We have spoken on the Ethics of Data Security at Bar Associations across the USA, and we continue to get more and more questions around the topic of data security. I decided to turn to our go-to expert and bring you answers from the source with this Q&A session I had with Tim Rettig of Intrust IT.
Read Part 1 & Part 2 of this interview.
Mark: What can a law firm do to keep communication secure and confidential while also providing great client service? What are steps they can take and what should they be careful about?
Tim: Definitely one of the things that we are seeing more and more of is some type of secure portal where your clients can upload and download any type of secure documents. CPAs do this as well. When I submit all my information to my accountant at the end of the year, I’m not emailing it to him. Instead, he gives me access to a secure portal where I login and upload my documents. When he finishes my taxes, he provides that information on the portal as well, so I can download it. No confidential files should be sent over email.
A law firm should do something similar for their clients as well. It can give them peace of mind. I cannot imagine working with an attorney that doesn’t have a system that would allow me to feel secure about my documents and case information. Personally, I would go look for another attorney, if my law firm didn’t offer that. There are many simple document portals available, a very popular one is Citrix ShareFile. ShareFile has a client portal feature where a law firm can change the logo, the URL, etc. to make it look like it’s part of their firm. It also has very good security on the back-end where you can store documents securely. Clients can come in to reset passwords abd upload and download documents, then you can synchronize the documents out of the cloud and into a secure server in your office.
Mark: Good point. There are also some legal specific document portals like, netdocuments. Box.com has some legal specific features too. Also, many cloud based practice management vendors have document management as a part of their features. My Case and Clio both provide a client portal interface and have some document management functions.
One more thing that is specific to legal, lawyers should also make sure the cloud vendor is willing to hold documents based on the law firm’s requirements. You don’t want a vendor that is going to give up documents based on a legal request or a formal subpoena without involving the law firm whose documents are being requested. Be sure to ask these types of questions if you are looking at a cloud based document vendor. I know Box has a legal package where they can do it correctly, and the most of the legal practice management vendors I know have these items covered in their terms of use, but lawyers should be aware of this.
Tim: That’s a good point to mention, like Google Drive, their terms of use most of the time say they have access to or own the data and can do with it what they want. Another thing to think about is that it can be better to have, more of a customized proprietary portal, rather than using what some people call a public cloud (like Dropbox or Google Drive), because it’s too easy for a third party to pretend to be you by providing fake Dropbox links to phish your clients. Having a specific portal with a URL that’s customized to your firm gives the client peace of mind that they know this is specifically a request from their attorney and not a hacker.
Mark: A lot of firms have the problem of being everywhere, courthouse, hotel, office, even Starbucks and realizing they need a document or some information from their systems, whether in their email, on the office server, or in the cloud. Public Wi-Fi is something that people assume is secure, they assume that the provider must have thought about security, that’s not always the case, is it?
Tim: That is correct. First I recommend—and I do this myself—that you use a provider you trust and can control, like your mobile provider, instead of public Wi-Fi you can often make your phone a hotspot that only you can interact with.
When you have to use public Wi-Fi, it’s a good idea to use a VPN product. This is a little different then the usual way people think of VPN, where you used to VPN into the office to get to your shared file server drives. The VPN of today encrypts all the traffic coming from your laptop and sends it to a server somewhere out on the internet and unencrypts it and sends it to the internet from there. That way, if you happen to be on public Wi-Fi that is compromised, or maybe it’s actually a hacker that is providing what looks like public Wi-Fi, a VPN would encrypt all the data coming to and from your computer so it’s less likely for anyone to be able to read the data.
Unfortunately, these new VPN tools really came into the spotlight a few months ago when the government voted to remove the limitations on ISPs so they can now sell your browsing history. All of a sudden this came into the limelight because people now want to encrypt their internet traffic so that their ISP can’t see where they are going on the internet. Right now, I don’t have one to recommend because this issue caused all the VPNs that were good to have an influx of traffic, so we are testing and waiting to see which vendors can scale and handle all that new encrypted traffic.
Mark: We briefly touched on viruses, malware and ransomware earlier; do you have anything else to add around this topic?
