Excerpt: Sadly, your greatest asset – your employees – are also the greatest threat to your cybersecurity. We know this because we regularly see data breaches and ransomware infections caused by click-happy employees. You also have rogue employees determined to use their own devices and go where they want on the Internet, irrespective of firm policies. When we train them, they tell us that they are scared – and you know what? That means we did our job. One of the great fallacies that employees believe is sometimes called “The IT Shepherd” – they simply have faith that the flock (employees) is protected no matter what they do by the shepherd (technology). You need to make them understand that no technological defenses are ironclad.
Excerpt: People are inherently lazy. After all, why do something today that you can put off until tomorrow? Users hate to do anything that would slow down their access to their computer or data. That means they would much rather just sit at a keyboard and start to surf the Internet instead of entering logon credentials and then entering a second factor. How many times have you been tired of the constant password changes only to resort to using one you know you’ll remember and have previously used? Didn’t feel like creating a new account so passed on that online purchase? You are not alone.
A recent study from the National Institute of Standards and Technology (NIST) found that the majority of typical computer users experience security fatigue, which leads to risky computing behavior at work and in their personal lives. Security fatigue is defined as a reluctance or weariness to deal with computer security. So what does this mean for law firms? A balanced approach is the way to go. If you make things too difficult for the users, they will find ways around the security measures.
Excerpt: Almost all law firms have an IT consultant, whether an outside consultant or in-house employee. All too often, lawyers believe that information technology wholly embraces information security. It does not. While there is a lot of crossover between the two fields, most IT providers are aware of basic security best practices – they are not actually cybersecurity specialists – though they may feel that they are!
As technology has gotten more and more complex, it has become critical to have access to folks who do a “deep dive” into security. A security specialist who is all textbook and has no practical experience with IT is no good to you. All the certifications in the world are no substitute for experience.
Excerpt: In the summer of 2016, author Simek had the pleasure of joining a Pennsylvania Bar Association panel comprised of both testifying experts and judges to explore how to find and effectively use a good expert.
It seemed to author Nelson, sitting in the audience, that she was hearing a series of rapid-fire tips so she endeavored to jot them down, in no particular order, to offer the collective wisdom of the panel. Here are some of the many valuable tips she heard…
Excerpt: That was the question I was asked to answer at the College of Law Practice Management’s 2016 Futures Conference. As part of a great legal technology panel, my answer was quick and decisive. No, it will not be.
Look how the cone of silence (check mentions of Maxwell Smart if you don’t recognize the reference) around law firm breaches has shattered in 2016 alone. It turns out that law firms, even major law firms, have been breached again and again. Do we really believe that there will be any respite from the attacks?
Law firms, by their very nature, are honey pots. If you target a corporation, you may get that corporation’s data, but probably not a lot of data from other companies. On the other hand, law firms hold the data of many individuals and corporations. That’s what makes us such an attractive target. And our security is, in general, not as good as that of major business entities – though we are getting better.
Excerpt: For years, the authors (and many others) have been saying that law firms generally keep mum about data breaches. While we have seen a few small firms abide by data breach notification laws, the larger firms generally have not, usually hanging their hat on the “we don’t know what data was compromised” or the “we had an incident, but no evidence of an actual breach or misuse of data” excuses. In fairness, not all data breach notification laws are equal – in some cases, they may not have to disclose. Whether they have told their clients is unknown, but speculation has been rising that they often have not, for fear of a mass client exodus.
Excerpt: Cybersecurity is a hot topic these days, but what does it mean to practicing lawyers today? Essentially, cybersecurity is the protection of your information systems from theft or damage. For an attorney, that means making sure your client’s information stays confidential. Today, that includes taking steps to protect yourself from experiencing a data breach.
Are lawyers doing enough to safeguard law firm and client information? Our opinion is that many are not. Here are a few reasons we hold that opinion.
- The FBI reported at a legal technology conference in 2013 that they are seeing hundreds of law firms being increasingly targeted by hackers.
- Mandiant, now part of InfoSec giant FireEye, reported that 7% of the breaches it investigated in 2014 involved law firms.
- Another report noted that 80% of the largest 100 law firms, by revenue, had been hacked between 2011 and 2015.
- At a meeting of large firm information security experts from D.C., most admitted that they had been breached – and that they were aware from their colleagues that others had been breached as well.
- Even with the dismal record of reporting law firm data breaches, we still learn of them in the press and informally – and we will detail some of them for you.
Excerpt: Scarcer than rubies are talented digital forensics experts who are also skilled at writing expert reports and giving court testimony. So how do you find a good expert when you have electronic evidence in issue? This can be a daunting task and the right selection may depend upon a number of factors including what’s at issue in the case, the budget, the geographic location of the expert, and balancing the relative credentials of the experts under consideration. In short, reach for your bottle of Advil. Mistakes are frequent.
Here are the extremes. At one end, you have the major players – with big price tags and a horrendous disparity of quality between their employees. At the other end, you have Joe, formerly a plumber, who fiddles with computers at night and thinks that digital forensics is cool. He takes a course in it, perhaps even gets a meaningless certification from the vendor, and then promptly hangs out his shingle, advertising his service at “blue light special” rates.
Excerpt: The very first time we saw Moneyball, we knew it would crop up in an article. The movie’s use of data analytics in baseball immediately prompted us to start talking about how some of the lessons of Moneyball applied to the legal sector.
We promise you that we came up with the title of this column ourselves, but as we began our research, we were shocked at how many others have had the same idea. In fact, a CLE at this year’s Legal Tech had a very similar name – and several articles on data analytics in the law did too.