Well, LaDirdra McKinney and I want to thank our panelists who have agreed to help shape and deliver this webinar. With us is Vivian Hessell, who is the Chief Information Officer at Legal Aid Chicago, where she's worked for many years. In this role, Vivian manages major technology projects, oversees the work of the Information Technology Group, and chairs Legal Aid Chicago's Program Evaluation Committee. Vivian regularly makes presentations at technology and legal aid conferences across the country and webinars on topics including legal and ethical issues, case management software and best practices. Since 2010, Vivian has been the on-site administrator for Legal Aid Chicago's case management software, LegalServer. Before moving to the operations side of Legal Aid Chicago, Vivian worked for many years as a legal aid attorney handling a variety of poverty law issues. Thank you, Vivian, for joining us.

Peter Lesser is the Director of Global Technology at Skadden Arps, which is a large law firm, as most of you know, where he's worked since 2006. He's responsible for the firm's technology strategy, planning and implementation, and oversees applications and user support, business systems, infrastructure and operations, security (very relevant here) and development. As a result of Peter's commitment and service to the Legal Aid Society of New York, in 2006 and 2016 he received their Pro Bono Service Award. Peter currently serves as a member of the Technology Committee for the Law Firm Anti-Racism Alliance, and he's also done a lot of broader volunteer work in the legal aid community beyond the Legal Aid Society.
Mike Donnelly is the, and thank you, Peter, for joining us, Mike Donnelly is the Chief Information Officer at Simpson Thacher, and Mike has been with the firm since 2004, where he establishes the firm's technology strategy and also oversees business information systems, infrastructure, mobility, information security (there's a link), applications development, user support, information technology operations and all other technology-related functions. Mr. Donnelly initiated the Permanent Commission's CIO IT Assistance Program in 2014. That's the New York State Permanent Commission garnering resources from several private law firms to provide IT assistance to civil legal services providers. And Mike and Peter, again, they've done a tremendous amount of volunteer work in New York, and we've twisted, but we didn't have to twist their arms very hard, but they've also worked with the broader legal aid community, sharing a lot of their expertise and also helping us build better practices and policies in security. So I'm really excited to have Peter and Michael join Vivian and myself to help share their expertise in the use of security assessments as part of their broader security practice.

So that's the, sorry, I've got to turn my phone off, it keeps ringing. And now my watch is ringing; I'm getting dinged all over the place. But I wanted to actually start with a question for Vivian, because of course large law firms are pretty advanced in their security. They've sort of had to be, for a number of reasons, and they've also been larger targets in the past. And I think a lot of folks have thought of security assessments, or some of the other security services and actions that we might take in the legal aid community, as maybe something that wasn't quite as critical. And so, Vivian, if you wouldn't mind maybe sharing your thoughts on how you see security assessments being a fit for the legal aid community and maybe why you think they're important.

Sure. Thanks, John.
Thanks for that great introduction. It's great to be here. So years ago, when I was still a practicing attorney, and even after I moved over to the operations side, it was pretty common thinking in legal aid that we were flying under the radar. Nobody out there who was a cyber criminal really was interested in legal aid organizations. We didn't have clients with a lot of money. We didn't represent banks. We didn't represent insurance companies. We were always representing the little person, the person who didn't have a ton of cash or accounts to get into. And as time has gone on, it's become pretty clear that even just having an identity is valuable, and especially with the pandemic and everything that's happened over the past 20 months, cybersecurity has really become something that everybody is thinking about. There have even been some instances that I know of where legal aids were targeted and were the subject of attacks through ransomware. So we are all thinking about it more. And I've been thinking about technology assessments for a number of years and have been, you know, working hard to make them a priority for our organization. So I'm glad to see that people are talking about this more and that there are resources out there.

Excuse me. And if I could follow up on that, I guess, why do you think, as the technology leader for Legal Aid Chicago, that it's, you know, I guess that it is important, or that it's the right time and important for your organization?

Well, any time is the right time, but it's particularly important for us now because we have a lot of people working remotely. We have, instead of one office, basically 250 individual offices, each one with its own cybersecurity issues, so to speak. And it's really important for us to be thinking about this from the standpoint of protecting our information for our clients, our staff, and our organization.
And we also just want to make sure that our individual users are fully informed about how they can protect their own information, both at work and in their personal lives.