Tim: On ransomware, I mentioned the new endpoint protection software that are now offering services specific to ransomware. The one that we are providing to our clients as part of our IT Services contracts has a one thousand dollar per endpoint, up to a thousand endpoints, so it’s a one million dollar guarantee. It’s kind of like insurance. If you were to get a ransomware on your computer and we weren’t able to roll it back or stop it, we’ll pay the ransom up to $1000 per endpoint. You may be able to get similar solutions from your IT provider. Of course we are also happy to help anyone out with this too.
The other thing to look at is your cyber-insurance policy. They are evolving very quickly and you can buy coverage so that if you were held at ransom that you would contact your insurance company and work with them to decide whether to pay the ransom or not, or whether you want to recover your data, how much time you’re going to lose and then if your insurance policy is going to pay the ransom and what the deductible is. That’s definitely a conversation to have with your insurance company.
The other thing I would recommend, it’s good to have a bitcoin account that you have open with some money in it, because the fact is, if you are held ransom and you do decide to pay you need to be able to pay quickly with digital currency. For example, a company came to us with ransomware on their accounting system and it encrypted all of their accounting information at the end of the day. The ransom was around $700 or they could recover from the backup at the end of the previous day. 70 employees worked all day in their system and all of that work would be lost.
So, they looked at the cost of 70 people working all day versus paying $700, and the cost benefit worked out to be cheaper to pay the ransomware, but they needed to have bitcoin to pay it. It takes some time to get bitcoin setup so that is why they came to us, we have a bitcoin account for these reasons and we were able to help them pay that and get back to work. Of course we were also able to show them why they got ransomware in the first place too.
It’s interesting that many of the people I’ve told to do this years ago have made all kinds of money because Bitcoin has been going up like crazy in value. People I talked to that bought bitcoin as recently as one year ago paid about $500-$600 a coin, now it’s valued at $2400 a coin. It’s not something to put your life savings or retirement into but it’s something to look into and worth it to have money out there just in case.
Having a backup by syncing to a cloud service like Dropbox or box isn’t fool proof either. We’re seeing that it’s difficult to recover if you use a cloud service where you’re syncing or replicating files out to the cloud. If you get ransomware on your laptop, it encrypts all your files that are in your local Dropbox folder, then those encrypted files get replicated out to Dropbox. There isn’t an easy way to go back and restore all the files from Dropbox, you have to do this one file at a time. However, there are third party products that will back those cloud products up so that you can recover back to that snapshot.
If a cloud provider like DropBox or Box were breached and all files stored encrypted, you would have a backup from a third party. One large organization that is using Citrix ShareFile had us setup the systems to replicate all of their files out of the Citrix ShareFile onto a server that they own, so if something were to happen to that share file, they would have their files. Also, if something were to happen where their files were encrypted or deleted, they would be able to get them out of the backups on the server.
Mark: With the cyber-insurance, some basic policies may have mentioned cyber stuff in the basic policy, but lately some of the updates have been to limit that more than to expand it. I’m assuming it’s because they are limiting it so they can sell specific cyber liability insurance? Are you seeing that?
Tim: Yes, the stuff in the past that was an “oh by the way” or an add-on is now getting severely limited because they want to sell you a specific cyber-liability policy and normally to be elibile, there’s a questionnaire they will ask you to fill out. A lot of the questions cover what I talked about earlier: are you updating systems on a regular basis, do you have firewalls in place, do you have backups? They’re going to have all these factors that help them identify how big of a risk you are so they can comfortably sell you a policy. At the end of the day the cost is associated with risk, and cyber-insurance has become a bigger risk for many insurance companies as the threat has grown.
I can tell you that property management company I mentioned earlier that had that half million dollar loss would have liked to have that policy in place because not only do many of the policies cover if you’re hacked or someone gets into your system, but if also social engineering, like a wire request that comes in and because it looks like it’s from the CEO it goes through. It is extremely beneficial to have that type of expertise available on retainer as well as forensics so if you were to be breached you would have those experts available. Otherwise, many times, if you call a cyber forensics expert after the fact and you don’t have any tools in place, they’re going to say they only work with companies that they are engaged with on a regular basis or pay a retainer. Your insurance company can help provide those resources if you have the right policies.
Mark: Tim, is there anything else we haven’t covered?
