No Law Firm Left Behind

Is Your Law Firm In Cyber Jeopardy?

January 11, 2023 | Jim Gast, Law Firm Consultant | Season 5, Episode 2

Cyber liability and cybersecurity are not topics that will soon disappear from the lexicon of law firm leaders.
However, too many law firm leaders remain considerably uninformed about their professional responsibilities and the devastating financial risks of their inaction or the actions of their staff.
Jim and Dave review the Top 3 Cyber Problems law firms face and how to solve them with minimal effort.
As an added bonus, they show you the tell-tale signs to determine if your firm is in jeopardy.

No Law Firm Left Behind is made possible by our friends at SpliceNet Consulting

Connect with Jim Gast https://www.linkedin.com/in/jamesgast/
Connect with Dave Myers https://www.linkedin.com/in/davidjmyers/
Find our past shows at https://www.splice.net/nolawfirmleftbehind/

00:00 We're hosting without Dave Myers today.

00:02 Dave, hey, listen, don't worry about it.

00:04 I know you had technical problems.

00:05 Don't worry about it.

00:06 It does happen.

00:08 But we're going to go on with the show today.

00:10 And so this is No Law Firm Left Behind.

00:12 Once again, I'm Jim Gast, host.

00:14 We took quite a long hiatus over the last few months.

00:17 I had a little bit of a show start up back in December.

00:20 And so we're back now.

00:22 This is good and strong for season five.

00:25 Real quick, I just kind of give you

00:26 a couple of things you can look forward to in season five.

00:29 We're going to kind of go back to our roots

00:31 a little bit on No Law Firm Left Behind.

00:33 And we're going to start talking a little bit more

00:36 about very important technologies for law firms,

00:39 marketing for law firms, business development, sales,

00:44 human resources, HR, cybersecurity,

00:48 which is what I'm going to talk about in short today.

00:50 Today's going to be a pretty short show, actually.

00:53 We're still going to have some really good guests lined up.

00:55 Next week, we've got Paul Unger from Affinity Consulting.

00:59 We're really excited.

01:00 And by the way, I'll plug your book real quick, Paul.

01:02 And if you haven't gotten out there to get Paul's book,

01:05 it's available on Amazon.

01:06 Please go get Paul's book so that you can read about it.

01:09 But read it before next week.

01:11 It's a real nice, easy read, but great information.

01:14 So we're really looking forward to Paul Unger next week.

01:17 And we'll have some other guests.

01:19 Mike Brown's always a regular on the show.

01:21 We really appreciate him, too.

01:22 And so we're looking forward to shows with really good content

01:27 that's going to be very useful for you and your law firm

01:31 and your legal professional career.

01:33 So without any further ado, let me just

01:36 get to today's topic and where this comes from.

01:39 I have and our crew at SpliceNet and Dave,

01:44 we're always involved in various levels of cybersecurity

01:49 situations.

01:51 And so whether it's helping a customer respond

01:55 to a cyber threat, cyber event, or helping a customer or law

02:00 firm prepare for a cyber disaster that's not happened

02:07 yet but getting ready for it, we're

02:09 always involved in various stages of preparedness

02:14 and reaction.

02:15 And so what we thought we would do,

02:17 and it really is bad that Dave can't be here, but that's OK.

02:20 What we thought we'd do is really talk

02:22 about the concept of is your law firm in jeopardy,

02:27 a cyber jeopardy.

02:29 And what does that mean?

02:30 Well, what that essentially means

02:33 is that have you addressed the things that can help

02:38 you avoid a cyber disaster, a cyber event?

02:43 And if you do have a cyber event,

02:47 do you have the mechanisms in place to help you mitigate

02:52 that situation?

02:54 And so I look at it and Dave looks at it

02:58 as there are three main things that you should look at.

03:01 There's a lot of them, but really it

03:05 comes down to three main things to start with.

03:10 Cybersecurity insurance, look, it's not new.

03:14 It's been around for a long time.

03:16 And what we're finding still to this day

03:19 is that law firms do not have cyber liability insurance.

