Stephanie Everett leads the Lawyerist community and Lawyerist Lab. She is the co-author of Lawyerist’s new book...
Zack Glaser is the Lawyerist Legal Tech Advisor. He’s an attorney, technologist, and blogger.
Sara is our newest Lawyerist team member and our newest Lab coach. She is a certified life...
Published: July 4, 2024
Podcast: Lawyerist Podcast
Category: Legal Technology, Practice Management
Stephanie talks with Zack about tech things you should know but might be too afraid to ask.
They get into the why behind password managers, discuss the necessity of two-factor authentication, and bring some clarity to different types of encryption. They also discuss how artificial intelligence is making security fundamentals even more important.
If you’re confused about passwords and access control, or just want to make sure you’re handling them well, you’ll want to check this episode out.
Links from the episode:
If today’s podcast resonates with you and you haven’t read The Small Firm Roadmap Revisited yet, get the first chapter right now for free!
Special thanks to our sponsor Lawyerist.
Announcer:
Welcome to The Lawyerist Podcast, a series of discussions with entrepreneurs and innovators about building a successful law practice in today’s challenging and constantly changing legal market. Lawyerist supports attorneys building client-centered and future-oriented small law firms through community, content, and coaching both online and through the Lawyerist Lab. And now from the team that brought you The Small Firm Roadmap and your podcast hosts
Zack Glaser (00:35):
Hi, I’m Zack.
Sara Muender (00:36):
And I’m Sara. And this is episode 512 of the Lawyerist Podcast, part of the Legal Talk Network. Today, Stephanie talks with the one and only, well, not the one and only legal tech advisor, but Zack, you about some digital security fundamentals.
Zack Glaser (00:53):
Yes, yes.
Sara Muender (00:54):
So Zack, I just have to jump in real quick because I was reading over the podcast brief for this episode, which is kind of like our one pager of everything about this episode, and I saw some funny things there that caught my eye. And we have this section in it for some possible brainstorm ideas or topics or even brainstorm of possible titles for this episode. And I just have to go through these really quick because I dunno which one we’re going to end up with. So if you’re listening to this, you can see the title and you can see what we ended up with. But okay, here we go. Some possible brainstorm titles. We put the fun in fundamentals of legal tech. That’s decent. It’s cute.
Zack Glaser (01:43):
Yeah, yeah, keep in mind that I usually do about 10 to 15 potential titles for every one of these episodes.
Sara Muender (01:50):
So some of ’em are stretch, but I could came up with this list then.
Zack Glaser (01:53):
Yeah. Yeah. This one’s Zack. This one’s the same person that brought you pain and the SaaS came up with these.
Sara Muender (02:01):
I love it. Wait, was that an episode title of one of our episodes?
Zack Glaser (02:03):
Yeah, that was about two episodes ago with Brit Lish. So myself and Brit Lish, it was choosing SaaS software, so that was a fun one.
Sara Muender (02:12):
How funny. I didn’t even notice that was the title. I listened to it. That was a great episode. Alright, a few more on here. And the fact that you came up with these is even funnier why Zack doesn’t know his passwords. Okay. Alright. All right. And remember people, this is our legal tech advisor, and so there’s something to this, right? Forget your passwords and be safer for it with Zack Glaser. Just buy a password manager for Christ’s sake. And Zack doesn’t know his password and neither should you. I think that I feel
Zack Glaser (02:44):
Right? Yeah, I think that because it’s on two levels, I don’t know my password and you shouldn’t know yours, but you also, I hope you don’t know mine,
Sara Muender (02:53):
And it’s kind of like a warning to all the potential hackers out there to not mess with. Yes,
Zack Glaser (02:58):
Don’t mess with me. And yeah, if you can’t tell, we’ve got a fun episode on passwords and digital security Before we get to that. So this week, Sara, if people were to come by the office, which we don’t actually have an office, we’re all distributed, but if people were to come by our offices, they wouldn’t find us.
