There is not one day in the news cycle where new cyberattacks are not part of the top news stories. But to think that cyberattacks are only targeting the government or international organizations is far from reality. Anyone can be the subject to them, and in this week’s conversation, Nathan Cucciare from N8 Solutions joins us to talk about it.
A 100+ team law firm that loses all their data in a matter of hours? Yes, Nathan has come across this and has also solved the problem, and what his questions will make you wonder is whether your law firm is prepared for a potential attack.
Cloud vs. Local, which one is the safest? Mac vs. PC, which one is best for your business? Is antivirus still relevant? Answers to this and many more plus actionable takeaways.
If you would like to book a discovery consultation with Nathan and find out if your law firm is doing enough to protect itself, you can submit a request here.
Send us your questions at ask@incamerapodcast.com
Enjoy the show? Please don’t forget to subscribe, tell your coworkers, and leave us a review!
Transcript
Liel: [00:00:00] The biggest problem in a cybersecurity incident response is understanding how the law firm is using its servers, its data, and who has access. I’m Liel Levy, co-founder of Nanato Media, and this is In Camera podcast where we believe cyber security should be proactive and not reactive.
Liel: [00:00:47] Welcome to In Camera podcast, Private Legal Marketing Conversations, Grace, how are you today, another week?
Grace: [00:00:53] Good. How are you, Liel? I’m doing great, Grace.
Liel: [00:00:56] I’m excited about recording the last episode in October. Can you believe how time is just flying by? Just flying by Grace.
Liel: [00:01:03] I mean, I know Grace, this podcast, is going to be one year old very soon and we need to plan some sort of party, I guess, and whatever a party means nowadays. So, yes, I know, but that needs to happen, Grace. So take it seriously. But let’s leave all of that small talk for another occasion, because we do have a guest for today, Grace, and we have a very, very interesting topic and relevant to talk about. So why don’t you do the honor, as always, and introduce our guest for today’s podcast?
Grace: [00:01:35] I sure will. So we have a very interesting guest and a fantastic friend of mine. As a matter of fact, we are very pleased to welcome Nathan Cucciare for a conversation on it. And cybersecurity for law firms. Nathan has 20 years of professional experience working with some of the best people in the field. And he’s also the founder of N8 Solutions, an IT consulting firm that aims to take or make it simple, honest and transparent. N8 Solutions was launched in 2010 with the intention of finding a better approach to manage IT services. Their goal is simple keep their clients happy. They don’t like to baffle you with jargon or keep you in the dark about your technology servicing. They aim to make it simple, honest, and transparent. To learn more about Nathan or Nate at N8 solutions, visit N8its.com. Nate, welcome to the podcast.
Nate: [00:02:29] Thank you. Thank you.
Liel: [00:02:30] Welcome, Nate. And we’re very happy to have you here. Honestly, the topic of cybersecurity is something that has come up before here. And I know particularly Grace is very, very interested and has shared with us a lot of valuable data about this particular topic. But now that we have you here, I want to start by talking about who should be concerned about cybersecurity. Is this something that it’s primarily a matter of interest for major bigger law firms that have multiple locations there across the state or national level, communicating and sending a lot of data through the Internet. Who really at risk here? Is anybody exempt from saying, I’m fine, you know, we’re a small law firm?
Nate: [00:03:20] The short answer is everybody needs to be concerned. And I think that’s what we usually run into, is small law firms think, well, why do I need to be concerned? You know, it’s small law firm. We can recreate. We can do this. Sounds great until you’re missing data or you don’t have disaster recovery or you don’t have the data backed up or you think you have the data backup and all your data gets wiped out. Most law firms that at least we interact with today work with electronic data one way or the other, whether it’s just something as simple as email or a full case management system where the data resides as well, there’s a lot of presumptions that everything is OK just because. So that’s what we usually run into. And it’s whether it’s a large law firm or small law firm, the same rules apply in security, at least in IT. If it’s sitting on a computer, you need to make sure that it’s taken care of. And that doesn’t just stop at security because you’re law firm may get infected or security breach. You have the other side problem of law firms with medical records, things that are hyper compliant documents that you’re keeping track of. All of those things fall off the responsibility of the law firm. A breach may not be a wipe out of your data. It may be, hey, we’re just going to take all of the medical information and start logging personally identifiable information like Social Security numbers or bank account information if you’re doing that kind of stuff.
Nate: [00:04:41] So it’s bigger than I think most people realize until they get hit with something and then they realize, oh, wait a minute, we really did need to care about this.
Grace: [00:04:51] That’s exactly right. How many times have you and I spoken about this so all the time. Right. Nate is our I.T. for Gacovino and Lake and for Persist Communications. So he has a unique perspective on all kinds of sides of this kind of question. Right. Of cybersecurity. So I’m going to have a question for you right now that, you know, it’s kind of loaded, I guess. But the way I look at it is there needs to be answered. Right? I know. I know you. And I love these loaded questions. What considerations do law firms or what considerations should law firms have or do they need to have about their I.T. systems? Security?
Nate: [00:05:28] First thing is it depends on which way you go. You have internal security, external security. So on the internal security side, again, just data that someone that works at the office gets to something as simple as that, thinking, you know, does a paralegal need access to everything that exists? We’ve walked in law firms that, you know, a paralegal will have access to the financial data because the data shares are not locked down, there’s no security that’s just open to everybody. So that’s one item that plays into the bigger issue of open connectivity from the outside of the world, that’s something that’s even bigger, obviously, that wipes out a law firm, that that causes data breaches, that does a lot of things. But it always starts at the internal security and how that’s laid out them. Like I said, you get concerned about things on the outside. Is it protected coming in? You know, we’ve come across law firms that my 13 year old could have gotten to the data from the Internet with no problem. And unbeknownst to the law firm, they’ve never had it looked at because they think we’re a 10, 15 person law firm. We don’t need all this. We pay a very low cost for the server. We for this product. So because it has a big name behind it, like a GoDaddy or Microsoft Azure or AWS they think it’s fine, no, it doesn’t automatically protect what you’ve got. So that’s the biggest.
