EP 106: Anatomy of a Hack: Pandora Papers
About this episode
May 24, 2022
What are the Pandora Papers? Where did they come from? What’s the impact of the Pandora Papers on the legal industry? What are the practical cybersecurity lessons for everyone? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Kip Boyle: Hey, everybody. Thanks for being here. We really appreciate it. For the webinar, this is a continuing legal education session and it's called Anatomy of a Hack: The Pandora Papers. I almost said Panama papers, Jake, because man, we gave that one several times, didn't we?
Jake Bernstein: More than several. I'd say we did that one a lot.
Kip Boyle: We did, but, but there's some connections even still. So, I'm not going to say Panama papers unless I really mean it, but we're here to talk about the Pandora papers and particularly to not only understand the Pandora papers from a high level, but also, to understand the impact that the Pandora papers is having on the legal industry. And then what we want to do is we're going to then talk about some practical cybersecurity lessons for attorneys everywhere that will help you avoid being caught up in something like this. So, that's what we're going to do today.
Again, really glad you're here. And I want to introduce my co-host, Jake Bernstein, with the law firm of K&L Gates. Jake is my co-host for the Cyber Risk Management Podcast. I encourage you to check that out. We're available on everywhere that podcasts can be found. Jake, do you want to tell everybody about yourself?
Jake Bernstein: Sure. Thanks, Kip. So, I am a partner at K&L Gates. I have been a practicing attorney for just over 15 years and I'm also a CISSP with (ISC)2. So, I come at cybersecurity from both a legal and I guess cybersecurity standpoint.
Kip Boyle: Yeah, great. And Jake and I have been collaborating now for five years, something like that, six years. It's been a while. It's been a while. I know our podcast is in its fifth year and we recently published episode 100. And for those of you who don't know, my name is Kip Boyle and I work as a virtual or sometimes people like to say a fractional Chief Information Security Officer. And I've been working in the cybersecurity industry since long before it was ever called cybersecurity. And I've worked as a chief information security officer for an insurance company and an IT service provider.
And well, let's just say, I've been around the block and I've done a lot of cybersecurity management, but I've also done a lot of technical work as well. And these days, what I'm doing is as a vCSO, I am serving companies who don't have a security leader for whatever reason. Some of them are too small to be able to afford one. Some of them, it just doesn't make sense for them to have somebody on full time. And so, I can help guide them.
But anyway, so between me, who takes the operational cyber risk point of view, and Jake, who takes more of the legal and regulatory perspective, together we are here and we're going to help you understand what the Pandora papers are, what impact they are having already on the legal industry, and what continuing impact we think there's going to be. Okay. So, listen, if you have any questions, we invite you to put them into the Q&A box and we will respond to them just as soon as we can. And if we're really good, we'll actually have some time left over for a little bit of Q&A. So, Jake, are you ready? I think we should get going.
Jake Bernstein: Let's do it. Yes.
Kip Boyle: Great. Okay. So, let's start with the obvious question. What are the Pandora papers? And well, guess what, they are a lot like the Panama papers, because they're about the same size. There were 11.9 million leaked documents as part of the Pandora papers. And if you put them all together and try to store them in the same place, you're going to need 2.9 terabytes of storage in order to be able to do that.
Jake Bernstein: That's an eDiscovery nightmare, Kip, but yes.
Kip Boyle: And it's funny you would say that because one of the things about the Panama papers, it was really interesting, is that the investigative journalists who analyzed the Panama papers had the same problem. All they had was some creaky, old computers and not a computer scientist in sight. And here they are with all these millions of records and ultimately that's what they ended up doing is they got an eDiscovery solution and loaded all the records in there and actually went at it as a lawyer. Isn't that interesting?
Jake Bernstein: It is. It's also not surprising. There's only so many ways to tackle that much information and I'm glad to see that they figured it out. And the Panama papers were what? 2016. And so, when did the Pandora papers occur?
Kip Boyle: Well, that happened three years later. Now the leaks started in 2019, which is to say the ICIJ, which is the investigative journalist group that did the Panama papers, started receiving what would be called the Pandora papers in 2019, but it actually took them two years to aggregate all those files together, load them into the eDiscovery software, and then actually analyze them, so that they could actually write stories and tell stories about this amazing pile of data. And the publication began in the fall of 2021. So, this is pretty fresh.