Sara Muender (03:18):
That’s right. We are not, believe it or not, recording this live, we have recorded this in advance and that means that we are probably all on the Lawyerist team out somewhere watching fireworks, sitting on a beach, lounging in a hammock somewhere. Hopefully we took the whole week off as a company.
Zack Glaser (03:37):
So just taking a mental health week or vacation week or whatever you want to call it, or a lazy week, a week to think. But this is a week that we took as a company, Affinity and Lawyerist. That way we would all be able to turn off. We wouldn’t have any, well, I’m just going to check in to make sure I’m not leaving anybody hanging or something like that. Everybody gets their stuff done, gets prepped, and we all leave at the same time.
Sara Muender (04:03):
I think it’s a great idea. I personally am really grateful for it. I remember when our leadership team announced last year at our all firm retreat or all team retreat that we were going to all take off the whole week of July. And I was just like, wow, that’s next level. That’s awesome for our team members. Everybody needs it and therefore you should all take a week off somewhere in the year as well.
Zack Glaser (04:25):
And I mean, if you can’t quite take a full week off with your team and you don’t have to go anywhere with your team, but even if you can’t take a Friday, take a Thursday and Friday, take a five day weekend with your entire team and have everybody be out, you can probably plan that.
Sara Muender (04:41):
And if you need some help trying to figure out how to get to a point where you and your whole team can take a week off, that’s what I’m passionate about, helping you build a business so that you can live your life and your team can live their life. So we’d love to coach you in lab on that and well, I hope you are enjoying your week off. I know I will be. And now here’s Stephanie’s conversation with Zack with you.
Zack Glaser (05:09):
Hey y’all, Zack, I’m the legal tech advisor here at Lawyerist, and I spend a lot of time talking to people about technology in their law firms and how to use it, how to best use it, and how to not get completely sideways when trying to stay ahead of the game.
Stephanie Everett (05:26):
Yes. I shouldn’t say welcome to the show, Zack, since this is our show,
Zack Glaser (05:30):
Right?
Stephanie Everett (05:32):
But we have you in a different role today. You’re my guest. And our thought was that there’s probably a lot of tech maybe slash security questions that lawyers feel like they should know, but maybe you’re a little embarrassed to ask. So maybe we call this the, it’s okay. There’s no judgment zone. Let’s confess to what we feel like we should know. But
Zack Glaser (05:57):
Yeah. Yeah. I like that. When I give CLEs, a lot of times I kind of step out of what I would consider my comfort zone of attorneys that I talk to. And a lot of times I run into people who are asking what I would like to think are very basic questions, but, and they’re things that we need to know about, but they’re fundamental. I think that’s a good way of saying it. So one of the things that I wanted to really bring about was just security, basic digital security in your law firm and hoping to get some of those things that we don’t want to ask about out a little bit
Stephanie Everett (06:37):
Or we know it’s probably in the back of our mind. We know we need to do it, but it feels like it’s going to take a lot of research and a lot of time like, oh, I got to go figure that out. And so we back burner it and yet we don’t need to scare anybody, but the security risks are real. And as a law firm, unfortunately, we get targeted, our clients get targeted and you hear all these horror stories
Zack Glaser (07:05):
We have in our offices, a lot of personally identifiable information, potentially have information about somebody’s medical records, but at the very least, we have a lot of sensitive information. And even without that, we have information that we are obligated to keep confidential, but we have business records from businesses that we’re dealing with. We have payment records, we actually have people’s money. We have people’s money in escrow at times. And so yeah, we are targets because we’re not all set up as, I had a professor in law school who called ’em tall building lawyers. We’re not all set up with a security team. And some of us are out there in rural Tennessee or rural South Dakota or Iowa or whatever. And it doesn’t feel like we have a threat at our door
Stephanie Everett (07:56):
Fair. But we do. Yeah,
Zack Glaser (07:59):
The internet is right there for everybody as soon as you bring it in. And so the first thing I wanted to really talk about though with security is kind of the fundamental aspect of it, the password access, because we all take shortcuts as it relates to passwords, but we have to, I mean ideally we’d all have 16 characters and it would be letters, numbers and different types of characters, but who can remember a random set of 16 letters and characters and all that stuff? You can’t. So you have to write it down. Well, now we’ve just created a problem for our password there. So kind of walking the balance of password strength and our ability to keep it safe is something that I think that a lot of attorneys that I talk to just put their head in the sand with or say like, well, I haven’t had it hacked yet, so must be doing something right. But there are some fundamental things we can keep in mind when we’re dealing with passwords. So one is I think of password protection as two different things. One, we’re protecting it from brute force attacks. That’s when somebody is just sheerly guessing your password. And it’s not actually some body, it’s a program,
Stephanie Everett (09:20):
It’s a computer.