Liel: [00:06:53] Thank you very much for saying that, because I actually do have here a question that kind of goes back to people being under the impression that because they are using renowned names as a server for the website or they have some cloud solutions implemented, all of their data is backed up automatically and everything is good and secure.
Liel: [00:07:15] So a lot of organizations right now work out of the cloud right. Their CRMs case management systems are all cloud operated. So does that automatically sets them in a place where they are being protected by these cloud providers, if you may? Well, that’s actually giving them the CRM or case management software or communications system, but it’s cloud based. So what’s the line where they stop protecting you and you need to start also taking steps to protect your data?
Nate: [00:07:47] Right. The short answer is you can’t always assume that. So the answer is no. Should they be? Absolutely. Are they? That’s always something in question in the IT world, you know, and this is old school IT 20 years ago, we go assume nothing. You have to think of it is it has to be proven to you that things are secure. You can’t just go on that. Oh, because it’s this product, it’s secure because it’s and I use GoDaddy as an easy one because there’s a customer that had a server and GoDaddy that literally had no protection, no firewall, no protection. There was nothing stopping it. It was wide open to the world. And when we first walked in, you get a server that’s having hundreds of thousands of breach attempts daily and that’s on the low end with no protection compared to ones that we were protecting. Customers we have. Going like much bigger customers with a lower impact. So the assumption that because it’s a big name doesn’t necessarily mean you have to assume that you still have to go through and vet that you have to ask the questions. What kind of security do you have? What kind of compliance do you have? If you’re doing medical records and things like that, does it hold up for compliance if you’re doing financial transactions, credit card payment processing for whatever or passing financial data back and forth? You know, do you have those type of compliances? So just because it’s a big name and just because it’s a service, you still have to ask a question. There are services out there that do cover that. They will provide information that says here’s what makes us compliant. Here’s what makes us secure. Here’s how your data is protected. However, we run across often where you get a big name that you think has that and it doesn’t most of the time a big name, like a GoDaddy, to Microsoft and Amazon, big names. They’re not creating the product that you’re using. It might be based in their service, but it’s a third party vendor that’s created the product. So again, questions, questions, more questions and more questions are always important.
Liel: [00:09:43] Ok, so you’re bringing here a very, very good point. So you cannot just go from the cover and say, oh, it’s a big name, it’s a renowned software or whatever company. I’m protected. Now, if you’re putting up your data on the cloud, should you secure basically the connection in which it’s getting uploaded up to the cloud? Should you actually have a backup of all the data that you have on the cloud locally also, both? What are reasonable steps to take and when it’s kind of like an overkill?
Nate: [00:10:14] Well, in the backup world, there’s no overkill. How many insurance policies can you take out to protect something? I mean, you have to be reasonable what applies to your business. And like I said, it depends on what you’re using and asking questions. How is the data protected? You know, and in the same note, where does the data store how does it reside there? Do I need to have a copy? Do I have easy access to the copy? It’s hard to give a blanket statement on that because there are so many different variations of that specific instance, to say, you know, we’ve got backups here, you go out and get a service and they say, OK, you know, we do SSL connectivity, so that’s safe and our data is out in Azure. OK, that’s great, too. And the backup, you know, runs like this. OK, that’s fine. Is there somebody checking the backups for the backups compliant with regulation? What’s the restore times for a backup do. Do I care about the fact that I no longer control my own data? It now sits here and a third party, you know. As the data may sit in the Azure, but the Azure instance, the storage instance may belong to vendor B, and now you have to go through the process vendor B, you can’t call and say, I need my data, Azure. Azure is not going to care. Microsoft’s going to say, yeah, you’re not our customer. Vendor B is our customer. So you’ve got to verify these different levels of things. You know, again, all depending on the needs of the business and recovery time plus comfortability with am I, do I have access to my data when we need it? That’s always a question we get in small or medium-sized businesses and law firms especially, you know, there is a data breach maybe six months ago with a customer that, you know, again, we can provide information and put down a set of rules, but not being the actual business, we can’t enforce them. So we do have customers that we put out here, the guidelines, and this is what we recommend. And most of the time, while that sometimes they say, yeah, we’re going to do this anyway. Somebody went that route and did it anyway, hit with a crypto-virus, wiped out the entire infrastructure, we had to rebuild all the servers, disaster recovery, and backups. That’s what they’re there for. I think we have the entire law firm, roughly one hundred people back up and running, I think within 72 hours, which is pretty good.
Nate: [00:12:45] The law firm did freak out and they said, wait, wait, wait a minute. You know, thinking about that, if we wouldn’t have had you guys with the disaster recovery that we lost, one of our main focuses when we would, we work with everyone. We want to make sure the data is there. If they wouldn’t have done that, he was our law firm would have been done. We don’t have copies of this data. There have been massive breaches in the same room with other firms, other firms that are not ours, that have been literally wiped out. Yet they don’t have the data. There is no going back and saying, hey, we have all this case data sitting around. It was all electronic. The backups didn’t exist. No one was paying attention to it and just assumed everything was good. So like I said, there are varying levels of when you entrust your business into someone else, whether it’s a big name or a vendor that uses a big name, you still have to ask the questions. Prove to me why I can be comfortable that you have my entire business in your hands. And that’s at least what we do for for our folks.
