Articles

Excerpt: It was more than a year ago that the 3,600-lawyer global megafirm DLA Piper was brought to its knees by a data breach in June of 2017. One of the questions we hear most often when we lecture is, “If DLA Piper can be breached, how do the rest of us stand a chance of preventing a data breach?”

It’s a valid question. The reaction last year varied with the size of the law firm. Larger law firms focused a lot on purchasing or increasing their cyberinsurance coverage after the DLA Piper story made the headlines. They also amped up their security measures, and pried open their wallets to create stronger defense-in-depth strategies.

The smaller firms also began spending more money on cybersecurity, many of them now awakened to the dangers of a breach. From our foxhole, small to mid-size firms particularly began to focus on employee cybersecurity awareness training, newly aware that their greatest asset (their employees) is also their greatest risk. Since 2017, cybersecurity awareness training has been the CLE that we have most often been asked to present.

Read the entire article here.

Excerpt: Pete Banham, cyber resilience expert at Mimecast, commented: “Microsoft Office 365 was hit with major downtime on Friday, with customers around the world unable to access their services or admin portals. An operational dependency on the Microsoft environment creates business risks that need be addressed.” He went on to say that entities need to consider a cyber resilience strategy to allow them to recover from such an outage.

To Microsoft’s credit, it announced later the same day that it had fixed the authentication problem. Certainly, it didn’t solve the PR problem emanating from all the users who couldn’t login.

That certainly made us wonder how long an American law firm would be able to tolerate an Office 365 outage. This is an unsettling thought to many law firms which never thought about Office 365 being unavailable to them.

Read the entire article here.

Excerpt: Sadly, your greatest asset – your employees – are also the greatest threat to your cybersecurity. We know this because we regularly see data breaches and ransomware infections caused by click-happy employees. You also have rogue employees determined to use their own devices, go where they want on the Internet, irrespective of firm policies. When we train them, they tell us that they are scared – and you know what? That means we did our job. One of the great fallacies that employees believe is sometimes called “The IT Shepherd” – they simply have faith that the flock (employees) is protected no matter what they do by the shepherd (technology). You need to make them understand that no technological defenses are ironclad.

Read the entire article here.

Excerpt: Backup is an essential operation for every law firm – and yet, often poorly understood. Having an adequate backup is implicit in the ABA Model Rules for Professional Conduct and their state counterparts, as any legal ethicist will tell you. One of the lawyer’s duties is to competently represent clients. How can you do that if your case files and communications are lost? You could have a hardware failure of your server or a disk crash. What if your cloud provider shut its doors, rendering client data inaccessible? Perhaps your laptop is stolen from your vehicle with client data for a pending matter. There are all kinds of situations where you could lose data or not be able to access it. That is where your backup comes into play. Should you have a catastrophe, you would restore data from your backup and be back in business.

A local backup is also a necessity if you use cloud services and your Internet connection goes down. You could certainly take your laptop to a public open Wi-Fi and get to your data that way, but having a local backup of your data is a good idea too. It gives you a safety net should something catastrophic happen to your cloud provider.

Read the entire article here.

Excerpt: Several years ago, a Canadian attorney and good friend of ours, invested $10,000 in bitcoin. Clearly, he is a lot smarter than us. We can’t even imagine the extent of his profit – the price of bitcoin has been all over the map. It hit an all-time high of $19,343.04 on December 16, 2017. We’re not sure if our friend cashed out, but we suspect he is still holding on to his “stash” of bitcoins. As of May 6, 2018, one bitcoin is worth $9,901. That’s quite a drop in less than six months.

We become aware of bitcoin wallets a few years ago, as husbands (mostly) began to hide assets from their soon-to-be ex-wives in those wallets. And then came a barrage of ransomware attacks. Law firm after law firm was paying the ransom ($300-$500 in the early days and $1500- $3000 today). The cybercriminals usually want the ransom in bitcoin. To our amazement, there are now bitcoin ATMs available in local gas stations and laundromats complete with posted instructions on creating a bitcoin wallet for the Bitcoin novice.

In July of last year, there were reports of a Citrix UK study which found that a third of UK companies were stockpiling digital currency, mostly in bitcoins, to pay the ransom (an average of approximately $176,000) if they became victims of a ransomware attack.

