FIVE EASY STEPS TO BOOST SECURITY IN YOUR FIRM · 6/15/2016

Claude Ducloux, Board Certified, Civil Trial and Civil Appellate Law, Texas Board of Legal Specialization; Director of Education, LawPay, Austin, Texas
James Sparrow, Software Architect, LawPay, Austin, Texas



Page 2: The Threat to Law Firms

CYBER SECURITY: WHAT ARE THE TYPES OF LOSSES AND BREACHES THAT WE ARE CONCERNED ABOUT?

1. Theft of intellectual property
2. Theft of sensitive information
3. Loss of reputation and trust, resulting in:
   - Loss of clients
   - Loss of economic and competitive advantage
4. Business disruption and liability to third parties

Page 3: Lawyers as Targets

WHY IS THIS IMPORTANT FOR LAWYERS?

1. Fiduciary duty to keep client information secure
2. Constant handling of confidential information:
   - Financial
   - Health Care
   - Family
   - Business
3. Law offices are the path of least resistance to obtain sensitive information

Page 4: Malware and Hacking Threats

• CryptoWall “ransomware” is estimated to have cost users over $325 million in calendar year 2015
• Spear-phishing attacks – targeted attacks used to acquire confidential information or install malware
• String of law firms breached in 2015-2016 to obtain data on mergers and acquisitions and expose client information
• Now, more than ever, Lawyers need to take steps to protect firms and clients

Page 5: Insider Threats and Mistakes

WHAT OTHER TYPES OF SECURITY THREATS?

In House Mistakes:
Losing or disclosing passwords; losing laptops, iPhones, etc.

In House Mischief:
The “Insider Threat” is the most significant risk that companies face. A disgruntled employee alters or steals company data: 1 in 5 attacks all across the country.

“Insider threat” is difficult to predict and prevent, due to the ease of copying files to a thumb drive or e-mailing documents to a personal email account.

Page 6: Universal Access Threat

1. Demand for 24/7/365 access
2. Results in access to confidential information:
   - From anywhere
   - On any device
3. Threats from:
   - Insecure access (Wi-Fi access points)
   - Greater likelihood of loss of devices containing sensitive information

Page 7: Standard of Care

IS THERE A STANDARD OF CARE FOR LAWYERS?

Most Lawyers get sued on a “negligence” standard. Typically that is: “Did the Lawyer act in accordance with what a prudent lawyer did or would have done in the same circumstances?”

At present, there is no clear indication other than what a reasonably prudent lawyer would do or not do under the circumstances.

CHECK YOUR OWN STATE STATUTES!

Look also at state/federal Health and Safety Codes for “Duties of Custodians of Confidential Information.” Almost all lawyers are “custodians”.

Page 8: Privacy Standards

WHAT ENTITIES ARE CREATING STANDARDS?

National Institute of Standards and Technology (NIST) at the national level

Framework for Improving Critical Infrastructure Cybersecurity
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

May establish baseline standard of care for legal liability

Page 9: Additional Sources of Privacy Standards

Standards for Privacy Continued

Other entities include:

1. The Federal Trade Commission
2. Federal Laws:
   - HIPAA, the Health Insurance Portability and Accountability Act of 1996, regulates the use and disclosure of protected health information
   - www.hhs.gov/hipaa/
   - HITECH Act, the Health Information Technology for Economic and Clinical Health Act, has additional requirements that modify HIPAA
3. State Statutes - Always check your own State Statutes!

Page 10: Step 1: Cyber Assets Inventory

1. Document the cyber assets in your practice
   - Use our template to get started
2. Necessary in the event of a breach
3. Covers your:
   - Networks
   - Computers and Hardware
   - Software and Data
   - Users and accounts

Page 11: Inventory: Network

Your Network:

1. Wired? Wi-Fi?
2. What is connected to which networks?
3. Who configured it?
4. Guest Wi-Fi?
5. Who has Wi-Fi access?

Page 12: Inventory: Systems and Hardware

Identify Office Systems and Hardware:

1. Computers
2. Laptops
3. Mobile devices
4. Printers
5. File servers and network storage

Page 13: Inventory: Software and Data

1. What applications are you using?
   - Critical to business or accessing confidential data
   - Do you have licenses for each copy?
2. What is the application responsible for?
3. What information is managed?
4. Where is the information stored?
   - Local to computer or device?
   - On your network?
   - In the cloud?
5. Include data backups
   - What is backed up, and where is it located?

Page 14: Inventory: Users and Accounts

1. Identify all the users with accounts on your system
2. What privileges does each user have?
3. Are these privileges necessary?

Page 15: Inventory Goal: Securing Systems

1. Each asset in the inventory must be strengthened
   - Asset is secured
   - Accessible only to people or systems with need
2. Examples of strengthening include:
   - Replacing weak passwords
   - Updating Wi-Fi configuration and securing connections
   - Ensuring systems are up-to-date and less prone to viruses

Page 16: Step 2: Password Management

LET’S START WITH PASSWORDS

Passwords are the easiest way in to hack our systems. This includes passwords to:

1. Networks and Wi-Fi
2. Email and other accounts
3. Common websites
4. Clerk’s Office, E-filing systems, etc.

Page 17: Use a Password Manager

1. Use a password manager
   - Provides secure storage for all your passwords
   - Depending on which you choose:
     • Works on a single computer only, no sharing
     • Secure shared access across computers and devices
2. What is a password manager?
   - Separate application downloaded and installed on your computer or device
   - Easy to create a different, strong password for every site
   - You only remember the passphrase for the password manager
   - This one password must be strong and complex. Avoid:
     • Dictionary words (with or without numbers at either end)
     • Foreign words
     • Slang or jargon
     • Names or dates associated with you
   - Use:
     • 12 or more characters
     • Upper and lowercase
     • Numbers and symbols
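As an added example (not from the slides), a small Python policy check that applies the rules above to a candidate master passphrase before it is accepted; the word list and personal names it consults are constructed stand-ins for a real dictionary file and the user's own details.

```python
import re

# Constructed mini word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "justice", "summer", "attorney", "lawyer"}
# Constructed personal details the policy should refuse (names tied to the user).
PERSONAL_NAMES = {"claude", "sparrow", "lawpay"}


def _core(pw: str) -> str:
    """Lowercase and strip digits/symbols from both ends, so 'Summer2016!' is judged as 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def check_master_passphrase(pw: str, personal=PERSONAL_NAMES) -> list:
    """Return the slide's rules that the passphrase breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < 12:
        problems.append("fewer than 12 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lowercase letters")
    if not re.search(r"\d", pw):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    core = _core(pw)
    if core in DICTIONARY:
        problems.append("dictionary word (numbers at either end do not help)")
    if core in personal:
        problems.append("name associated with you")
    # Heuristic: a four-digit year or an m/d, m-d style fragment counts as a date.
    if re.search(r"(19|20)\d{2}", pw) or re.search(r"\d{1,2}[/-]\d{1,2}", pw):
        problems.append("contains a date")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2016!", "claude1975", "Vg7#plate-Kite-moss41"):
        verdict = check_master_passphrase(candidate) or ["acceptable"]
        print(candidate, "->", "; ".join(verdict))
```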

Page 18: Multi-Factor Authentication

Other steps to secure access: Use MFA

1. Multi-factor authentication
2. Requires password + code to access account
3. Code is texted or accessed from a smartphone application
   - Example: Google Authenticator
4. Codes change each use
5. Substantially reduces account hijacking
6. But don’t stop using strong passwords even when MFA is enabled!

Page 19: Step 3: Fortify Your Network

You can significantly reduce the risk of access through your Office Wi-Fi:

1. USE YOUR PASSWORD MANAGER to generate a strong passphrase for your wireless network.
2. REQUIRE NETWORK AUTHENTICATION, selecting WPA2-Personal (Wi-Fi Protected Access 2) for most small practices
   - May appear as WPA2-PSK or just WPA2
   - Do not use WEP or plain WPA
3. USE A SEPARATE GUEST WI-FI NETWORK for clients or visitors who need Internet access.
   - Most Wi-Fi routers today support one or more guest networks
   - Enable WPA2-Personal authentication for your guest network as well
4. PROVIDE ACCESS to your private network (as opposed to the guest network) and intranet/LAN only to those with a clear and ongoing need
5. CONNECT YOUR OFFICE SYSTEMS, printers, file servers, etc. to your private Wi-Fi network or LAN, not the guest Wi-Fi network
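An added example, not from the slides: a Python audit of a router configuration export against the five-point checklist above. The INI layout and section names are an assumption for illustration (real routers export their own formats), and the passphrase minimum reuses the 12-character rule from the password slide.

```python
import configparser

# Constructed router export in INI form; the values are deliberately flawed
# so the audit has something to report.
SAMPLE_CONFIG = """
[private]
ssid = Firm-Office
security = WPA2-PSK
passphrase = correct-horse-battery-staple-2016

[guest]
ssid = Firm-Guest
security = WEP
passphrase = abc12

[devices]
printer-2f = guest
file-server = private
partner-laptop = private
"""

# WPA2-Personal as routers variously label it; WEP, plain WPA and open are rejected.
ACCEPTED = {"WPA2", "WPA2-PSK", "WPA2-PERSONAL"}
MIN_PASSPHRASE = 12  # assumption: the 12+ character rule from the password slide


def parse_router_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def audit_wifi(cfg: configparser.ConfigParser) -> list:
    """Return findings that violate the Step 3 checklist (empty list = clean)."""
    findings = []
    for net in ("private", "guest"):
        if not cfg.has_section(net):
            findings.append(f"{net}: no such network configured")
            continue
        sec = cfg.get(net, "security", fallback="NONE").upper()
        if sec not in ACCEPTED:
            findings.append(f"{net}: uses {sec}; require WPA2-Personal (WPA2-PSK)")
        if len(cfg.get(net, "passphrase", fallback="")) < MIN_PASSPHRASE:
            findings.append(f"{net}: passphrase shorter than {MIN_PASSPHRASE} characters")
    # Office systems (printers, file servers, staff machines) belong on the private network.
    if cfg.has_section("devices"):
        for device, net in cfg.items("devices"):
            if net.strip().lower() != "private":
                findings.append(f"{device}: office system on '{net}'; move it to the private network")
    return findings


if __name__ == "__main__":
    for finding in audit_wifi(parse_router_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```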

Page 20: Wireless Router Settings

Page 21: Step 4: Protect Office Systems

Your office computers can be a treasure trove for an attacker, and there are multiple routes in, from open network connectivity to targeted malware. Fortunately there are a few key tools at your disposal to counter these threats:

1. Automatic updates
2. Antivirus/Anti-Malware
3. Firewall

Page 22: Enable Automatic Updates

Enable your operating system’s automatic updates and apply application updates as they become available. Many active viruses take advantage of problems for which fixes have long been available.

Page 23: Install Antivirus/Anti-Malware

Install anti-virus/anti-malware on all systems, enable real-time checking, and schedule full computer scans weekly at a convenient time.

Page 24: Enable Your Firewall

Enable your operating system’s firewall to prevent external connections. Some software applications may require specific exceptions to be configured to allow access from other computers on your network, but the vendor documentation should make this clear.

Page 25: Step 5: Secure Confidential Info

Lawyers have both an ethical responsibility and a legal responsibility to secure confidential information. Here are some tips to assist you:

1. USE OF HTTPS ADDRESSES: When handling sensitive information within a web browser, always make sure the address starts with “https”. Most browsers will highlight the address bar and let you know the connection is secure (e.g., a link that reads “County Court Records” in an email may be revealed as “PhishingExpedition.ru” once the browser displays the actual address). Data transmitted over a properly secured connection is encrypted, which prevents an attacker from tampering with or accessing the information sent.
2. WHOLE-DRIVE ENCRYPTION: Data stored on your computer or a network storage device also needs to be secured. Most modern operating systems support whole-drive encryption. Once enabled, you can be comfortable that if your computer were lost or stolen, the data stored on it cannot be accessed by anyone else. Learn how to enable this encryption!
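As an added example that is not from the slides, a Python check that pulls every link out of an HTML e-mail and reports where each one really goes and whether it is https, so the “County Court Records” case above is caught before the browser is opened; the sample message and its hosts are constructed and use reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed e-mail body: one deceptive link, one honest link, one look-alike host.
SAMPLE_EMAIL = """
<p>Your filing is ready: <a href="http://phishing-expedition.example/login">County Court Records</a></p>
<p>Or sign in at <a href="https://efile.courts.example/">efile.courts.example</a></p>
<p>Update payment: <a href="https://efile-courts.example.net/pay">efile.courts.example</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html: str) -> list:
    """For every link: the host the browser will really visit, and warnings when the
    connection is not https or the visible text misrepresents the destination."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        real = urlparse(href)
        real_host = (real.hostname or "").lower()
        warnings = []
        if real.scheme != "https":
            warnings.append("not https")
        # If the visible text itself looks like a domain or URL, it must match the real host.
        shown_host = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
        if "." in shown_host and shown_host != real_host:
            warnings.append(f"text shows {shown_host} but link goes to {real_host}")
        results.append({"text": text, "host": real_host, "warnings": warnings})
    return results


if __name__ == "__main__":
    for r in audit_links(SAMPLE_EMAIL):
        print(f"{r['text']!r} -> {r['host']}  {'; '.join(r['warnings']) or 'ok'}")
```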

Page 26: User Training

Always remember that insider threats and human error are the prime avenues of data breach and privacy loss.

Train your staff:

1. Use a password manager
2. Never disclose passwords
   - Exception: Client access to the secured Guest Wi-Fi network
3. Never disclose confidential information over the phone
4. Immediately report any possible disclosure of confidential information

Page 27: Prepare for Emergencies

HOW DO I ENSURE MY CLIENTS CAN OBTAIN THEIR DIGITAL ASSETS?

Anytime there is a death, including the death of a lawyer, the potential for a cyber threat increases.

According to a 2013 Harris Poll, 93% of Americans who have digital assets aren’t aware of what happens to digital assets when they die.

Just like having a Will, every lawyer should have some very safe and secure location where his or her own staff or a trusted fiduciary can find out what his or her digital passwords are, or the access code to the password manager. (Again, always check your state statutes.)

Page 28: Prepare for Emergencies

HOW DO I ENSURE MY CLIENTS CAN OBTAIN THEIR DIGITAL ASSETS?

ULC - FIDUCIARY ACCESS TO DIGITAL ASSETS COMMITTEE:

Since 2014, the “Fiduciary Access to Digital Assets Committee” of the Uniform Law Commission (ULC) has worked with companies to try to craft a model act that would vest, first of all, lawyers with at least the authority to manage or distribute digital assets, or to copy or delete those assets, as appropriate.

Lawyers need to advise clients always to have their own safe and secure location, or a fiduciary who knows what his or her digital passwords are, or the access code to the Client’s password manager.

Page 29: Prepare for an Incident

HOW DO I PREPARE FOR A CYBER-ATTACK IN MY OFFICE?

Every office is probably going to be subject at some point to some minor incident or attack or loss of a password. So, what do Lawyers need to do?

1. Create policies and plans for prevention and response
2. Plans must address the minimum physical, technical, and administrative safeguards
3. Include a plan to respond to an actual or threatened breach

Page 30: What is a Breach?

The Department of Justice defines a breach as:

“[The] loss of control, compromise, unauthorized disclosure, unauthorized acquisition or access or any similar term where a person(s) other than the authorized users have access or potential access to information, whether that is physical information or electronic information.”

Page 31: Handling an Incident

Although YOUR state may have different specific requirements, generally, a Custodian of confidential information should notify the individuals as follows:

1. Provide a general description of the incident, including:
   - Information that can mitigate harm to the individual
   - Customer service contact information
   - Steps to obtain and review credit reports
   - Steps to file fraud alerts
2. Remind individuals to remain vigilant and report suspicious activity
3. Provide FTC contact information for identity theft protection

Page 32: Wrap-Up

FINAL THOUGHTS

1. Take inventory of all digital assets
2. Start using a password manager immediately!
3. Enable automatic updates on all your systems
4. Enable whole drive encryption
5. Train staff on security practices