Zack Glaser (09:21):
Oh man, it is stupid fast. I mean, I’ve run these on computers to get into a computer that was old or something like that, and it’s ridiculously fast if you have a small password. But then the other side is somebody just stealing or guessing or phishing our password and that’s like, oh, hey, we have whatever password. It’s a great password, it’s a terrible password, it’s something, but somebody gets it from us by tricking us into giving it to ’em. So we want to come at this from two different places. And I always like to tell people that there’s a huge curve of when your password can be brute forced, like how long it takes to brute force your password. If you’ve got a four character password and it’s numbers, uppercase letters, lowercase letters, symbols, whatever, it can basically instantly be,
Stephanie Everett (10:07):
Yeah, I think we should put this chart that I think you’re probably looking at too, because our team shared it. We should put this in the show notes because nothing got my attention more than seeing this. There’s a team out there, and they did this analysis and said, how long would it take someone to hack your password? And it was shockingly crazy scary.
Zack Glaser (10:29):
It really is. But it’s also really nice how easy we can get to five years. So for example, numbers only four characters, instant numbers, only 10 characters instant for the most part. But if we’re doing 10 characters and it’s numbers, uppercase letter, lowercase letter, and symbols, five years, it’s that complex. There’s that many possibilities at that point. And then we get into 11 characters, 12 characters. So we don’t have to have these things be 18 characters. And by the way, the highest they did here was 18 characters at numbers, uppercase, lowercase letters, symbols, and it’s seven quadrillion years. So if you want it really, really safe from brute force, that’s the way to go. But what we’re really talking about is 10 characters, but keep them to numbers, uppercase, lowercase, and symbols. And now we’ve got a lot of time before somebody can brute force hack our password and that what we’re talking about is slowing people down. At the end of the day, somebody can brute force your password, just might take some time or some computing power. Which kind of leads us to the second thing of like, okay, well if it’s not guessable, is it a dumb password? If it’s not brute force hackable, is it guessable? Is it obvious? Is it something that somebody is going to get from you by asking you a series of random questions in a Facebook poll?
Stephanie Everett (11:59):
Right. Exactly. Or also I feel worth noting, and I hope I’m going to make my husband listen to this episode. We have this discussion regularly. He has what he considers to be a good password, but he uses it all over the place. And I’m like, dude, when something gets hacked and it gets out there, they set up these programs to go take that password that did get released and go see how many other times you’re using it. And guess what? That’s another. So you may actually have a good password, but if you’re also using the same password for everything, you’re setting yourself up for another risk, right?
Zack Glaser (12:37):
Absolutely. Absolutely. Because let’s say that I use my really, really great amazing password for my bank account, but then I also use it for Joe’s Tire Shop and Joe’s Tire Shop doesn’t have really good security and they get hacked almost instantly. Nothing against Joe, but that gets hacked instantly. So now my email address and that password are out there, so somebody’s going to try that on my stuff and now they’ve gotten into my bank, I have a beautiful password. It’s just been compromised. So that leads us to, you need to have separate passwords for everything. Okay, Zack, 10 characters, numbers, uppercase letter, lowercase letter and symbols. How in God’s name am I going to remember? 150, 200 or even 10 passwords that are like that. Password organizers. You remember one master password?