I want to thank you, Vivian. I want to mention, and I forgot to do this at the beginning, that we really want folks to share their questions, their comments, their suggestions in chat. We're going to be monitoring what you type, and it would really be helpful for us to get a sense of what you're thinking and what your questions are. We had a quick poll that we wanted to do, and I'm not sure if we're ready to share that or share the results. Yes, sure. Okay, great. So, I hope everyone can see that. So we've got a mix of folks on the call, which is great, and I'm really glad to see that IT leaders are participating, but we want to be able to address security assessments and security from all perspectives within an organization. So you don't have to be just in IT, but we also want to make sure that we're helping IT leaders in their roles, helping lead their organizations through it. And some of these security projects can be challenging, especially when it's the first time you've conducted some of these projects. And then again, you see that a good 25 percent or more, which is great, have either completed or started a security assessment. So that's actually higher than I expected, and that's wonderful. And six are in the process of getting one going. There are a few that are looking to raise money, that are sort of committed, or they're interested in moving forward, which is great. We have 63% of folks who want to learn more about security assessments and decide, I guess, whether and when and how it might be a good fit. So that's great. Thank you. So I want to turn to Michael Donnelly.
Mike, could you maybe describe a little bit about what a security assessment looks like, and I guess why it's been important for larger law firms, and maybe a third point would be how you incorporate security assessments into your broader security work.

Sure. Thanks for having me. You can object to that multi-part question if you want. OK, it's OK. If this is the hardest thing I have to deal with today, then I'll be good. No. So we've been doing security assessments for a long time, since a couple of years after I started here. You know, as Vivian just mentioned, the attacks that are going on, the ransomware attacks, are becoming more and more prevalent. Those bad guys out there are upping their game, so we need to up ours, right? Recently, we meet with the FBI every now and then just to get their take on anything new happening in the world that we should be aware of, you know, law firms or otherwise. And one of the points that that agent mentioned and drove home a few times is that more and more, the attackers are going after small organizations that might not have the level of tools in place, or policies or procedures, multi-factor authentication, things of that sort, so they find it easier to get in, and they're, you know, they're making you pay this ransom, or "we've encrypted your data and we're going to take it." And so we're obviously trying to avoid that. We're all trying to avoid that, whether you're a legal services provider, whether you're any organization on this call, Simpson Thacher, you know, Skadden or JPMorgan, whatever the case may be, we're all under attack. And so that's why it's really important, because of what we have. You know, Peter's listing things that we have, things like, you know, vulnerability scanning and endpoint protection, you know, firewalls; we have a very solid team, I would say, here at Simpson Thacher, you know, that we've built up quite a bit over the years.
We have outside providers that look at our activity and warn us when they see something unusual. So we have all these things in place, but having someone come in and do a security assessment is a third-party, unbiased view where they look at, you know, different controls, different aspects of your information security, your policies, and with them their own set of tools, their own approaches, and at the end of the day they'll bring forward a set of recommendations where they have made some findings. I have some notes down here, so I want to make sure I drive my point home. So they'll do an in-depth security risk assessment. And at the end of the day, they're going to make certain recommendations, high, medium and low priority, about things that they feel you should do. Now, in the beginning, we had a couple of, you know, very high priority things that we were missing. And so if you get those, you need to hop on them. But at this point, you know, we're not getting too many, but we do these assessments every couple of years, and we also do penetration tests every year, often a couple of times a year, and that's where you're actually asking someone to try to break into your systems. And we can talk about that more. But that's my answer to your multi-part question, John.

Thank you. So again, you're doing all this other security work, you're doing this day-to-day monitoring, but having this, as you said, sort of independent entity come in to check all this work and give you another opinion, another perspective. Peter, if I could turn to you, and, you know, about more of the mechanics, you know, about finding a firm to conduct the security audit, you know, whether you work with multiple firms, or what your process is there, what are some of the things you look for in a vendor, and maybe what are some of the options?
I think Mike might mention penetration testing and the broader security assessment, to talk a bit about some of the mechanics.

