Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Most Law Firms are low hanging fruit for hackers - PTG Podcast with Craig Petronella of Petronella Cybersecurity and Digital Forensics and Attorney Alex Pearce on Law Firm Cybersecurity Risks

November 12, 2020 Craig Petronella

Most law firms are easy targets for hackers and cybersecurity threats because they lack good cybersecurity hygiene. Learn how Security Risk Assessments and basic cybersecurity controls can significantly increase the cybersecurity maturity level of a law firm and make hackers move on to an easier target.

Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Announcer:

You're listening to cybersecurity and compliance with Craig Petronella. Visit us online at Petronellatech.com.

Craig Petronella:

What do you think is on the current landscape of threats? What are typical small law firm risks, what they should pay attention to?

Alex Pearce:

I think there's a sort of increasing recognition by law firms of all sizes that cybersecurity is something we need to think about and worry about. There are related reasons for that. Criminals have figured out that law firms tend to be places where sensitive information is collected and centralized in one place. To the extent they're looking for sort of high-value targets. Law firms tend to be especially attractive. Historically, law firms have not necessarily been sort of at the forefront in securing that data or the use of technology. I think law firms have sort of come to be identified as the soft underbelly of corporate America. Fortunately, there's a recognition by firms, if that's the case.

Craig Petronella:

Sure. What do you think the reason is for recognition? Why now?

Alex Pearce:

I think you have some pretty highly publicized incidents where firms have been victimized. You have the prominent examples like the sort of Panama Papers case, the Mossack Fonseca firm, and more recently, you've got stories coming out about firms involved in the 9/11 litigation. Those are sort of outliers. But you also hear lots of stories about firms being victimized in business email compromise scams where criminals are trying to get firms involved, for instance, in real estate transactions to wire funds.

Craig Petronella:

Interesting that you bring that up. We had a client last year that came to us for a referral. And it's a local triangle small firm, just three people. And they had not an IT professional, but an in house IT designated guy that wore the hat.

Alex Pearce:

Yeah.

Craig Petronella:

They're using Office 365. And Bob and I wrote a story about this. But they didn't properly harden and secure the platform. They fell victim to a phishing email, gave the credentials. The hackers compromised and set up rules to spy on all their email communications for months without their knowledge and covered their tracks. They laid low until wire this amount of money. They bought a domain name with an S or the same firm's name, but with an S at the end. And then they impersonated, Oh, no, those weren't the right wire instructions we sent them. These are the right ones. Bam, lost over half a million dollars.

Alex Pearce:

Right. And scams like that have become common enough that I think our state bar sends out alerts to lawyers doing that real estate closing in particular. But in terms of the most prominent threats, the one you mentioned, that's one that relies on an individual employee's vigilance and sort of their ability to recognize and act in accordance when there's a phishing email and as opposed to a firm's investment in technological safeguards.

Craig Petronella:

Do you think that most small law firms are doing the training and testing of their staff every month?

Alex Pearce:

Do I think that most are? Unfortunately, I tend to think probably not. As you might expect, I suspect the level of sophistication and investment in that sort of thing and training probably runs the gamut depending on the size and sophistication and resources that a firm has. I've been to some firms. Last weekend, the News & Observer had a story about companies throughout the Triangle running sort of phishing exercises on their employees and that sort of thing. And you hope that people are doing that; I would say they should be. I think there's nothing more effective than to teach someone a lesson by tricking them in a training exercise into clicking on something. So I think that's something firms should be doing. Whether our firm certainly is, but whether others are, I can't say, but to me, that seems like one of the most prominent threats out there.

Craig Petronella:

Oh, statistically, users are the number one to fall victim, even you get the world's best security.

Alex Pearce:

Right.