Jake Bernstein: Absolutely.
Kip Boyle: Okay. So, the consortium is actually called the International Consortium of Investigative Journalists, which I'll call ICIJ from this point forward. And when they finished doing their investigation, they came up with this range of money that was represented in the Pandora papers, somewhere between $5 trillion US up to $32 trillion US, depending on how you counted it. And really, I've never seen $1 trillion of anything. So, $5 trillion as the low watermark still strikes me as an absurdly big number.
Jake Bernstein: I mean, that's a lot of money.
Kip Boyle: That's a ton of money. It's a ton of money. Yeah, up to 32 trillion. Wow. Listen, from looking at the impact of cybercrime on the world, that's like a $10 trillion per year impact. And I know from doing the comparatives that if you aggregated $10 trillion of crime into a national economy, it would be the third largest national economy on planet earth behind the US and China. And now, we're talking about an amount of money that is approaching the first or the second largest economy in aggregate. So, yeah, hopefully, that perspective helped, but like the Panama papers, the Pandora papers document the activities of thousands of offshore shell companies used by the most powerful people around the world. I want to just spend a little bit of time unpacking just how enormous this data is and how it compares.
So, if you take a look at the slide here, this is the most expansive expose of the financial secrecy that we've ever seen. And just to be clear, 2.94 terabytes of Pandora papers, 2.6 terabytes of Panama papers, and then it goes down from there. There's the Paradise papers. There was in 2013 some so-called offshore leaks and then it goes down from there. And WikiLeaks, if you remember, they had some cables, right, some diplomatic cables that they released. And on this graphic, it's just like a small little dot.
Jake Bernstein: Yeah.
Kip Boyle: [inaudible] gigs.
Jake Bernstein: Just a random bit of history. The reason that all of these tend to say papers, papers, papers is the Pentagon papers from much further back pre-internet really.
Kip Boyle: Yeah, that's right. I remember reading a book that was written about the Panama papers and the journalists deliberately were trying to figure out, "How are we going to brand this thing?" And you're right, Jake. They went to the Pentagon papers and did a riff on that. So, what are in these papers, these records? Well, there's documents and images and emails and spreadsheets. And they came from about 14 companies and the nations involved, including Panama, Switzerland, the UAE. So, it's quite a bit. So, I just wanted to take a moment and talk about that. Now, what I want to show you is just the mix of files.
So, in this diagram here, there's a little block diagram and every little block in the diagram represents 5,000 files. And I'm not going to parse this out, let you take a look at it, how many are documents versus images and so forth. But this is a lot, and boy, I know those journalists just had a field day analyzing these things. And the ICIJ eventually will put these on their website or maybe a subset of them. So, that junior, amateur journalists can take a crack at it. So, yup. What's interesting about the ICIJ is they take a long time, right? They take their time going through these records. This is not the first time they've done it and they're very good at secrecy. Nobody really outside the ICIJ knew that they had this collection of papers, which would ultimately be called the Pandora papers.
So, yeah, just fascinating. So, let's just unpack the contents of the papers just a little bit, because I mean, this is a very sensational thing, 35 world leaders, including current and former presidents, prime ministers, heads of state. I mean, this is very much like the Panama papers, right, so far anyway. More than 100 billionaires are covered in the leak, be they celebrities or business leaders, people like Elton John, Ringo Starr, Shakira, right? These are very well-known personalities. They were all named, them and more. I just grabbed a small selection of the really highly visible ones.
So, anyway, so that's what was in there. And today, the goal isn't to really examine whether these activities are legal or ethical or anything like that. So, what I want to do now is I want to transition to something that's going to be a lot more relevant for the audience, which is where did these records come from? And it's pretty well-documented where they came from. And on the screen right now, I've got a screen capture from the ICIJ's website showing where all of these documents came from. What's interesting is that I continued to search and search and search to try to find out, "Okay, if this is where the records came from, how did those records get out of these firms?"