At the 2017 ILTACON conference, artificial intelligence wasn’t quite kicked to the curb, but the buzz around blockchain became very loud indeed. In the last several months, it has become increasingly clear that blockchain is a transformative technology that is going to make substantial changes in the practice of law.

Read the entire article here.

Excerpt: Well, it’s finally here. In the fall of 2017, a vulnerability in WPA2 wireless encryption was discovered. Known as the Krack Attack, the flaw impacts every implementation of WPA2. The manufacturers needed to provide a patch update to fix the flaw. The Wi-Fi Alliance has now announced the availability of the WPA3 standard (to be implemented in certified devices starting later this year), vastly improving security over WPA2, which has been around for over 15 years and should be the current WiFi encryption of choice. WPA3 provides a new security protocol that contains improvements in terms of configuration, authentication and encryption. Just like WPA2, WPA3 will be available in personal and enterprise versions.

Read the entire article here.

Excerpt:
Setting the stage
The title of this article was also the tile of a session presented at ABA TECHSHOW this year. And each part of the title is true. It is absolutely necessary to have cyberinsurance in order to manage your risk. No amount of technology, policies or training can guarantee that you will not be breached. Expensive? Oh yes. Get ready for sticker shock when you purchase cyberinsurance. Because we teach CLEs on cyberinsurance, we can tell you with some assurance that lawyers are very confused about what specific insurance they need. Insurance companies are not very helpful– the various policies offered across the industry are not at all standardized – and of course they are written in complicated language which often obfuscates their meaning.

Where are we today?
Not in a great place. According to a 2017 survey by the data analytics firm FICO, half of U.S. business have no cyberinsurance, 27% have no plans to buy coverage and only 16% report having a policy that covers all cyber risks. There is a certain justified cynicism about cyberinsurance. The news is rife with companies who had cyberinsurance, but found – after being breached – that a substantial portion of their damages were not covered.

Read the entire article here.

Excerpt: We have said for many years that the cloud will generally protect a law firm’s data better than the law firm would itself. As more and more law firms adopt Microsoft Office 365, thereby moving to the cloud, we have come to the conclusion that a few words of caution are in order when law firms entrust their data to the cloud.

With huge volumes of law firm confidential data (and data from other verticals) moving to the cloud, it is no wonder that the bad guys are taking aim at the clouds. And there seems to be a shift afoot, in which the main responsibility for protecting corporate data in the cloud belongs to the cloud customer rather than the cloud provider.

The Cloud Security Alliance (CSA) recently issued the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report.

While there are many security concerns in the cloud, CSA’s list focuses on 12 concerns specifically related to the shared, on-demand nature of cloud computing. CSA conducted a survey of industry experts to gather professional opinions on the greatest security issues involving cloud computing. In order of severity, here are the 12 risks.

Read the entire article here.

Excerpt: Traveling abroad? Worried about pickpockets? We have far bigger worries these days. If you travel abroad, you also have to worry about foreign governments – and our own – which may be interested in our data. Lawyers are not only not exempt from that interest – they are magnets. And when The New York Times published an article early this year about safeguarding data when crossing the border, we knew we were seeing a new hot cybersecurity topic – one that has primarily been considered at very large firms, until all the recent stories caught fire in the news. This article will focus on the dangers presented by our own government (the current runaway headline), but the advice is generally applicable to the risks presented by foreign governments, risks which may increase as there seems to be a worldwide ratcheting up of device seizure and examination at borders.

Read the entire article here.

Excerpt: There are very few lawyers who seem to have control over their digital devices. To the contrary, the devices themselves seem to be in control, demanding the nearly non-stop attention of lawyers. It might seem odd to hear two geeks talk about digital detoxing, but we recognized the need for it years ago. Perhaps, as geeks, we were on the bleeding edge of this phenomenon.

Author Nelson was not pleased that author Simek could not have dinner in a nice restaurant with his wife without regularly checking his phone. That was the beginning. In time, marital negotiations (and renegotiations) resulted in some rules! Our phones may be in our pockets but they are not invited to participate in nice dinners. Our phones, unless an emergency is in progress, are not checked after dinner. And our phones charge in the family room – they are not permitted in the bedroom. The majority of lawyers do have their phones charging in their bedroom on their bedside tables – or, worse yet, in their beds.

Read the entire article here.