Craig Petronella:

Bob and I have struggled to raise awareness and get people to talk to us about this topic. We've even tried different things. I've been writing for maybe two years now with Bob, the cybersecurity articles, just different recent hacks, recent things. We wrote a story on the phishing example, just to try to bring awareness about what is happening in your backyard. These things give good content and good knowledge for free but never really get any response. We've gotten zero response from the advertising and the writing that we've done. And it's just baffling to us as to why. What do you think is the reason for that?

Alex Pearce:

It's a good question. In some of the organizations I'm involved in, the North Carolina Bar Association and other groups like that, more and more discussion about law firm cybersecurity is an important issue. The state bar has recently enacted a new continuing legal education requirement that requires lawyers to have some to devote. I think it's an hour every year now to education on technology issues. I think, in part, because of a recognition that you have ethics authorities, like the North Carolina State Bar and the American Bar Association, issuing ethics opinions that talk about sort of lawyers' duties to protect client data. There is more and more recognition sort of generally in the profession, these are important issues why particular thing might be that the folks know this is an issue, but they don't know where to start. I understand that I'm at risk, and I need to do things to protect myself, but I don't know where to begin and turn.

Craig Petronella:

That's interesting because we put writing and advertising to hit on that topic. And that was our thought process, but not a single response on that.

Alex Pearce:

Yeah.

Craig Petronella:

And we were baffled. In a five-minute free phone call, just asking if your questions can easily score a firm's cyber maturity. You're reading these things, or you're not doing these things, and then just giving them genuine fiduciary advice on Okay, we should do training. You should do these certain things; whether you do them with us or somebody else, you should still do these things.

Alex Pearce:

Right.

Craig Petronella:

You said that they're starting to increase the requirements or the suggestions through CLE training. I'm just wondering, What do you feel is the best method to bring awareness and action towards this? Where it's received well?

Alex Pearce:

I don't know that. A lot of people get this information from organizations that they're already a part of. As I mentioned in further North Carolina, your County Bar Association, I'm part of a committee that focuses on privacy and data security issues. And one of our goals is to sort of disseminating information that small firms or solo practitioners can use to protect themselves to that's one potential avenue. The private sector and companies that provide these services can play a role there, too. But in terms of the best way to do it and I'm not sure. It probably just depends on the firm their level of sophistication. In a firm that is keyed into these issues, needs will differ from the sole practitioner.

Craig Petronella:

Because you understand the depth of the subject matter.

Alex Pearce:

Right.

Craig Petronella:

What's interesting is how we bring more awareness and action to those that are not subject matter experts there, Brad Dunn's CLE training and presentations, and talking with different groups in the triangle. I had two conversations after. But still, nobody wants to do anything to strengthen their profile.

Alex Pearce:

The other thing that might drive change in this area, and I've seen some client demands, and so...

Craig Petronella:

Meaning the consumer side doing business

Alex Pearce:

Right, their clients. They're going to hire a firm, and it's more corporate clients. But it's usually larger. Major corporations are sophisticated. But I think we're increasingly seeing those clients, as consumers of legal services, demanding, as they would from any other vendor as part of their sort of third party risk program, that the law firm agree as part of the engagement to comply with their cybersecurity standards.

Craig Petronella:

That's correct. I've noticed the same thing with other medical practices: wanting to do business with another firm requires a self-assessment questionnaire or a SOC 2 Type 2 to justify, improve their security stature. I've seen more of that. But, as you said, on the higher, larger enterprise level, I have seen it too, from a bigger vendor to a smaller business. And the small business usually has no idea what that is. But it's interesting. Bob's audience and the readers of the magazine are mostly smaller law firms. Most of the firms in North Carolina are smaller. We've tried, we tried everything from free to paid channels and just could not get any response.

Alex Pearce:

Yeah, that's interesting.

Craig Petronella:

I don't know why there is not much more action. We've even tried face to face CLE events. I did a presentation on Google Fiber with Professor Kevin Lee at Campbell University. And that went well, and we had great conversations after that as well. And it was recorded, we put it online, but still nothing after, it stopped there. There was nothing. It was like, Hey, why don't you do a free scorecard for our firm just to kind of see where we're at. But I assume that I don't think that the small firms are even doing security risk assessments.