And I think that's really the focus of what we want to talk about because these are data breaches, ladies and gentlemen. These are massive data breaches from law firms and other types of companies, right? Not everybody on this list is a law firm, but I'm going to pick on one of the biggest sources of the leaks, which is this Panamanian law firm. Here comes Panama again, another Panamanian law firm. Mossack Fonseca, which was the law firm that was the source of the Panama papers, was also based in Panama. So, anyway. So, I don't know if I'm going to say this right. Jake, can you pronounce those names? Is it Alemán, Cordero, Galindo and Lee?
Jake Bernstein: That sounds right to me.
Kip Boyle: I think I did okay, but I'm going to shorten that. That firm also goes by Alcogal.
Jake Bernstein: Okay, there we go.
Kip Boyle: Alcogal.
Jake Bernstein: That makes sense.
Kip Boyle: So anyway. Well, I picked them out because they were mentioned more than any other offshore provider in the leaked documents. And we're talking about 14,000 shell companies and trusts set up all over the world by this one law firm. And the other thing that I think is fascinating is if you look at the number of records, so over two million and the time period.
Jake Bernstein: Time period, yeah.
Kip Boyle: The time period is stunning. The first records from the trove go back to 1970. And if you think about that, well, okay, that means they must have digitized their records at some point, right? Somebody sat down. Many people sat down and did a ton of scanning of paper documents, right? Is there any other way to do it?
Jake Bernstein: No. I mean, that's what happened. Again, this was eDiscovery before it became something to discover, right? There are services that will go through and just digitize vast numbers. By the way, interestingly enough, Glenn D. Godfrey & Company, also a law firm.
Kip Boyle: Oh, good to know, LLP. Yup, and they're in Belize. Yeah. So, there's at least two law firms on this list. And really, that's really the idea here is, hey, Mr. Attorney, Ms. Attorney, you have a treasure chest in your firm of records that other people would like to see. And maybe you're not making shell companies and trusts, but there's no doubt you have confidential information that if nothing else, the other party in a lawsuit or in a transaction that you are facilitating would love to have access to that to prepare themselves for a defense or a negotiation or something like that.
And so, these are real data leaks and this isn't an ethics CLE. We're not going to roll out the RPCs this time. You can watch our last CLE if you want to do that. But really, this is just about, "Hey, your law firm is valuable. You're serving your customers and you certainly don't want to have a data breach." I thought it would be interesting to throw in the principals of the Mossack Fonseca law firm at the center of the Panama papers, Ramón Fonseca and Jürgen Mossack. I like putting their faces here, because I think it's important for people to remember these are real people, right? It's not a faceless organization.
Jake Bernstein: It is no longer an organization as we know.
Kip Boyle: That's true. Yeah, yeah. It's now bankrupt and out of business. It only took two years from the time that the ICIJ published until that law firm was completely gutted.
Jake Bernstein: And there were raids by the Panamanian authorities and there are people in jails as far as I understand.
Kip Boyle: Yeah, yeah. There are people in jails. There's people on the lam, lots of fines. And what's interesting, too, that I think is also important for attorneys to realize is that Mossack Fonseca was founded in 1977. And until 2016, when the Panama papers were published, this was a firm that was obscure to the world. Nobody really knew who these people were or their teams, the name of their law firm. But once the leak got out, well, gosh, everybody found out who they were. So, let's really focus on how did these records leak? And in the case of the Panama papers, we don't know for sure. In the case of the Pandora papers, we don't know for sure.
The ICIJ is protecting their sources, but I will tell you that in the case of the Panama papers, they did come out and talk a little bit about who provided those records to them and under what justification. So, for the Panama papers, the justification was, "Hey, I have access to these records. I'm going to give them over to you, investigative journalists, because I don't like how this wealth is being hidden from being taxed and so forth." So, it was an ethics thing, a whistleblower deal, but we don't yet know who leaked the Pandora papers. And what's fascinating is you saw the list, right? Jake, there's a huge list of firms that suffered a data breach over this.
Jake Bernstein: Yup, which is quite different than the Panama papers where there was one source.