Well, so to start, how are we going to find someone to do a security assessment? At some level, a security assessment is like your annual physical. Every year, you want to go to someone who is an expert, who can take a look at you and say, hey, based on comparing you to the other people, hundreds of whom I see, here are the things that are outside of the norms and things that you should think about doing that might make you healthier. How do you find the doctor who does that? It's the exact same way you're going to find a firm that will do a security assessment. You're probably going to talk to your friends, people who have been through checkups before. Do you like the doctor you're working with? You'll talk to your peers and ask them, have you used someone for an assessment that you felt provided particularly valuable information? I will say, in our case, there's one thing we do that is the complete opposite of that annual checkup analogy. Mike mentioned pen tests. We have an annual pen test, and we actually have a policy that says we must have a pen test each year. And for our penetration test, at a bare minimum every year, we have people come and try to break in from the inside of our network, break in from the outside of our network, and look at our wireless infrastructure. And our policy says not only will we do that every year, but every year we'll pick a new provider to do that, so that we get a fresh set of eyes, not someone who looked at it last year. And so for our pen tests, we try to bring in new people every year. After a three-year rotation, we might use someone again. In addition to our pen tests, we are certified against the standard, the ISO standard. And in this case, we do the opposite. Our ISO auditor, who also comes in annually, we use the same ISO auditor year after year after year.
And in this case, we wanted to build a relationship with that auditor. And so I think the larger organizations are looked at by many different experts, some of which might be generalists, some of which might be specialists. Some you may want fresh eyes from; some you may want consistency from. And so I think there are a variety of ways that you'll come to find the people who will do a good job. But what you really want is someone that you feel has really dug in deep and given you good information. I will say, what you want is the opposite of an IRS audit. When you get an IRS audit, you want them to find nothing. When you have a security assessment, you want them to find things. You want them to come back and say, and Mike said it well before, high, medium, low, these should be your priorities. If you can deal with these high items, you will most certainly improve your posture, and the medium ones may be a step down. But you want that road map. You want that "here's what you should do first, here's what you do next." And you also want someone who can work with you through the process. You don't want them just to say, go do this. After you do some of it, you want to talk to them again and say, hey, did this really satisfy what you told us we should do? And so I do think there's a process involved. This will probably take way more time than you think it's going to take. But after a while, you get into the rhythm of it. I will say there's a last thing that Mike and I share, that you will have versions of, for the large law firms. In addition to the assessors whom we engage to come in and look at us, our largest clients assess us every year. And they can be as detailed and aggressive as our paid consultants. I believe many of you will see the same thing from your donors. Your donors will ask for all this information about you.
And while they may not have asked a lot about your technology in the past, given what's going on in the world, and as Mike said, the bad guys are now looking at the smaller and midsize organizations, I believe this is one of those places where having your ducks in a row will also make your organizations look really good to those who might potentially provide funding to you.

Right. So maybe a competitive advantage, even in the nonprofit space, that you're really protecting client data and keeping your operation a little safer.

You know, I'm going to use a slightly different word than competitive. This is an area where we can all help each other and all do better. And it's interesting. Mike and I would never refer to each other's firms as competitors. We'll always use the term peers, and in security, if one of us looks bad, we all look bad. And so I do think, from a community standpoint, I'm thrilled to be working at a law firm, because law firms do refer to each other as peers, and this is not a place we should compete. It's a place where we should work together, and all of us will improve through the process.

Well said. I see Sarin has a question just about some of the most common high priority issues that, I guess, Mike or Peter, you've seen or that you're seeing in the broader legal assessment environment among your peers.

Name one? It really depends on your environment. It really depends on maybe where you haven't updated. Just, I'm just totally anecdotally, maybe you're on an endpoint protection tool that maybe isn't keeping up with the Joneses, right? And they let their product fall behind a little bit. Hard to say; it runs the gamut, because I was going to be no information security sophisticated. So I think I have to punt on that one, almost.

Yeah, I'll jump in. There are some that I'd say I think of as the ones that across the industry in general come up most often. Very high on the list is patching. Do you keep your systems updated?
And this is generally the area where people fall behind, and it puts them at the greatest risk. The problem being, whether your organization has 10 or 20 people or 200 or 2,000, we all have the same number of patches to apply. Maybe we have to apply them to more computers. But in some regards, it's as much work for the small firms as the big. So it becomes really challenging. When we look at where people are breached most often, it's all because of bad patching practices. So I do think that one comes up most commonly across the industry. At the complete other end of the spectrum, some of the big firms have gotten onto very good practices. We have strong policies. We have staff that enforce the policies. But I will say, taking care of your technology systems is more like taking care of your garden than your car. Every day of the week, it's something different with your garden. Was it sunny this week? I do something. Was it cold this week? Did it rain? And so when you take care of your network, things keep changing. This year, one of the hot topics is how are you protecting the backups of your systems in case you get ransomware? So today, whether you're assessed by clients, you know, your professional assessors, or, for us, the brokers who sell us cybersecurity insurance, they're going to ask a lot about the backups that you do and then disconnect from your network, so if you have malware, the malware doesn't go to your backups. And so that's sort of a hot topic at the very high end of the spectrum.

Yeah, I could add one more thing, John, although it's something that we've had in place for a very long time, and I'm hoping that most or all of you do as well, which is two-factor authentication. I just mention that because we've had a couple of clients, you know, smaller clients, who were compromised, and it came to our attention because, you know, we were involved in the deal and something came up and we were able to resolve it.
But they were low-hanging fruit because they didn't have two-factor authentication.

Yeah, no, and it's interesting, because we're seeing, certainly, you know, at least from our vantage point, a lot of firms that have cyber liability insurance with their insurers mandating quickly that they get, among other things, multi-factor authentication, that they get the offline backups in place, or they just won't renew. And now, yeah, more of the funders, I think, Peter, to your point, are asking more questions about the security practices, you know, of the individual organizations. There are several other questions that I'm going to definitely get to, but I want to actually turn to Vivian, if we can, to maybe address, I guess, what, if any, sort of barriers or obstacles do you see in the uptake of security assessments in the legal aid community? And again, I think the good news is we already have more than a quarter of the providers today. Now, we may be exceptional, the folks on this call, but a quarter of the providers on this call have completed at least one security assessment. But what do you see that might help the remaining 75 percent or so of providers to move forward in this regard?