Alex Pearce:

Yeah, I don't know.

Craig Petronella:

I know for a fact that the medical firms, chiropractors, physical therapy, small clinics have never done it before, even though they're supposed to with their HIPAA.

Alex Pearce:

It may be just a function of until you've had an incident.

Craig Petronella:

Yeah. And that happens.

Alex Pearce:

That's a sort of proactive investment. People don't think it's justified. I'm on the same page as you. I don't think that's the right way to think about that's much more expensive to deal with than incident.

Craig Petronella:

Pennywise, dollar foolish, or whatever. What's weird is that in the past 14 days, my company has helped more companies with an incident response regarding ransomware victims from a referral, not our client from a referral. Hey, help us. We're encrypted.

Alex Pearce:

Right.

Craig Petronella:

How do we get out of this mess? We found more reports with the FBI and the incident response piece of it in the past 14 days than we have ever. Locally, here. That's alarming to me because we have the technology, and you're aware of the technology that can help stop and mitigate those risks. That either one they can recover without paying a ransom or to not have to worry about that threat because we have the layers in place at such a level where it's hardened, where they're not victims.

Alex Pearce:

Right.

Craig Petronella:

That's alarming to me. In all of them, there were three or four different companies. All were small. They had no backup means to recover; they were forced to pay. One of them was over two bitcoins, which is now almost $8,000 just in the fees, and that doesn't include all the labor that has to be done to clean it all up. It's branding 10-20 grand to a small company. I would think it's still a lot of money. I know what it is to my small business.

Alex Pearce:

Yes, certainly.

Craig Petronella:

It's baffling to me. I was curious if you had any thoughts there?

Alex Pearce:

I always think it's better to invest in front-end prevention. And that's the better way to spend your time and money and resources. But, I can also understand for small firms with no resources. They've got competing priorities. I'm fortunate enough to work at a place that takes this seriously. We're ISO 27001 certified.

Craig Petronella:

Fantastic.

Alex Pearce:

We take this seriously. That certainly colors my view of things. I know that Nigeria is fortunate enough to work in a place with the resources and the bandwidth to implement a program like ours. As there's more of a focus on sort of lawyers' ethical obligations, when it comes to this thing, as clients start placing more of an emphasis on one to make sure their lawyers have appropriate security in place. We have more examples of these firms getting hit, whether it's through business, email compromise, or ransomware, or sort of other nefarious acts. Hopefully, folks will start getting the message that this is something that they need to focus on. And again, I think there has been some recognition of that, but it certainly varies. There's a spectrum in terms of firms' size and their level of sophistication.

Craig Petronella:

One of the things my company does is we vet and test in our lab, at our data center in Raleigh, different technologies, what works, what doesn't sort of good stuff, that's just fake marketing. And we built a 22 layer stack of all different things that we have proven that work. We blend that. That's how we protect our clients. And one of the layers in that stack is called a BDOS. I don't know if you've ever heard of it. And we tried to help them, they came out of stealth mode, they got an international patent on their particular security layer. What it does in a nutshell. The short version of it stops any type of threat from being able to write to the hard disk drive. So if you were tricked into clicking on the link, or you went to the infected website, if that droplet tried to come in through a Java exploit and try to drop that payload to your disk, it would be stopped in real-time, whether it knows about the threat or not. And Lockheed Martin did a 120-page report on it. And it's a fantastic technology. But it's really expensive. They're minimum buying $100,000. However, some of the largest law firms and the largest corporations in the world use it. They don't advertise it. They use it because they don't want the hackers to know their secret sauce. It's not a silver bullet, but it's a very effective layer in their arsenal and stack. And we tried to help even that company, which we're still partnered with. We tried to help them talk with larger law firms, as well as larger enterprise CIOs. And even with them, we couldn't get people. Even though we could show realistic examples and proof. Here's a capture of the flag that's been running for ten years plus; this layer is so good. It's boggling to me how sometimes companies and people are receptive to trying different neck technologies and understanding. I understand that there's a trust level. You don't want just to trust. Some barriers need to be overcome. 
It's just interesting how certain people are more willing to vet and check out technology like we do to see what's good because it changes all the time. Even the technology we used in our stack in 2013. We found that many people were getting the endpoint security layer was letting the ransomware through, so the other layers would have to catch it. It was like, Okay, we swapped that layer out and put a better layer in that had more sophisticated heuristic technology. So we're always looking for that for our clients. And it's just interesting how I would think that there would be more awareness around, Hey, we should be checking up on our security every year we should be doing these risk assessments. We can't just make assumptions and speculate that we're okay because what we bought last year might no longer be good enough. It's just interesting. The whole puzzle is mind-boggling to me.