Liel: [00:13:42] The example that you just gave us here, it’s quite catastrophic, right? I mean, to lose your entire data in just one instance. Luckily here, the client had a way to restore through you, and that’s wonderful. But I guess many of our listeners may be asking themselves where what are the kind of things that can lead to you losing all of your data in an instant? What kind of attacks are these? Is this something that you can up to a certain way control? Is this an employee opening a harmful file without knowing or knowingly? You know, what are the things that can actually trigger these kinds of events?
Nate: [00:14:21] Yeah, you’re in the right realm. And that’s usually where we hit the here’s our I.T. recommendation versus what a company wants to do, what a firm wants to do. You know, security internal to your own environment is, you know, No. One, to everything we talk about when you walk in the environment that has little to no security and everybody, has access to everything and everybody’s an admin on their machine and everybody has full rights to all of the critical data that runs the business. As I kind of mentioned, we’re users could see financial data when you have that going on. That’s just a powder keg waiting to go. So you’ve got all these people here that have access. That’s good. That’s fine. Maybe you have a firewall and it’s blocking connections from coming in and it’s a good firewall. And that’s great. However, the problem comes into play here. Security breaches usually will happen from the back door. Someone has let something in. It’s not necessarily going to be oh they breached your firewall. And, you know, they’ve gotten it and they’re using these exploits that can happen. I’m not saying it doesn’t, but it’s usually not. It’s usually that, you know, user one got an email that says, hey, this is yours and it looks like it’s from their boss. Hey, I need you to go to this website and give me some info. And amazingly, people will click on it and they’ll go put their password in and then log in to something and start putting passwords in that get key log somewhere else or it’ll be a drive-by and drop in a remote connector into their machine. Now it’s got access. Now you have a way to get in. Crypto viruses have been the biggest thing on the threat scale this year, at least and beyond. The cryptovirus drops and it says everything this person has access to encrypt it and lock it, including system files, leave just enough so that machines run, but lock out everything else and it spreads as it is a virus, like a virus. It crypto locks all of the data leaves a little note on your desktop that says click here to pay us two bitcoins, which I don’t know if that’s still eleven grand. Twenty-two grand. That would pay us ransom for us to give you the key to unlock all your data. And usually, there’s no case they’re not going to give it to you. There are companies that have paid the ridiculous ransom where some work, some don’t. So going back to the people on the inside, keeping things secure, keeping things segregated internally, that’s always the easiest way in. For hackers to get access and take down a company is usually the back door in because somebody clicks on a link that they’re not supposed to, but they don’t know what it is.
Liel: [00:16:51] Nate, thanks for clarifying that, and yeah, I mean, it makes sense right now here’s another and I’m going to call it a myth because it may or may not be true. Well, we’ll see what you have to say. But people saying, well, I use a Mac, right? I use Mac and those machines are not easily hacked and the people cannot. They’re privacy centered or focus there have better security systems, you name it, true or false.
Nate: [00:17:18] I would go on false. It’s a lower rate of transmission when you have a million Windows machines and one hundred thousand Macs. Well, yes, the rates are going to be lower because you have fewer machines. You know, it’s they’re not they don’t have the same targeted back base. Macs get infected just as windows get infected. They have similar. And again, they’re not the same operating system. They can be targeted in certain ways to go the same way. So, no, it’s I always,my opinion has always been it’s a false narrative to say, you know, Macs are more secure the more they’re just targeted less.
Liel: [00:17:56] Fair enough.
Grace: [00:17:57] So I’ve been accused of being a Mac hater because of that exact comment that I’ve made. I agree with you. There’s less you use Mac. Yes. It’s not that you dislike it. It’s just there are fewer people in the business environment that use Mac. So there’s a less targeted base. I completely agree with you. And I feel the same way because my daughter likes to click on a lot of things and hers has definitely gotten viruses for where I had to clear it out and roll it back and fix it.
Nate: [00:18:27] So, yeah, Microsoft has always been, you know, a business in general. It the compatibility of the things that it does is fairly universal. Mac has a place to, whereas I use a general we’re window shop, we do Windows, everything being a Microsoft partner, everything’s Windows. However, there are times that a Mac is sometimes easier. I don’t need everything. I need a browser. I want to be able to know. I also like iPhone. So I can’t I can’t really say that I hate Mac or anything I do. Mac has some good qualities for it, but from a business standpoint, not so much. It’s great for for communication. It’s great for, you know, your Face Time was one of our favorite things to use to where we’ve actually we’ve actually gotten the right of going. It may be worth sending my iPad to all of our customers because it’s easy to face time with everybody. It makes perfect sense. So, yeah, it’s not a Mac hate problem. It’s not a you know, this is better than that. It’s they kind of have different places in the marketplace, in my opinion.
Grace: [00:19:29] And compatibility in general, like you said, I mean, for business processes, Microsoft is just the way it’s easier. It goes with everything else that I need to do. I understand that. So I’m going to ask you another kind of it’s loaded but not loaded. And you kind of touched upon it while we were talking about it, which is what are some of the, I guess, inherent risks of not having the right systems in place?
Nate: [00:19:53] Inherent risks of not having the right systems in place. I mean, that’s kind of an open-ended question. There are many variations of I could probably tackle it and I think. The right systems for what you’re using as a business are obviously important, the right systems to manage security are important, backups are important, antivirus is important. All the things that go with the risk that you’re dealing with data encryption bit locker, for example, is another area of concern as well as that. You know, as a business and especially law firms, you have to look at what do we keep in our office? What data do we hang on to? What’s our process? What do we go through? And those are where you have to weigh out, OK, what do we need to spend money on? What do we need to buy as a product? What do we need as a service? You know, there are varying levels of what you can put in place to mitigate things that happen. So I guess it’s very long-winded, my brain’s going in here are all the things that you can discuss and I think it’s. Important to verify what you need as a business and see what does that take. Everything in IT and for as long as I’ve been in it is seen as a cost center. We have to pay money for this. Oh, we have to pay money for that. We have to pay for these guys. The service that back-up these products, this application. However, you know, there are two things that it does.
