What tools do you use for identifying and protecting sensitive data?
DK: Fortunately, I’m not handling much sensitive data these days, other than my own. I do try to think carefully about whether the method by which I’m storing or transmitting data makes sense for that data. Being vigilant about whether I’m on an https site is also on my checklist. Otherwise, I focus on the basics—full disk encryption, strong non-reused passwords, and multi-factor authentication wherever possible. Several years ago, I heard the term “data hygiene” and it made a big impact on my thought processes around data protection.
AP: Encryption of hard drives, password protection on documents, and faxing (not e-faxing*) of truly secure documents. See my article on e-faxing and why, unlike traditional faxes, which offer top-of-the-line security, e-faxing (either when you e-fax out or when your recipient uses an e-fax service to receive) is inherently insecure and should be regarded just like unsecured emails.
GS: There are multiple protocols. We use Sharefile for encrypting our email and are mainly using cloud-based products for storing client data. Those products are certified GDPR-compliant. We regularly train our staff in identifying threats, particularly phishing.
What is one thing an attorney can do to reduce cyber data risk in their firm today?
SE: Make sure everyone in the firm, including attorneys, is trained to recognize phishing and spear phishing attacks. Missteps by people are still the leading cause of cyber attacks. Make sure people know security by obscurity is not an effective practice.
DK: There are several “one things.” I might put requiring multi-factor authentication for any admin-level accounts at the top, but an aggressive password policy and keeping software updated would be other contenders. And don’t forget user training. Social engineering and “spear phishing” have done a tremendous amount of damage.
AP: Three things: 1) Stop e-faxing, 2) Encrypt all PDFs being emailed that contain sensitive info, and 3) Avoid discussing sensitive information in non-encrypted emails.
GS: We paid for an independent third-party threat assessment, which was a smart move. We trust our IT folks, but the independent audit has made our clients more confident that our house is in order.
Does your firm currently have liability insurance and an incident response plan?
DK: I’m not in a firm, but, in addition to what others have mentioned, a robust backup process is an essential part of any security plan.
AP: Absolutely as to both! It would be malpractice not to…
GS: Yes, we have both in place.
What cyber threats keep you up at night?
SE: Again, it’s the human risk factor that is a big cause. It just takes one weak link, one misstep, and your whole system will go down. People who work in firms, and especially lawyers, don’t seem to want to take threats seriously and/or take the time for training that’s critical.
DK: I worry about the cumulative impact of all of the poor security practices we see these days. My good security practices can be dramatically compromised by your poor practices. There’s a great notion called “herd immunity.” I like to think that my security practices help protect the whole herd from dangers.
AP: The court e-filing systems getting hacked is a nightmare scenario as far as I’m concerned. Just the other day, our e-filing system in New York went down for a few hours. It was terrifying to think what would happen if all of the submissions had been lost. Even just from a 24-hour period… (Always make sure you keep your confirmation emails and e-filing receipts, in case you later have to prove you filed something timely.)
GS: One weak link employee who clicks on a malicious link in an email. The bad guys are getting more and more sophisticated when it comes to making the emails seem real.
How do you keep up with the latest cyber regulations, threats, and strategies for defending against attacks?
SE: I subscribe to the Advisen service which keeps pretty current. I also subscribe to a variety of feeds and try to read them every day.
DK: I’m not sure it’s possible to stay fully on top of everything these days. Bruce Schneier’s blog, Schneier on Security, has always been a great resource for me. There are some tech news and cybersecurity podcasts that do a good job of covering breaking issues. The tech news podcasts will probably help you the most unless cybersecurity is your focus or area of strength. Watching for updates and security warnings for the software and cloud services you use from the vendors is vital. Installing those updates is more important than ever these days.
AP: Attend all tech conferences I can fit in my schedule and constantly keep up with tech industry news. Do not wait for the latest security info to trickle down through legal industry publications and CLEs.
GS: I talk to the experts. We attend conferences on cybersecurity, read up on the subject, and consult with our IT team and our outside consultants.