Alex Pearce:

I think the legal field is probably no different than the other fields.

Craig Petronella:

Yeah!

Alex Pearce:

You've got a range of organizations in terms of size and sophistication with different competing priorities for the budget. Sometimes, some of us might think cybersecurity deserves a higher spot in terms of priority. I believe we are on the same page.

Craig Petronella:

I don't know this for a fact, but I was speculating that, maybe, I'm just thinking and brainstorming. Do you think that some smaller companies and or law firms think they can just buy breach insurance and just not have to worry about the rest of the puzzles?

Alex Pearce:

That's interesting. I don't know. I think insurance is a big and important piece of the overall risk management program, but just a piece. I would hope that nobody is relying exclusively on insurance to protect against this risk. That's an interesting question.

Craig Petronella:

I wonder how the logic goes through people's heads of, Well, why am I going to pay XYZ firm or buy all the software stack layers, and that's going to cost me X dollars per year when I can buy cyber insurance.

Alex Pearce:

Right.

Craig Petronella:

And if I get hacked, then then I could just make a claim. I just wonder if that's some of the logic that happens.

Alex Pearce:

REMAX parents could also be that many cyber insurers want some evidence that you've implemented.

Craig Petronella:

Yeah. Do you think that that will become more strict? Or what do you feel is the stance that if you got Mr. Insurance Company here, and then you've got XYZ small firm here, and they have a breach? Let's say that half a million dollar breach, for example?

Alex Pearce:

Yeah.

Craig Petronella:

And they had breach insurance. So they call insurance. That would happen. They get all the reporting, and then Mr. insurance company says, What safeguards have you put in place? What was your last risk? Do they ask those questions?

Alex Pearce:

My experience is that it's usually on the front end as part of the underwriting process. And again, I think that sort of cyber insurance market isn't all that mature yet. There's not a lot of standardization and what the coverages and policies and that sort of thing, but I would think, as that market matures, that cyber insurers will want to do some due diligence of the insurance program front end. I think some of them already do that. There's probably some variance in how far, how deep they go, whether it's just answering a questionnaire versus some more active looking and doing.

Craig Petronella:

Are they doing some of that now?

Alex Pearce:

Yeah, I know that they are. Some insurers are insisting as a condition of getting the coverage that you meet certain standards. I think that's one thing that could counter the strategy you're talking about, where somebody says, I'm not going to worry about this, I'm just going to insure him on the back end.

Craig Petronella:

Maybe, one day, we'll be able to get the insurance.

Alex Pearce:

Right, in my opinion, to get the insurance in the first place that I think is wise on the insurance part, because they're just going to have claims. Just smart business for them to kick the tires a little bit.

Craig Petronella:

I'm not insurance, but I would think that Mr. insurance company would want their client to be as buttoned-up as possible so that they would be less likely to pay a claim. Maybe their premium is reduced by doing those activities, like the safe driving or good driving behavior program.

Alex Pearce:

Right.