Kip Boyle: Yup, just a single source. But this, we don't know, right? Was it malicious insiders, right? Was it a bunch of insiders who got motivated from the results of the Panama papers and thought, "Oh, man. We have to do our part"? And so, these were trusted insiders who went rogue. Was it outsiders? Were the systems and the protections on these firms breached in some way, or perhaps they weren't very well protected anyway? Is it a political agenda? Did they make money? Was it about revenge? We really don't know. And to me, that's a little scary because as a cybersecurity professional, I like to think about how these things happen so that I can actually pull together a prioritized mitigation approach, right? But this is amorphous.
Jake Bernstein: It is and it's very difficult to plan a defense when you are uncertain of your attacker's motives, right? If it's all about money, that leads to certain conclusions and certain defense mechanisms. When it becomes a matter of principle, as it appears to have been with the Panama papers, it can be a lot harder. I mean, someone might be dissuaded from doing something if you're just a little bit harder to attack than your neighbor, if it's just about money. But it's not. That puts you in a whole different position.
Kip Boyle: It really does. And it makes the threat more insidious, because when somebody's motivated by money, there are limits to what they'll do to attack you. But when they have a political agenda or they're bent on revenge, people don't really account for money spent on those kinds of missions.
Jake Bernstein: No, I mean, rationality can go out the window.
Kip Boyle: Yeah, it absolutely does.
Jake Bernstein: That becomes very challenging.
Kip Boyle: Yeah. But I will say that on the ICIJ website, if you go there and look around, they are actively soliciting leakers and whistleblowers, right? So that tells you, I think, something about maybe some of the motivation here. I would think that the ICIJ is probably going, "Oh, wow. All these confidential sources are insiders or maybe many, many, many of them are. And so, yeah, we should probably hang out an invitation for more." I don't know. I mean, that's how I interpret it. How would you interpret it, Jake?
Jake Bernstein: I think it's going to be interesting. I mean, do we even know if the Pandora papers are from the same group? I guess we wouldn't.
Kip Boyle: The same group of leakers?
Jake Bernstein: Yeah, the same group of leakers.
Kip Boyle: We don't know.
Jake Bernstein: Is it one leak or is this a dozen plus leaks that has been-
Kip Boyle: Yeah. So, we don't know.
Jake Bernstein: ... aggregated?
Kip Boyle: We know they're from multiple firms, right? And so, then the question is, did they have insiders in multiple firms or was it a single outsider who just methodically attacked each firm in turn? Was it a remote attack that was purely electronic, or was there somebody actually in an office building? I don't know.
Jake Bernstein: So, the dangerous question, what do we know about the Pandora papers?
Kip Boyle: Well, we know that the ICIJ has them. We know that they've spent two years analyzing them. We know a great deal about their contents. And we know where they came from. We just don't know how. How did they get out of these law firms and other financial firms? We showed you the list. How did they get out of there and get into the hands of the ICIJ? And nobody's talking about that. I can find no information about that.
Jake Bernstein: Interesting.
Kip Boyle: Yeah. And if anybody listening to the CLE knows or has a lead on how it happened or really a strong theory, I would love for you to come and tell us, because as I said, it's difficult to guard against a data breach when you have no idea how they're coming to get you. So, hold onto your records, people. All right. Let's take a look at the global impact of the Pandora papers really quick. And it really is global, more than 27,000 companies in the data, right? I got a little screen cap here that shows you a heat map. It's a map of the world with all the geopolitical boundaries on it, and you can see where it's affected.
And I'm looking at this map and there are, there's one, two, three, four, five... I mean, less than a dozen places have no color on them. So, it's really global in scope. And then just in terms of politicians, more than 300 politicians from 90 different countries and territories and there's a full breakdown of where these politicians come from correlated to the different firms that had their records stolen, which ones were serving. And you can see that Alcogal, our law firm in question, is at the top of the heap when it came to politicians with quite a number.
Jake Bernstein: And it's not even close.
Kip Boyle: Nope, it's not even close. So, Africa, Americas, Asia, Europe, Middle East. I mean, they really had the lock on the world. So, yeah. So, that's another reason why I thought it would be good to focus on them. Now, because law firms are the source of so many of these records, there's actually something going through the US House of Representatives right now.
