Welcome, everybody. This is Sartreau with LSNTAP. I'm working with Northwest Justice Project to put together a series of trainings on remote work for legal services. First, this has been put on by Northwest Justice Project through a grant from Legal Services Corporation. I'll be working with Northwest Justice Project. That means we've got videos through the next few weeks to get everything up there. We've got some wonderful volunteer presenters here today that are helping us out. Alex Clark here is a security expert with Metria. We've got Joshua Lennon over at Clio, who works on their tech side and legal. And then we've got Jeff Harvey from Community Legal Services of Mid Florida.

Hi, everybody. I want to talk about improving cybersecurity at law firms. My name is Joshua Lennon. I'm the lawyer in residence at Clio. I'm an attorney admitted in New York. I'm very active on social media. You can find me on Twitter at Joshua Lennon. I'm happy to continue this conversation outside of that. I'm also the data protection officer at Clio, and that means that I work a lot with our cybersecurity and data protection team. And that gives me, I think, a little bit of a unique insight when it comes to blending technology, the needs of lawyers, and working with vendors like Clio in order to improve your cybersecurity. So I've got a lot to cover. I'm going to race through, but we can always go back and talk about some of these things in questions, and I will be sharing a copy of my deck so you can dive into things in great detail later. My agenda: why cybersecurity? What are your top risks? How to eliminate those risks? How to recover, which I think is a very important part of a discussion of cybersecurity. Some new virtual lawyering risks that I think we're really starting to wrestle with in our new work-from-home environment. And of course, I want to save time for questions. So again, that's why I'm rushing. So why cybersecurity? I think there are four reasons.
Your ethical duties, your legal obligations, your operational continuance, and fiscal prudence all come together. And we're going to jump through each of these really quickly. When it comes to your ethical duties, under the rules of professional conduct, which exist in pretty much every jurisdiction in the U.S., there's competency. You need to know the benefits and risks of technology. And there's confidentiality. You need to not reveal information unless impliedly authorized to carry out the representation or expressly authorized. And very importantly, under 1.6 on confidentiality, it's all about reasonable efforts to prevent the inadvertent or unauthorized disclosure. So we're not talking about there needing to be perfect security. And I don't think there is, to be perfectly honest, but there needs to be reasonable security. And what do those reasonable factors revolve around? They list eight. I think they talk about the sensitivity of the information, the likelihood of disclosure, the cost of employing additional safeguards. This one's really big, because the cost of security is really dropping right now. And so not using security because of cost, I think, is no longer really a valid argument a good chunk of the time. The difficulty of implementing the safeguards, I think, is very important as well; we're finding the difficulty is vanishing on a lot of these safeguards. The extent to which it affects your ability to represent your clients is another very important one. So is it cheap? Is it easy to use? Is it easy to use on behalf of your clients? And a lot of these factors were starting to be discussed in the ABA's formal ethics opinion 477. This is about securing communication to protect client information. They often looked at email, but they came up with seven guidelines that they think lawyers should go through before they start picking online communication tools. You need to understand the nature of the threat. Who can access it? How?
You need to understand how client information is transmitted and where it is stored. Jurisdictional issues often arise around stored data. You need to understand and use reasonable electronic security measures, and I'll be going over those. Determine how electronic communications should be protected. Label client information confidential. We all have those disclaimers at the bottom of our email. They don't really protect anybody but the lawyer who sent the email, but it's there. Train lawyers and non-lawyers. I think that's especially important for organizations. And then conduct due diligence on your vendors. But in addition to those ethical duties, you may have legal obligations: your state privacy laws, your business-area privacy laws, federal regulations that may impact you. For example, every state in the union now has breach notification laws. This is a great handy website put up by Perkins Coie, a big law firm, where you can just go and quickly see what the breach notification laws are for your state. And if you're storing your information online and electronically or transmitting it online, this is actually something that you are required to know and work with as a part of your own protection of data. We also know that the FTC has started to really enforce the idea of protecting data and preventing unfair and deceptive trade practices under Section 5. They came out in the FTC versus Wyndham Worldwide case, where they found that Wyndham had poor cybersecurity, and on three different occasions it resulted in fraudulent charges to their customers that exceeded 10.6 million. And from this case, which went up on appeal and then was resolved with a consent decree, the FTC established that they should have the authority to go after cybersecurity incidents as unfair practices. Now, what's important about that is they put together some really good guidance on what they see as the standard of care when it comes to cybersecurity incidents.
And I think what's important is that they recommend that businesses and organizations take reasonable and necessary measures to protect consumer data. The reasonable standard comes out again. So we're starting to see a federal corpus of consent decrees and litigation on what is reasonable, and that should be guiding some of the choices that you're making. In addition to FTC guidance, there are also client business areas that may apply to you. If you're helping people, for example, with foreclosures, the mortgage lending rules under the Consumer Financial Protection Bureau, Bulletin 20203, might apply to some of the work that you're doing. If you are working with criminal justice organizations, you may be subject to CJIS and the data security requirements that come with it. So there's a lot of information that can be coming your way that creates legal obligations on behalf of cybersecurity. Another good reason for cybersecurity is operational continuance. We probably have all heard about DLA and their hack with malware that shut them down. DLA, one of the biggest law firms in the world, put roughly 3,600 attorneys and support staff across 40 countries on lockdown. And these lawyers had to go into courtrooms and say to judges, we need a continuance because somebody somewhere clicked a bad email and it took down our entire system. Don't be that organization. And then lastly, there's the cost when it comes to different types of cybersecurity incidents. And we know, unfortunately, from IBM Security's Cost of a Data Breach Report 2019, that the average cost of a data breach is $3.92 million, or about $150 per record. So the cost of not getting this right really adds up quickly.