Nate: [00:21:25] One is efficiencies in the business. You know, are you doing things that can be made more efficient by technology in general? You know, will things move faster? Do we need to have one person that opens the envelopes every day or could we use that person to do a couple of things that are more advanced? That’s really a simple one, I guess. And then the same thing on the flip side with security. What kind of security? Like an insurance policy. How much do we need? Do I need to be up, back up, and running within the same day? You know, that’s costly. Am I OK to be down for three days? You know, we have customers that usually go, oh, we’re fine for a couple of days. There’s only been probably two, maybe three instances in the last decade where one of our customers has been catastrophically breached and it’s generally because somebody didn’t listen, but they’ve been catastrophically breached. And generally, we ask in the beginning, how long do you need? How long can you be down for? And they’ll say, oh, you know, a week’s fine. And they get hit and they go, oh, my God, we’re down. We’re down. There’s nothing we can do. What are we going to do? You told us a week and that’s what you have to pay for. You want a day? It gets costly, not necessarily by the services we provide, but the products or applications or things that you need to put in place to make that happen.
Grace: [00:22:41] Right, to sort of backtrack on what happened to begin with because they don’t pay attention. Right. And I mean, so I know both of us kind of I think a lot of times can speak and you speak, you know, on a more layman’s terms to make people understand what, you know, a little bit more about cybersecurity. But I had kind of a very specific question about blockchain. I’ve seen this blockchain thing. That’s what I’m to call it a thing because I don’t know exactly what it does or what it is. And I’ve seen it on like these Docusigns or Zohosign and those types of things. I understand that that’s some kind of component of security. What is it? Is it something that, you know, you could explain a little bit just because I again, I keep seeing it and I, I kind of want to pick your brain about that.
Nate: [00:23:29] Can you give me an example of where most recently you’ve seen it?
Grace: [00:23:32] Yes. So in ZohoSign, there’s an administrative option to add a setting where it does a block chain date time stamp.
Nate: [00:23:41] Ok, OK. You know, blockchain generally, like any other kind of encrypted data like digital rights management or encryption, is generally going to encrypt data to say, hey, look, I can take a word document, you know, for example, any just regular word document. I can say, hey, I’m going to decompress a word document. If you rename a Doc X Files dot zip, it actually separates it out where you see it in different components. Here’s the text part. Here’s the formatting and you can dig through it. You know, there’s plain text and documents that you can read into. Block chain, bit locker, different encryption technologies are going to say, hey, we’re going to actually lock the data. So if I pull your hard drive out and it has all these built lockers example bitlockers is enabled. I’ll go non-bitlocker locker. I can take the hard drive, plug it into something to read all the data, and pull the files off it. That’s no problem. Bit Locker. If I pull the drive off and plug it in, all the data is encrypted. There’s nothing I can see. It’s encrypted data. You need the decryption key that’s either on the machine itself or depends on your locker. The key exists somewhere else to basically decrypt the data as you’ve logged in to say, hey, you can look at this now, assuming in the example you gave same thing, there’s an encryption key that’s going to show you the data.
Grace: [00:25:05] I see. OK, so it’s just another level of security essentially with whatever.
Nate: [00:25:10] On the general world, anything that you have that is of importance. And that’s financial. That’s medical. That’s anything that’s personal information. Things like that should be encrypted in some capacity, should be. We can only get everybody to listen.
Grace: [00:25:29] Well, that’s I clicked on that button and I thought that it was a good idea. So I just I was like, OK, another level of security and some kind of a hippo authorization or one of those, of course, I would like to edit so that thank you for the very good explanation that helps me kind of understand where I’m going with the blockchain thing, at least a little bit. And go ahead, Liel.
Liel: [00:25:49] So I have a question. Grace and I’m going to call it a little bit more of a philosophical question because this blockchain thing was a little bit too technical.
Liel: [00:25:59] I’m kind of like wondering if this society, you know, in the US, we’re just not so concerned as a whole about privacy issues online. Right. And I’m thinking if we were to have something like they have in Europe with the GDPR policies in place and such, our mindset would change and we would be more concerned about data and privacy and where data is being kept and that sort of thing. What’s your take on that? Do you think it could influence the way that we go about security and data protection in many of the things that you try to solve and are solving for your clients?
Nate: [00:26:44] Yeah, I mean, anytime you’re talking about data privacy, I mean, obviously. Everybody should care about it. Everybody should understand what’s happening, what’s not, and, you know, that’s where compliance rules generally are coming in, like HIPAA, like PCI compliance, and in other words, it’s ISO certifications. All of these compliance compliances exist. The problem that we always think, at least in opinion at least, is that there’s never a clear cut way on some of these on what does that exactly mean? You know, who’s using HIPAA because law firms, generally, anybody that’s in law, in law firm industry that is doing anything that involves a medical anything should be thinking about HIPAA compliance. HIPAA compliance is about medical records. Right. And it’s user medical records. What type of compliance actually do. Everybody, I think has the idea of your job is to protect that medical data, to make sure that, hey, it’s secured and it’s taken care of. But what exactly does that mean? You know, what the test, I’m trying to simplify it. What’s the checkbox list that says, hey, here are the things if you have to have to be HIPAA compliant. And that’s kind of the problem, I think that we’ve seen and some customers, obviously, we are not, before I go too far. We are not regulations experts in every compliance component that exists in the US. Obviously not. However, it would be easier to implement and easier to push if there were very specific sets that, hey, look, here are the things that you can do that make you HIPAA compliant. The questions will come up. The law firm has a medical record. It sits on their server. They’re responsible for that. Are they responsible for digital rights management? Say, hey, it’s locked down. So, you know, outside of his organization, it can’t be read because it’s it’s locked down in here. How about email breaches? If your email is breached in the medical record exists and it gets forwarded off to a third party that, you know, a hacker will say is at the law firm’s responsibility, that their email has now been breached, those are always questions that we run across. So it would be good to have better guidelines specific to HIPAA compliance and IT. Obviously, I think, you know, you walk into the doctor’s office, they’re not going to say, hey, Bob Smith has this problem in the lobby. And then everybody knows that I think. Right. Perspective, clarity on, you know, what gets you to HIPAA compliance specifically. I mean, there are rules and regulations and there are recommendations that sit out there. And there are people that this is what they do compliance to that degree. Trucking company I used to work for many years ago, we would have auditors in often making sure that everything that was being done was compliant. And in the trucking industry, obviously medium-small law firms, they’re not going to have a full-time auditing company coming in once a month and saying, I’m going through all of your stuff. I’m pretty sure the cost would probably be astronomical for Law Firms. So, yeah, I’m getting some higher-level checks and balances that were clear I think would go a long way.