It's actually a bill going through there that would extend know-your-customer regulations from the financial services industry into the legal industry, which means that lawyers may soon be required to investigate foreign clients who are seeking to shelter their assets in the American financial system. So, attorneys, if you don't want to have to act as an agent of the US government and do these kinds of investigations, well, I don't know, call your representatives perhaps.
Jake Bernstein: We could probably have an entire CLE just off of this slide, but that of course is not the focus.
Kip Boyle: Right. No, it's not and maybe we will. Folks, if you want us to unpack this in a future CLE, we'd be happy to do it, but it's called the Establishing New Authorities for Businesses Laundering and Enabling Risks to Security Act.
Jake Bernstein: The ENABLERS Act. Got to hand it to the folks that come up with these acronyms for federal legislation.
Kip Boyle: Yeah, yup. And so, it would require lawyers to follow the same anti-money laundering responsibilities as a bank. And I've got the name of the representative sponsoring this legislation. It's bipartisan. So, yeah, you can call your favorite representative. All right. Let's go ahead and pivot now to... Now that we've explored the big picture, right? What are the takeaways for attorneys? If you're listening to the CLE, watching the CLE, and you're thinking, "Okay, fine. This all makes sense, but what does this mean to me?", well, let's go and do that. Well, the first thing is that I think you need to accept the fact that these kinds of records disclosures, these kinds of data breaches, are a new normal.
So, don't think of this so much as the ethics of offshore tax havens, because you probably don't dabble in that. My bet is that if you're watching this, you don't do that kind of work, but it is about the security of your client files and it is about what can happen when you lose control of them. And even though we don't know the motive of the Pandora papers data breachers, it really doesn't matter. What I think a good takeaway is that people do this for all kinds of different motives and law firms are active targets. No one's going to be able to prevent all break-in attempts.
And so, the idea that you're just going to build higher, thicker digital walls. I mean, this is true for everybody on the internet, not just attorneys, but it certainly does apply. And so, you've really got to shift your mindset. You've got to become better cyber risk managers in addition to practicing law. I don't know. What do you think? I'm not an attorney, Jake. What do you think about what I just said?
Jake Bernstein: So, I think that a lot of law firms have been conditioned in the last 10, 15, even 20 years, particularly large law firms about what are called outside counsel guidelines, OCGs. And these are generally, I suppose you could call them voluntary sets of rules that relate to representation of a specific client. The fact is though, is that most of these OCGs are very similar. It would be untenable if there were 50 different OCG types and they all were substantially different, right? They're really not substantially different. And so, there's this sense of okay, well, we're doing this stuff.
We're doing it in order to comply with these OCGs, but like many compliance regimes out there, there can be an important difference, and given that you've got a Guy Fawkes mask here, between real security and theater or masks, window dressing, if you will. And I think that because these X papers are the new normal, it's no longer enough to be satisfied with wearing a mask or having some quality theater. I think there's a difference now and there will be an increasing difference between the firms that can do it for real and the ones that don't. And we didn't even talk about the law firm attacks in the US that were overshadowed by the Panama papers.
Kip Boyle: Oh, it's coming up. I actually have a slide on that.
Jake Bernstein: Oh, good. Well, there you go.
Kip Boyle: Yeah. So, I think what you're saying is yes, Kip, I agree with what you said.
Jake Bernstein: Yes, Kip. I agree with what you said.
Kip Boyle: And then you said some other things that I thought were really helpful too, but really the Pandora papers, the Panama papers, all these breaches really, they're extreme examples, but they nicely illustrate the ethics of the attorney's responsibility to protect sensitive client data. Here's the slide I think you were thinking of.
Jake Bernstein: Yeah, that's the one. And I think, they're extreme examples, but my fear is that they're not or that they will not be seen as extreme in the coming years. We as lawyers, and again, this is not the ethics version of this talk, but it's out there. You can find it. But we have a critical responsibility to our clients to maintain confidentiality. And by definition, a data breach is a loss of confidentiality. And these are just some, right? These are just the ones that have been publicized enough that we are aware of them and these are big names.
Kip Boyle: Well, as somebody who's not in the legal industry, I don't recognize them and immediately go, "Oh, my gosh," right? But I do know just by reading some of the stories that I read that some of these firms are considered to be very prestigious. Is that the way you see it?