03:23 I know that's hard to believe, but it's a reality.

03:27 And so what we need to think about

03:29 is cyber liability insurance and how do we get that.

03:33 And what's it going to cover?

03:35 Not all cyber liability insurance policies

03:38 are the same.

03:38 They're not all created equal.

03:41 The carriers are a lot more stringent today

03:45 than they ever have been in the past.

03:48 Why?

03:48 Because they're losing money in a cyber liability.

03:51 An insurance company is not going

03:53 to lose money long term.

03:55 I mean, they're just going to kind of change the way

03:57 coverages work and change the way how you buy insurance.

04:00 So from a cyber liability insurance perspective,

04:03 it really starts with an application.

04:05 And so the cyber liability insurance applications,

04:09 almost all of them that I see lately,

04:12 they're all about the same.

04:14 And Dave and I talked about this in a meeting

04:16 yesterday with a potential customer.

04:20 They really have a baseline today

04:22 as to what they're expecting a law firm to have as far

04:28 as the technologies and the policies in place

04:31 to protect the law firm and to protect the insurance

04:35 company from a claim.

04:37 And so all of them, it's really not about the technology.

04:42 I know that all these insurance applications will ask you

04:47 about the technologies.

04:48 But it's not really just about the technology.

04:50 It starts with, we want to get cyber liability insurance.

04:54 We want to do the right thing.

04:56 And it's a mindset is where you start.

04:58 So I would recommend looking at cyber liability insurance

05:03 and realizing that, hey, just because I

05:06 have this application doesn't mean

05:07 I'm ready to fill out the application.

05:10 For example, one of the most common questions

05:13 we see on cyber liability insurance policies today

05:16 are the applications, I should say,

05:18 is multifactor authentication is a technology requirement.

05:22 Well, so what is that?

05:25 What is multifactor authentication?

05:26 And today's not about getting into the specifics

05:29 of these technologies and what they do.

05:31 It's more of a high level conversation.

05:33 So multifactor authentication isn't something you can just

05:36 like, bam, and we've got it.

05:38 Let's just install it on our computers.

05:40 We have to go through a process as a law firm to implement it.

05:45 And there are different layers of implementation.

05:49 So just to kind of get a little technical, multifactor

05:52 authentication can protect your email systems.

05:55 It can protect your computers.

05:56 It can protect your SaaS applications.

05:59 It can protect your VPNs and remote access

06:02 and so on and so on and so on.

06:04 So when a policy application talks

06:09 about multifactor authentication,

06:12 it's not an event, click, and it's done, and we've got it.

06:17 So you just can't check the yes checkbox.

06:19 You need to know what they're looking for specifically

06:23 and what they're trying to get multifactor

06:26 authentication to protect.

06:28 And so you have to understand cyber liability insurance,

06:31 even getting cyber liability insurance, is a process now.

06:36 And it's not so much the process of just getting

06:38 the applications, being able to answer all the questions

06:41 the right way.

06:42 So cyber liability insurance is one of the top three things

06:48 that we need to be considering as a law firm

06:51 to avoid a cyber jeopardy situation.

06:53 The second one, and I think Dave and I talked about this right

06:58 before, and he has some technical problems again,

07:00 but I'll talk about that, is really cyber education.

07:04 So what does that mean?

07:05 There's two different types of cyber education in my mind.

07:08 One is understanding what a cyber threat is.

07:14 As a business owner, what can happen?

07:16 What are the outcomes?

07:17 What are the things that can hurt us?

07:21 And so that's not really an ongoing education.

07:25 Yeah, those things change regularly.

07:27 But understanding that, OK, there's things called ransomware.

07:30 There's things called malware.

07:32 There's things called attack vectors,

07:35 and so on and so forth.

07:36 That's a very high level business understanding

07:39 of what cyber security education is.

07:44 But what most people think of and what

07:46 we're going to talk about is cyber education

07:49 from an end user perspective.

07:52 So we have these people in our organizations and our law firms

07:56 that are using computers all day.