Stephanie Everett (13:32):
It’s the most beautiful thing. Oh,
Zack Glaser (13:34):
They’re amazing. They work on your phone, they work on your tablet, they work on your computer. We use RoboForm here. Lawyerist Affinity. We use RoboForm. We’ve used Dashlane. I use LastPass personally, and I have different master passwords for both of those, but then I don’t even have to think about my password. I have no idea what my email login to Microsoft password is for our office. Not a clue.
Stephanie Everett (14:03):
Me either, but I have a different, and I actually set it to 15 to 18 character passwords for everything my whole life. I mean, we should talk about this. My whole life right now is in this system and it’s amazing and it remembers it’s so easy. So it remembers from the soccer login to whatever. I mean everything I’ve ever visited is there. I don’t think of any passwords. It generates all them. For me, I’ve had somebody say, well gosh, aren’t you putting a lot of trust into that system? And I’d like to hear what you say. I’m always like, well, it’s their job, so I figure they’re doing better than me. I don’t know.
Zack Glaser (14:45):
Well, yeah, I think the first thing is they’re doing better than me. But the second thing, I heard a quote one time that was, put all your eggs in one basket and defend that basket with your life. Have a really good password for that. Have a really good system. We know where everything is. We can set up defenses for this. And I’ll tell you the one that I set up because you can say, well, what if LastPass hacked? Okay, yeah, what if LastPass gets hacked? First thing, you have to use an organization that is willing to tell you when they do have that happen, then have a folder in there that says extremely important stuff. It’s where your bank account is, where your email is, all that. And as soon as you hear about it, go in and change those passwords, those 10 passwords, and then start changing the passwords beyond that.
(15:34):
But let’s have our most important stuff. So as soon as you hear that blah, blah, blah, password manager was hacked, go in and change those. So now, well, okay, they got old information and that’s the idea. We want people to get old information because they’re going to get information from us somewhere. The other though is that these organizations, so if they hack the organization, okay, that’s one thing they’re going to tell us, well, what if they brute force my amazing password? That’s why we have a second guard at the gate. We have two gates here. One is the password and the other is two-factor or multifactor authentication.
Stephanie Everett (16:11):
Okay, can I stop you for just a second? Yeah, I do want to go there next, but just on the password thing one more time before we jump off, that these tools are so easy to set up for teams, and so as an owner of a firm, what happens when Betty Sue or whoever you’ve got leaves and you’ve shared passwords with them. So I just want to also highlight that these tools, one of the reasons our team uses it is we can only share a password through this system. I’m not allowed to just send Zack an email with the password, so then it’s all encrypted or whatever. It’s all protected. And if an employee leaves with a click of a button, we could go in and cut off access to whatever. Even if I had a personal assistant and maybe I shared some of my personal stuff with that person because I was willing to, they have my Delta account, I don’t know.
(17:03):
They have whatever these systems are set up where they can’t even view the password. You can set it up where they can only type it in, use it to log in, they can’t even see it. And so then with a click of a button, you can go and change all their access and cut them out. And so it’s really amazing. There’s a lot of reasons that you should just, if you don’t have one of these tools right now, please go get one and start using it. You can share it with your family and your coworkers and it changes your life.
Zack Glaser (17:34):
Yeah, I think that’s a good point to kind of harp on because this is a hill I will die on. You do people often ask us, what technology do I need? I will say that you need a password manager. You are not doing well if you don’t have some sort of password manager. Now Apple has Keychain, so there are password managers that you might be using, but a team password manager is huge. The other issue that we get into a lot of times when you’re sharing passwords is, well, what about my multifactor authentication? What about when it sends the six digits to this? Well, you can set up the multifactor authentication that can be shared through that password. So we have the six digits, the second factor come through that password system also. So when somebody shares access, they’re sharing that password and the ability to get that multifactor authentication as well. So it just helps. It just helps.
Stephanie Everett (18:27):
So now let’s talk about that. The two-factor authentication.
