by Brian Focht | Jan 18, 2016
Cyber security is a serious issue for law firms, if a bit of an existential one. It's hard to fight what you can't see, and harder still when you don't even know what it is you aren't seeing. And as a profession, we certainly don't set ourselves up to look good when the worst happens. Any business faces numerous challenges in 2016, and defending against hackers sits near the top of the list. Cyber security is a difficult issue. But it's an area where lawyers and law firms tend to do pretty badly. Embarrassingly so. Here are 9 Ways Cyber Security will Embarrass Lawyers in 2016:

1) We Live in a "When," not "If," You'll Get Hacked World

Most law firm cyber security plans revolve around what happens "if" a breach occurs. That isn't necessarily a bad thing (at least it shows they're thinking about the possibility of a breach), but this type of planning is necessarily incomplete. Planning for a possibility and planning for an eventuality require two different mindsets. "If" your firm gets hacked lets a firm plan around the hope that it won't, in fact, get hacked. Acknowledging that it will happen forces decision makers to confront the tough decisions they'll have to make. Unfortunately, the likelihood of your law firm getting hacked is pretty high. As far back as 2011, 80% of the Am Law 100 had reportedly suffered a breach. (How much do you want to bet that number is higher today?) Sadly, most small...
by Brian Focht | Jan 11, 2016
How many times have you visited another law firm and had trouble connecting to their WiFi? If your answer is anything other than "every time," you obviously don't use WiFi networks all that much, or you rely entirely on your device's cellular connection or a hotspot. Which is kind of dumb if they're offering free WiFi. Thing is, everyone else has the same problem when they come to your office. Come to think of it, you have that problem in your office! You've just looked past it because you can plug into the ethernet cable at your desk. No worries though, you're used to being chained to your desk anyway!

Fortunately, there are some basic steps you can take to improve your office's WiFi network without having to make (major) upgrades to your equipment. Here are 12 Easy Tips to help you Boost Your WiFi Network Like a High Tech Professional:

WiFi network strength and security matter a great deal to your law firm and to your duty to protect your clients. They also matter to the whole "getting shit done" part of your job. The heart of your WiFi network is your wireless router, the most common culprit when an office's WiFi has turned to crap. Fortunately, that means fixing your crappy router can do a lot of good. Call your IT person and they'll charge you for trying these fixes, which you can totally do yourself. They fall into three general categories, the first being...

Location, Location, Location! It's possible, even likely, that your law firm's IT people put your wireless...
by Brian Focht | Jun 30, 2015
Special Guest: Larry Port

These days, cyber security is no joke. It feels like we've actually started to expect that our personal data will turn out to have been stolen by some hacker operating out of a warehouse in China or a bar in Moscow. As lawyers, it's even more frightening. We're not regular business people; because of our role, there's simply more at stake. We're under ethical obligations to keep our clients' data confidential. That's part of being trusted with a lot of information, information that is valuable to someone else. Protecting your clients' confidential information from a cyber attack has to be one of your top priorities as a lawyer. Yet as I speak to lawyers about cyber attacks, one thing I'm struck by is how little most of them understand about the nature of the risk. As I spoke to Larry Port, CEO of Rocket Matter, I wondered about that, and I think he makes a great point:

Fear is a Terrible Motivator

I've spoken about cyber attacks in front of a couple of different groups of attorneys, and I have to say that even I was amazed at how easy it is to scare the living daylights out of a room by talking about the threats. Yet months later, I haven't run into a single person who went straight back to their law firm and instituted more security. While I figured it was a combination of factors, I began to realize that basic fear is a terrible motivator. Particularly because it's visceral: it...
by Brian Focht | Jun 5, 2015
Another day, another hack. Yesterday brought news that four million current and former government employees may have had their personal information stolen by Chinese hackers. Of course, this comes on the heels of what has been a staggering 18 months of hacks. Starting with the Target and Home Depot breaches, we've been barraged with story after story about major companies and retailers being hacked for their customers' data. It's not just big companies and big-box retailers, though. Law firms are increasingly targeted, thanks to a combination of relatively lax security and large quantities of organized, valuable information.

Too often when we hear about a hack, our first reaction is how much it would suck to have our own personal data stolen. Then we think about what it would cost to repair the victims' injuries, particularly the ones that are difficult to repair, like credit scores and mental health. It's easy to look at the Target hack and wonder how much Target might have to pay all those customers, and to ask yourself: if your law firm were hacked, could you afford that? Unfortunately, that's not the real reason you need cyber liability insurance. In fact, very few law firms even have a reason to insure against third-party liability from a hack. So what is the real reason you need cyber liability insurance?

First Party vs. Third Party Liability. There are two types of damages that result from a cyber attack: first party and third party. You're probably most familiar with third-party liability, the damages you end up...
by Brian Focht | May 26, 2015
I've always been amazed by insurance companies in litigation. Even when a ruling in a particular case goes badly for them, they usually won't appeal it. Even if their insured is clearly worse off as a result. Even when the ruling is obviously contrary to law. Even if victory in a higher court is a near certainty. They have a reason: it makes more sense to endure one (or more) bad ruling than to risk the bad ruling becoming bad law.

Believe it or not, the same principle applies to your office's security policies, especially any policy addressing "Bring Your Own Device" (BYOD). While I generally feel that any policy is better than no policy, the wrong policy can be downright destructive. It can decrease employee satisfaction, decrease productivity, increase costs, and even increase your security risk. So it's a no-brainer: you need the right BYOD policy for your law firm. What is the right BYOD policy for your firm, you ask (even if you didn't)? It's probably different for your firm than for the next one. Here's how to create the right BYOD policy for your law firm:

1) Identify and clearly state your BYOD policy's purpose. One of the most important parts of any effective security policy is buy-in. If your employees had no role in crafting your BYOD policy, you've already made a huge mistake. But even if you've brought your employees in, you need to make sure they know and understand why...
by Brian Focht | Apr 10, 2015
If there were a cyber attack on your business, would you know what to do? No, not would your IT guy know what to do. Would you know what to do? That's the question Deloitte, one of the world's largest professional services firms, asked at a recent "cyber-incident war gaming" session held in New York, as reported by PC World. For seven years, Deloitte has invited business executives to its war games to help improve readiness for a cyber attack. This year it tried something a bit different. With massive corporate hacks fresh in the public's mind, Deloitte set out to give its educational program a global feel. While it's absolutely critical that your IT staff can respond immediately to a cyber attack, some of the most important parts of your response will happen away from the IT office.

It's a Company-Wide Problem with Company-Wide Solutions

One of the biggest problems with the way most businesses respond to cyber attacks is that they treat it as an IT problem. Deloitte decided this year was the perfect opportunity to demonstrate just how wrong that philosophy is. Taking its cue from the Sony, Target, Anthem and Home Depot hacks, Deloitte built this year's war games simulation around an entire company. A fictional retail chain called Your Living suffered a massive cyber attack. The purchase histories of two million customers had been posted for sale online. Sales were dropping, competitors were swooping in, and the media was issuing daily barrages of bad PR. Not a good scene.

War Games and the "Your Living" Hack

The seven participants were put...
by Brian Focht | Mar 17, 2015
Too many lawyers and law firms are convinced that even if hacking is a problem, they aren't a target. Law firms, the thinking goes, are too small and too insignificant compared to the likes of Sony Pictures or Anthem to get hacked. If you believe this, you're sorely mistaken. Not only is the situation vastly different from what you imagine (hackers attack the little guys too), but your vulnerability is worse: on top of the financial fallout of being hacked, you'll have to deal with the ethical implications as well. What can be done? Well, a lot of things, really. But nothing prepares a person to handle a difficult situation like knowledge. Knowing what it means to be hacked, not the feeling of having just been robbed but an actual understanding of how it happened, is critical. Here's what it is to get hacked, an anatomy of a cyber attack:

1) Reconnaissance

The first phase of a hack is basic: recon. At this point, it's all about information gathering. Using publicly available information, the hacker or hackers gather everything they can on the intended target. The information can be technical, such as IP addresses, network infrastructure, hardware, or even passwords, or nontechnical, such as office social structure or location information. To get it, hackers look to search engines, social networks, DNS records (which reveal a firm's mail servers and other externally visible hosts), WHOIS registration data (which can identify who registered the firm's domain and how to contact them), or even the firm's own website. Importantly, there are no attacks at this point. The...
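The recon phase described above, as an added example that is not part of the original post: a small Python script that harvests what a firm's own "Our Team" page gives away (email addresses, and hostnames such as webmail and VPN gateways that later DNS lookups would confirm), infers the firm's email naming convention from the addresses it finds, and predicts the addresses of staff who are listed without one, which is exactly the list a phishing or password-spraying campaign starts from. SAMPLE_PAGE is a constructed stand-in, example-law.test is not a real domain, and the role words in NAME_RE are an assumption about how such a page is laid out.

```python
"""Passive reconnaissance against a firm's public web page.
Added example, not code from the original post. SAMPLE_PAGE is a constructed
stand-in for an "Our Team" page; example-law.test is not a real domain."""
import re
from collections import Counter
from typing import List, Optional, Tuple

SAMPLE_PAGE = """
Example Law LLP - Our Team
Jane Smith, Partner - jsmith@example-law.test - 555-0101
Robert Jones, Associate - rjones@example-law.test
Ann Lee, Paralegal
Staff remote access: https://webmail.example-law.test or vpn.example-law.test
"""

EMAIL_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\b")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")
# "First Last, Role": the role list is an assumption about the page layout
# and would be tuned per target.
NAME_RE = re.compile(
    r"\b([A-Z][a-z]+) ([A-Z][a-z]+), (?:Partner|Associate|Paralegal|Counsel)\b")

# Common corporate email conventions, keyed by a short label.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def extract_emails(text: str) -> List[str]:
    """Every address published on the page, lower-cased and de-duplicated."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})


def extract_hostnames(text: str) -> List[str]:
    """Hostnames mentioned on the page (webmail, VPN, ...). Email domains
    count too; these are the names DNS lookups and port scans come next for."""
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(text)})


def extract_names(text: str) -> List[Tuple[str, str]]:
    """(first, last) pairs for staff listed with a role, lower-cased."""
    return [(f.lower(), l.lower()) for f, l in NAME_RE.findall(text)]


def infer_convention(text: str) -> Optional[str]:
    """Vote on which convention maps published names onto published
    email local parts; None when no name/email pair lines up."""
    locals_ = {local.lower() for local, _ in EMAIL_RE.findall(text)}
    votes: Counter = Counter()
    for first, last in extract_names(text):
        for label, fmt in CONVENTIONS.items():
            if fmt(first, last) in locals_:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def guess_missing_emails(text: str) -> List[str]:
    """Apply the inferred convention to staff listed without an address,
    using the firm's most common email domain."""
    label = infer_convention(text)
    pairs = [(l.lower(), d.lower()) for l, d in EMAIL_RE.findall(text)]
    if label is None or not pairs:
        return []
    domain = Counter(d for _, d in pairs).most_common(1)[0][0]
    known = {l for l, _ in pairs}
    fmt = CONVENTIONS[label]
    return [f"{fmt(f, l)}@{domain}" for f, l in extract_names(text)
            if fmt(f, l) not in known]


if __name__ == "__main__":
    print("emails:    ", extract_emails(SAMPLE_PAGE))
    print("hosts:     ", extract_hostnames(SAMPLE_PAGE))
    print("convention:", infer_convention(SAMPLE_PAGE))
    print("guesses:   ", guess_missing_emails(SAMPLE_PAGE))
```

Nothing in this script touches the target's systems, which is the point of the recon phase: the firm cannot see it happening. The practical defence is to assume everything on the public site is already in an attacker's notes, and to make sure the hosts it names (webmail, VPN) are not protected by a password alone.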
by Brian Focht | Mar 12, 2015
Your firm is a target for hackers. That's right. They want valuable data. You've got it. A lot of it. And it's nicely organized and, usually, poorly protected. And just in case you weren't paying attention, if they do get it, you'll probably have to answer to more than just your client (as if that weren't bad enough). Civil damages and ethics charges are two of the fabulous prizes you could earn thanks to your poor security. Yet there are rays of hope! No system is perfect, no security is absolute. But here are 8 Simple Cyber Security Rules You Need to Know:

1) Cyber security is complicated, so first, educate yourself. There are plenty of places to get the basic information and keep yourself updated on security. Whichever one (or more) you choose, you have to choose one. Securing your information in a tech-savvy world isn't taught in law school, and the only thing you gain by staying unaware is an increased likelihood of committing legal malpractice (and, of course, getting hacked). You can't be in a position to lead if you haven't educated yourself. Otherwise it's the blind leading the blind, and if you claim to lead without knowing what you're talking about, everyone will see it clearly.

2) Create an inclusive culture of cyber security. Contrary to popular belief, the greatest threat to your firm's data security is your own employees. Sure, if your client base attracts the attention of China's weapons developers, or you represent Sony Pictures, you might have to focus on foreign hackers. But...
by Brian Focht | Feb 9, 2015
Last week, the nation's second largest health insurer, Anthem, announced a massive data breach. According to reports, personal information for as many as 80 million Anthem customers and employees was accessed. While no bank account or credit card numbers were apparently stolen, the information taken includes names, addresses, Social Security numbers, and medical ID numbers. I have echoed the warnings of security experts who identified health care organizations as a major future target of hackers. Anthem is not the first health care-related business to suffer a data breach, but it's currently the largest. The Anthem hack targeted a health insurer, though. What can we lawyers possibly learn? Plenty.

1) Hackers aren't just looking for credit cards. Why do you rob banks? "Because that's where the money is." Willie Sutton's famous line (one he denied ever saying) applies here. The hackers behind the Anthem breach didn't go after credit card or billing information. They went after personally identifiable information (PII). Why? Because that's where the money is. With your PII, a hacker can steal your identity. More significantly, they can do so whenever they want. How? Well, having your SSN is one thing, but what happens when they also know your email address and your mother's maiden name? Yep, the security question you set up to make your email more "secure." Now they don't need to use your credit card before you report it stolen. Instead, they can wait years before taking out a loan in your name. Health care providers hold a wealth of PII. Medical records have...
by Brian Focht | Jan 26, 2015
Did you hear about the most recent hack? The systems of a major (retail/entertainment/medical/government/miscellaneous) company were breached and the data stolen. The information was quickly put up for sale. I've kept it generic because, let's face it, between the time I write this and the time you read it, another major hack has probably happened. As attorneys, securing your clients' data had better be something that occupies your attention. Mostly because it means you're a better person. But even if that isn't an issue, it is your ethical responsibility. There is no way to guarantee that your data is completely safe. However, don't let perfect be the enemy of good. Here's why Multi-Factor Authentication is the imperfect tool you need to use:

What is multi-factor authentication? Your password, however complex, has an inherent weakness: it's your only line of defense. Once someone has figured out your password (and it had better not be one of the most commonly used ones), they're in. Beyond being your only line of defense, passwords have one other major weakness: you. Your password is probably easy to guess, and you probably reuse it in multiple places. Multi-factor authentication means that anyone seeking your information needs more than one thing. Most multi-factor authentication systems require at least two things from three categories: something you know, like a password; something you have, like a keycard or a phone that receives a one-time code; and something you are, biometric data like your fingerprint or an iris scan. One of the most popular methods calls for you to enter your password, at which time you...