Security is critical for law firms, especially with so many people working remotely these days. While where work happens may be changing, the need to be clear on security procedures and tools hasn’t changed. We spoke with Henry Dicker, Senior VP of Client Engagement at Lowers Forensic International. Having served for more than 20 years as ALM’s Vice-President of Global Consulting, where he earned the name “father and architect” of LegalTech and CyberSecure, Henry was the right person to help us find out everything law firms need to know about how to protect themselves, including tools, tips, and processes.
This session was an Ask Me Anything (AMA) format webinar hosted by CosmoLex Director of Marketing, Joshua Goldberg.
Joshua Goldberg (CosmoLex): So we’ll go ahead and get started with – Who is responsible for security?
Henry: You know, much of what we go over today is really going to be common sense. You’ve all heard most of this or all of this before. The idea here is, a lot of this is preventable.
Nothing in cyber is 100% preventable, but a lot of it is and there are a lot of factors that determine that preventability. I’ve heard people claim as high as 90% of all cyber breaches can be linked back to the human element.
I’m a big proponent of the doctrine of proactive versus reactive. So proactive is procedural and technology-based, operating procedures, guidelines, technology, whether they be hardware or software. And then the reactive side is recovery response such as ransomware.
Do I pay it now, do I pay it later? And of course, the consequences which are always either compensatory and, God forbid, punitive. And of course, the drivers of all of this, the drivers of this proactive versus reactive is first and foremost cost.
Then there’s the managerial courage for the tolerance of those costs, whether they be business interruption through damages, the downtime of the human capital within your organization, or the immeasurable costs of remediation, especially when you talk about reputational. It’s the biggest and probably the hardest factor to calculate, especially for us in the legal industry.
And then last but not least, the regulatory; everything is always driven by compliance, whether you have issues that you have to be concerned about on GDPR, if you have EU data, or on CCPA, the California Consumer Privacy Act.
Josh: Thank you so much for the context – it’ll help lay the framework for the rest of the questions and presentations that have been pre-selected as we get more questions from the audience. So, with that, question number one is – is it better to manage my own server and security system or rely on a technology provider?
Henry: Well, listen, for our General Counsel friends, when they have a need, go to a forum for an employment process. But in some cases, there’s a different skillset needed and that’s when you go and perhaps look outside of your organization to help in those matters and look at a managed service provider.
Josh: Yeah, and I think actually in this case, my follow-up would be the next question – so is there a way to test the overall security of my law firm?
Henry: Well, there are a couple of different ways and I would tell you that no one can be held up without the other. So you have the pure essence, which is to do an audit of your security, and that would include everything from the touchy-feely pen testing when you go in and you softly knock on the doors and check the validity of firewalls and passwords.
Then there’s the RVA or the Risk Vulnerability Assessment, which is a little bit more hardcore. One is done with knowledge and usually, some of us practitioners will do the other without the knowledge of members of the staff, in order to get a true understanding.
No security program can be tested just episodically. I believe that a true security program – a monitoring system, a 365, 24-7 monitoring system – of one’s IT network, both the militarized and demilitarized zones, is terribly important because let’s face it, after a pen-test or an RVA is taken, 10 minutes later something else could have come up, so a full security program must include a method for continually monitoring the health of one’s system.
As for the remediation policy and the reputation policy, everyone, both proactively and reactively, has to have a policy in place, a standard operating procedure that includes everything from how you’re going to handle notifications to your insurance policy and how often that has to be updated and tested with your professionals on all sides to make sure.
Too many companies take cyber insurance as a safety net and they neglect all the other items in the list. So, insurance should be used to protect your company from all nefarious activity, and always involve your insurance professionals on both sides to make sure that you’re completely up-to-date.
Josh: I’ll speak from CosmoLex‘s side of things or from our experience. From our applications side of things, we do yearly pen-testing of the actual application, as well as consistent monitoring as you talked about.
And the idea of those is two-fold, right? As one is to check the security, but also to make sure that as we’re adding new features and functions and patching, that our software is also not creating any loopholes or issues like that.
So, that’s one thing that people ask when their insurance writer, when they’re using CosmoLex, they ask us, “What is your security? What is your firewall? What has CosmoLex put in place?”
That’s just one piece of our overall security package. But, I can tell you that from a business perspective, what we’ve done as well, is the testing of our organization, the training and educational part of it, as well as periodic actual testing.
One example was just the other day. We had a phishing email or a fake phishing email, I should say, sent out to everyone at the company and the idea of course, is just to see who would click open or look at it. They’ve been trained and drilled and tested on it, but when that real-world example comes up, they still need to put that training to use.
Henry: Oh absolutely. And for the educational portion, a lot of companies use outside vendors to help. You watch the videos, you get familiarized with it, but if you don’t test the employee like you just spoke about, if you don’t put together controlled and understood phishing and spear-phishing tests to make sure that there is a retention of that information, then you’re sort of keeping your head in the sand. So absolutely, I agree with you 100%, Josh, you have to test.