Zack Glaser (18:31):
So two-factor authentication and multi-factor authentication. So they’re used interchangeably for the most part, but multi-factor authentication, the whole concept is that you have a thing that, and a thing that you have. The thing that is the password, a thing that you have most of the time is a specific phone that has been validated, that’s been verified, or a phone that is connected to a phone number, but it could also be a thumb drive that gives you a code or something like that and the code that you’re entering in. So what happens is you put a password in and then you hit enter. We go to another thing and it says, please put in the six digit, eight digit whatever code or validate this in some ways. So the code is really just saying, I have this thing and the code changes on a series. So the six digit code that’s sent to you via text message is going to be different in five minutes.
(19:29):
Great. That’s what it’s supposed to do. Or the six digit code that’s sitting in your multifactor authentication app. So Microsoft, Google, LastPass, all of these password generators and whatnot have these apps that’ll let you set up this multifactor authentication. And what you’re basically doing is validating that you have your phone or validating that you have a thumb drive. I do like to say the caveat that we talk about two factor authentication as kind of that text message. The text message is the least secure of all these, but I’m not going to keep somebody from using it. I mean, if you’re using a password and even a text message, two-factor authentication, you’re ahead of the game. But those can be hacked a little bit easier than an app.
Stephanie Everett (20:13):
Okay, I use that a lot. So what’s the better standard? Where should I be looking to move towards?
Zack Glaser (20:20):
So the better standard that is really approachable for small to medium sized businesses is using an authenticator app when it’s available. So not everything that you use will let you use the app. So I have an authenticator app that for my login at work, I have to go to the authenticator app every day and it seems like a pain at first, but then it’s just like this is my system, this is how I do it. I type in a password and I in six digit character or six digit number, and then my banking system, I have the authenticator app. Things that are pretty important to me, things that let me do it, but some of the things that I have are just regular two-factor authentication. What’s set up my Adobe is probably just regular two-factor authentication. And that’s okay. It’s just if somebody was really, really trying to get your stuff, that’s a little bit easier.
Stephanie Everett (21:14):
Okay, that’s good to know. But it’s good. Get it set up and you have that app. That’s what we use. So every day I just have to make sure I have my phone at my desk. I mean it does make you need to have that phone so I can get to the app.
Zack Glaser (21:28):
It does, but I’m going to have my phone anyway. Now we have had some things where somebody’s like, I don’t have access to my phone. Well, we can figure that out. We can go through our tech team and figure that out. A lot of times there’s a second way, oh, I don’t have access to my phone, so now you’re going to have to answer security questions and something like that. Okay. The beauty of the two-factor authentication, and this is what I really like about it, is that I could tell you my password right now, Stephanie. I could say, Hey, here’s my password for my email, and you could log in, but you couldn’t log in. You could attempt to, and then it would send me either send me a two-factor text message or you wouldn’t have access to that application and you wouldn’t be able to get in. So if my password is somehow brute forced or phished or something like that, now I have a little bit of time, I have some time to go change it or people are locked out. That’s the beauty of it.
Stephanie Everett (22:25):
Awesome. What else do we need to know? So these are the basics. These are the must haves. I think we can agree that you absolutely need in today’s world, get your password manager and get it for your team. And I’ll just also share, educate your team on how important it is that they use solid password strength, like the little we use Dashlane or RoboForm, it tells you if it’s weak, good, strong, and it even gives you a score. And we’ve had to go to our team members, so it’s not enough just to give them the tool. You have to actually teach them and say, use the tool. It’s really important that all your passwords follow this strength level. Yeah, the
Zack Glaser (23:06):
Structure. Yeah, the strength level. Because yeah, you could be using a password manager, but all your passwords in there are password123. Right? I mean, what do you think the system is going to guess first in a brute force system? Yeah, and it takes a minute sometimes to shift away from, okay, well these are all things that I can remember and all my TV related apps have this password. Well, no, let’s just go in and change all the passwords here. And yet the program makes suggestions. You can tell it, like you said, you’ve got it at 12 or 14 characters with all the different types of characters. Okay, great. That’s what you’ve set it at and it’ll always suggest a password with that level of complexity.
