Special Guest: Larry Port
Download this Episode:
These days, cyber security is no joke. I feel like we’ve actually started to expect that we’re going to find out that our personal data has been stolen by some hacker operating out of a warehouse in China or a bar in Moscow.
As lawyers, it’s even more frightening. We’re not regular business people. Because of our role, there’s simply more at stake. We’re under ethical obligations to keep our clients’ data confidential. It’s all part of being trusted with a lot of information. Information that is valuable to someone else.
Protecting your clients’ confidential information from a cyber attack has to be one of your top priorities as a lawyer. Yet, as I speak to lawyers about cyber attacks, one thing that I’m struck by is how little most of them are aware of the nature of the risk. As I spoke to Larry Port, CEO of Rocket Matter, I wondered about that, and I think he makes a great point:
Fear is a Terrible Motivator
I’ve spoken about cyber attacks in front of a couple different groups of attorneys, and I have to say that even I was amazed at how easy it is to scare the living daylights out of those in the room by talking about the threats. Yet, months later, I’ve not run into a single person who immediately went back to their law firm and instituted more security.
While I figured that it was a combination of factors, I began to realize that basic fear is a terrible motivator. Particularly because it’s visceral – it induces action immediately, but it also goes away as soon as the immediate threat is gone.
In order to convince attorneys to implement better security at their law firms, and better protect themselves from cyber attacks, it’s essential to demonstrate the strategic and business benefits. That, as you might have guessed, has it’s own hurdles.
Lawyers Receive No Business Education
One critical task of setting up defenses against a cyber attack in any business is the ability to effectively delegate. How many of you know lawyers who are amazing at delegating? Exactly, none of you. So there’s strike one.
But it’s more than just delegating, it’s operating under the mindset that we’re running a business. The thing is, most of us already have an entrepreneurial mindset. Keith Lee, author of Associate’s Mind wrote so perfectly, it’s not that attorneys are suddenly being forced to be entrepreneurs, it’s actually that law schools are suddenly discovering that their graduates actually have to run businesses when they graduate.
They’re also shocked, SHOCKED, to discover they’ve been lying about post-graduate employment.
Lawyers don’t generally lack in entrepreneurial spirit. However, our general education on the finer points of running a business, including effectively delegating tasks, is something we were never taught. And the lack of training to running a business really comes back to bite us too:
- Over 88% of practicing lawyers are in a law firm of 25 or less;
- The majority are in law firms of 5 or less;
- The overall skill level of in-house IT staff in law firms varies widely; and
- Potentially worse of all, we tend to think that we know more than we do.
When it comes to preparing for a cyber attack, this can be a dangerous combination. Fortunately, there are steps you can take. First and foremost, you can hire a third-party IT vendor. But in the long run, you need to get over what I call the “awareness hump.”
The Awareness Hump and Cyber Attack Readiness
To protect yourself from cyber attacks, you need to understand what enables breaches in the first place. Once you understand the nature of the vulnerability, and you’re cognizant of the risks, you’ve gotten to the top of the mountain. It’s really all walking downhill after that.
You need to know these three ways to better protect your law firm from a cyber attack:
1) Strong Passwords are Critical
Some of the biggest breaches in recent memory have been the result of bad passwords. JP Morgan Chase lost personal financial information on millions due to bad password management. Sony Universal wisely kept all of their passwords in an unencrypted, unprotected folder helpfully titled “Passwords.”
You’ll never thwart every cyber attack, but you’re being foolish if you don’t require strong passwords. For some suggestions, check out my White Paper on Cyber Security. You probably also want to rotate them frequently (although there are different schools of thought on this).
Also, strongly consider using a password manager that will keep all of your important passwords and help you create complex passwords to use for new logins.
2) Update Your Software!
If you haven’t heard about zero-day vulnerabilities, you really should look them up. From the day a piece of software is released, there is a whole cottage industry – around the globe – that looks for vulnerabilities in the code. Once found, there is a whole black market where the vulnerabilities can be sold. A software company can’t fix what they don’t know about.
However, once discovered, it is usually a software company’s first priority to patch the vulnerability. That’s why security updates are so time-critical. You’ve probably passed on a recommended security update before, everyone has. However, there’s a reason those updates are urgent.
It’s possible, even likely, that the reason the update was created was to protect against a vulnerability that hackers are already exploiting. So ignore your next update at your own risk!
3) Understand Your Greatest Threat
It’s not Russian hackers. Unless your computers hold all the technical details to our missile defense system. In that case, yes, it’s Russian hackers.
This guy… but with a computer.
Your biggest threat is your own employees. Two particular types of employee can make you extremely vulnerable: 1) the disgruntled employee, or 2) the blissfully ignorant employee.
The best possible example of a disgruntled employee is Edward Snowden. In what was possibly the biggest breach of sensitive information in history, one disgruntled employee blew the lid off of the intelligence-industrial complex. Personally, I think what he did was heroic, but you get my point.
A disgruntled employee might actively interfere with your security – not actively assisting in a cyber attack (although you never know), but certainly helping along the chances that one will be successful. You should always be aware of the signs of a disgruntled employee.
The other type of employee, however, might be a greater risk. The blissfully ignorant employee answers inappropriate questions about your law firm when people call. This employee leaves the password to the system on a post-it note stuck to the computer monitor. Worst of all, this employee has NO idea how bad a cyber attack could be.
You don’t necessarily know who has access to your office. But of those you do know, how much do you want them having access to your sensitive passwords? Your former employees? Your blissfully ignorant employee’s family? The cleaning crew? Your landlord? Physical theft of sensitive data is much more likely than someone hacking a password from overseas!
In the end…
Resilience is as important as protection. You can do everything possible to keep intruders out, but if you haven’t come up with a plan of how to deal with someone once they’ve gotten past your defenses, you’re in trouble.
You also need to be able to discover that intruders are even there. The Sony Universal hackers were in Sony’s system for an entire year! If you’ve ever wondered how they got that much info, that’s how.
So keep yourself, and your staff, informed. Keep your eyes open. Oh, and check out Larry Port’s new book. It’s coming out later this year I think!