07:58 They're typing.

07:58 They're using their email.

07:59 They're surfing the web, and they're

08:01 doing all these various things.

08:03 All of these things come with risks.

08:05 And it doesn't matter what type of technology

08:09 that you have in place.

08:11 There are all kinds of holes, pinholes, if you will,

08:15 in cyber security and the things that you

08:19 buy to protect your people.

08:21 Unfortunately, you can spend as much money as you want,

08:25 but one misstep by a staffer can cost a law firm

08:31 hundreds of thousands of dollars,

08:33 and that is not an exaggeration.

08:35 The smallest ransom I'm seeing now today

08:38 is a half a million dollars.

08:40 And even if you have cyber liability insurance,

08:43 a lot of people say, oh, I've got cyber liability insurance.

08:45 That's great.

08:46 I'm covered.

08:46 I'm not going to worry about that.

08:48 It's not that simple.

08:50 So cyber education is the thing that we

08:53 want to give our staff to protect our law firms

08:58 from the cyber jeopardy that is out there.

09:01 So everyone knows what a phishing email is.

09:04 And if you don't, unfortunately, you're way behind the curve.

09:08 But a phishing email with an email link or attachment

09:14 that somebody would click on, right?

09:15 Everybody knows what spam is.

09:17 Well, there's still today lawyers

09:19 that are getting caught and their staff that

09:22 are getting tricked by these emails still to this day.

09:26 Still to this day.

09:28 Unfortunately, email is and remains the number one attack

09:33 vector for your hackers that are out there that

09:38 are trying to install ransomware and lock all your systems.

09:42 It's amazing.

09:45 You would think that after, what, 10 years?

09:47 I don't know, 5, 10 years of people being attacked by emails

09:51 that it would be a lower attack vector.

09:56 But from a percentage perspective,

09:59 hackers can send infinite number of emails

10:01 with infinite number of attempts to try to trick your staff.

10:05 And really, still to this day, it only

10:07 takes one errant click to actually trick someone

10:13 to download something or go to a website that installs

10:16 something on a computer.

10:17 And boom, there we go.

10:19 And if we don't have the right technologies in place,

10:22 which is a little bit about what we're going to talk about next,

10:26 sorry, you're out of luck.

10:28 And it still is cyber education that

10:32 will condition your users on avoiding those threats.

10:37 Don't go to websites you don't know.

10:38 Don't just click on an email.

10:40 Slow down, right?

10:41 The old stop, drop, and roll.

10:43 I mean, when I was a kid and we were taught stop, drop,

10:47 and roll.

10:47 Well, hopefully, if I caught on fire as a kid,

10:51 I could stop, drop, and roll.

10:52 Hopefully, today, when we get emails,

10:54 we can stop, think, then act, which

10:58 is what I always used to say when it comes to phishing

11:01 emails and the like.

11:02 So I would really seriously consider

11:07 that we need cyber education for our end users.

11:10 Now, all these things we're going to talk about as we go on

11:13 through the season this year.

11:15 So these are just kind of a high level.

11:17 The third thing is I know a lot of people

11:21 think it's the technology that is important.

11:25 And it's very important.

11:26 Don't misunderstand me as I've probably

11:28 put it as a number four top item that's

11:33 needed to avoid cyber jeopardies.

11:36 And so I would say that the number three

11:39 would be a cyber review.

11:42 And I know that's like, well, wait a minute.

11:43 Hold on.

11:44 You can't fix what you don't know is broke.

11:47 So if you don't know it's broke, you don't know what you've got,

11:49 if you don't know where you stand,

11:51 if you don't know what your vulnerabilities are,

11:54 then you just can't throw things at it.

11:55 You just can't throw antivirus at it or MDR or EDR,

12:00 whatever it is, whatever technology that is missing,

12:03 until someone does a thorough evaluation of your cyber

12:07 posture.

12:09 And so that comes from a couple of different angles.

12:12 It comes from what are our policies,

12:14 what are our technologies, and what are our standard reviews

12:17 of these things.

