Woven Legal is proud to introduce you to Rob Harvey of Online Business Systems. At OBS, he is the Managing Director of Risk, Security, and Privacy and a cybersecurity expert. He shared some of his insights about the biggest cybersecurity risks out there and what law firms need to know to protect themselves.
MG: The 60 Minutes Report on hacking has gotten a lot of attention, and I know you’ve noted a big increase in hacking in your industry. What does that look like and how do you know this is happening?
RH: At OBS, we don’t have a security operations center any longer. We now work with a partner called Agile Blue that monitors those things. But I also subscribe to many blogs and feeds and see this increase across the board. Some feeds are even dedicated to the dark web, where there has been a lot of chatter and activity related to hacking, too.
MG: Can you explain what the dark web is?
RH: Not everyone can access the dark web. Basically, there are 3 levels to the internet (probably more). One level is public-facing like ESPN.com or CNN.com. On the next level down are non-indexed websites, intranets, and pages requiring logins. This level is sometimes called the deep web. The dark web requires special tools, software, etc. to gain access. Tor sites are part of this group. Criminals/hackers prefer this to keep their identity anonymous.
MG: I’ve read that many hackers are being recruited through the dark web.
RH: There are always different types of hacking going on. There are good hackers and less ethical ones, such as a bad actor trying to get entry into organizations to steal data or spread misinformation. Some of the information that’s come out recently is showing that there are more people attacking Russia through cyber than most people realize, especially in light of the activities with Ukraine. This highlights the role of state actors in cybersecurity issues, too. This is in addition to individual criminals or groups of criminals. Those make up three tiers of users of the dark web.
What happened with Russia when the invasion of Ukraine first occurred is that the government was really controlling activity. If you think back to the pipeline gas activity around a year ago, many people wanted to know, “Why would Russia attack us?” It was more about being a disruption because it had a big impact on the U.S. economy.
Even smaller attacks like ransomware are important to know about because they can impact individual people or companies. In a ransomware attack, people are pressured to pay money to get access back to their data or to prevent leaks. Where that money goes, however, is the main issue. It can be a violation of federal law. For example, if you get a ransomware attack from China or other countries banned by the FTC, it’s illegal to pay that ransom.
MG: What kinds of things should companies be thinking about doing if they suspect these kinds of attacks?
RH: Many entities first try to power off their machines. If you shut down your computer, any forensic activity gets lost because it’s in the memory of the machine. This isn’t a great first step, which is why we work with companies to plan for possible threats and responses if those threats were to happen. We help these companies come up with standard operating procedures for the most common kinds of security threats.
My recommendation for small and medium-sized organizations is to look at companies offering virtual CISO (Chief Information Security Officer) services. A fully loaded CISO is out of reach financially for many smaller companies, which is why outsourcing to a virtual CISO helps by securing similar services for a fraction of the cost.
We have a phased approach when it comes to virtual CISOs. The first phase is about discovery to determine the regulatory and compliance needs of your industry. Many companies, for example, haven’t done a risk/threat assessment or a penetration test (a simulated cyberattack on a computer system, performed to evaluate the security of the system). That’s where we start. From there, we come up with a roadmap to protect our clients.
MG: What about HIPAA-related issues? For our clients who are Personal Injury attorneys, for example, there are often medical records going back and forth between opposing counsel or files stored on digital servers. Any particular tips for attorneys tasked with safely handling their clients’ sensitive personal information?
RH: This is where industry expertise comes in. Being able to have the technology and training that goes beyond basic IT and security support is so important. Honoring CISO processes is critical, and it’s an evolutionary process that should always be adapted as needs change, too. Too many small firms, for example, don’t even do basic security awareness training with their staff. So a staff member gets an email with a phishing request or link and it’s human nature to click on that. We try to plan ahead for the human factor. It’s one of the weakest links of security.
This is why there is a difference between security risk assessment and threat risk assessment. Security risk assessment is about controls like making sure every employee has an eight-character password with uppercase letters, lowercase letters, and special characters. A cyber risk assessment is trying to understand the threats that could harm your business.
MG: How do law firms rank in terms of being targets for these risks?
RH: For a law firm, it depends on the clients they represent, the data they’re holding, and the visibility of that.
MG: Are there certain operating systems with more risks?
RH: In the past, Microsoft was more targeted because they had open architecture with their devices. For example, you might have pieces of your computer setup from Seagate, pieces from Nvidia, etc. With Apple, Apple controls every aspect of the pieces inside their devices. However, these days everyone has the potential to be impacted as these hackers are getting savvier.
MG: What are the biggest things people should be concerned with right now?
RH: The biggest issue in the past year is the SBoM, which is the software build of materials. Think of the SolarWinds issue last year. (Threat actors) introduced the software and some code that was then propagated as an update to their systems and then updated out to users. This caused a lot of vulnerability issues. This brings up the risk of zero-day attacks, which is when a vulnerability has been discovered and the vendor has not created a patch yet. Google, for example, uses a bounty program when they release an update. Good hackers will share with Google what they found.
MG: What are the biggest threats to a law firm?
RH: Lawyers and consultants have something in common. They’re experts in their field and they don’t like to feel dumb. Both have big assets, too: client data. If someone could suddenly delete or lock all your private data and hold it for ransom, that’s a major threat for law firms. Ransomware is probably the biggest threat for lawyers.
MG: Can we talk a little about blacklisting and whitelisting? Could you explain what this is, please?
RH: Think of it like answering some of these questions: What are you allowing? What are you not allowing? Who are you blocking? What are you not blocking? The key thing to remember is: how do you protect what you don’t know? There are frameworks that can help show some of these weaknesses. For example: identify, protect, detect, respond, recover. This one walks you through tasks and actions to protect your interests. This is really important for law firms, who might not realize all the ways they could be exposed to risks. Think of the plugs in your walls for your phones, for example. What’s to stop someone from hacking into that and accessing private data? Copier printers are another big risk. Printers have hard drives in them with images of what has been scanned.
MG: How do you combat communication hurdles with prospective clients who are clearly uncomfortable asking about potential threats to their systems and data, when you know the need exists for them – and your company can help them get to a better place?
RH: Leverage the concept of keeping all your assets in the cloud with proper protections in place. This might be an opportunity to bring in consultants to help uplevel the technical aspect. We like to start with the same framework to make things accessible. First, we start with looking at risks and controls and then look for ways to detect those threats. Having access to someone who can answer those difficult questions, like a virtual CISO, is key, too. Each company is in a different place and has a different risk appetite, too. People must consider the question, “What are we willing to spend to protect our data and assets?”