Stephanie Everett (23:48):
Yes, highly recommend that. It’s so easy. I don’t know why everyone doesn’t have them. By the way, we just set this up for my in-laws because we realized that’s crazy. I don’t know what they had. They were writing stuff down, who knows what they were doing, but we went in, set it up for them and then you can even assign, and I’ll stop talking because I’m not going to say this right, but we were sort of thinking about their estate planning. So now estate plan, you can include this and you include a way for someone if you die, these are things that people are going to need unfortunately when you die.
Zack Glaser (24:23):
Yep. I think that’s a fantastic way to use this as well as an attorney, as an estate planning attorney advising your clients to do that I think is huge. And I am going to go ahead and figure that A lot of estate planning attorneys have figured this out, but if you haven’t, that is a great thing to be suggesting. And yeah, I’ve set it up for my parents and my wife and I have shared accounts and it just takes a lot of pressure off of passwords.
Stephanie Everett (24:50):
Absolutely. Okay. What else do people need to know about that they’re probably not thinking about or think they should know about, but maybe they don’t?
Zack Glaser (24:57):
Yeah, so passwords keep us from being able to access something, but in order to make that even mean anything, you have to have things encrypted. So encrypting, it’s what you think it is. I mean it’s taking the information, mixing it up in a manner that can be unmixed. You can unpickle the cucumber, but you have to have all the appropriate stuff to do it. I guess it’s more like putting the toothpaste back in the tube. You can technically do it.
Stephanie Everett (25:24):
It’s tough. I was wondering. I was like, can you unpickle a cucumber?
Zack Glaser (25:28):
Yeah, I don’t think you can. But yeah, I think it’s more like putting the toothpaste back in the tube. It’s really difficult and you probably need the right tools. So when something’s encrypted, what it means generally is that when somebody doesn’t have authorization to view it, then it’s going to look like gobbledygook, which is obviously a technical term. So it’s going to look like gobbledygook and people for the most part aren’t going to be able to kind of brute force unencrypted like back. So when I haven’t given somebody access to a file, if they look at it and they try to get access to it without going through the right channel, then it’s just going to be a garbled mess. So great. It’s encrypted so nobody else can see it. But there are two ideas of encryption. One is something when it’s encrypted at rest and the other is encrypted in transit.
(26:21):
And that’s what I want to get through to people here is that encrypting something while it’s sitting on your computer essentially means you encrypt the folder or the file or you put a password on it or something like that. So if I’ve got encrypted folders on my computer and somebody logs in and they’re not me, they’re not going to be able to see those files, they’re not going to be able to access it, and even if they are able to technically access it, they’re not going to be able to get the data out of it. So that’s encrypted while it’s sitting there. So for example, when you have your information on a law practice management system stored in the cloud, that information while it’s sitting there, while it’s at rest is encrypted. So if somebody just comes across the information, unless they have the ability to log in and to access it, they’re not going to be able to see it.
(27:08):
It’s going to be garbage to them. The other is in transit when you’re sending it from one place to another. So an email being sent from me to you is not encrypted. Now I can encrypt the package, I can encrypt the load, I could encrypt the file maybe, but for the most part, the email in a normal sense is not encrypted. So if somebody came across that email, they’d be able to read it. If somebody intercepted that email, they’d be able to read it. But if you and I create a system and we encrypt that pathway, so we encrypt it in transit, then people aren’t going to be able to see what it is I’m sending to you. They’re going to be able to see potentially that I sent something to you, but they’re not going to be able to see what I’m sending to you.