Jake Bernstein: Yes.
Kip Boyle: Okay. And look at the different things that were targeted, like Wall Street earnings, pre-release earnings, client records and things like that. By the way, do you know why they called it the Pandora papers? We know why they called it the Panama papers, right? But why the Pandora papers? Did I ever share that with you?
Jake Bernstein: I don't know.
Kip Boyle: Okay. Well, it's because the journalists saw this new clutch of records as a Pandora's box that they needed to open.
Jake Bernstein: Yeah.
Kip Boyle: So, yeah. Hooray, ICIJ. And I think another thing that I want to be clear about is these are not gigantic law firms that are being tipped over and having their records stolen, at least not all of them. There are many smaller law firms in here. Even very small ones are susceptible to this, right? I talk with business leaders all the time in many, many different industries. And what I find is a theme is that they don't understand that there are new economics in play here, right? So, if you think about a typical business leader might say to themselves, "Well, why should I go get 10 mid-sized clients when I can take that energy and I can get 1 giant client or 2 giant clients? And then my billings are going to be much bigger and I have that many fewer relationships to manage and so forth, right?"
So, there's this idea that people want to go after the big game, because that's the most economical. You're going to get the biggest return on your investment, but that's not the way cyberattacks work at all. They're well-organized. They've got sophisticated technology. They're scaling their operations. And I often say this and some of you may have heard me say it before, but every technology that Amazon uses to challenge Walmart is in the hands of the cyber criminals. And so, it's very low cost for them to target any and all law firms no matter what the size, no matter what the location. I don't know. What do you think of that, Jake?
Jake Bernstein: I think too, that there's a tension at play particularly on this slide, in that we often tell clients and customers, understand that you're not being "targeted," because I think a lot of people have this sense of, "Well, who's going to come after me, right?" And the implication there is that they are being specifically sought after. They're being targeted by an individual. And we find it very important as cyber risk managers to dispel that myth by saying, "Unfortunately, you're not that special. What's happening is that there is a vast quantity of bots that are essentially automated phishing lines." That's probably one of the reasons why we call it phishing.
Kip Boyle: Phishing. Yeah, yeah, a drag net. Yeah.
Jake Bernstein: A drag net and these things can happen to anyone. So, that is true. But in this context, I actually think that we have to be careful and walk back a little bit of what we say. And I think you're about to give us one example of exactly why. So, maybe if you talk about Puckett & Faraj, which as you say, as for attorneys, you'll see why I'm thinking that we need to walk back that to some degree.
Kip Boyle: Okay. Well, let's look at that case. This is a very interesting case. It happened about 10 years ago. Nearly three gigabytes of private email messages that were internal to the law firm, Puckett & Faraj, were stolen and released to the public by Anonymous. So, we know in this case that it was Anonymous, because even though that is an anonymous group, they claimed responsibility for it. And why did they do it? Well, their motivation was outrage. It was a political agenda, because Puckett & Faraj took a very controversial case. They were defending US Marines that had been charged in a 2005 massacre that had happened, I think, in the Middle East.
Jake Bernstein: Iraq, Afghanistan. Yup.
Kip Boyle: Yup, yup, yup. And so, that's why they were attacked and the firm was dissolved in less than a week from the time that it was attacked. And on the screen, I went out and did the research. And I was wondering where, so I pulled up a Google Map. Where are these folks located at? And that's when I came across the permanently closed banner on their Google Map entry. And then I continued to do some research.
And I actually found an excerpt of an email that was released as part of the data breach where the office manager, whose name was Marcy, actually sent a message to her mother and said, "Hey, there's a group that's hacked our law firm. It's stolen all of our data. We're trying to get control over this." And then she says, "This may completely destroy the law firm," which was prophetic because it did. And so, I mean, it's awful. It's awful.
Jake Bernstein: It is awful, but this is also why I say we have, to some degree, walk back the automated non-targeting component of cyberattacks, because you can be engaged in behavior and activities and whether it's you or your clients that can bring attention. And what makes that particularly difficult from a cyber risk management perspective is that it's relatively, I don't want to say, simple or easy or even straightforward, but it's relatively at least common to defend against non-targeted, broad-based trolls, trolling attacks, phishing attacks, things like that.