Liel: [00:30:07] Thank you so much. And yes, I agree. I mean, a lot of these regulations, as you’re saying, they can be somewhat ambiguous and it’s not always or they were not always created specifically for the digital world. Right. And so the adaptation of them to things that are now happening through digital means are sometimes kind of like open for interpretation. Right? Depends on who you ask. Depends on the answer you will get. Now, going back to that, in what I just said about, you know, now in the digital age, now that we are in the midst of a global pandemic. So, you know, a lot of law firms continue to work remotely, have their team working from home, from their own Internet connections sometimes, who knows, maybe using their own personal devices. Right. To connect and work from wherever it is that they are. Quick checklist of things that law firms should be keeping in mind now that they’re under these circumstances. Right. Because when they’re all under the same office, same roof, same Internet connection, same IP, you have some level of control. Now, what happens when your team is scattered around the city or the state or the nation?
Nate: [00:31:13] Chaos, yes. Unless you have us, then it’s chaos. And I say that kind of tongue in cheek because. In our, it’s hard to say what everybody else does. I can tell you what we do, all of our customers have always had the ability to work remotely. It’s the underlying fabric of how we design infrastructure. It’s there doesn’t mean everybody’s using it doesn’t mean we’re going to implement it all over the place. It means that it’s there. One of our customers when the pandemic hit and they’re in a big city that literally said everybody’s done, you have to go home. They had no hiccup in business because everything was already configured for people to securely remote in and work from home. People weren’t connecting with their personal machines into the actual data set. They were getting in via a different method that got them into the network securely and kept things segregated. Their whole machine was not running any data through it specific that will say screenshots and keystrokes where the extent of the risk they went into the pandemic and, you know, the seventy-five two hundred people there kept functioning, their law firm didn’t have a hiccup in it. They have other law firms, same problem,s or similar similar circumstances. Obviously, everybody’s got to work on. They had no way to do it. The law firms that they worked with, they just went under because there was no way for them. They didn’t have it pre-built. They didn’t have, you know, and that’s probably extreme. And I’m sure that others have come into play and said, hey, we need to, you know, create these road access components.
Nate: [00:32:46] But we’ve seen some that they’ve just said, oh, we’re just going to have people use their machine at home, which, again, from a law firm perspective, I would think. When people are running data through their personal machine at home, which there is no security that you can guarantee there, there’s nothing you can say, oh, yes, they’ve they’re now going to log in it. Maybe it’s a website that that their case management system and then maybe it’s publicly available. Now, the people are you know, we’ve made our website publicly available. We’re going to download all of our data locally and work on it there and then upload it back into the system. Now now you’ve got a different risk at hand. You know, all of the people that aren’t under the lock and key of the business. Now, you’re assuming that their computer is secure, assuming that they have antivirus, assuming that they have a firewall, assuming that they’re not already infected. Those are the things that worry us, our customers. We generally go out and we’ll say, hey, look, here’s how we’ve got things up to security. Make that connection. You either go this route or a recommendation is going. We have another customer that literally bought laptops for everybody in the company that we’re under the control of it inside. We’ve locked the laptops down. They are secured. Their connectivity works like this. You know, we generally try and discourage and say, hey, look, you know, your personal machine from home sounds great, but the risk that comes with it may not be.
Grace: [00:34:13] That makes sense.
Liel: [00:34:15] So to be bulletproof here, you actually need to be bulletproof here, you actually need to have control over that machine, right?
Nate: [00:34:23] Ideally, I mean, there are other things that work in a similar capacity. And I’ll use an example specifically, like a file-sharing company, not naming any names, has some security apparatus in it that says, hey, before someone’s allowed to hit the files, go through and check to make sure they have antivirus, make sure they have certain security things in place. And they do enable things like multifactor authentication. So it’s not wide open to the Internet. There has to be some level of, you know, the person logging in is the person logging it, which is good and fine. But there’s a customer that they didn’t look into that and they started turning things on and we brought up the same things we’re talking about here, going, hey, look, if if you’re turning this on to the world, what protections are in place? Well, it’s this big company. They have protections, you know, not necessarily let’s check or we check. They do have them, but they come at an even higher price. So what they thought they were paying on an annual basis to the company went up three or four times the amount just to enable security, which may have changed the decision to use that as the product of choice. We end up with that a lot. People will jump into something and say, hey, yeah, this is great, it’s a big company. They do this and we find out, yeah, but you didn’t actually buy all the things that cover you. That’s more money. And that may have been a business change decision change if they would have known earlier. Yeah.
Liel: [00:35:46] That’s you know, read the fine print or not even the fine print. Right. Like the accountants get better informed. So that’s certainly something that we are learning in this conversation. Now, I for the last question before we actually wrap up things here, I heard you repeated quite a few things a few times. Right. Antivirus firewalls, backups which of these things. And I mean, I’m sure there’s going to be at least a nurse here that are going to consider having or initiating a conversation with an I.T. specialist if they haven’t done so yet.