Tim: One of the other things we haven’t covered that we’re starting to see is solutions that are being provided by email vendors. Email is such a common way for threats to be sent into a small organization, email tools, like Office365, now offer advanced protection, I think it is only a $2 a month per user upcharge, on their current plan. It can be added to any plans. It has what they call “safe links”, when somebody puts a URL into an email it actually changes the URL, so that when you click on it, it goes through Microsoft’s proxy server before it gets out on the internet, it checks and tracks who clicked on what links.
This helps with forensics. If somebody were to be tricked into clicking on a malicious link and Microsoft didn’t identify it, you would be able to see who clicked on the link and when and how many people clicked on it.
The other feature is called Safe Attachments. One of the problems with newer threats is how fast they deploy when opening a malicious attachment. With Safe Attachments when you get file in your email and launch it, the attachment is opened in the cloud so basically it is ‘detonated’ and they monitor it for 30 seconds or a minute to see what it does with their sophisticated monitoring and tools. After they’re able to identify what the code looks like, if it’s encrypted, or if it is going to start reaching out to a remote server then it will quarantine and notify you. If it all looks safe, it will show up in the email on your system.
Mark: I imagine that most law firms, like other small businesses use an Office365 type of hosted Exchange server, or they use Google Apps. Does Google have similar features?
Tim: I don’t know. There are third parties that offer things like that, I don’t know if Google itself has started to offer that built in to their servers yet.
Mark: I’ve come across many lawyers, where it’s bobsmith@verizon.net or joethelawyer@aol.com. At GNGF, we always recommend going with a quality hosted email provider like Office365 or Google Apps. But some people don’t want to change their email off the old platforms, is there anything they should be worried about or is that okay?
Tim: I always recommend using a more sophisticated email hosting service, especially because so many of these threats are through email. I can’t imagine having a business email address that’s still AOL or Verizon or some cable provider. To the client, it’s going to look totally unprofessional and none of the more sophisticated security tools we use with small businesses would be available to them. It would be very good opportunity, and it’s so inexpensive now, to have these really good security tools available and a vanity email that looks like a real law firm.
Furthermore, it will give you an opportunity to reduce the amount of spam you’re getting as well. What Microsoft or Google has in terms of anti-spam algorithms is significantly better than AOL, Yahoo and Verizon and any of those consumer grade companies. Along those same lines, I also recommend that you do not publish your email anywhere on the internet, like even on your company email. Robots are going through sites and looking for emails and then adding to the spam list, to send malicious emails, that’s the worst thing to do.
To see if it’s published anywhere, if you take your email, put it in quotes and put it in Google, and just search and see where it shows up, if you have relationship with that site, ask them to remove it. I did that years ago for our business and contacted people to have them remove; now I have our email address as a Google alert to make sure it doesn’t show up.
Mark: Are you saying that as a business you do not have a corporate email?
Tim: Correct, we do not. We did in the past and the majority of what it got was spam and some of that spam included malicious attachments. We now have a form on the website to contact us and a popup chat. The chat gets the most use.
Mark: If a law firm wants to know if they are doing things right when it comes to internet and data security, see how they’re doing, make sure they are meeting the standards, what should they look for if they are reaching out and talking to somebody for an audit?
Tim: Nowadays there are such good vulnerability and scanning tools available to IT Services companies like ours. For just a few thousand dollars, depending on the size and complexity of your firm, an IT firm can give you a very detailed audit of where those vulnerabilities are and what you need to fix. It’s also all about prioritizing. There are critical things, there are high priority things, and there are things you should get to over the next year. It’s also very helpful both internally and externally. Once you are confident in your data security you can provide this to any corporate clients you work with. Many large corporations require proof of data security audits. That’s something we do for our clients on a quarterly basis for larger companies, for most of our smaller companies clients we do this about once a year, at a minimum.
This interview has been edited and condensed.
There you have it, I am glad I had this interview because even though we are very security conscious at GNGF, I even learned a few things that we may want to add to our policies and procedures here at GNGF.
If you are interested in having an audit performed, I would recommend Intrust-IT. We personally use Intrust-It for our own data security needs at GNGF. After answering just a few questions, Tim said he can provide a quick quote for a customized network and data security audit for your firm. Click here to fill out a short form and we will have someone from Intrust-IT reach out to you.
Leave a Reply