Josh: Question three: What kind of backup should I have for my data and what’s the best way to test my back-ups?
Henry: The three Ps: Patch, patch, patch. Always, always, always be patching. And as far as testing the back-ups, obviously spot-checking, run queries and compare. That’s a good way to test the backups, macro testing data size versus data size.
The idea is to connect your applications to the recovered database and to make sure they’re operating correctly. This is an important test because when you recover systems following a disaster, what people ultimately care about is whether the business applications you’re using are working.
Josh: Yeah. And then I assume that you also are a big advocate for that redundancy? Different physical location redundancy.
Henry: Yes, and there’s also the idea of having backups done with an external hard drive, right? And that external hard drive is only plugged in when the backups are being done, and then it is held off to the side, never to be looked at or run again. And then of course, obviously, there’s what the previous question asked of us: where in the cloud do you keep all those redundancies? Cloud or cold storage, whatever, right?
Josh: I can only speak for CosmoLex. We do consistent mirroring, and then there are two physical backups in two different locations for each of our data sets, so in Canada, there are two locations, then in the US, there are two different locations.
But speaking of CosmoLex, we’re often asked if clients can download a copy of their data to a secure all-purpose server as a copy? The short answer to that is yes. It is slightly more complicated than that, but long story short, the answer is yes.
And then speaking of physical security, since we’ve touched on it a few times, what physical security measures should my law firm have in place?
Henry: Again, the three Ps: patch, patch, patch. Strong and unique passwords; length is your friend, so they say. And multi-factor authentication, whether it be via a sent code or now the new physical-digital keys that they’re using. All of this can be taken up a notch if your company only allows known, managed devices.
And then like we just spoke about before, encryption software, back-up redundancies, external hard-drives only connected when the network is being backed up.
The ABA lists these as governance or policies – people, education, process, response plans and technology. So the security measures, whether you’re a law firm or any other firm, those are the things to think about. Passwords are right now one of the best physical security measures to be put in place.
Josh: Oh, absolutely. I think that using extremely secure passwords and using password management systems to be able to manage incredibly secure passwords is super, super, super critical. I can’t tell you how many people I see use the same password.
Henry: So if you look at it this way, every time you add a character to your password, it raises the level of the difficulty of breaking that password by 10. Alright? So follow this – a 10-character password with all those different variables, that’s 720 trillion character possibilities, which sort of equates into about 720 million password possibilities.
So breaking that is a lot more difficult. We always say, a minimum of 10 characters, 14 is preferable. And again, this is where we talk about common sense – don’t use full words from any known language. Instead, gibberish, so they’re not easily referenced from a dictionary.
And then that slowly folds into the next, which is a two-factor authentication.
There are two types: perpetual, which is like hardware tokens, these two keys, one public and heavily guarded, one privately shared as a dongle; and triggered, which is the new face recognition ID system, or something through a text, an SMS. Right?
Josh: Google, for example, implemented a physical key, a dongle as you were talking about in their organization a couple of years ago. And they saw not only a reduction in the time it took users to authenticate, but the number of failed authentications fell to zero. So, they essentially tightened up their process exponentially just by moving to a physical key.
So they are the be-all, end-all. Two-factor authentication using SMS codes and stuff like that is great. There are vulnerabilities to that, so changing your password often is huge.
But, one quick caveat to that, obviously, is that SMS is a perfect example of hackers or bad actors who are able to get access to your SIM card and then they get the code to their phone. So, no security is perfect, but following the tenets and pieces help.
People ask us all the time about our security but what we often tell them is that your only security is your password.
Henry: You know, one of the things that also is sometimes lost, but often asked – is it safe to have my employees use their own devices? And the short answer is, yes and no.
If you’re going to do it, put the following in place: complex passwords, restrictive access in places, and then you’re getting to talk about the VPN and very sensitive firm data. And then encryption software that allows the firm to wipe those devices in case of loss, theft or, let’s face it, sometimes separation.
Josh: I think that that’s one argument towards the cloud side of things as well, is that the ability to restrict access and the ability to take away access becomes exponentially easier when you’re not dealing with physical installs.
Moving on though, does my law firm need to be concerned about ransomware?
Henry: Yes, of course it does. So the best thing I could say about it is use network intrusion detection systems, use some NIDS, because along with the client-side agent, you need to be looking for ransomware all the time.
We spoke about it in earlier slides, it’s a disruption of business. And you’re sitting back there waiting to get back to work – how long can that be tolerated?
The ways of remediating against ransomware are something that should be spoken about, tested, talked about, implemented every single day. So, yeah, bottom line, be very concerned about ransomware.
Josh: Question six, What are some data security policies that all law firms should have in place?