Sure. Yeah. I mean, and that is great news, that we're seeing about twenty-five percent, twenty-six percent, or whatever it is today, of the providers on this call that are already getting immersed in tech assessments, which is fabulous, higher than I expected to see. You know, in terms of barriers, I think it's a little embarrassing to let people come in and see your house when you feel it's messy. But the flip side is that they will get to know you better, and they will help you figure out what you should work on first.
You know, and that's the whole idea behind having that technology assessment done, that the provider will be able to help you prioritize the needs that you have for your organization so that you can address them in a rational and predictable and efficient way using the resources that you have, which is, of course, very important for nonprofits, because we always have a very limited amount of resources. So, you know, at Legal Aid Chicago, we do a technology survey of our staff every year, and that helps us to identify their pain points and how our technology is performing. But we also learn a lot about what people are doing and how they're doing their work. And that helps us to also recognize where there might be holes, so to speak, in our security. So it might be a little bit daunting to some to start this process, but I would certainly encourage you to just dive in, talk to people that you know, talk to people on this webinar, talk to people that have been through a technology assessment or even are just thinking about doing one, and understand that everything that you're doing is certainly manageable. You know, this year at Legal Aid Chicago, we applied for a grant from the Legal Services Corporation to do a technology assessment, and it was the first year that we were actually eligible to do that. But that is one of the ways that we kind of got past some of these barriers of whether or not this was really going to be a priority for us, because we've always looked at it from the standpoint of what else we have to do. There's so much we have to do. There are so many projects. And we have a relatively small IT team. So we had to prioritize, but the technology assessment really needs to be a top priority at this point. And so, fingers crossed, we get the grant, and that will help us to actually get the tech assessment done.
I mean, and a good point about LSC. It sounds like they're going to continue to support tech assessments, security assessments, for all LSC-funded providers. And obviously not everyone is, but certainly I think it does help if you can get funding, certainly in legal aid, and money does help make it easier. But I think it's what you're talking about. Again, it's the interest of staff. It's really getting people on board, because if you're not ready to actually do the work, and I want to turn to those questions too, you can hire a vendor to come in, but it won't necessarily mean that you're improving your security environment. And so maybe, Mike, if we could turn back to you, and I'm looking at all these questions, these are great. And we specifically are leaving a good hunk of time at the end of this round of questions for the panel to go through them. So please keep the questions coming. Also, I'd add, if you're one of the 26 percent of folks who completed a security assessment, maybe you could share in your comments your experience and how it went for you, and maybe some of the lessons learned that you might do differently, either in terms of your practices and maintaining your security, or how you would engage a firm to do your next one. So, Mike, I guess, how do these security assessments typically proceed, and what do you think? And again, on a smaller scale, of course, in legal aid, but how should providers prepare for them? You know, should it be seen as a major project that they're going to need to devote, you know, tens or maybe 100 hours to on their end to work with the provider? Any idea of the fallout from these assessments in terms of the work to clean up or improve?
I mean, is this, you know, as I think Peter was alluding to, a pretty significant commitment to continue to work on post-assessment?

They definitely are big projects, John. And so we look at it, when we go through these things, as all hands on deck. And so, I mean, how do we proceed? You know, I think we touched on some of these things before. You know, like when you want to pick a vendor to work on a project, maybe a consultant, you usually try to look at three or four. We try to mix them up, right? Because, as I said before, you want to get different approaches, and maybe different tools that they use, different levels of expertise that they bring to the table. So we do that, and we pick. And I think the other important point is you can't boil the ocean, right? There's a lot to information security. So if we're going to do a controls assessment, we'll pick certain controls. Pick data management, inventory management, network access control, application security; pick three or four to focus on. And so when you do that, there's a good couple of weeks of ramp-up time where you're with your security team, providing the consultant and the company doing the assessment with different policies. And they're going to ask a lot of questions about your policies for, you know, whatever, Windows Server security. And there are questions about O365, what security you have, and again, your multi-factor authentication, and your various roles at your organization, you know, the level of administrative access to your various systems. And that takes a lot of time to gather all that together. And there's a lot of back and forth. So usually there's a good couple of weeks of those meetings going back and forth.
I realize that everyone's team is built differently, but you have someone who oversees your laptops and your desktops. You have someone who oversees your mobile devices, right? And so all those subject matter experts have to get involved. And it has to be emphasized that that is a high priority, right? Because again, we're trying to protect our client data, we're trying to protect our firm's data, your organization's data. And that's what it all comes down to. So, yeah, it does take a big commitment, it does take quite a bit of time. And, you know, I would say, beginning to end, three to four weeks by the time you go through the process that I mentioned, they write their report, you have a summary, you have a very detailed session with the company that's done the assessment, and an executive review with some of our senior partners as well. So, yeah, it's time consuming, but it definitely pays off.