Craig Petronella:

You do that for so many years or whatever, you get a brake runner or something like that, whatever you

Alex Pearce:

Yeah, it's interesting. I've also seen some insurers do helpful and proactive in terms of things with some of that sort of education about best practices and like incident response and helping, companies get plans in place. All of that is a value add to the insured; it also protects the insurance company on the back end.

Craig Petronella:

I think NIST has done a pretty good job with that. But I think, again, it's around awareness. I don't think most firms or lawyers know what it is. Apparently, they know what that is. And then even if they did, it's a 300 plus page document that's evolving and changing every day as well. And I wonder if they would even know where to start with that or hand it to the IT guy, which typically even the generic IT doesn't have the depth.

Alex Pearce:

The guy who fixes your mouse, isn't it?

Craig Petronella:

Right.

Alex Pearce:

Maybe, isn't all that well versed in NIST or whatever framework. The complexity of the subject matter. The cost, all those things may drive. Yeah, it may prevent the sort of widespread adoption you'd otherwise.

Craig Petronella:

Sure.

Alex Pearce:

I don't know. I guess if I could figure that out all that, it could be done something else. But it's an interesting problem that my experience has been being not unique to law firms. I think law firms, maybe, as a whole, just a little later to the game than other businesses?

Craig Petronella:

Do you think that it will be more breaches that headlines everywhere, that kind of opens the eyes? Or do you think it's going to be more pressure from insurance or these other requirements coming in to say, Hey, look, you can't just do this way to doing this anymore? You have to change your ways.

Alex Pearce:

I think it would probably be both. And then they're related, as they're more breaches that affect law firms, clients are going to become more concerned.

Craig Petronella:

Right.

Alex Pearce:

Law firms are handling their data; insurers will want more evidence that you've got some programs in place on the front end. I think all those things will continue to drive more attention to this area. Law firms and the sort of the licensing board in a state bar focus on this as an ethical matter, and lawyers have an ethical duty to protect client data.

Craig Petronella:

Yeah, isn't there some ethics and confidentiality that have to be?

Alex Pearce:

We have ethical rules that include competence and confidentiality, and notices have been interpreted as including implicitly or in some cases explicitly serve a duty to take reasonable measures to secure client information.

Craig Petronella:

But it's still kind of vague in the reasonable measures category.

Alex Pearce:

Right. Which I think I'm not advocating. I don't think anybody does.

Craig Petronella:

I think that it will probably be impossible. At least, maybe, NIST or some guideline.

Alex Pearce:

Yeah. I think as an ethical matter; we're not there. Anybody thinks we need to get there. But that's just another factor that might drive folks to pay more attention to this. Regulators say, Yeah, this is an ethical duty that attorneys have to take measures to secure client data there. Usually, the kinds of measures you need are appropriate to your operation's size and scale, the kind of data you're handling, and all that stuff.

Craig Petronella:

Do you think there would ever be a time where the consumer would then have the power to release their data to whom and when the healthcare industry trying to do with blockchain and health ID technology? Or the consumers then control their medical record history? And it's not in silos of different medical servers all over the place. They get to control their data with whom they get to share it with, and when, for how long, and can terminate it on their own?

Alex Pearce:

That's a different question than data security. I think of that more as privacy, showing you the right to consumers, the right to control information about them. And it's a right that has been enshrined in law in Europe for a long time. I think we're just starting to see it become a more prominent issue here in the United States, a great example being the California Consumer Protection Act.

Craig Petronella:

Do you think that's going to spread?

Alex Pearce:

I think it already is. And so, since the California law was enacted, I saw something the other day. I think it's maybe seven other states that have introduced bills that are not enacted yet. I've had bills introduced that incorporate some or all of the concepts that show up in California. People can ask companies what data the company holds about them, opt-out of having their data shared with other people, request that their data be deleted, etc. And so that as more states pass their laws, it raises the question of whether we're going to have a federal standard. I think most people would say, if we're going to have a standard, I'd rather have one. At the federal level rather than 50 different state laws that I'm trying to do.