And when you consider, according to eDiscovery vendor Logikcull, that if we pay $150 per record in a cybersecurity incident, and the average case contains over 130 gigabytes of data, 6.5 million pages of data, that is actually a ridiculous amount of risk that you could be facing as a law firm or legal aid organization. All right, so what are your top risks? I actually think in terms of area, it goes from outside in: your biggest area of risk is your employees. Your next biggest area is failure to plan, failure to invest. And then finally, there's this small threat of outside actors. And so when you start planning your cybersecurity and working to address it, start with the greatest surface area, that of employees; that's your greatest risk. And how do we know that that's the greatest risk? Well, according to Verizon's 2019 Data Breach Investigations Report, 60% of all security incidents were caused by insiders. So that's six out of 10. And what actions were being used that impacted those insiders? Social attacks, where people just call them up and say, hey, I need this information. 28% were malware, 21% were casual events, and 15% were misuse. So it's really easy, actually, for people to kind of game your systems if you aren't adequately prepared to protect them. And we know that most law firms aren't adequately prepared. If you look at the International Legal Technology Association survey, there's a huge amount of risk that's being associated with law firm data, because they don't invest and don't utilize the tools. The biggest one here is that 96% have no two-factor authentication for internal access. That just blows my mind. And then lastly, we know from Gartner that at least through 2022, and admittedly this is before the pandemic, so this may even go longer now, they find that 95% of all anticipated cloud security failures will be the customer's fault. You guys are the risk. You're your own worst enemies. So how do you eliminate those risks?
Well, if we go back to the FTC's guidelines that they issued as a part of their authority, they actually came up with 10, I think, really good, really simple guidelines to work our way through this. And again, I'm not going to read them all; you can read these in your own time. But there are a couple that are just really sensible: control access to data, put procedures in place to keep your security current, like updating your apps. All of these are things that you should be taking a look at. And when we look at most cybersecurity legislation, like HIPAA for medical records, they tend to come up with three different types of safeguards: administrative, we have a policy; physical, we lock our doors; technical, we lock our data. And if you can put those three together, they work really well, and they should complement each other. I actually picked this graphic intentionally, because I think your goal should be to start with the administrative and work your way through to the technical. And I'll show you some examples of this right off the bat. For example, as a cybersecurity safeguard, you may have a corporate policy of don't click on malware. You probably should have that policy, to be perfectly honest. But you may also implement a technology that actually screens for malware and attempts to remove it before your employees can click on it. So you shouldn't rely on one versus the other; you should rely on both together. But once you do that, you should have appropriate safeguards in place. If you're using Google for Nonprofits, for example, in their Gmail they do have certain types of scanning capabilities to remove spam and malware. It's not 100% effective. But it's better than not having it. And so you should use those things together. Your cybersecurity habits should be kind of circular in nature. You should vet a tool. You should set it up to make sure that it has the appropriate limitations.
You should train your employees on it, both lawyers and non-lawyers. You should run your backups, because no cybersecurity is perfect. And so backups should be a part of your cybersecurity plan, which you should monitor. And it just goes around and around. So if we look at vetting, the ABA does have some guidance under their vendor review: reference checks, for example. What are their hiring policies? For example, here at Clio, we actually do a criminal background check for every employee; I've had to go through it. Make sure that they've got an agreement that recognizes your type of secure confidentiality needs. An example at Clio is that we recognize the confidentiality needs of lawyers in our terms of service, and that provides some extra contractual protection in addition to some of the technological protections that we use. Make sure that they're using confirmed technology. So this is a trust-but-verify moment. Here, and again I'm just providing examples from Clio, but all of your providers should do this, they should have a security page where they talk about who's watching the watchmen. Here, for example, we use McAfee Secure, which scans our servers to make sure that they're up to date and have no obvious flaws. We use TRUSTe, which reviews our privacy policy and makes sure we're up to date on our promises to our customers. And we use DigiCert to take a look at our encryption and make sure that we're using the appropriate encryption that is right for us. And these are public pages where you can click on each certification to see something like this: the certification is current, and here's a report that you can go to. You should also trust but verify your own personal technology. So I recommend that you encrypt your hard drives. This sounds like a lot of work, but actually, if you look at Macs and Windows, they both have built-in hard drive encryption technology.
And this is something that we at Clio force as a default setting on all of our computers, such that if a computer is ever accidentally left somewhere, say at a grandma's house, grandma can't get into it. And so that handles it. When transmitting data, you want to make sure that you are encrypting it in transit. And so the most important thing to take a look at is, in your browser, HTTPS. The S is for Secure. What that really means is that it's creating one-time key transcriptions. That certification I just showed you before from DigiCert is actually how Clio does this. And it creates a one-time key between you, the user, and our servers. And all the data in between is encrypted. This is really important because you will be working from a private internet connection, which your organization may not control. And so make sure that you know that AT&T, Verizon, Comcast, whoever is providing the internet, isn't setting you up for a man-in-the-middle attack. You want to control data access sensibly. Make sure that the tools you use have permissions that limit what people can see. And you want to use passwords intelligently. I am a big believer in a password manager, but you can actually force certain types of passwords in many types of tools, including a certain level of entropy. This is a tough concept, but passwords are easy to guess when you kind of broadcast what the rules are. You need one capital letter. You need one number. You need one symbol. Well, that tells a computer what type of password it should be randomly generating to try and get through. And so instead you want to look for passwords that have a high degree of entropy. So it could be like two or three random words combined, but memorable to you, or a password manager that keeps track of these things and creates longer and more complex passwords. Use tools that require strong passwords and even maybe expire passwords automatically after a period of time.
