OM21: Proving Cybersecurity Due Diligence for your Firm Presented by James Gast David Myers The handouts and presentations attached are copyright and trademark protected and provided for individual use only.

Handout: my.alanet.org/events/specialty/handouts/OM21_Proving...

May 28, 2018

Transcript
Page 1:

OM21: Proving Cybersecurity Due Diligence for your Firm

Presented by

James Gast David Myers

The handouts and presentations attached are copyright and trademark protected and provided for individual use only.

Page 2:

James Gast, CEO, SpliceNet Legal Tech & Legal Marketing. [email protected] | 513.252.0212

Proving Cybersecurity Due Diligence For Your Firm

www.linkedin.com/in/jamesgast

Page 3:

Who The Heck Is Jim Gast?

I’m a veteran of Law Firm Tech & CyberSecurity and the CEO of SpliceNet Legal Tech, who specializes in developing highly effective and secure technology systems.

• Law Firm Tech & Cybersecurity Expert Assisting 150+ Law Firms over 25 Years

• 75 Law Firm Cybersecurity Audits in last 24 months

• National Speaker/Writer on Office 365 & Cybersecurity

Page 4:

What you get in the next 90 min:

• What cybersecurity is beyond the “tech”

• A standardized process for your firm

• How to assess your cyber-threat readiness and mitigate it using the same tools we’ve used for the last 7 years

• A simple national peer-based cybersecurity collaboration platform

Page 5:

Why You Should Listen!

Page 6:

“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.”

– Andrew Grove, former CEO of Intel

Page 7:

A Quick Overview Of The Sophistication And Proliferation Of The Cybercrime Business

Page 8:

The Evolution Of Crime

Cravath Swaine & Moore, Weil Gotshal & Manges, & Mossack Fonseca (aka the “Panama Papers”)

Page 9:

Black Market Values

• Credit card details: $2 to $90

• iTunes account info: $8

• Credit card numbers (ripe): $190

• Card cloners: $200-$300

• Fake ATMs: $35,000

• Anyone can easily buy training, tools and services for committing fraud, hacking systems, buying stolen credit cards, setting up fake web sites, etc.

• Cyber-criminals even offer support contracts for their software

Page 10:

“We’re Just a Simple Law Firm... Nobody Would Bother To Attack Us, Right?”

• One in five law firms falls victim to cybercrime each year and that number is GROWING. (Source: National Cyber Security Alliance)

• Law Firms are low-hanging fruit because they don’t believe they are a target, and therefore have very loose or no security systems and protocols

Page 11:

$122,000 x 2 – Amount of money defrauded from Northern Kentucky Law Firms Last Spring

Biz Model: Low Volume, High Margin

Page 12:

Biz Model: Low Volume, High Margin

Page 13:

Bank Fraud

FDIC Does NOT Protect Your Firm From Bank Fraud Caused By Hackers And Social Thieves, And The Bank Is NOT Responsible For Getting Your Money Back!!!

Page 14:

400,000 NEW Malware Threats Are Being Released Per Day

Source: AV-TEST

Biz Model: High Volume, Low Margin

Page 15:

Phishing!

“There's always somebody in an organization who will... open a malicious link or an email attachment.”

– Kevin Mitnick, the FBI’s most-wanted computer hacker of the 1990s, turned cybersecurity consultant/good guy

Page 16:

Page 17:

Less Known & Thought Of Cyber Threats To Consider For Your Assessment

Page 18:

Shadow IT: 21% of your users are using Dropbox without your knowledge! Source: SpliceNet Cybersecurity Quiz, February 2016

Page 19:

Social Hacking: 97% “say” they would not attempt to view files on a USB stick they found. Social experiments show a much higher rate. Source: SpliceNet Cybersecurity Quiz, March 2016

Page 20:

Wireless Use: 80% of people use public wireless without concern even though they consider it unsafe. Source: SpliceNet Cybersecurity Quiz, March 2017

Page 21:

The New Frontier: MOBILE

Page 22:

What you should not email!

Generally PII is: first name or first initial and last name plus one or more of the following:

• Social security number, Driver’s license number, State-issued ID card number

• Account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access the account. The definition generally applies to computerized data that includes personal information.

As a rule, the following should not be transmitted by UNPROTECTED email:

• Medical records

• Financial records

• Credit card numbers

• Bank account numbers

• Retirement account numbers

• Investment account numbers

• Username or passwords or PINs

• SSNs

• Obviously, any firm data considered private/confidential
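The two rules on this slide (PII = a name plus an identifier, or a name plus an account number plus the code needed to use it; and a flat list of values that never go out by unprotected email) are exactly what an outbound-email DLP check encodes. The following is an added example, not code from the handout or from SpliceNet; the regular expressions and the name heuristic are constructed for illustration, and a production DLP engine would use validated, jurisdiction-aware matchers.

```python
import re

# Constructed patterns for the identifier types the slide names (illustrative only).
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")    # "Jane Doe", "J. Doe"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")                     # 16-digit card candidate
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*:?\s*\d{6,17}\b", re.I)
LICENSE_RE = re.compile(
    r"\b(?:driver'?s? license|state id)\s*(?:#|no\.?|number)?\s*:?\s*[A-Z0-9]{5,15}\b", re.I)
SECRET_RE = re.compile(
    r"\b(?:pin|password|passcode|access code|security code|cvv)\b", re.I)


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: drops 16-digit strings (invoice refs, IDs) that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_email_body(body: str) -> dict:
    """Apply the slide's definition. 'pii' follows the name-plus-identifier rule;
    'block' is true whenever the message should not leave by unprotected email,
    which also covers bare items from the do-not-email list (SSNs, card and
    account numbers, passwords/PINs) even when no name is present."""
    has_name = bool(NAME_RE.search(body))
    has_ssn = bool(SSN_RE.search(body))
    has_card = any(luhn_ok(m.group()) for m in CARD_RE.finditer(body))
    has_account = bool(ACCOUNT_RE.search(body))
    has_license = bool(LICENSE_RE.search(body))
    has_secret = bool(SECRET_RE.search(body))

    pii = has_name and (has_ssn or has_license
                        or ((has_account or has_card) and has_secret))
    bare_sensitive = has_ssn or has_card or has_account or has_secret
    return {"pii": pii, "block": pii or bare_sensitive,
            "hits": {"name": has_name, "ssn": has_ssn, "card": has_card,
                     "account": has_account, "license": has_license,
                     "secret": has_secret}}
```

Medical, financial, retirement and investment records from the list cannot be recognised by pattern alone and are better handled by document labelling or encrypting all client correspondence by default.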

Page 23:

Often Skipped Password Concepts

• Do not use personal passwords for work and vice versa

• Do not use the same passwords in many places

• Do not save passwords in browsers and apps when prompted on any device or platform

• Never email a password

• Reset instead of record

• Mobile devices that have firm email (or more) must have forced passwords

Page 24:

Ok, we get it. We need to get busy, but what do we need to do and how do we prove our “Due Diligence”?

Page 25:

The 3 R’s

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

– ABA Model Rules of Conduct, Rule 1.1, Comment 8

Page 26:

It’s up to you to prove! Sorry…

Page 27:

3 Steps To Protecting Your Organization

1. Cybersecurity Assessment – Every law firm is different. What’s lacking in your security practices right now? What policies do you have and how are they trained/reinforced? What 3rd-party cloud apps are you using? Are your systems truly backed up? Where are you exposed to risk? Whose job is it to make sure your network is protected, and how do you know if they’re doing their job?

2. Action Plan – Based on what’s discovered, what do we need to do to ensure our systems, data and operations are secure from theft, compromise, corruption, etc.?

3. Ongoing Threat Management – You definitely can’t take a “set-it-and-forget-it” approach to security – your attackers aren’t!

Page 28:

Solid Cyber Strategies

Level 1 – End User Protection Technology

• Multiple Layers of Antivirus and Antimalware both active and scheduled.

• Software patch management for OS and TPAs

• Web filtering to prevent infected traffic from breaching the network gateway

• Advanced Spam filtering

• Mobile Device protection

• Least-Privileged Security Models

Page 29:

Solid Cyber Strategies

Level 2 – Next Generation Technologies

• Next-gen Converged Network Edge protection (Firewall)

• Behavioral Pattern Recognition software

• Data Loss Prevention (Email & Remote Access)

• BYOD Protection and Control

• Data Rights Management

• Network Device Control

• Penetration Testing

Page 30:

Solid Cyber Strategies

Level 3 – Policies, Education & Testing

• End User Training and Testing

• Technology Acceptable Use Policy

• Mobile Device Use & Loss Policy

• Corporate & Public Wireless Network Use Policy

• DR/BC Policy

• Vendor Standards, NDA, Confidentiality Agreements & Imposed Self Audits

• Employee background checks

• Data privacy policies

• Data Breach Policy & Action Plan

• Technology Change Controls

• End User Awareness & Testing

• Regular Plan Reviews & Testing

Page 31:

RAPID ASSESSMENT WORKSHEET

Page 32:

CYBERSECURITY ASSESSMENT TEMPLATE

Page 33:

CYBERSECURITY ASSESSMENT TEMPLATE

Page 34:

LINKEDIN GROUP FOR NATIONAL COLLABORATION & STANDARDIZATION

Law Firm Cybersecurity Due Diligence – www.linkedin.com/groups/8623243

Page 35:

NOW FOR YOUR BURNING QUESTIONS?

Page 36:

Your Opinion Matters!

Please take a moment to evaluate this session.

Thank you!!