12:19 Do we have a team?

12:21 Do we have discussions with our managed service provider

12:23 or managed security provider or IT teams in our law firms?

12:27 So what I would suggest is the number three

12:30 is do that review.

12:32 So why do I say it in this order?

12:34 Well, cyber liability insurance will

12:36 tell us what we need to cover ourselves

12:39 from a financial perspective.

12:41 Cyber education will help us avoid more and more.

12:46 And I can promise you from a cyber,

12:48 when you do your cybersecurity review,

12:50 education will always be on that list.

12:52 So that's why I put it in there.

12:55 Then we can start talking about what technologies do we need,

12:58 what's appropriate for our law firm.

13:00 Do we want to go out and spend exorbitant amounts of money

13:05 on third-party SOCs and so on and so forth?

13:09 We want to match the threat.

13:11 We want to match the cost to our potential threat

13:13 and our potential risk factors and where our insurance

13:16 companies say we have to be.

13:18 So short of today's show, three things

13:21 that we need to be watching out for to avoid our law firm being

13:24 in cyber jeopardy.

13:25 One, make sure we're looking at cyber liability insurance

13:29 policies if we don't already have one.

13:32 And they're getting more and more expensive.

13:34 I'm sorry, but it's just the nature of the beast.

13:37 It is a necessary thing.

13:39 If you are hit, and we've seen businesses get hit,

13:43 unfortunately not many law firms.

13:46 But when you get hit by a ransomware attack

13:50 and they're asking for half a million dollars

13:52 and you've got no outlet to pay that

13:56 and you've got to rebuild your systems

13:58 and you've got none of your client's data,

14:01 yeah, cyber liability insurance is

14:02 going to help you through that situation.

14:05 These insurance companies know what they're doing

14:07 and they know how to help.

14:08 Cyber education, that number two thing,

14:11 we want to make sure that looking at things like KnowBe4,

14:13 which is a fantastic product, one of the things

14:16 that we recommend to our customers,

14:18 making sure that that KnowBe4 is in place.

14:21 And at least we're talking about it in our organizations

14:25 and doing training classes, doing thorough review,

14:28 and then testing and validating.

14:30 It's not good enough that we talk about it every now

14:32 and then once a month.

14:33 We want ongoing testing, ongoing review,

14:36 ongoing email alerts, and training videos.

14:40 I think that cyber education is incredibly important.

14:45 And number three, finally, do that review.

14:48 Have someone do a review.

14:50 Now look, I'm going to put it as simple like this.

14:53 If your IT team is not talking about this to you,

14:56 if they're not telling you regularly,

14:58 we need to review this once a month, which

15:00 is a minimum in my opinion.

15:02 And I think that if you look at some

15:05 of the professional ethics, that really

15:08 stands to reason to be appropriate.

15:13 And everybody measures a little bit different for themselves.

15:16 But if your IT teams, your outsource IT teams,

15:18 or in-house teams aren't talking to you about cyber security

15:23 reviews, reviewing and trying to improve and continually doing

15:26 better, then we need to have a serious conversation with them

15:30 and saying, hey, what's going on here?

15:32 Why aren't we doing this?

15:34 So again, three things I wanted to make today real short,

15:37 sweet, and simple.

15:39 Get that done, and I'll post these three things

15:43 on any of the outlets that we use,

15:45 LinkedIn, and YouTube, and Facebook,

15:48 so that you've got them.

15:49 And if you have any questions, of course, you can contact me.

15:52 Everyone knows how to find me.

15:53 You can direct message me on Facebook, LinkedIn,

15:56 and also join our group, No Law Firm Left Behind,

15:59 on LinkedIn, where we're putting a lot of this stuff information

16:02 that we bring out of all these shows.

16:04 So again, really simple show today.

16:07 Thanks for joining me.

16:09 Again, we've got Paul Unger.

16:10 If you don't have his great book yet, grab his book, Paul.

16:12 We're looking forward to next week.

16:14 And Dave, sorry you had those technical problems,