So that way you know that if somebody's device does walk off, or if somebody does leave the organization, even if you forget to turn off their account, it automatically closes itself on top of that. This is probably the most important tip I can give you today. Make it hard to unlock without two-factor authentication. Given that we are now giving everybody work-from-home tools, it means that anybody with an internet connection potentially has access to data online, right? And so we know that there are hackers attempting to break into systems, because they know more and more people are using them every day. So what I highly recommend is that you mandate that all of the tools you provide your users require two-factor authentication. And how does that work? It means that when you log in using your email and password, it also requires you to pull up a separate one-time code, usually from a separate device. And so here I've shown you an example from Google Authenticator. It's the one on the left. And it generates these short little, like, 10-second-long codes that are constantly updating based on paired timing. And if I don't enter that code while it's active, it means I can't log in. And this seems like a really onerous thing. And I have to be honest, I do this probably like 20 times a day right now. But Google, when they did a study, found that a security key, the bottom left here, blocked 100% of automated bot attacks, bulk phishing attacks, and targeted attacks. It was the single best method of securing your online accounts, period. And this is from their 2019 research on effective account management security. So I cannot recommend enough that you turn on 2FA. You should do it immediately during this presentation, but I'm okay if you wait till the end of it. You should be using secure communication channels. I know texting is actually a really strong communication channel for legal aid organizations. Unfortunately, it's not very secure.
So take a look for things like client portals, or I'm a big fan of Signal for secure communications back and forth. It's just like texting, but it's an app. And use these tools as a part of your cybersecurity habits: vet, set up, train, back up, monitor. Again, include backups. This is highly important. Clio actually provides the ability to do a backup. You want to do, I think, at least two backups. You want a cloud-based backup that can be accessed in the event of a natural disaster or forced relocation. And if you're the IT person and you've got your vetting in place, a local backup is actually highly encouraged as well. So that way you have one or the other based on where you are. And lastly, monitor access. So use things like: who's logging in, from when, from where? Are we detecting unusual activities? Like, why is somebody logging in from Belarus? That should be a warning flag. And if you have all of these tools in place, you should be in good shape to go. It doesn't 100% protect you, though. And that's something that we have to recognize. We're looking for reasonable security, because there's no such thing as perfect. So as part of your cybersecurity plan, you should have a plan to recover. The ABA, in their formal ethics opinion 482, says the lawyer should be prepared for a disaster. Getting hacked is a disaster. You should be able to recover from them. And in 483, they listed your duties if you are hacked. So they said you have a duty to monitor. You have a duty to stop the breach and restore your systems. You have a duty to determine what occurred, and you have a duty to notify current and former clients. I think that's also tempered by the breach notification rules that we talked about before. I think this is a simplification of the National Institute of Standards and Technology, the federal agency's, security framework for improving critical infrastructure cybersecurity, where they did something very similar as well: identify, protect, detect, respond, recover.
And if you are able to work through all of those five steps, which have an increasing degree of complexity depending on the needs of your organization, you will be in good shape when it comes to cybersecurity. You'll be able to meet all four reasons for having it, except for the last, and that's fiscal prudence. I actually recommend that law firms and legal aid organizations take a look at cybersecurity insurance. According to the American Bar Association, only 34% of law firms have it. This is important because most cybersecurity incidents are not covered under commercial liability insurance or professional malpractice insurance. I just want to give you an example of what is covered if you have proper cybersecurity insurance. This is from ALPS. They are a provider of cybersecurity insurance to private law firms. But if you take a look at their types of plans, you can see what they cover and how they help. And if you don't specifically have this type of coverage laid out in your current insurance plan, it's time to look for more. Last thing: virtual lawyering risk. On the internet, no one knows you're a dog, and now we're all on the internet. It's a classic New Yorker cartoon. So I think there are four areas where we're going to have to get really better when it comes to working from home. The first is know your client. The ABA's gatekeeper commission actually has some really good guidance on how to vet clients, whether they are an individual or an organization. I recommend you take a look at that. I think we need to get better about fraud and anti-money laundering regulations as a part of our own current fiscal processes, and that includes collections, if collections are there. So getting comfortable with wire transfers, getting comfortable with electronic payments via credit cards, and knowing all of the different cybersecurity requirements behind each of those is something that we're all having to get up to speed on right now.
And the last one is decorum. We need to make sure that as we work apart, we're working harder to work together. We've all seen those funny incidents of somebody who unintentionally goes to the bathroom with their laptop because they believe the camera is off. Don't be that lawyer, but also know that judges are watching. We've seen several articles right now of judges who have commented on the fact that it's inappropriate for counsel to argue from the poolside. It's inappropriate for counsel to argue in pajamas. And so we need to maintain our professional standards even in a pandemic situation. And I think these are all risks that we need to work on, linked to our own use of tools and cybersecurity. I'm going to hand it back to Sarteris now, and we'll take questions from everybody at the end. You can reach out to me. Here's my contact information. And I want to thank everybody for the opportunity to discuss this. How did I do on time? Sarteris, you're on mute.