Mm hmm. Great. And, Peter, I guess, could you talk about some of the, maybe in some ways we have, but some of the outputs, you know, that you get from the assessment, and maybe again the follow-up work, if you want to add any more comments there? I mean, I think you touched on this earlier, but.

Yeah, I think for us, when we bring in assessors, there are two very specific things that we want them to provide us. One is we want a business-level report as an output, something that we can share with our management committee, our policy committee, our executive partner, something that's not written as if it is technicalese, but that's written at a business level, so that our attorneys, our partners, an appropriate group, can read this and understand what the result was. We also want the complete opposite. We want a highly technical, detailed report that is actionable. We don't want any fluffy stories. We want "here's what's wrong."
"Here's what you have to do to fix it. Go do it." And so when we craft the statement of work, which becomes part of an agreement, a services agreement, we make sure that we're very clear that we're looking for both types of deliverables, as well as their working with us to take the deliverables and do the actionable items. Once we have those, we go in totally different directions with the two types. As I said, one we're going to go to management with. The other becomes part of a process that we internally have that's quite rigid around change management. So our security team analyzes all of these recommendations. They look at the priorities from the assessors, and they then look at what other things we might be doing. Is it something that's about to be fixed by a project underway? Is it something that they're particularly concerned about? And they're going to start now working, as Mike said, with each of the different teams. Is the recommendation really for our networking team, or for the team responsible for servers? Or is it software we should be putting on our desktop computers? And so making sure all of the right people get the right recommendations and make those recommendations part of their upcoming plans. And our security team tracks these from when we get them from the assessor through the point where we say these are totally complete; they're no longer an issue to us. And so I think the key is getting those reports and working with them. As Mike said, it may take a few weeks, a month, to get the report. Once you get the report, it might be months and months and months to implement the recommendations. Don't assume that it's four weeks to get the report and then we have a report. The hard work comes after you get the report. And you really have to be committed to doing it. The other thing I'll say, and maybe we've glossed over something we should have said earlier: not all the recommendations they'll make are purely technical.
They're going to make recommendations around: should you have different policies? Should you write those policies? Should you share them? Should you have procedures that are well-defined, "work this way when this happens"? And some of them are the easy ones, like you didn't put a firewall here. But the policy ones can be way more challenging. And so a good assessor, especially if you haven't done this before, is really going to look at this very broad set of issues which you're wrestling with and give you recommendations across them. Over time, as your security team and your IT organization does this more frequently and gets used to it, and becomes a little more mature, you may focus more on specific areas and say, this year I really want to focus on this one topic, because I feel this is where I'm a little further behind. But do not underestimate how much work you have to do after the assessor does their work.

