that I found that is cybersecurity related and it is called YourThings Scorecard, it’s at yourthings.info, and it’s an initiative that provides smart home device owners with insights about the functionality and security of their devices, and they measure on things like the device itself, the mobile application that comes with the device, the cloud endpoints, the Internet services that the device communicates with and then network communication, the network traffic between each component of the smart device.

 

And then they assign grades to each one of them and if you want to be truly horrified about how insecure in general your Echo is or your Google Assistant or some other things in there, go look at this website yourthings.info, it’s I think a very revealing look at how they grade security and how we still have a long way to go on the Internet of Things and cybersecurity.

 

Dennis Kennedy: Yeah, so mine is also part of the theme where I said I think that backup is just a core part of security. So as they say it’s not if but when something happens. And so, the other day I was thinking and I was looking at and I say, I have backups in four different places that are happening and I thought I’m a little concerned about a physical backup to a hard drive, and that because I do that and I said, it seems like the technology is better now. It takes a long time to do that. On a Mac you can do this Time Machine backup, which is really straightforward.

 

And so, I read about something called the RAVPower, it’s a 500 gigabyte mini SSD drive, so it’s USB External, it’s like a big thumb drive. It’s like way bigger than your thumb, but 500 gigs on it. And for me, it is like and is $89 and it was like, well here’s — this is what I think I’m looking for rather than like an old external kind of slowish hard drive. I’ll just add this SSD to my backup routine as another place and it will go faster and be easier to do as part of that routine and give me some comfort because it’s an SSD.

 

And so far, it’s been great. I will say that like the first backup does take a long time, but after that the incrementals are great, and so if you’re doing that layer of backup where you have some physical and local ones and some online stuff, I think this is a really interesting tool as it’s essentially now the USB Drive has gotten so big that you could do a whole backup.

 

So I think there are some one terabyte ones out there that are more like the 200 range, but sort of for your personal backup, it’s kind of an interesting way to go just to make it a little faster and easier, and you also have a device that’s a little easier to hide in your house if you’re concerned about that.

 

Tom Mighell: And so that wraps it up for this edition of The Kennedy-Mighell Report. Thanks for joining us on the podcast. You can find show notes for this episode at tkmreport.com.

 

And I want to say you can — we’ve got — I guess I should point out that we have at least one person who’s checking on the show notes who did point out that we’ve been very, very far behind in updating our show notes page, and we take the note, I’m going to start updating it very soon.

 

In the meantime, if you want to take a look legaltalknetwork.com has got transcripts of all of our podcasts which have the links or at least mention of the things that we talk about.

 

So until we can get those show notes updated, please go to legaltalknetwork.com and check out the transcript.

 

If you like what you hear, please subscribe to our podcast in iTunes or on the Legal Talk Network site, where you can find archives of all of our previous podcasts, like I mentioned with those transcripts.

 

If you’d like to get in touch with us, please reach out to us on LinkedIn, or leave us a voicemail. We love to get voicemails. The number there is (720) 441-6820.

 

So, until the next podcast, I am Tom Mighell.

 

Dennis Kennedy: And I am Dennis Kennedy, and you have been listening to The Kennedy-Mighell Report, a podcast on legal technology with an Internet focus.

 

If you liked what you heard today, please rate us in Apple Podcasts, and we will see you next time for another episode of The Kennedy-Mighell Report on the Legal Talk Network.

 

(00:39:54)

 

[Music]

 

Outro: Thanks for listening to The Kennedy-Mighell Report. Check out Dennis and Tom’s book, ‘The Lawyer’s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together’ from ABA Books or Amazon, and join us every other week for another edition of The Kennedy-Mighell Report, only on the Legal Talk Network.

 

[Music]

Continue Reading