Craig Petronella:

Right.

Alex Pearce:

I don't know how far we are from that. But I will say I've seen more discussion in the last six months of that possibility than I've ever seen Carolina or nationally.

Craig Petronella:

Have you seen anything in North Carolina yet?

Alex Pearce:

I have not seen anything resembling California law, anybody talking about anything resembling the California law in North Carolina. It's more, I think, in New York. There's a bill in Washington, and there's a bill in New Mexico. But again, I think as more states jump on that train, that will push people in Congress to start pushing for a federal law. And there's certainly been a lot more discussion at the federal level recently. It's an exciting time to be doing this work. There's never a dull moment for Dr. Sanders's security. I feel confident. We'll see in the future.

Craig Petronella:

Absolutely. With the California law and more adoption from other states, I almost feel like it's going back to the consumer to have some more control. Because with all the breaches, that seems like corporations don't have it under control. They did breach all this privacy and secure information that was supposed to be held confidential.

Alex Pearce:

Right.

Craig Petronella:

Pretty much, we're all victims. IRS was hacked. We're all having to deal with that through identity monitoring, protections, and different layers we have to put in place on our own and into our own hands. So it's interesting.

Alex Pearce:

Yeah, it's two different things. One is the breach, like are the companies that collect data about me protecting that data from bad guys. And certainly, there have been lots of prominent examples, Equifax, Marriott, or like all those situations would have people very concerned about bad guys having access to their data. When I give a company my data, as a consumer, am I entitled to know what they're going to do with it, who they're going to share it with? What happens when they do things with it that I didn't necessarily expect? And that's a little bit different issue than the sort of is my data being protected from bad guys. But that's the one that is rising to prominence, to your point about sort of consumers having control. There's been this because of things like Facebook, Cambridge Analytica, etc.

Craig Petronella:

And the recent ten-year thing?

Alex Pearce:

Exactly. It's mostly about big tech companies. As I get my data to big tech companies.

Craig Petronella:

But I think it's also awareness around people not realizing what they're giving up. They don't realize what they're accepting in terms of use, what they're giving up, what is open for grabs. And then the blurry lines through that and then what if something happens, like Cambridge. Now it comes to light. They get it. Okay, now I'm a victim of that too.

Alex Pearce:

Yeah. There's a philosophical debate going on right now that having people consent to big on privacy policies, they don't read anyway. Some people don't think that's an appropriate way to deal with these situations.

Craig Petronella:

Sure.

Alex Pearce:

But the other side of all this is that these companies are doing an innovative and interesting thing delivering people services they like and use. The trick is striking a balance between allowing companies to innovate and use data responsibly without allowing some of the things that people aren't comfortable with. It's a tricky balance.

Craig Petronella:

Yeah, for sure. I wonder if blockchain or technology like that could help secure, by default, some of the records that either attorney works with. I know, there's been talk about using blockchain technology for deeds in record management, local government levels, and things like that. And I wonder if that could further help with the security aspect?

Alex Pearce:

Yeah. I'm not as familiar with the use of cases on the security front for blockchain. But I've certainly seen discussion for things you're talking about, sort of chains of title, and even for supply chain monitoring. Or in the legal space. I've heard some discussion of using blockchain for like signatures and signature verification, and that smart contracts, all that. I'm not as familiar with the use case in the sort of cybersecurity realm.

Craig Petronella:

No, that's fine. I was just curious.

Alex Pearce:

Yeah.

Craig Petronella:

Cool. Cool. Thank you.

Alex Pearce:

Hopefully, I get something you can use.

Craig Petronella:

Yeah. Thank you. Appreciate your time very much.

Alex Pearce:

No problem. Thanks for coming.

Announcer:

Thanks for listening to yet another episode of cybersecurity and compliance with Craig Petronella. Listen to all of our podcasts on Apple, Google, and Spotify. Visit us online at Petronellatech.com to book a meeting with Craig about your business.