And again, I guess in the legal aid context, it may be months of work, but it also may be funding cycles. We may have to get into another fiscal year. So you're going to be budgeting for some of it. And Mike mentioned, for instance, if the endpoint security that you're using on your laptops, maybe that vendor's falling behind and you need to switch out to a new product, and again, next-generation technology typically isn't cheaper than the prior generation, unfortunately. So it may be that you need to up your endpoint protection budget a little bit. And again, that may take a budget cycle; it may take an additional grant for a lot of providers. But I love what you said about, you know, you don't want to try to boil the ocean here. And I think, Peter, you were alluding to that, that probably your first assessment is going to be a little bit broader.
But as you go forward, you're going to be looking to maybe focus in on areas that may need a little bit more attention or where you change things maybe more substantially. Vivian, I guess if we could turn back to you and, you know, the LSC grant specifically sort of required, you know, support from the executive director of the organization. You know, how, and Peter and Mike were talking about sort of the need for the assessments to talk to the leadership outside of IT, right, that we're not speaking geek. We're talking about risk and risk management, which lawyers sort of understand and appreciate. How do you feel we can best get leadership on board and how important is that within legal aid and maybe how big of a challenge is it right now. Right. Well, it's going to depend a lot on the organization. So at some organizations, it's going to be a much bigger challenge than at others. But LSC is helping this process with the technology assessments that they're funding by requiring the executive directors in the grant application to agree by submitting a letter of commitment that they will implement the recommendations in the technology assessment report. So it's, you know, at the beginning that you're getting that commitment. But it's important to choose a vendor that you think your executive director and other senior management is going to listen to, right. And the vendor who's doing the assessment could potentially write two different reports. The summary report could be the one that speaks to the leadership, to the lawyers, to the other people that are making decisions at the organization that may not be involved in the technology. 
And then the more detailed report could provide the nitty gritty about what you need to do to improve your network security, to address issues with your firewall, to address issues that involve your users to incorporate policies or create policies and then roll out those policies to your users to make sure that everybody understands what is required of them, what is appropriate use, what is not. And I think most consultants who do this work are going to be able to tailor the report, so to speak, to the needs of their client within reason, right. Because the whole idea is that they are going to come in and take a look at what you have and where you are in understanding best practices, they're going to be able to make recommendations for you across the board. That's the idea. It's all about how we can improve. It's not a compliance audit. It's about how we can do better. And I think at Legal Aid Chicago we're actually doing pretty well. Just to tie back to a couple of points that Mike and Peter made earlier, we've had funders ask us for things like a data breach policy. Do you have a data breach policy? And we do. And so that gives us a leg up, so to speak, with those funders, perhaps. But that's not the end of the story. There's a lot more we could do to do better. So that's the idea behind getting the technology assessment. And I guess, just starting the conversation early, talking with your executive director early on, I'm lucky at Legal Aid Chicago. I have an executive director who's very open to discussing these ideas and understands that it's important to follow best practices. He comes from a large law firm environment, so I think that may give him a little bit of insight that he wouldn't otherwise have. Great. I want to maybe now turn back to some of the questions from the participants. And I'm going to summarize. One of the threads was around the use of cloud services to potentially improve or reduce risks, improve security. 
So there is that question of whether on-prem or cloud. And I know, actually, Peter, you and I have had a discussion about how, in some cases, large law firms have had to and maintain on-prem, even though it wouldn't be something you'd necessarily recommend to smaller organizations. But in the context of this webinar, how would you sort of approach or what's the value of the security assessment for the providers who use various cloud services and tools? Because obviously, as you mentioned, there's the Wi-Fi, there's your firewalls, your servers. But what about the cloud elements? Because we're, I think, almost every provider at this point is using at least like 10 different cloud services. Well, I think the cloud services at some level, at a level of complexity that most people are not getting. And if your cloud provider is one of what I'll call the usual suspects, Google, Microsoft, Amazon, they have more security engineers than any of us have. Any of us will ever have. All of us have put together. So there is part of it that they're doing. And I'll say they, from organizations of that size, have done a great job in putting up portals with information about their security so you know what they're doing and you can see their certifications. And all this is great. It does take some part of the hard work out of our hands. But if we look at a number of the breaches that have occurred over the last couple of years, many of them have occurred on those big providers' platforms because the customer didn't configure their use of the service in the ideal way. And so while those organizations may have lots and lots of great security people, that doesn't take 100% of the onus off your hands and onto theirs. You still have the responsibility for looking at what options you can leverage, configure, optimize to ensure that things are really secure. And so if you're using a third party for an assessment, you should ask them, have I configured my use of O365 or Google apps? 
Have I done this the best way? And I know a few people have talked about multi-factor authentication and single sign-on. And all of these are options available to you in the cloud services. And when done in the ideal way, offer you incredible benefits. But they don't magically happen on their own. And so there's a little more work to it. As you said, the large law firms may use the cloud a little less than smaller providers. And there's some specific reasons why. But if you ask us, is it because we think they're not secure? Absolutely not. Large law firms' reticence to using some of those providers has more to do with control. And everyone take this in the spirit it's meant: lawyers love control. As soon as you give something to someone else, you give up a little control. The first time I had a conversation with our technology committee about what the cloud really meant, one of our lawyers said, wait a minute, are you telling me we're going to pay someone else? We're going to give them all of our clients' information. And then we have to pay them again to get it back. And I sort of laughed. I said, it's sort of like that. But the idea that you're giving something to someone else, they didn't love the idea around. And so there are reasons I would say for midsize organizations, the benefits far outweigh the risks as long as you do your homework. So you can't just say, I'm using this, I'm using Microsoft Azure for my servers, and I'm good. That's the recipe most likely for disaster. It's just a question of when, if you're not managing. And Mike, I guess, so I know your firm has done at least some cloud services. I mean, has that been something where the security assessment has actually sort of made suggestions for improvements? I mean, has there been some utility there in terms of security assessments in cloud? It's definitely been part of the discussion, although we've done so very carefully. That is making our move to the cloud. We do have an Azure instance. 