Excellent. Thank you. One quick question here. Any suggestions on training staff on things like malware or just those social hackings that are the biggest kind of internal threat?

Yeah. Actually, there's a ton of great training provided by privacy companies, if you believe it or not. So there's a company called TrustArc, for example, that has some really great courses that are available online. You can track people's progress through them. And it gives you a record that everybody's gone through them, such that you can demonstrate we've done the training, everybody should know this information, so we've taken our reasonable steps in the event that something does happen. So look at privacy companies and their online training courses. Many of them are provided for free or at low cost. And I highly recommend them.

With regards to two-factor authentication, what are some of those suggestions if a particular program does not have that as an option?
I know that some of the technology used here in legal services has not enabled that. And besides really pushing on those particular vendors, are there external solutions that can add that to a current program?

Not really added to a program, but what you might take a look at is user management programs. So it could be that an individual tool doesn't have two-factor authentication, but they might have a user management program that does. So we've all had tools where you can sign in using your Google account. And you can turn on two-factor authentication for the Google account, such that when somebody signs into Google, the two-factor authentication is required. And then that security is carried over to the secondary tool that doesn't have two-factor authentication. So that might be one way around it. So Okta is actually a very popular user management tool. Microsoft has, I think, really impressive user management tools as well. So if your organization is using Microsoft Office 365, you can use a good chunk of that to carry over some of your security onto third-party vendors.

Now, excellent tip there, using the authentication through another program that controls the users there.

