OM21: Proving Cybersecurity Due Diligence for your Firm
Presented by
James Gast David Myers
The handouts and presentations attached
are copyright and trademark protected and
provided for individual use only.
James Gast, CEO, SpliceNet Legal Tech & Legal Marketing | [email protected] | 513.252.0212
Proving Cybersecurity Due Diligence For Your Firm
www.linkedin.com/in/jamesgast
Who The Heck Is Jim Gast?
I’m a veteran of Law Firm Tech & CyberSecurity and the CEO of SpliceNet Legal Tech, which specializes in developing highly effective and secure technology systems.
• Law Firm Tech & Cybersecurity Expert Assisting 150+ Law Firms over 25 Years
• 75 Law Firm Cybersecurity Audits in last 24 months
• National Speaker/Writer on Office 365 & Cybersecurity
What you get in the next 90 min:
• What cybersecurity is beyond the “tech”?
• A standardized process for your firm
• How to assess your cyber-threat readiness and mitigate it using the same tools we’ve used for the last 7 years
• A simple national peer-based cybersecurity collaboration platform
“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.”
– Andrew Grove, former CEO of Intel
Cravath Swaine & Moore, Weil Gotshal & Manges, & Mossack Fonseca (aka the “Panama Papers”)
The Evolution Of Crime
Black Market Values
• Credit card details: $2 to $90
• iTunes account info: $8
• Credit card numbers (ripe): $190
• Card cloners: $200-$300
• Fake ATMs: $35,000
• Anyone can easily buy training, tools and services for committing fraud, hacking systems, buying stolen credit cards, setting up fake web sites, etc.
• Cyber-criminals even offer support contracts for their software
“We’re Just a Simple Law Firm... Nobody Would Bother To Attack Us, Right?”
• One in five law firms falls victim to cybercrime each year and that number is GROWING. (Source: National Cyber Security Alliance)
• Law Firms are low-hanging fruit because they don’t believe they are a target, and therefore have very loose or no security systems and protocols
$122,000 x 2: amount of money defrauded from Northern Kentucky law firms last spring
Biz Model: Low Volume, High Margin
FDIC Does NOT Protect Your Firm From Bank Fraud Caused By Hackers And Social Thieves, And The Bank Is NOT Responsible For Getting Your Money Back!!!
Bank Fraud
400,000 NEW Malware Threats Are Being Released Per Day
Source: AV-TEST
Biz Model: High Volume, Low Margin
Phishing!
“There's always somebody in an organization who will... open a malicious link or an email attachment.”
– Kevin Mitnick, the FBI’s most-wanted computer hacker of the 1990s, turned cybersecurity consultant/good guy
Shadow IT
21% of your users are using Dropbox without your knowledge!
Source: SpliceNet Cybersecurity Quiz, February 2016
Social Hacking
97% “say” they would not attempt to view files on a USB stick they found. Social experiments show a much higher rate.
Source: SpliceNet Cybersecurity Quiz, March 2016
Wireless Use
80% of people use public wireless without concern even though they consider it unsafe.
Source: SpliceNet Cybersecurity Quiz, March 2017
What you should not email!
Generally PII is: first name or first initial and last name plus one or more of the following:
• Social security number, Driver’s license number, State-issued ID card number
• Account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access the account. The definition generally applies to computerized data that includes personal information.
As a rule the following should not be transmitted by UNPROTECTED email:
• Medical records
• Financial records
• Credit card numbers
• Bank account numbers
• Retirement account numbers
• Investment account numbers
• Username or passwords or PINs
• SSNs
• Obviously, any firm data considered private/confidential
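As an added example (not part of the presentation or any SpliceNet product), the definition above can be turned into a pre-send check that an email gateway or DLP rule could run: a message is flagged when it carries a card number, SSN, or account number paired with a PIN/password, and is escalated to "statutory PII" when a client's name appears alongside. It assumes the firm keeps a roster of client names as (first, last) pairs; the sample messages in the test are constructed.

```python
import re

# Constructed patterns for the identifiers named in the PII definition above.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
ACCOUNT_RE = re.compile(r"\b(?:account|acct|card)\b[^\w]{0,12}(?:\d[ -]?){6,19}\b", re.I)
SECRET_RE = re.compile(r"\b(?:pin|password|passcode|access code|security code|cvv)\b", re.I)
ID_RE = re.compile(r"\b(?:driver'?s?\s+licen[cs]e|state\s+id)\b[^\w]{0,12}[A-Z0-9-]{5,}", re.I)


def luhn_ok(candidate):
    """Luhn checksum: keeps phone numbers and case IDs out of card-number hits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_name(body, roster):
    """First name or first initial plus last name, as the definition puts it."""
    low = body.lower()
    for first, last in roster:
        first, last = first.lower(), last.lower()
        if re.search(rf"\b(?:{re.escape(first)}|{first[0]}\.?)\s+{re.escape(last)}\b", low):
            return True
    return False


def find_pii(body, roster):
    """Return the reasons an outgoing email body fails the policy (empty list = OK)."""
    reasons = []
    cards = [c for c in CARD_RE.findall(body) if luhn_ok(c)]
    if cards:
        reasons.append("credit card number")
    if SSN_RE.search(body):
        reasons.append("SSN")
    # Account/card number only counts when paired with a PIN, password or code.
    if SECRET_RE.search(body) and (ACCOUNT_RE.search(body) or cards):
        reasons.append("account/card number with PIN or password")
    # Name + identifier is what makes it PII under the definition above.
    if reasons and has_name(body, roster):
        reasons.append("statutory PII: name plus identifier")
    if ID_RE.search(body) and has_name(body, roster):
        reasons.append("statutory PII: name plus driver's license/state ID")
    return reasons
```

The firm rule on the slide is stricter than the statutory definition, so card numbers and SSNs are flagged even without a name; the name check only raises the severity.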
Often Skipped Password Concepts
Do not use personal passwords for work, and vice versa
Do not use the same passwords in many places
Do not save passwords in browsers and apps when prompted, on any device or platform
Never email a password
Reset instead of record
Mobile devices that have firm email (or more) must have forced passwords
Ok, we get it. We need to get busy, but what do we need to do and how do we prove our “Due Diligence”?
The 3 R’s
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
– ABA Model Rules of Conduct, Rule 1.1, Comment 8
3 Steps To Protecting Your Organization
1. Cybersecurity Assessment
Every law firm is different. What’s lacking in your security practices right now? What policies do you have and how are they trained/reinforced? What 3rd-party cloud apps are you using? Are your systems truly backed up? Where are you exposed to risk? Whose job is it to make sure your network is protected, and how do you know if they’re doing their job?
2. Action Plan
Based on what’s discovered, what do we need to do to ensure our systems, data and operations are secure from theft, compromise, corruption, etc.?
3. Ongoing Threat Management
You definitely can’t take a “set-it-and-forget-it” approach to security – your attackers aren’t!
Solid Cyber Strategies
Level 1 – End User Protection Technology
• Multiple Layers of Antivirus and Antimalware both active and scheduled.
• Software patch management for OS and TPAs
• Web filtering to prevent infected traffic from breaching the network gateway
• Advanced Spam filtering
• Mobile Device protection
• Least-Privileged Security Models
Solid Cyber Strategies
Level 2 – Next Generation Technologies
• Next-gen Converged Network Edge protection (Firewall)
• Behavioral Pattern Recognition software
• Data Loss Prevention (Email & Remote Access)
• BYOD Protection and Control
• Data Rights Management
• Network Device Control
• Penetration Testing
Solid Cyber Strategies
Level 3 – Policies, Education & Testing
• End User Training and Testing
• Technology Acceptable Use Policy
• Mobile Device Use & Loss Policy
• Corporate & Public Wireless Network Use Policy
• DR/BC Policy
• Vendor Standards, NDA, Confidentiality Agreements & Imposed Self Audits
• Employee background checks
• Data privacy policies
• Data Breach Policy & Action Plan
• Technology Change Controls
• End User Awareness & Testing
• Regular Plan Reviews & Testing
LINKEDIN GROUP FOR NATIONAL COLLABORATION & STANDARDIZATION
Law Firm Cybersecurity Due Diligence: www.linkedin.com/groups/8623243