We do have a couple of applications running up there. Most of our core applications are still on-prem. Our document management, our email system is still on-prem. But we're making our way up there. And as Peter alluded to, it's not because we're Luddites. It's not because we're afraid. We have certain clients that insist that we keep their data on-prem, which is a silly concept. The situation there is that it's in the cloud, so therefore it's not safe. And that, yes, in the beginning that was probably true, but it's certainly not true any longer. As was said, we've said it a couple of times. You need to do your homework. You said it, John, just because you set yourself up on Azure, you're good to go. No, it's not the case. You have to set up proper security controls. You have to set up that multi-factor authentication. You have to set up role-based security and administrative rights on the appropriate level. And all those things still apply in the cloud as they do in your on-prem environment. And there's certainly a lot of advice out there that you can follow to give you that. I don't know when we'll have, quote-unquote, everything in the cloud. It's still years for us, but not a decade. I think in our case, we're looking at three or four years now. We'll have all those core applications at the most. I'm looking sooner than that. There's a question, I guess, for the whole panel about funding needed. And obviously, again, a lot of the providers have, well, there might be some with 300 or 400 people, but a lot of providers are 200 or 30 or 50. But if they're going to raise money for a security assessment, how should they approach pricing an initial security assessment project? Any thoughts? I know that may be hard sitting from a vantage point of thousands of lawyers and 10,000 staff, but... I would defer to Vivian with our first answer, but only because she's been there, done that. Thanks, Mike. 
And so what I can offer is that we, meaning my IT director and I, started talking to various vendors about three or four years ago about what they could do and got ballpark figures about what it would cost. And all of them were willing to tailor the work to something that was within our budget. That said, at the time, when I was explaining that it might cost us $40,000 or $50,000 to do a technology assessment, I wasn't getting a great reception from our finance team because that's a significant cost for us out of our annual budget. So it was something that we decided we needed to plan for, and that's basically how we approached it. Now, luckily, LSC has come out with this grant option that gave us a little bit of an edge and an opportunity, so to speak, to apply. And if we get the grant, then we'll have funding for a technology assessment, but the most that we can get is $35,000. And so that's what we'll have to do is work with a vendor who will be able to provide that assessment for us within that budget. Right. And certainly scope the work to budget, and maybe also the priorities. And actually, I think one of the things, Peter, you may have mentioned the pieces that you know you're changing. I mean, I guess a lot of providers are in the middle of some major technology project. And I think that may, you know, make people be thinking that, well, you know, wait till I'm done with my project. Is that sort of like a fallacy? There's always going to be the next project. I mean, how do you decide when, right? And I think Vivian, you said now, but like how that it's understandable, I think for folks to feel like this is, you know, their environment's a moving target. So if I do this assessment, it's going to be out of date. You shouldn't wait. And I'll go back to, it's like your checkup. You should think about doing it annually. It should become part of your process. And it is great to have an outsider with a clear view come in. 
And there's no reason to wait. There'll always be a reason to wait, and you'll never accomplish anything. So my suggestion is do it and plan to do it again a year later. And, you know, finding a provider who will work with you, who understands that you are a nonprofit, the financial constraints may be different than Mike's firm or mine. You be upfront about that and see what you can do to work with them and, you know, have them structure it in a way that is digestible or consumable to your organization. It's way better to do a little than to do nothing. And I just want to suggest that folks, if they have a chance to look at the chat, there's been, you know, a lot of good suggestions, comments, you know, about better security practices, and including patching. I know actually, I just actually saw with one of our clients, their insurer did an external scan of their environment and gave them a report. Like, you need to take care of the following things. Fortunately, it looked like they were all fairly minor, except for one thing that's hard for a lot of organizations, and that's moving off of the terminal server environment being, you know, right on the internet, right? Getting that at least behind the VPN. But you're going to see in some ways some of the, I think, insurance companies for sure, but potentially other funders who will be looking at your environment. They won't even tell you, they're just going to look and they're going to, you know, say that, or if it's a city agency or state agency, that you need to do these things. And I think what's harder is doing them really, really quickly, like with no planning at all, and without sort of the benefit of a partner who's going to help you figure out how to get it done, you know, and done economically wherever possible. I mean, I think that's the thing that some extra time may make it, you know, very, you know, sort of affordable. 
You may have a lot of the technology and it's just a question of sort of change of the configuration. So I'm just looking for some other questions. And again, MFA's come up and single sign-on and the value of that. And certainly, I think you would all agree, you know, using cloud services, single sign-on becomes even more important. So you don't have 50 different accounts that you're managing independently. So really glad to see a lot of folks are moving forward on that. Yeah, on the single sign-on piece, you know, having a single set of credentials that works across multiple accounts, not only makes it easier for your users, it also makes it easier when you have people leave that you can disable that one account and protect the information so that someone who leaves your organization doesn't retain their access. And it is a critical element to security to do that well when people come on and when they leave. Also with a single set of credentials, you're in a better position to aggressively enforce good password policies through the single sign-on vendor and say, oh, yes, you do have to change every 90 days. You know, if you have 10 passwords for 10 separate systems and have to change them every 90 days, your head will explode. On the other hand, an SSO provider will allow you to change it once. Now you've got a new password to all 10. It's a great element that's good for the organization and good for the users. Yeah, well, and I guess that's a really good sort of segue into sort of this other, you know, piece that I think Vivian, you sort of started on. And I think we've all talked, or you've all talked about it a little bit, which is, you know, again, making the security environment fit sort of the organization, the culture, the priorities that you have. When you're working with security firms and doing these assessments, is there some negotiation? Is it, well, they help you figure out a better way? Okay, here's a challenge. Here's a problem that we've identified. 