So thank you, SART, for having me be a part of this. My name is Jeff Harvey. I'm the CEO of Community Legal Services of Mid-Florida. We're an LSC-funded organization and work to assist citizens in 12 counties and clients in 12 counties with their legal issues. So we've been asked, and SART asked us to be a part of this, to kind of give a little perspective on what we have gone through in our experience as it relates to COVID specifically, because we have, I believe, been very successful. So I'm going to kind of start with, you know, what was our experience. So just as kind of a note, prior to this pandemic, we had no work-from-home policy. As a matter of fact, generally, the approach in the firm was you are not permitted to work from home.
We did have people that occasionally worked remotely, but probably nothing more than somebody taking a laptop home to kind of catch up on, you know, a Word document or something like that. The general consensus was no work-from-home policy. We began planning for this on 9 March 2020. Now, the benefit that we had, at least as an organization, and we're going to call it a benefit as an organization out of Florida, is that this was not our first experience with a disaster-type event. But this was very different, because unlike the disasters that we typically deal with, where you go hunker down for a couple of days and then the hurricane comes and it may or may not hit you, and if it does, it probably isn't going to hit all of your offices and all of your service area, and you can get right back to work, this one was going to affect the entire service area. And there was really no reason anticipated at that point that we should have to stop working, just that we weren't necessarily going to be allowed to work out of the office. So we started this planning effort on March 9th with an anticipated move to work-from-home somewhere around the 23rd of March, a Monday. And as things progressed within the state, paying attention to the governor's orders and directives, we moved up the start of sending people home to 18 March. So really, in about nine days, we went from planning to having people home, and it took us just about two full days to kind of get the entire workforce working from home. We were fortunate enough, and we're claiming this as a success, that in just those two days, by 20 March, we had 100 percent of our staff, which is about 110, and that includes about 20 or so part-time employees, as well as front desk staff and all of the administrative staff, finance staff, all of the different staff sections, fully functioning and working from home by that 20 March date, with really no interruption of service.
A couple of things that we've had minor issues with relate to somebody not having a printer that they could use, or somebody not having a fully functioning scanner that could handle the volume that they normally would use. And so we've had to provide some kind of in-stride improvements in terms of purchasing and having things drop-shipped to people's homes, but absent that, there was really no interruption to service or the business operation. And we are currently, right now, in the process of assessing lessons that we've learned, as well as looking forward to what it is going to be like to go back to the offices, what precautions we are going to have to take from there, and then how we codify all this, so that five, 10 years from now, if we run into this type of thing again, there will be some historical document within the firm that they can refer back to. So some things that we did that were initial considerations that I think allowed us to be successful. First of all, when we went through the planning effort, we focused on what tools, training, resources, and space people need in order to, first and foremost, be able to do their job. And we looked at this really as kind of a building-block type thing. So, as a lot of the conversation just prior to this was around cybersecurity: cybersecurity to us is something that's very important. But I feel, and I think the firm's approach has kind of been, that sometimes that term can give it a bad rap. It's not just cyber, it's not just your computer, but it's all things security. And cybersecurity, just as a discipline, just happens to kind of work its way into all the other pieces. So whether it be somebody working at their home on a case file that's left open on a table that other family members can come by and read, or it's somebody from the accounting staff having a box of checks, those types of things.
We're really looking at all of those different areas from a security standpoint, to include what one would normally consider a cybersecurity piece. So the building-block approach here is basically, first and foremost, what do they need, what do they need to have, and what do we not have yet as a firm that people need to be able to operate just as efficiently as they do when they're at the office. And then from there, starting to assess risks and creating a list of things that we know, things that we think we know in terms of what the future will look like, and the requirements that we have got to ensure that we meet, whether those be grant requirements, ways that our systems work, or levels of security for certain systems. And we really classify those into two areas: what can we do right now as we're preparing to get out the door, and what can we improve over time? And so what that allowed us to do, really, is to prioritize the things that we could handle with the limited time that we had, and then kind of make a list of the things that, as soon as we got home and we knew that we were what I would call initially operationally capable, then when we start going into improving our position or improving our circumstances, we can move into those things and not waste the front-end time with that. One of those things that we had to do right now is test. So I think within two days of starting the initial planning effort, as an example, we have a call center, as I'm sure a lot of legal aids do. It is fully attorney-staffed. The attorneys will answer the phone and go right through a very quick intake process and immediately get to advice and brief services, if possible, on issues. That is a web, and I'm probably not a great tech guy when it comes to this stuff, but it is one of those web-hosted voice type of scenarios. So we knew that we didn't need to run any hard lines to be able to continue to operate the call center from home, but we had never tested it.
So we immediately sent a couple of agents home and had them work there for the day. Then we sent a couple of different agents home on a separate day and had them work there for the day. That helped us identify a number of things that we would not have thought of towards the end of the planning effort, or that could have been catastrophic, from a call center perspective at least, had we not figured those things out early on. So we added those items to our list of requirements and were able to move forward with that. We also tested, and really this is kind of my last point on the slide, that you really have got to look at all the different areas of business too. So not only did we test the call center, which for an LSC-type program does the bulk of the volume and is the bulk of the business, but we tested: can the accounting staff do remote bill pay? Can the accounting staff do remote deposits? How are we going to ensure that mail is distributed across the firm when not everybody's in the office to receive it? So as we went through those and tested those things, it helped us learn a lot about ourselves and the types of things that we needed to prioritize. And really the last thing that we did that I think was very helpful was, in every single one of those areas, whether it be building security, the call center, what a front desk staff worker does when you're not having walk-ins and they're working from home, to routine things like the mail, we ensured that there was somebody across the firm that was appointed to be in charge of each and at least figure out a solution and then make sure that it got tested. And then, just this is my last slide. I didn't have a lot of slides, but what helped us? So I think, again, one of the things that really helped us is that we've been looking at cybersecurity now for a couple of years, and again, I say cybersecurity, but I really mean security as a whole.
