Earlier this year, Bob Ambrogi talked about security and how lawyers should be scared - and take the subject more seriously. He mentioned a few notable instances in which lawyers were hacked and had to pay penalties to recover data, or in which they were sued in a class action.
We looked into the issue and found one notable case where three men hacked into multiple US law firms, accessing the email accounts of lawyers helping companies with major business deals (including one involving Intel Corporation). They used the information they found to trade, and ended up making more than $4 million. Officials are now warning law firms to be careful and watch for similar incidents, since their servers hold valuable information for hackers.
To help lawyers improve their security measures and prevent a breach of their systems, we went out and interviewed cyber security expert Mara Glasser, who graciously provided a breakdown of what "cyber security" means and how lawyers can take their protocols to the next level:
I. Can you tell us about your background and your experience with cyber security?
I currently work as a Senior Cyber Intelligence Analyst for a cyber security company called Q6 Cyber based out of Miami and Tel Aviv. My experience and specialization in cyber fraud/cyber crime allows me to help my clients gain visibility into their adversaries and secure data that may otherwise end up in the wrong hands.
Armed with this information, I am able to provide proactive recommendations and solutions so that organizations can better protect their assets. Prior to joining Q6 Cyber, I lived in Israel where I worked in the cyber security sector as a Cyber Intelligence Analyst alongside members of various intelligence communities as well as with the private sector. I have an MA in Security and Counter-Terrorism.
Q6 Cyber is a cybersecurity company based in Miami and Tel Aviv. The company provides a wide range of cutting-edge cybersecurity solutions and services, enabling organizations to effectively manage and dramatically reduce the risk and impact of cyber attacks.
The company is led by former U.S. intelligence officials (NSA, U.S. Secret Service). Q6 Cyber serves customers in the United States and internationally across multiple industries such as financial services, real estate, legal, retail, hospitality, logistics, and investment management.
II. What is “cyber security” in plain English?
Cyber Security is comprised of practices, processes, and technologies that are designed to defend networks, computers, data, and, in general, all assets from unauthorized access which can lead to attacks and damage.
III. How hard is it for someone to hack my computer or device?
It depends on a lot of different variables such as the level of sophistication of the threat actor involved, the user, the system, and the policies of the organization. All of these variables set a precedent for how secure or insecure you might be.
However, whether we want to believe it or not, we make it a lot easier for the “bad guys” to get into our computers/devices when we lack knowledge in how to protect our assets.
Conduct Penetration Tests
Starting at an organizational level, we at Q6 Cyber recommend that organizations conduct penetration tests. This is the testing of computer systems, networks, and web applications to find vulnerabilities that an attacker can exploit or take advantage of. Penetration tests are conducted remotely and do not require physical access to your premises. Every organization is unique and so the penetration test service is tailored to meet your needs.
When Q6 conducts these tests, we generally gain access through applications and devices that are not properly configured, often with default passwords still in place. Systems that are not kept up to date with security patches are generally easier to compromise than fully updated ones. When a user reuses the same password for all of their personal and work accounts, there is a higher chance that the user will be compromised.
With all of the recent data breaches, an attacker can get information to learn a user’s password to attempt to take over their account(s). The next most commonly successful attacks are those based on social engineering - such as phishing. In such cases, an attacker acts as a legitimate company or person and attempts to get users to click on malicious links and trigger malicious software, which enables the attacker to gain entry. Basically, from these few examples, users can be their own worst enemy.
IV. What are some precautions I can take to protect my computer / device?
I think the preliminary step is to understand the controls that you have put into place; however, there are also some general practices that can help to reduce the chance of compromising your system and account credentials.
Keep Your System Software Up to Date
First, and one of the most overlooked items, is to keep your system software up to date - and do NOT run any pirated software. Secondly, I cannot emphasize enough the importance of having a strong, unique password, which makes it more difficult for an attacker to compromise your system.
With data breaches such as those that targeted LinkedIn, Yahoo, and other websites occurring more frequently, an attacker looking to compromise a user or organization can build a list of common passwords from these breaches that can substantially increase their chances of success.
Create Strong, Unique Passwords
According to the 2016 Verizon Data Breach Investigations Report: “Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords.” I suggest using a long pass phrase (ex: a few words combined from your favorite song), and using a password manager that has the ability to generate and store passwords for you.
Use 2-Factor Authentication
Additionally, I suggest using a 2-factor authentication process wherever possible to help reduce the chances of a compromise. It is important to understand and to clarify that 2-factor authentication using SMS is no longer recommended by NIST (National Institute of Standards and Technology).
Instead, find a 2-factor authentication that uses a secure token such as RSA ID, or an application such as Google Authenticator (I use this for many of my online accounts). Other recommendations include locking screensavers for your portable devices, to help protect unauthorized people from using the device when left idle.
Remotely Wipe Lost or Compromised Portable Devices
We also recommend that organizations implement systems that allow them to remotely wipe a lost or compromised portable device to ensure that it is no longer able to connect to the organization’s systems. The key to all of this is to have a comprehensive series of overlapping security controls combined with strong monitoring, so that if something is to happen, it is noticed and resolved quickly.
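The password advice above (no reuse across accounts, long passphrases, and the fact that attackers build candidate lists from earlier breaches) can be turned into a defender-side check. This is an added example, not code from Q6 Cyber or the interview; the breach list and account vault are constructed sample values, and the thresholds are assumptions.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample of a leaked-credential list. Breach compilations are
# usually distributed as hashes, so the check compares SHA-1 digests rather
# than plaintext. These entries are hypothetical.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "P@ssw0rd2016", "letmein", "qwerty123")
}

MIN_LENGTH = 12                # assumed minimum for a non-passphrase password
MIN_WORDS_FOR_PASSPHRASE = 4   # assumed minimum word count for a passphrase


def in_breach_list(password: str) -> bool:
    """True if the candidate's SHA-1 digest appears in the breached set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def is_passphrase(password: str) -> bool:
    """Treat a candidate as a passphrase when it contains several real words."""
    words = re.findall(r"[A-Za-z]{2,}", password)
    return len(words) >= MIN_WORDS_FOR_PASSPHRASE


def evaluate_password(password: str) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if in_breach_list(password):
        findings.append("appears in a known breach list")
    if len(password) < MIN_LENGTH and not is_passphrase(password):
        findings.append(f"shorter than {MIN_LENGTH} characters and not a passphrase")
    return findings


def find_reuse(vault: Dict[str, str]) -> List[List[str]]:
    """Group accounts that share a password; each group is sorted by account name.

    Passwords are compared via SHA-256 so the plaintext never needs to be
    collected in one place when this runs against an exported vault."""
    by_hash: Dict[str, List[str]] = {}
    for account, password in vault.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_hash.setdefault(digest, []).append(account)
    return [sorted(accts) for accts in by_hash.values() if len(accts) > 1]


def audit_vault(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Per-account findings, plus a 'reused' entry listing shared-password groups."""
    report = {account: evaluate_password(pw) for account, pw in vault.items()}
    report["reused"] = [", ".join(group) for group in find_reuse(vault)]
    return report


if __name__ == "__main__":
    # Constructed vault: the same weak password on two accounts, one good passphrase.
    sample_vault = {
        "email": "P@ssw0rd2016",
        "bank": "P@ssw0rd2016",
        "dropbox": "correct horse battery staple",
    }
    for account, findings in audit_vault(sample_vault).items():
        print(f"{account}: {findings or 'ok'}")
```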
Lawyers hold a lot of personal information about their clients on their personal devices. What precautions would you recommend for them to protect their client data?
Implement Strong Access Controls
Similar to the recommendations above, lawyers need to look at all of the different ways that client information can be compromised, and ensure there are overlapping controls in place. The bulk of client data should be stored in a well-secured, centralized location with strong access controls that limit a user’s visibility to only the required clients.
Limit Storing Client Data to Current Projects Only
The amount of client data stored on an attorney’s personal device should be limited to current projects, in order to minimize the risk of compromise or loss. Ideally, they should always use encrypted emails to communicate to clients and share client data. When this is not possible, Q6 Cyber recommends that users share files through systems that perform strong authentication (such as 2-factor authentication) and have role-based access controls, such as Microsoft’s SharePoint, OneDrive, or Google Drive, rather than through an unencrypted email.
Train Your Employees
Lastly, it is always recommended that organizations hold a company policy training session. This is used to inform and educate employees on company policies about security protocols and other security matters, such as what to look for when opening a suspicious email.
V. In your professional opinion, is it safer to store information in the cloud or on your personal device?
Move to the Cloud
I would say that data stored on the cloud is not infallible, but overall, is more secure than storing data on your personal device. Each presents different challenges and both need comprehensive security controls in order to fully protect sensitive information.
For example, a user storing data in a cloud-based system which is only protected with a simple password that is the same as the other passwords the user used on LinkedIn or other websites is not safer just because it is in the cloud.
Another risk with storing data only on your personal device is ransomware: Q6 has received calls from the offices of medical professionals and lawyers after one of their office machines was infected with ransomware. This malicious software is designed by an attacker to block access to a computer system (files included) until you pay the requested sum of money.
Have Regular Backups of All Your Data
The issue at hand is this: even if you pay the ransom and receive your data, the attacker has your valuable data in hand. If you do happen to have sensitive data on your device, always password protect the data. Also, having regular backups of all of your data is highly recommended.
However, data stored on a personal laptop that does not have the latest security updates installed, and which is used to conduct a wide variety of personal business, is at high risk for being compromised by malware - which would consequently put all of the sensitive client data stored on the computer at risk.
The data on the cloud servers are encrypted, which makes hacking a formidable task for criminals. Another benefit with storing your data on the cloud is the ease of access. Today, we don’t have to be in the office in order to be efficient and get work done. We can be on opposite ends of the world and access the data needed if stored in a secure cloud location. Not to mention, that this is probably the most cost-effective method of sharing data.
VI. What are some tips for lawyers to protect the data they store in the cloud?
The risk of physical compromise for data stored in a cloud service is relatively low, but the risk of compromise due to poor authentication controls is relatively high. Users are overwhelmed with password requirements and in order to be productive they have a small number of password variations that are regularly used (and reused across multiple accounts).
Support Single Sign-On if Possible
Attackers know this and, to no surprise, exploit it. We recommend turning on 2-factor authentication whenever possible. Also, if your organization is able to support single sign-on (SSO), this should be used whenever possible in order to minimize password burden on the user.
SSO works when a user logs in to one client and is then signed in to other clients automatically, regardless of the platform or domain used by the user. For example, when logging into your Gmail account you are simultaneously also logged into your YouTube account. SSO performs one strong authentication of the user and passes that authentication to the various systems that the user needs to access.
In addition to authentication, users should be vigilant about with whom they share files and folders. Only those with a legitimate reason to have files and folders containing sensitive information should be able to access them at any given time.
Finally, when shopping around for an appropriate cloud service, make sure that the service supports the latest TLS encryption and uses HSTS (HTTP Strict Transport Security) to minimize the chances of the data being compromised while in transit. The likelihood of an attacker breaking into an Amazon Web Services or a Google Data Center and stealing a hard drive is incredibly small.
As mentioned above, the data compromised through cloud services is almost exclusively done via weak user passwords, misconfigured access controls, or bugs in the software that provides access to the data.
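The "latest TLS and HSTS" advice above can be verified rather than taken on trust. This is an added example, not code from Q6 Cyber or the interview: it parses a Strict-Transport-Security header and reports weak settings, and builds a client context that refuses anything older than TLS 1.2. The header values are constructed samples, and the one-year max-age threshold is an assumption (the preload lists use a similar floor).

```python
import socket
import ssl
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; assumed minimum for an effective HSTS max-age


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is missing or carries no valid max-age,
    since browsers ignore the policy in that case."""
    if not header:
        return None
    directives: Dict[str, object] = {
        "max_age": None, "include_subdomains": False, "preload": False,
    }
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                directives["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            directives["include_subdomains"] = True
        elif name == "preload":
            directives["preload"] = True
    if directives["max_age"] is None:
        return None
    return directives


def hsts_findings(header: Optional[str]) -> List[str]:
    """Return a list of weaknesses in the HSTS policy; empty means it looks sound."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max_age']} is below one year")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


def strict_client_context() -> ssl.SSLContext:
    """Client context with certificate validation on and TLS < 1.2 refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_name() -> str:
    """Name of the floor the strict context enforces (e.g. 'TLSv1_2')."""
    return strict_client_context().minimum_version.name


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the strict context and return the negotiated protocol.

    A handshake failure here means the service will not offer TLS 1.2 or newer.
    This is a live network call; the sample data below does not exercise it."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Constructed header values as a cloud service might return them.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        print(repr(sample), "->", hsts_findings(sample) or "ok")
    print("client floor:", minimum_tls_name())
```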
VII. Why should lawyers take this seriously? Have there been important or notable hacks recently that can illustrate the seriousness of the situation?
We hear this a lot: “It won’t happen to me”... well hopefully it won’t, but most likely it will at one point or another. Recently, it was publicized that over 1 billion Yahoo user accounts had been compromised. The security industry cannot stress enough the issue of password reuse.
Imagine a criminal who has access to the over-1-billion user accounts now likely has your compromised email address and password. Think of how many of your accounts (bank, Dropbox, etc.) that you may use the same password for. For all of these, the criminal can potentially also have access.
It is no secret that law firms are a prime target, as they hold a lot of sensitive data. Earlier in 2016, 11.5 million leaked documents known as the Panama Papers were made public. These leaked documents detailed financial and attorney-client information belonging to wealthy individuals and public officials. The victim of the breach was Panamanian law firm Mossack Fonseca. This breach not only may have financial repercussions, but also can affect an organization’s brand reputation.
VIII. Thank you Mara! As a closing thought, is security better today than it was, say, a year or five years ago? What are providers doing to ensure security for their customers?
As technology advances, so does the sophistication of cyber attacks and the threat actors involved. Hacktivists, cyber criminals, and state-sponsored groups have remained one step ahead. I would say currently, a big challenge that can be traced back to the user is one which I would call “human vulnerability.”
Attackers have increased their method of social engineering attacks, crafting highly targeted phishing attacks that entice users to click on malicious links. Organizations not only have to worry about the threat of cyber attacks but also disgruntled employees that are involved with releasing sensitive data and engaging in malicious activities with the data.
I believe that security starts at an organizational level with that organization putting proper security controls in place and making sure that their employees understand proper protocols. A penetration test is a good starting indicator on how secure an organization really is.
I am a big believer in company training sessions that help employees visualize and learn about what to do and what not to do. Clarifying exactly which 2-factor authentication to use, what internal password policies to follow, and what different types of social engineering attacks exist, can help to prevent and deter a compromise that can have consequences far beyond financial.
Lastly, an individual should always use proper security protocols - such as using strong passwords, not reusing passwords across accounts, and using a 2-factor authentication whenever possible.
Welcome to the fourth and final interview in our Legal Profession Q&A series! Today we're chatting with Caitlin Moon, inspired lawyer and passionate entrepreneur, about alt legal, millennials in the workforce, mental health, and so much more. Having both founded her own law firm and a communications consulting firm, Cat has no shortage of expertise when it comes to using your law degree outside of the courtroom and we're so lucky to be able to share her insight with you today. Without further ado, here's Cat's exclusive interview:
Q. What exactly is the concept of “Alt Legal” and why did you choose to pursue it as a career?
A. “Alt Legal” means different things to different people, I think. At its core? The idea that someone with a JD uses his/her education and experience in a non-traditional way — not necessarily by leaving the legal profession altogether, but pursuing a path diverging from a traditional private or government sector practice.
Often, a lawyer pursuing an alternative legal career is following a passion that intersects with skills. For example, you love to write so you create a blog that grows into a platform serving the legal profession (like David Lat). Or you turn your love of writing into a novel … about BigLaw (like Lindsay Cameron). Or you’re a tech early adopter and after being a change agent for your firm, you now bring new technologies to a wider audience in the legal profession (like Dan Hauck).
“Alt Legal” also makes room for professionals who don’t have law degrees to bring their expertise to the legal profession — especially in the areas of technology, process management (e.g. agile, lean), and business development. I’ve observed that the profession hasn’t traditionally embraced non-lawyers, but this is shifting. We can learn a lot from how other professions have innovated.
I think there’s room for lawyers who continue to practice but do so in non-traditional ways to be considered part of “Alt Legal,” too. We’re slow to change our ways, but the shift is picking up momentum — I consider collaborative divorce, firms leveraging technology to improve service delivery, and the use by firms of proven, iterative systems from outside law to all be examples of this.
My journey away from solely a traditional practice and into an “Alt Legal” role is explained below in response to #2 ...
Q. What is your current role? What does a typical work day in your life look like?
A. My “Alt Legal” work has included coaching and consulting with lawyers on building a law practice that sustains them on multiple levels — financially, of course, but also in ways that fulfill other important goals and needs. I’m a fifth generation lawyer, and with 17+ years in practice, I know well the toll this work takes, both professionally and personally. (Sadly, there’s a reason why the rates of depression, substance abuse, and suicide are so high for lawyers.)
My path to doing this work was actually serendipitous. In 2006, I formed a small firm with two other women. We eventually grew to four partners and an associate (all women). In this process, I took on the role of figuring out everything about running a practice (and firm) — from the best way to manage a case (it’s not what most lawyers think), to how to shift from hourly to flat-fee (it’s easier than most lawyers think), to using technology to get a lot more done with a lot less expense and effort (it’s not as scary as most lawyers think). After doing this work for myself and my firm, other lawyers started asking me about how we do what we do. And they started asking me to help them do the same thing. So I did!
Eventually this work evolved into coaching/consulting, focusing primarily in my areas of passion: communication, design thinking, and agile methodologies. My client base now extends beyond the legal profession.
I also maintain a limited business transactional law practice, working with a small number of long-time clients. I have one associate, who handles wills, trusts, and estates for my firm.
Q. Did you go to law school? What did your experience look like leading up to your current role? Internships, degrees, previous jobs?
A. I earned a JD from Vanderbilt. But before law school, I earned a Masters in communication, taught at the university level, and worked as a journalist. These experiences have contributed as much (if not more) to my work in the legal profession, as my law school experience. Frankly, I can’t imagine being a lawyer without a solid background in communications — these are the skills that make me an effective counselor and advocate for clients (and not what I learned in law school, or from the communication modeled by most attorneys).
During law school, I sought out atypical work experiences, including clerking for a solo criminal defense attorney. He sent me (alone) to a high-security prison to meet with clients (one of whom was James Earl Ray) — quite an experience for a first year law student! I also clerked for a small business law firm, and for my father (an attorney and elected official). I had no interest in a corporate BigLaw experience, I think largely because my model for what it means to be a lawyer was shaped by my father, my great-uncle (a criminal defense attorney), and my grandfather (a judge) — all of whom practiced in a small community and were more committed to access to justice than to reaping great financial rewards.
Working with entrepreneurs in my law practice definitely helped propel me in my current direction, as well. Much of my work with and for clients went far beyond simply setting up legal entities and drafting contracts. Drawn into business design, strategy, and development with clients starting new businesses, I learned a lot about how to create an enterprise from nothing but a vision. So in many ways, my law clients inspired me to become an entrepreneur myself.
Q. Do you think there’s room for law grads to play an important role in the development of legal technology?
A. Yes! I think legal technology needs contributions from both inside and outside the profession. Lawyers have much to offer, though this contribution will be most valuable if it’s informed by more than their legal experience and expertise. For instance, a firm grasp on legal design, grounded in human-centered design theory, is crucial for any lawyer who wants to contribute meaningfully to the evolution of legal technology. Without a deep understanding of, and empathy for, the consumers of legal tech (legal professionals as well as “clients” of the profession), the industry will never reach its full potential.
Q. How do you think the legal industry will change as more and more millennials enter the workforce?
A. If the generalizations about millennials hold true, then their impact on the legal industry should absolutely move it in a positive direction. Millennials value collaboration and cooperation — and we need a much greater degree of both, within the industry and with other industries and professions. Millennials rely on technology that delivers true value, and simply works. Hopefully this will drive the creation of better legal technology. And, perhaps most obvious, a shift from primarily financial values to more socially-driven ones could trigger a positive sea change in how both the legal profession and the legal system operate.
With all of this said, there are strong forces committed to maintaining the status quo in the legal profession. My biggest fear is that millennials will give up and move into other professions and industries due to the snail’s pace of change. This is a continuing, and serious, problem for our profession: those who could do the most good leave out of frustration that things will never change. Personally, I’ve had this feeling often myself, and it is a big reason I’ve expanded my work to include other professions, and now spend a great deal of time working outside the legal industry.
Q. What role does entrepreneurship play in choosing to pursue an alternative legal career?
A. Success in Alt Legal requires an entrepreneurial mindset, I think. It’s definitely not the place for someone who wants a steady paycheck every two weeks, guaranteed for the next X number of years. You’ve got to be willing to take chances, risk failure, and go in a direction that, at times, feels very much as if you’re swimming against a very strong tide. Prepare to be rejected. A lot.
The flip side? Pursuing an alternative legal career that gives you the opportunity to do the kind of work that truly satisfies you and ignites your passions is infinitely more satisfying than toiling away in a law firm.
Q. If you decide not to go the route of becoming a lawyer, what are some other ways that a law school grad can work towards social good?
A. If you’re passionate about doing work for social good, you can take the knowledge you have via law school (about legal process, the justice system, legal theory, etc.), and apply it in almost any arena. You don’t have to practice law to create (or work for) a nonprofit committed to social justice, or advocate for those who are disadvantaged or underserved.
For example, I’m very interested in alternative methods of dispute resolution and see this area as one having tremendous potential for any law school grad interested in improving access to justice — outside of the typical litigation practice trajectory.
Q. For the lawyer looking for a total career change: what lawyer-specific skills do you think are transferable to other industries and jobs?
A. For those who’ve been in practice, see below. If you’re reading this and are contemplating law school (or are a 1L or 2L) and aren’t sure you actually want to practice law, definitely read this advice from my friend Jennifer Alvey, a career transition coach for lawyers.
If you’re already a lawyer and are looking for a change, my advice really is more universal than lawyer-specific. The transferable skills you should pay attention to are those things that you’re both (a) really good at, and (b) really enjoy doing. Lawyers get good at things that we don’t really enjoy doing (which is one reason we seek Alt Legal opportunities!). So the last thing you want to do is go looking for a new career based on those skills. Instead you want to focus on what you do well as a lawyer, that you also enjoy doing. Make a list. And start researching other jobs and industries that utilize and value those skills.
I believe any skill a lawyer develops during his or her legal career transfers to work outside the law. The key is identifying those skills you have that you also enjoy using on a regular basis.
Q. What are some of the key ways that individuals in the legal industry can work to reduce stress, avoid depression, and improve their overall mental health?
A. What a great question! I’m pretty passionate about making the legal profession a healthier one, and have written a lot about what individual lawyers can do to create a work life that supports a person physically, emotionally, and intellectually: get moving, practice gratitude, meditate, practice yoga, commit to continuous improvement through lifelong learning. Lots of research validates engaging in all of these (which explains why you see many people recommending them for anyone who wants to be less stressed, more productive, and happier). I’ve also conducted my own personal experiments with all of these. They really work!
Q. What role has networking, social media, and digital marketing played in the development of your career over time?
A. Intentional networking is key to creating a successful career, whether legal or alt legal or outside of legal completely. I’ve been in the workforce since well before social media and digital marketing existed — so I’ve relied primarily on in-person networking with others who’ve both taught and inspired me. My total career spans 24+ years and if I’ve learned nothing else, it’s this: You are better when you are surrounded by other really good people. A great network both lifts you up and stretches you. And it also gives you a place to contribute, which is a key element of professional satisfaction.
For me, social media and digital avenues have simply expanded my ability to create a really exceptional network. Connection is the common element — connecting with peers, mentors, mentees, clients. Your network should include all of these people, whether you meet them via Twitter or in person at an event.