And then you do, you know, horse trade a little bit. Well, here's the issue we have internally and come up with maybe an alternative approach that improves security without necessarily saddling your users. I mean, I think that's, there's always this sort of tension between, you know, I don't want to say perfect security, because that's a misnomer, but between good security and access and usability. But how does security assessment sort of work in a way that really is tailored to your environment and to your firms? Sure. Well, you know, you're right, security is never convenient, right? That's the whole idea behind it. If it were convenient, it wouldn't be secure. So we've heard some grumbling from our users when we rolled out MFA and we still need to roll out MFA in other places. So it's a work in progress. But to answer your question about working with the assessors who will do these reviews for you, I have found that everyone that we've spoken to was willing to have a conversation about the end product. Because, you know, what's the deliverable? That was always a question that I asked when we were looking at assessors. And the deliverable is going to be the report, but that's really the beginning, not the end. You know, what are you going to do with that report? And sure, it's going to help us to identify areas where we can improve and it can help us to potentially reduce our cyber insurance premium and maybe, you know, give us a little bit of a leg up when we apply for grants with various funders. But the idea is that we're going to roll it into our practices and our procedures and everything we do. 
You know, going back to one of the things that Peter said about having assessments done every year, that's really the whole idea is to make this part of your regular practices and to have the conversations with the vendors about what they are recommending in their report and how you would actually achieve some of these goals that they've identified, prioritizing them, and then how you actually go about achieving them. And I found that vendors are very willing to have these discussions. And John, I'm taking a little offense at the horse trading term. I think when the assessors make an assessment, they'll come back and say, here are things you can do to improve your posture in this area. It's not just the one size fits all; any improvement you make is better than where you were. That doesn't mean you have to get to perfect. And as you said, there is no perfect. But what there is, is better than where I was 10 minutes ago. And the key is, if I can make us better than where I was 10 minutes ago across 20 different areas, hey, that's a great step in the right direction. And maybe a year later, there are 10 different things I do, and so on and so on. Great. And I'm just looking again at the comments. If folks have any other questions, please, there were some that were answered by others, which I love when there's dialogue going on in the comments. But if you have any other questions, please let us know. And I just want to give Vivian, Mike and Peter an opportunity for any sort of last thoughts that they might have, they'd like to share. And obviously, again, sorry, there were a couple requests for some resources. And I think LaDirdra and I will take sort of all these comments and think about what we can come up with and provide through LSNTAP. I saw some really good suggestions there. And so if we can make that happen, even to some extent, even if it's not as complete as we might like, we'll try to do that. But any last thoughts? 
And again, any last questions, please add them to chat. I'll start just by saying dive in. Go ahead, do as much as you can, whether you have a tiny budget or a larger budget. Get something started so that you can have an outside party come and look at everything you're doing. And think of it as an opportunity to improve. It's not an audit like the finance team has to go through. It's really how can you make everything better for everybody that you're working with? Wonderful. Thank you, Vivian. Yeah, I'll jump in with my comment when people ask how big is your organization and how many people do you have really doing security? So we support about 3,800 people using our systems each day. And our security team is 3,800 people. If everyone in your firm isn't part of making the situation better, they're part of the problem. And you have to educate them and make them aware of the situation. And if you get their buy-in and they're part of the solution, everything will go better. And that's my strongest recommendation that will give you the biggest bang for the buck. Fantastic. The points I wanted to make are not part of this particular topic, but certainly closely related to it: your weakest link is your people, or your strongest link. So your security awareness, I know that the topic has been discussed among this group. And we certainly emphasize that. There are many different forms of that. I'm not sure what you all use. I know a resource that I often recommend to someone, you know, a small company, whatever, that's still trying to figure out what they want to do with security awareness, that's KnowBe4. They have a lot of free resources online. And of course, they will also want to sell you stuff too. But I would take a look at that. And phishing tests, if you can afford to do that, if you can figure out a way to do that, it's just all about the education. 
And so if you can, and sometimes I'll get a call from a partner like, I hate to bother you with this, or an email, I hate to bother you with this, but I got this email and I think it might be... You're not bothering me. Call me at home or whatever the case may be. I want to know. So yeah, keep everyone involved and it has to be top of mind. And not at all judgmental. As you're saying, I mean, I think this is, we've got to work collaboratively. We've got to be supportive. We've got to educate. I think you've said all this, and really in some ways I think that does link us back because the assessment is about education. It is about educating the non-tech on your environment. It's about educating your tech or your contractors, whoever you use. I mean, in legal aid, we don't typically have large teams doing a lot of this work. So it's few people with multiple hats, but I think it sort of really goes along with that sort of theme. So again, I really appreciate your willingness to help with this topic and be panelists on this webinar. And I really appreciate the comments and folks showing up. So thank you. I hope everyone tunes in to the remaining three webinars coming up. The next one I think is November 2nd. I think it is. Yes, it's November 2nd. November 2nd. Same time, same channel. So again, thank you very much. Have a great rest of the day.