Liel: [00:36:22] Right. We’ll, make sure that Nate’s contacts are on the episode notes, but which actual solutions can a law firm, you know what steps can a law firm take and say? Well, you know what? We’re just going to put up these steps into place. We’re going to buy this software or this hardware so that we are better protected. What are a few things that law firms can actually do by themselves to just be better prepared until they can actually bring on board someone like you to actually build a whole infrastructure of security here?
Nate: [00:36:55] You know, the first thing that that is the most important that anybody is doing is always disaster recovery and backup. You know where it goes. I don’t want to say it doesn’t matter. We try and stay fairly vendor agnostic. We have some things that we literally run through our company to our customers that, you know, obviously, we think are the best for that situation. But backups, backups, backups, making sure the backups are actually backing up, making sure that, you know, what you think is backing up, confirm that the backup is actually successful and make sure it’s actually backing up the important data. The first thing we run into is that, yeah, we’ve got backups. OK, let’s take a look. We look at their backups. Yeah, it hasn’t run in six months. It’s been failing for this reason. That happens more than you think. And it seems like common sense. But people think the backups there and it’s running, but it’s not. So backups to the nth degree to make sure that there’s a copy of it is always the first thing to look at no matter what you do. Antivirus is, you know, I would say is I want to say is a dime a dozen, but there are some that are better than others. It depends on what you’re protecting. You know, if it’s just desktops versus if it’s servers with advanced applications on it, you know, antivirus is always important. Well, but backups cover are the coverall, no matter what happens in antivirus, is not going to protect you from everything that ever happens. And I think people get the wrong impression of thinking I have antivirus, I’m fine. That’s not how that works. Generally, you’re going to be OK. It’s going to protect you against a lot. If it’s a good antivirus, that’ll happen. However, zero-days do happen, exploits do happen and things do happen that get around an antivirus.
[00:38:33] That’s you know, the crux of it, people have thought for the last 20 years, we have antivirus, we’re safe. No, it’s good. It’s a good deterrent. It’s going to do a lot of things. But there is nothing that is going to protect you as a business, as an organization, as actually having backups on top of the backups. I would say the other thing that’s important and should be for business as well as what’s our recovery time looks like? How much time do we actually need? What can we actually live with, with being down in getting our data back and being back up and running and assume the worst catastrophic event. You know your office disappears off the face of the earth. Hopefully no one’s hurt, but it falls off the face of the earth. Now what? OK, we have backups, but it’s going to take us two weeks to get the data that, you know, for some business to go, yeah, we can live for two weeks. No big deal. You really have to think about that, though. Other businesses go and you know we need it today. If we’re down a day, we’re losing X amount in revenue or we’re losing X amount in business, or we have deadlines as a law firm that the court generally is not going to tell us. Oh, OK, we’ll find another time, some other day for you guys to come in and defend your case or work or put your case through. So backups are always important. And like I said, in my self, for all new customers, we do a free discovery and look through at no cost to say, hey, that’s our first interaction with anybody as we’ll walk through and run through all of the things that we do, checks and balances on and give a report that says here all the things we find that you found that you need to do, 90 percent usually end up going with us.
Nate: [00:40:15] And we usually fix all those problems. But we say, but you don’t have to. That’s what the idea of a free discovery is, take it. Use it. If you have it, great. If you want to go somewhere else, that’s great to always go through and make sure. And then once you have done that, always make sure that to keep up on that like anything else in business you do it once doesn’t mean you never look at it again. We did it last year. You still want to go through and verify, you know, every year that you’re, or more frequently, that you have all of these things in place and that in the event that you do get wiped out from a data standpoint, you know that you have data that’s being tracked. You know that the data is safe and secure and you know that, you know, you can recover your business. You know, like I said, the big business that said we can be down for whatever reason, we’re back up in three days at that point realized how important that data was as a law firm and how the impact would have been.
Grace: [00:41:09] So, you know, it’s funny because I think a lot of businesses do, at least here in Florida in particular. Right. And you can attest to this, they have disaster recovery plans for the business. Right. Where they put in all these plans and, you know, business continuity plans and all this that the other. And sometimes they include infrastructure, which is you. And a lot of times, though, I’ve noticed they don’t, which is, doesn’t make sense to me because particularly in Florida, I mean, what happens if everything goes down? You know, do you have a backup data center? Do you have this? Do you have that? You have this. You have that. All the things that you just said. So that kind of brings us a little bit to what I would say, the close of the conversation. What are three actionable takeaways from this conversation that people can just basically say, all right, this is my checklist, I’m going to take it from this or it doesn’t have to be a checklist. It’s just three items that they can say, I’m listening to you right now. What can I do today or over the next maybe month to help my infrastructure, my I.T., my cybersecurity?
Nate: [00:42:18] I know that’s actually a loaded question. It depends on how you prioritize your business and what your needs are. And I guess I’ll go with the general, you know, backups and use backups and disaster recovery really interchangeably. For this reason, there is a large company in Florida who is very, very big and not a law firm. But I mean, a couple of thousand people size company in Florida that has an I.T. department that was breached. And the crypto ask was ridiculous. I mean, it was big. And someone gave us a call and said, hey, can we get your opinion on this advice on this? This is huge. You know what? Should we pay the ransom? Should we do something with it? And the recommendation was, OK, well, let’s take a look. What do you have any kind of that discovery. What do you guys have for us? Right. Oh, yeah, we have backups. So why can’t we serve them? We can’t find the encryption key to actually unlock the backups. So backups are important. Disaster recovery is kind of the bigger picture of a backup, but documentation of your backups kind of goes along with that as well. So the number one thing, what are your backups? What’s the retention time? How quickly can you get to recover? Do you have, you know, the actual information to recover the data? Like I just explained in that case.