(27:51):
So most email is not encrypted, but you can get encrypted email. Most text messages are not encrypted. So if somebody comes across your text message and it’s not encrypted, they can read it, but if you send it via an encrypted system like Signal or something like that, then it’s packaged as an encrypted thing. So while it’s moving, it’s encrypted and then when it gets to its destination, you need it to be encrypted at rest as well. So the way that this comes into play is that if you think about your law practice management software, you’ve got your stuff in the cloud and the system says, Hey, we are encrypted at rest. We encrypt your data. We have it on an AWS Amazon server and it’s protected, it’s password protected. We can get into it and then we say, okay, but I’m accessing it from somewhere that’s not that physical location, so it has to be in transit at some point.
(28:46):
So that information has to move back and forth. Well, only the information that is being moved that you’re accessing is actually potentially going to be accessible while in transit. You need to make sure that that is HTTPS tells us that that area is secure, that internet is secure. So if you see the lock in your URL, that’s telling us that we have an encrypted transit there, so that information is encrypted where it’s sitting, it’s encrypted in transit, and then I had to have a password to log into it, and then I had to have two-factor authentication to authenticate that I’m the right person with that password. That’s our kind of four layers of security as it relates to our offices and really as it relates to specifically cloud-based computing, we want to make sure that all those points, because in our office, if we have things encrypted here, well, we don’t really have public transit. We’re not really kicking things out to the public internet, but when something’s coming from an AWS server in Virginia to my house in Tennessee, it’s going literally long distance over public internet spaces and potentially even over private areas that somebody else some organization owns. And there are ways of accessing that information between here and Virginia. And so we want to make sure that it’s protected in all four of those points.
Stephanie Everett (30:10):
If an attorney’s sharing information with a client through a portal, I know a lot of the practice management solutions now have built-in client portals. I assume that it’s protected if it just stays in there. I’m just going to send you an email that says, go to the portal and look for this information.
Zack Glaser (30:28):
Yeah, I’m glad you said that because that’s the important part of this is that I want to say if you’re sending sensitive client information just to your client via email, and it’s from Zack at Zack law firm.com, and it goes to [email protected], I have no idea what kind of security they have on their email. We’re not encrypted in transit. It’s probably encrypted at rest because our Google and Microsoft are doing that. But yeah, so I don’t want to send sensitive data that way, but I do want to send a thing that says, Hey, log into your portal because the portal then, let’s say that it’s a law practice management software. That information is sitting there at rest encrypted, and then the way that we’re accessing it is encrypted, and then the client had to log in and had to validate that they are them. And so that is a much, much safer, much more confidential way of sharing information, and that’s why these client portals are important.
(31:29):
This is one that irritates people when I talk about it because it’s annoying to clients. I don’t want to log into another thing. Okay, well let’s figure out what client portal is the easiest way to do it. And I’ll even do what I call a poor man’s client portal, and that’s have a folder on my SharePoint that I share with that client. I know that it’s encrypted going to them. I know that it’s encrypted sitting on my SharePoint, and I know that I’ve granted their email address access and that they have to validate that they’re coming from their email address. And so I’ve at least added a level of encryption and security on there better than, Hey, here’s the file, or please send me those photos or please send me those notes you took, or something like that in an email.
Stephanie Everett (32:14):
Yeah, I think it is annoying as a client. I know my CPA obviously has a client portal, and so I always have to, that’s an example of one I can think of that I have to go to regularly, but I think if the CPA or the lawyer in this case had just said to me during our intake process, Hey, we’re setting up this portal for you. We know you’re a super smart person, but you may not realize that every time we send each other emails, it’s possible for anyone in the world to see that information. So that’s why we want to make sure your information stays private and that’s why we put it here. I think we assume people know that. And so just explaining the why to your client, probably most people would be like, I didn’t know that. You mean in even my text, what people could read my text messages? Who wants to read my text message Google? Well, I don’t know, but somebody out there assumes you’re a lawyer and you’re probably, they should read your text messages. So I think just giving those clients a little bit of the why and a little an explanation will make it more tolerable for them and they’ll be more willing to do it and understand what you’re asking them to do is a good thing and it helps them.