And that started formally with an assessment that we had by Cyber Excellence in 2019, and I believe Dan McCarroll is on the phone. He works with Cyber Excellence, and they were extremely helpful. They were helpful in helping us understand a little bit more about ourselves in terms of where we had risk. Up until that point, I think we had had a penetration test of some sort that had been orchestrated by, I don't know if it was LSC or a combination of other LSC programs, and we looked into it, and the result that the IT director gave us at the time was, we're impenetrable. Well, if we're impenetrable, then the DOD or the federal government should hire us to run their cybersecurity, because they're not impenetrable. So initially, looking at that, we realized that there are a lot of things that we may not realize we don't know, things that we don't know that we don't know, and they have been very helpful with that. They were also helpful in getting us to start thinking about it in terms of the acronym CIA: confidentiality, integrity, and accessibility. Every system, every piece of data that we have has to have some sort of balance between how confidential it is, how much we preserve its integrity, and then how accessible it is. And so one of the things that we looked at is that in our firm we tended to err on the side of accessibility and not necessarily on the side of confidentiality and integrity. So what did that tell us? It told us that there are oftentimes where we think we have data or information on things, and that may not be the most trustworthy data, because the number of people that had access to it and had the ability to influence it and change it called those things into question. And then really the last thing that they helped us with was understanding why it's important to the staff.
So as the endpoint of that cybersecurity assessment, we had a staff training, and they were able to get in front of my entire staff and let them know some of the things that they need to be concerned about, what their part of it is, why cybersecurity isn't just the computer aspect of it but has to do with physical security and a number of other areas. And that really influenced us to go through the staff education process. So from that point in early 2019 we have been working with a company out of Tampa called KnowBe4, and probably every two weeks to a monthly basis we've got these little short, sometimes five-minute, sometimes 30-minute, I guess webinars or online trainings that we go through that just provide constant reminders on what the potential threats are, what the potential vulnerabilities are. And really that's been the approach: looking at what the risk is, and then, when you get done with assessing and figuring out what those risks are, looking to the improvement process. And that improvement process is kind of a cost-benefit analysis: what's the cost to correct it versus the cost to not correct it. So early on in 2020 we started conversations with Emergency Security, because we knew we had a lot of work to do in terms of addressing a lot of the things that Cyber Excellence had identified. And Gaurav is on the call as well, somehow I'm logged in as him, but one of the things that they helped us out with, one of the perspectives that Gaurav and his team have, is that Gaurav is actually a lawyer and has done a great deal of pro bono work in his 10 years as a lawyer. So he was able to look at it not only from his expertise on the security side but also through the eyes of most of my staff who were looking at this.
And so he was able, when we started having these conversations, to help us separate what is really truly important and is going to cause some catastrophe and can be fixed and addressed for a very low cost, versus something where, when you look at the risk, either it's not probable, or if it does happen it's not going to be that big of a deal or that much damage, but the cost to improve it might be significantly greater than we want to spend. And so that was helpful. Somewhere in the beginnings of talking about working through the assessment piece, we quickly went into reaction mode, and that's because that March 9th date hit, and we shifted Emergency Security's focus from "hey, help us work through some of these issues and give us another assessment" to "hey, help us get home and make sure that when we get home we're as secure as possible." So there were a lot of things that they were able to do for us, not just additional IT support to a degree, but I think the real important piece was identifying some of those, people use the phrase low-hanging fruit, that we could address and get after while we were either transitioning home or as soon as we got back to our homes. And again, that all followed that idea of the cost to correct and the cost to improve.
And then I think the last thing that's really been helpful for us is that the firm as a whole has embraced this culture of constant and consistent improvement. It has been through webinars like these, the KnowBe4 stuff, and then the conversations that I and my leadership have with Cyber Excellence and Emergency Security and companies like that, that help us start to see things a little bit differently. And really I think that allowed us to get home quickly and allowed us to be secure. But just to share the question that a board member asked me at a meeting right before this: what are you going to do if this happens again, how are you going to be able to do this again? And the answer really needs to be: it's going to be better than we did it last time. And so we've already started that process of trying to record that information, identify and assess the things that didn't work so well, and maybe even look at changing some of our policies as it relates to other disasters. In the past, for hurricanes, we used to take our laptops home and cover up our screens; now we might consider taking everything home that we need to work from home, just in case we have to work from home. So with an organization like many of yours, with that idea of first take care of your people and then immediately transition to taking care of the population, there's been a lot that we've learned out of this. So my last comment before I'll take any questions, and I cannot emphasize this enough, I've heard it on ABA webinars, I heard it earlier from Clio, and I have told everybody that I can, at least in the state of Florida and now the greater legal services community: get an assessment.
Assessments can cost as much as $60,000, and they can be as low-cost as finding an organization that knows what to look for, getting a checklist, and looking for it yourself. But when you look at it, not getting an assessment is like not analyzing the facts in somebody's case before you get ready to walk into court. You really don't know what you don't know, and that's where you have the biggest risk. So I would strongly recommend that everybody who's thinking about this, and thinks that they've done it well or thinks they haven't done it so well, go get an assessment, because some of the things that you think might not have been so great might actually have been better than you realize, and some of the things that you may not have even thought of really can become an issue. So that concludes my part of the presentation. I'm open to questions.