Nate: [00:43:41] And are you sure that you’re actually backing up all the data that you think you’re backing up? You know, if you have current I.T., it should be, hey, what are our backups? What do they look like? What’s the status of the backups? Do we have a report every day? Are we getting confirmation that they’re being backed up? And have they been tested or are we making sure that we have a process for that? So backup backups, backups, more backups, and everything else about backups is always number one. You know, after that, then you start going into the security of the network. You know, how secure is our network? You know, what do we have protected coming in? How secure is our data? How secure is our internal network? Is it just open? Everybody that’s here is not open that everybody is here. You know, what do we have going on there? I think those are probably the top two and then three is obviously antivirus and things that go with it as well to try and protect against that. So like I said, it’s a very that’s a very open-ended three, because there are some big things that you really can start drilling down into. But I would say backup data security and antivirus if I pass it down to just a few words, which I usually also.
Liel: [00:44:51] Actually, all of those are very good takeaways.
Liel: [00:44:54] And I really think what you say there about documentation is so critical. Right, because how many people have all of these systems set up into autopilot yet they wouldn’t know how to use it, how to implement it, how to restore broken system or anything like that, because they just either don’t have the know-how they did not document. Well, the setup part of it. It’s so common, Grace. I mean, I’ve seen this so many times happen, and it’s very worrisome, not obviously in the sense of data breach or such, but when we’re setting up campaigns or something for our clients or anything like that, hey, we need access to your domain registry. We need access to your server. I have no idea. They don’t know how to access like they don’t have access to their Google my business. They don’t have access to any of the things that they actually should keep almost on a safe log. Right. Because this is so important. They have so much built into that. So…
Nate: [00:45:47] Underlying everything we talk about documentation, password security, that kind of goes hand in hand, which we really didn’t talk about. And but that’s something else to add in that mix as well, documenting the data so that you have, you know, where everything is secure and passwords. So the password password, which amazingly still happens in the twenty-first century, people still use the password and then ask, why did we get a data breach? Well, your password is a password. That’s not a hard one to get back. It’s brute force now. Yeah. So you’ve hit those nails on the head. I think that are important too is making sure that security and documentation exists as well and vetting everybody that wants to touch the items that are coming into your business. And we didn’t like I said, I could go on for days about it. But that’s one other thing that you need to make sure of as well as, you know, having good IT also, you know, puts the best interests of your business in play, not, oh, what? The vendor wants this. So we’re going to give access. Oh, that vendor wants this. Give him access. And that’s kind of what we play for all of our customers is our best interest is our customer. We act as if we’re their company. We don’t care about the vendor, and sometimes we don’t care about what’s in the best interests of our company, so long as it doesn’t cause any major issues for us. We want to make sure that we’re filling that role. You don’t let people into your network and say, yeah, go ahead and access our server and do whatever you want and whenever you want, and that’s OK. So oversight, transparency, information, documentation on all the things that we’ve talked about in this whole conversation are always important.
Liel: [00:47:27] Absolutely. Nate, thank you so much for taking the time to share so much information on this. It’s really mind blowing, right, when you start thinking about it. So thank you. Right. If our listeners would like to contact you and potentially set up one of those discovery calls, they can, right?
Nate: [00:47:42] That’s right. We’re always here and we’re always looking to help here.
Liel: [00:47:45] You can only win with a deal like that, right?
Nate: [00:47:48] So it’s free and I’m really free with nothing attached to it. I think my dad still says that to this day. But and like I said, the biggest thing that we offer is just a free discovery and a report to say, here’s what we found and there is literally nothing that puts anybody on the hook for that.
Liel: [00:48:06] So, yeah, no, we’ve advocated about this here a lot. We’ve talked to some great service providers, vendors that serve the legal industry. And really when they say. You know, we’ll be happy to share with you in this disclosed opportunities that are identified. It’s not going to cost you. They really, really mean it, right. So definitely, if this is something in an area of concern, jump on it. And it’s another thing. We don’t talk a lot about it, but it’s not easy to find the right partner. It’s one of those specialty services that it’s still hard to come across. Right. He’s one of those things that you want a recommendation for. You don’t just want to go with someone. You want someone that has a badge that’s approved by someone you trust. And so coming from Gacovino and Lake and Persist. So you can pretty much say that people would be in good hands with you. So great. Thank you again for being part of this conversation. And stay safe.
Nate: [00:49:04] Thank you.
Liel: [00:49:10] Grace. What a great conversation and I know I always say that we have great conversations, but this is just really like eye opening, right? Because it takes you back a few steps above your organization and is making you look at things from a big picture standpoint. Right. What would happen if or am I prepared for that? And I think that’s something that we cannot afford. And I’m just saying we every business owner that relies on data on the Internet not to be well protected and have things in place, Grace. And so I know both of us take this very seriously and make sure that we have the right protocols in place. But that doesn’t mean you don’t have to constantly be asking the right questions and making sure that you are revisiting your systems frequently so that you’re always relevant, you always have the right solution. And as soon as you implement something new, whether it’s a new piece of software, a new procedure, you also make that part of your protocol. Right, Grace, you were talking about infrastructure. So I think there’s a lot to digest here from this conversation. Nate gave us so many good insights and takeaways. So what would you make our true takeaways here, Grace?
Grace: [00:50:28] So I’d start with what I consider the checklist of what needs to be in place at the most basic level. To me, those are, as he said a thousand times, disaster recovery and backups, which is considered a part of disaster recovery, right.