Zack Glaser (33:24):
Yeah. Yeah, I like that. Just put that as part of your intake and you kind of just have to do it. But yeah, put that as part of your intake. Know that you’re going to have to train them up on a little bit. And I think we can kind of ride the wave of other client portals. My doctor’s office has a client portal, like you said, your CPA has a client portal. We just need to make ’em things that needs to be obvious. They’re there and it needs to be easy to use.
Stephanie Everett (33:47):
Alright, well as we kind of wrap up, it feels like maybe we just need to also just address AI pretty quickly. What do we need to know about this new layer and how it might impact things?
Zack Glaser (34:00):
So I don’t think you can get out of a legal tech conversation right now without at least addressing artificial intelligence. It’s the elephant in the room, and it does come into play here in two ways, in my view, at least for small to medium sized law firms. One is you need to be thinking about the fact that people can do this, they can do the phishing a little bit more easily. You and I have talked about some ideas on advanced phishing techniques where somebody could use artificial intelligence to dupe our voices or something. And so you’re getting phone calls from the attorney to say, Hey, change this trust account. Okay, well we need to be thoughtful about that and to have these security practices, these security protocols in place in the first place, and then potentially add some security like our own personal passwords like you and I have talked about.
(34:48):
And so just knowing that artificial intelligence, some of these tools that are out there are helping people be better at phishing and stealing your passwords even beyond brute force. The other is that from the use of the artificial intelligence tool. So if we’re using an LLM and we’re granting it access, let’s take Copilot for instance. If I’m using Copilot in my office and I’m personally using Copilot in our office, it has access to anything my user has access to. And so if I don’t want Copilot to have access to client information, I can’t use it from a user that has access to that information. So we need to be thoughtful about what it is we are granting access to when we are granting access to artificial intelligence. So we need to be thoughtful about all these encryption ideas and access ideas and passwords and sharing folders when we’re adding artificial intelligence, which is something just extremely powerful. It’s going to exacerbate some of our security issues, but if we get the fundamentals and we understand the fundamentals, there’s not much that it can exacerbate them.
Stephanie Everett (36:02):
Yeah, I think that’s great. And I mean, I was just on a call with a Labster this morning and they were like, Hey, could you just audit my SharePoint? I feel like I need to make sure it’s set up the right way and think thoughtful when it comes to turning on Copilot. And I was like, yes, that is something we will have available in the future because that feels like something Affinity for sure needs to have an answer to. We already knew we needed an answer to it. I just don’t have it quite scoped and priced yet. But if you’re listening today and thinking like, gosh, this would be great to get some help. I mean people in our Lab community get access to Zack and our other legal tech advisors and you actually help people. You look at this and help them set this up, which is amazing. But I think even just all the stuff you gave us today, it’s not hard. Don’t put your head in the sand and I guess is my departing message is get a few things in place, you can do it and get your team healthy too, because it’s too important to ignore.
Zack Glaser (36:59):
Yep, absolutely.
Stephanie Everett (37:01):
Alright, thanks Zack.
Zack Glaser (37:02):
Thank you. Thanks for having me. Thanks for having me on this side of the desk.
Stephanie Everett (37:05):
Yes, always a pleasure. We learned so much. We’ll do it again. I know we didn’t get through everything, so we’ll have to do it more.
Zack Glaser (37:11):
We’ll be back. I’ll be back on the show sometime. Thanks, Stephanie. We’ll see
(37:17):
The Lawyerist Podcast is edited by Brittany Felix. Are you ready to implement the ideas we discussed here into your practice? Wondering what to do next? Here are your first steps. First, if you haven’t read The Small Firm Roadmap yet, grab the initial chapter for free at lawyerist.com/book. Looking for help beyond the book? Let’s chat about whether our coaching communities are right for you at lawyerist.com/community/lab for more information. The views expressed by the participants are their own and are not endorsed by Legal Talk Network. Nothing said in this podcast is legal advice for you.
The Lawyerist Podcast is a weekly show about lawyering and law practice hosted by Stephanie Everett.