Thank you so much. We've got links to KnowBe4 and Ningio in the questions box so that people can definitely check those out. What was the most surprising thing that came out of your assessment that you didn't expect?

Out of the assessment, I think the most surprising thing was that we didn't realize, when we're talking cybersecurity, how much it isn't necessarily about computers. And one of the things that we're getting ready to work through right now, that really is a huge vulnerability to the company and does a lot to address that CIA (confidentiality, integrity, accessibility) balance, is the creation of a governance committee.
We'll take members from all across the staff and look at: okay, who needs access to what, why do they need access, and if it's outside the norm based on business practices, what additional controls are we going to put into place? Because it's pretty standard practice in a lot of offices that somebody writes down the password and puts it underneath their mouse pad, or we just say, hey, why shouldn't everybody have access, everybody needs access, instead of looking at individual controls. For example, LegalServer: what can you access in LegalServer? Yes, everybody needs access to LegalServer; they don't need access to everything. Doing that hard work and really trying to make those tough decisions, it's very easy, especially when the IT department or other departments aren't talking about it together, to default to one or the other, and it leaves the firm open to risk, and nobody's even identified it so that somebody can make the decision. So that's how I'd answer that.

Excellent.
Another question that came up here is: are there antivirus or anti-malware products that you guys would recommend, and is there any difference between that and, kind of hitting on bloatware or other things, what are you guys using, and are there things you would recommend there?

So we use, and again, prior to a lot of this experience we just used Windows Defender, right? And so that's one of those things, it's like low-hanging fruit: can we add antivirus software? And with work from home, what is it going to cost us to get a VPN license for every laptop? We use Cylance. It's an artificial intelligence based product, so it's a little bit more adaptive, and from a price standpoint for a legal aid organization I don't see it as being ridiculously expensive; I think it's reasonable for sure. It was pretty easy to deploy, and as a matter of fact we upgraded, and we did that starting the day that everybody was working from home, and we were able to do that remotely by remoting into people's computers and dropping it in there. And that was something again that, if you have a good cybersecurity company that's helping you out, they may have some resources to help you do that if you don't know how to do that yourself. It's also got some incident response capabilities as well. So we talked earlier a little bit about insurance, and one of the big risks is, it's not so much the legal aid's data, because you can probably get a lot of that from public record, it's the client's data we've got to worry about. That's really where we're going to be the most vulnerable, and there are all kinds of federal and state laws that get triggered when you start letting other people's confidential information out. And I think they've got a lot of additional assistance on top of the insurance piece that would help with that, with that product.

So there was another question from the community here:
Has anyone even used Coronet for monitoring data flow of organization files, such as client files, or other similar monitoring software to try to see if there is data leakage or if information is getting out?

We have not done that. I know, and I believe Dan and Gaurav are both on, I don't know if either one of them is available and wants to answer that question from their standpoint, because they get to see other companies. I do know, sorry, if it's okay, I know you and I have been talking about really looking at this cybersecurity piece and the assessment piece and what that entails, and trying to put together something for a few weeks from now. So for some of those questions I would say, potentially, stay tuned, if LSC approves us to go through and do another one in June.