Henry: Always, always, always: VPNs, privacy, security, encryption, anonymity, firewalls, email security systems, the ability to report emails, continuing education. There’s plenty of software out there as well. It almost falls back into, what’s the most secure way to handle sensitive communications and files with your legal clients, right?
Do everything that we spoke about on this call. Have a CPO, a chief privacy officer, either on staff or on call. If you have to outsource chief security officers, outsource cyber MSPs, have SOC, security op centers.
A forensic accounting firm and an audit firm, they never audit their own books and neither should you. IT should allow and welcome forced audits into their environment and those are the types of security policies that all law firms should really have in place.
Josh: So should the lawyers in my office use a VPN when connecting and sharing data?
Henry: Well, hopefully, if they’re inside the firm, they’re already using a VPN. So let’s assume that this question means when they’re outside the firm.
So there are a couple of different ways. There’s proprietary VPNs, ones that your firm or your company has put together. There are third-party VPNs, many of them out there, and then there are remote desktops.
All VPNs allow law firms to protect clients’ confidences as well as transferring and storing data. It’s a great competitive advantage.
Don’t go by the pool when you’re at the resort and click on resort pool Wi-Fi. Use encryption. The encryption scrambles the data, so if it’s intercepted, the interceptor can’t read it.
VPN encrypts all data by default. So when it sends, it decrypts it upon receipt.
Josh: Yeah, so one question that I hear a lot is that these VPNs are often difficult to set up or difficult to manage or work with. Are there any sort of suggestions that you have towards that, aside from hiring a firm?
Henry: Again, you’re talking to a provider. And so I’m always going to, especially in this situation where you’re talking about the conduit of data, say you need to look at the experts for the advice on whether you’re going to be using proprietary VPN or whether you’re going to use a third party or like we said before, whether you’re going to go to something like a remote desktop, which then falls back to the whole security of Cloud and AWS. It’s this wonderful cyclical merry-go-round that we’re dealing with today.
Josh: Have you seen a significant spike since the start of the pandemic and people reaching out about these types of things or trying to understand how they work?
Henry: Absolutely. Listen, right now, we’re approaching what the world knows as Cat season, C-A-T. So catastrophe season. So, hurricane disruption, tornado disruption, environmental and physical disruption.
These are going to be things that are taken advantage of because it takes the concentration and the eye off of one thing and then allows another thing to be vulnerable. So yes, there has been a rise with this local pandemic and that’s not my opinion. That’s just common knowledge. They’re talking about it every single day, and it’s true.
Josh: From a cloud perspective, we’ve seen that people who previously had no idea or had no plan in place, sort of scrambled when moving to the cloud, when moving to the sort of remote and working from home and not being able to be in an office.
One thing that we take a lot of pride in as a company is that on a Friday afternoon, we decided we’re not coming back to the office on Monday. And on Monday, we didn’t skip a beat. And we have people in four different locations, three different countries, and just to make that decision, in essence, on a whim before the states or governments took action, it was really a test of having that really detailed plan in place.
So even if you don’t have a VPN set up right now or you don’t have a solution, you should honestly plan and consider one. Maybe you weren’t affected by the pandemic, or maybe you weren’t affected by this – you’re still going to the office or whatever it may be.
But I think it’s critically important to have that plan. We talked about hurricanes, typhoons, tornados, things like that. These things happen – you can’t plan for them but you can plan accordingly.
One question we had come in is – do you recommend a VPN if one is using CosmoLex? Do you encrypt that in transit?
So I’ll let Henry answer the question of – should you use your VPN with other cloud providers? But to answer, CosmoLex specifically, yes we encrypt your traffic in transit.
So there’s a 256-bit SSL that’s encrypting data coming back and forth between your connection, but we also take some additional security measures on the server itself. One of those is encryption at rest. So essentially, if you’re not accessing the data it’s also encrypted on the server itself. So even if someone were to access our server or compromise our server one way or another, the data itself is also encrypted.
Henry: Same thing here. Different criteria and different tolerances, but absolutely the same.
Josh: Perfect. So, how do I know if my firewall or email filtering mechanisms are really keeping threats out as they should?
Henry: Obviously, pen testing should be performed. We recommend quarterly external vulnerability and pen-testing.
For example, having the ability for users to report emails that were missed by the filtering system. Again, continual education can help users identify malicious emails. You can’t be 100% sure if the firewall is working with the email filtering system correctly.
All you can do is continually report things that look outside of the realm. But without doing the quarterly pen testing you really can’t know whether or not the firewall is testing. And there are some people who test a firewall more than just quarterly, and there are some people that put a solid demilitarized zone in that basically captures things in the center before it releases it into the public.
To listen to the complete interview, including additional questions that were asked from our live presentation audience, watch Ask an Expert: Security Basics for Law Firms.