Grace: [00:50:45] If something happens. What if just like you said, Liel, if something breaks down as something, it doesn’t matter if anything happens to your data, what’s going to happen? You need to have that in place. You need to know that your backups work, that you have access to it. You know, when we were talking about encryption, that, you know how to access it, not just having access to it. Right.
Liel: [00:51:05] I think Grace, to be very honest with you, that whole kind of like contingency plan needs to obviously have the right assets to be implemented. But it really needs to describe what happens step by step. If something were to happen, like who gets contacted, what the message is, what information needs to be sent out on that first communication that goes out, what happens with the clients during the time of recovery? Like it needs to be very comprehensive. I know we were focusing a lot on the technical aspect side of things here, right. On the actual recovery of data. But you also need to have the contingency of how the business continues during operating and how do they handle, you know, the impact of it to the front facing customers, partners, you name it. So I think I’m just looking at it from an operational standpoint, you definitely need to have all that very, very well documented so that when bad things happen, you don’t have to start rethinking things. And, you know, what’s the other part thing, Grace, that I’ve also learned, this is particularly working in hotels, right. Where you actually need to have all kinds of contingencies in place.
Grace: [00:52:25] As evacuation plans.
Liel: [00:52:27] Exactly right.
Grace: [00:52:28] Business continuity plans.
Liel: [00:52:30] Right.
Grace: [00:52:31] What happens to the guests that are in your hotel while it’s happening?
Liel: [00:52:34] Yeah, so here is a few things that I can share. Rehearse it right. Literally rehearse it set up at least twice a year times where this is actually going to be rehearsed. And you actually go through the entire motions to see whether everything works and the systems are in place.
Grace: [00:52:50] So that’s a really good point.
Liel: [00:52:53] Now, the other one, Gracies, after a rehearse document your feedback and make adjustments, because chances are you’re going to discover that something could have been done more efficiently or something did not work as expected.
Liel: [00:53:06] So you need to make sure that you’re constantly updating this document so that you have the most relevant and efficient version always available at hand. Right. Needless to say, if you ever have to use these document for a real-life situation, then, of course, you’re always you also need to go back and document and actually say exactly, leave a precedent of how things actually worked, what worked, what didn’t, so that you can take considerations for if it ever happened again. So I think that’s a very, very good take away. What would you say are the other couple of things that we can take out of this conversation?
Grace: [00:53:48] So I think it kind of goes in hand-in-hand with the disaster recovery and backups. And I know I’m being just slightly technical in terms of that. And so I appreciate you bringing it to the more business-oriented side of it. But you need to have firewalls and antivirus and get your vendors. Like to me, those are like just three very, very specific things that you have to do. You have to have a firewall in place for your business and you need to have an antivirus for all the computers and all the systems that you have in place as well. And before you get to those or have those in place, you need to vet them.
Liel: [00:54:24] Yeah, I totally agree with you, Grace. And I also think, you know, kind of going more towards the actionable, long hanging fruits that people can control themselves. Read the fine print, make sure that you’re choosing the right level of program or solutions or membership. That’s for your business, right? Usually. And I just kind of like giving a real life example. If you were to opt for a solution for personal use, I’m just talking software here. Personal use. It’s one has certain it’s bundled in a certain way and then you have the business solution that it’s bundled in a slightly different way. Now, usually, the personal use is going to be considerably cheaper. Right. But potentially it’s going to lack on all of those security related matters that are actually important to you. So that’s something that you should start potentially paying more attention to. Yeah, maybe only one of your team members needs access to that particular platform, but maybe it is still worth to buy a business level membership for that software so that you get the additional protections that are actually aimed at protecting your business, so that I would certainly say it’s something that you should go back and check whether your software is actually working to keeping you safe and your team and your data safe. So that’s just kind of like one way to see and to take a proactive step on being better protected. Grace, one more take away.
Grace: [00:56:13] So I think the third takeaway is just going to take away from what Nate said. And even you know, this is something that you need to look at. It’s a continual improvement process. So don’t just one and done it like most of us like to do. This is got to be looked at on a regular basis. Make sure it still meets your needs. If needs change, meaning the size of your organization gets larger, anything your infrastructure changes, literally physically changes because you have new lines in new access points, whatever that might mean. You know what? You have new users that are working remote. Now, this is COVID, right? So just you have to look at your current systems, review all of it, and just make sure that you continually improve it and that you’re always up to date on all of this stuff. Right. The firewalls the antivirus and all the systems that you have in place. You got to continue to improve it, make sure it stays the way it needs to be or safe.
Liel: [00:57:10] Yes, Grace, I agree. And you know what? I’m going to take it a step further and I’m going to say have the conversations with the experts. It’s worth it. Look, Nate here is offering a very thorough analysis. And it doesn’t cost. Right. That’s his organization. But you know what, Grace? Even if you were to pay for something like this, it’s 100 percent worth it. Right. Like the insights that you get and what it could actually help you prevent. It’s really, you know if you think about it, it’s invaluable. He was just telling there are some stories about some incidents and what has happened or so you put a price tag to that, right? You probably can’t right, particularly not that being your business, not being what your employees and clients rely on. So all that you really can put a price tag. So one hundred percent, don’t be shy about it and take the right steps and plan for it. You know, and as Nate said, you know, he gave us already some insights of things that you can do internally to take some initial steps to protect. And then as soon as you can and you’re in a better place, bring the experts on board, because that’s always going to get you way more protected than any other step that you can take will. Grace, let’s hope that there is room for recording a podcast next week and yeah, looking forward to that.
Grace: [00:58:34] Looking forward to it.
Liel: [00:58:36] All right, great. Stay safe.
Liel: [00:58:40] If you like our show, make sure you subscribe. Tell your co-workers, leave us a review, and send us your questions to ask@incamerapodcast.com. We’ll see you next week.
Leave a Reply
Your email address will not be published. Required fields are marked *