Yeah, there's definitely a lot of interest in the assessment portion that both yourself and Joshua mentioned, because a lot of organizations just are not aware of what they may be missing in these areas, and I think your analogy with getting the facts before you jump into the case is very, very relevant there. I'm going to turn it over to Alex Clark here. We're running a little bit behind because of the technical issues, but are there some major tips that you would like to add to this, Alex? I'm going to attempt to make you presenter, but even if presenter doesn't work, let's go ahead and let us know what your major tips would be, Alex.
All right. I lost my internet connection like five or six times over the course of this last hour, so I'm sorry about that. I'm going to go ahead and, just real briefly, what I do: I used to be IT director at Legal Aid of Nebraska, and then I was IT director at Catholic Charities of Omaha, and also had some time at a Fortune 500 construction firm on a cybersecurity project in the fall of last year. I've been doing consulting work full time since then, so the division of my business that is the information security consulting business is Perimeter. I was going to go in depth into the first few critical information security controls from the SANS Institute's Top 20. I think in the interest of time what I'm going to do is skip those, and I'm going to mention that if you want to do something like a self-assessment, a great place to start would be the SANS Top 20, and the first few, they call them the top five, and these are the first two anyway that you'll see, are seen as the most critical foundational information security controls that you should really attack before even worrying about more advanced stuff like pen tests or things like that. And I think it's important to start, as the SANS Institute's framework does lay out, with inventories before anything else, because essentially, if you don't have rigorous policies and an approach to inventory of allowed hardware and software assets, everything else you do is going to be built on a rotten foundation. You are going to be dealing with issues like uncontrolled bring-your-own-device, where you are dealing with employees using personal devices for work purposes, and on those personal devices you can't really ensure the security of any of the data on there. You're going to be dealing with shadow IT and rogue use of cloud services. So until you have inventory
systems covering basically all allowed hardware, all allowed software, and policies about what data can exist where, you really can't manage IT and you really can't secure it. So the top threats I see, I think as Josh mentioned, the top threats are really not hackers from outside so much as the practices of your own employees. I don't really consider phishing and business email compromise to be hacking in the traditional sense; it's really just scamming and tricking people, right? So the biggest threats, I think, and actually, when I've talked to professional pen testers, where they get the best bang for their buck, it is the same place that I think cyber criminals do too, is starting out with phishing attacks, password reuse attacks, business email compromise, social engineering. If you have employees that use the same password for everything, personal and at work, or you have users where the way that they comply with your password rotation and expiration policies is just to put a new number at the end of their previous password, these are the things that tend to be the most dangerous. As well, as I think the other presenter mentioned, the principle of least privilege, and being rigorous about that and implementing it in your case management system: yes, everybody does need access to LegalServer, but they only need so much access. So these are some of the top threats. Some of the top mitigation projects that I would look to implement in 2020 would be: multi-factor authentication for all critical systems containing client data; training and education on password hygiene; mandatory usage of password managers, and issuance of licenses to something like LastPass Enterprise to your employees is a very good idea. If you do that, you can head off the issue of people storing passwords in spreadsheets or storing and exchanging passwords in email; it's much better for sensitive
information like credentials, when they have to be stored somewhere, to be stored in a secure system. Training for staff on business email compromise, as well as spoofed or look-alike emails. What those types of attacks are related to is the fake email, or perhaps even a real email if an email account is compromised, from an executive saying, hey, I need you to buy 10 gift cards and send me the numbers on the back, or the email that looks legitimate that goes to the finance department and says, hey, you need to pay this invoice, wire this money, or send this check to this address. Written policies on privileged account issuance and use. And after you've done all of the above, and have gone through and maybe looked at the SANS Institute's Top 20, which again is a free framework, you can consider engaging with a consultant like me, and there are also many others, for something like a social engineering attack, a weak password audit or attack, or a phish test. I tried to keep this brief since I know that we're already over time and I skipped quite a bit, but if you have any questions for me or you want to talk, my contact information is there; feel free to connect with me on LinkedIn as well.

The LSNTAP email list is linked at lsntap.org. Join the community; that email list has over a thousand legal services individuals, and it is the best place to ask questions of the community and get help related to any of these things. If we end up doing other things, we will post those out to the listserv and also do a follow-up email to anybody that attended this or attended the others. Looks like that covers all of our questions. Thank you so much to our presenters, we greatly appreciate it. Take care, stay safe, and we will be there on the community list to help you out and answer your questions.