Kip Boyle: Opportunistic.
Jake Bernstein: Opportunistic. We expect that, right? When it actually becomes a targeted attack, it's a completely different ballgame.
Kip Boyle: It's a lot harder.
Jake Bernstein: I mean, it's so much harder. And so, in terms of risk management, what law firms should be doing is not just taking all of the precautions that they have to take, because they agree to do it in OCGs, but they should also be thinking about... We call it threat modeling, right? Yeah. What are we engaged in right now that might make us a target for either criminal hackers or activist hackers? Hacktivist is a thing. And I think that it creates a very different threat environment for law firms.
Kip Boyle: It's harder, it's much harder.
Jake Bernstein: It's much harder.
Kip Boyle: It's much harder. There's no doubt about it and you may not even be able to really stop them. But that doesn't mean you should not try. You still have to practice reasonable cybersecurity and do your best.
Jake Bernstein: I'd say it goes the other direction. You have to try even harder. There's not an option of anything other than trying harder.
Kip Boyle: Yeah. Well, so let's start talking about some of the practicalities here. We told you we would. And so, now, let's go ahead and do that. So, if you're wondering, "Oh, my gosh. Where do I start? Okay, this is all very interesting, but what does it mean to me and what do I do?", well, I would say your top concern is phishing because that's how most attacks start these days. And why is that? Well, quite frankly, it's much easier to compromise the emotions of a person sitting at a computer who is using an account that is privileged to access records that, as an outsider, you could not access, right?
So, if I can phish somebody, then I can possibly steal their accounts to get access to systems and data, maybe drop malware on the machine silently so that I can remote control your system, or I can get into your email and I can hijack monetary payments, monetary transfers, maybe pilfer out of your trust account. I mean, there's all kinds of awful things I can do, but really phishing is a huge source. There's other sources, but this one's particularly insidious. And no matter how good your firewall is or maybe you're using a cloud first approach to doing your systems, phishing is just pervasive. It exploits your people and your processes, not really your technology. So, yeah. So, this is a big deal.
And what I challenge my customers to do is to make clicking on a phishing link irrelevant. I really think that should be your goal. A lot of people would say that your goal is to reduce the rate at which people are clicking on a phishing link or that your goal is to get zero people to click on zero links or something like that. But that's not tenable. We've been pursuing this goal as an industry for years, and I have yet to encounter anybody who's actually been able to achieve a zero-phishing-click environment.
Jake Bernstein: And the statistics have shown that the best you can do is about a 3% click rate, and that is still far too many to rely on training as a primary defense of any kind. And the issue here too, is, again, going back to the discussion we just had, and this is again why threat modeling is so important. You may fend off those opportunistic, relatively random attacks through phishing training and exercises, but the ones that really hurt, for example, certainly the targeted ones, those are going to be a lot harder to fend off, because those are going to be far more sophisticated.
Kip Boyle: That's right, and they're going to be more patient. They're going to strive to be silent until they strike. So, what we have here as we wind up the prepared material is a list of the top mitigations that we think you should be considering. These are mitigations that have come up over and over and over again when we're working with our clients. And we also think that these are high value mitigations, which is to say a dollar spent on any one of these mitigations is going to be one of the best dollars that you can spend in terms of value provided. Let me just walk through this list very quickly and say a couple of things about each item.
And then what I'd like to do is I'd like to open it up for Q&A. Well, okay. First of all, data backup is so important and there's actually a strategy that you should use. It's called the 3-2-1 data backup strategy, big surprise. Well, guess what? The last CLE that we did in December of 2021, which is on YouTube and you can watch it, we talked all about 3-2-1 backup data strategies and how it works. And you definitely want a document retention policy, because I don't know about you, Jake, but the idea that I would have records going back to 1970, that I didn't purge those records, you shouldn't do that, right?
Jake Bernstein: Well, and even if you don't purge them, you should think about ways... Is there a reason that every record that you've ever had needs to be accessible via the network? Because if you can at least reduce the overall potential impact of a successful breach, even that is helpful. So, whether it's a document retention or a document archive policy, it's important.
Kip Boyle: Yeah. By the way, somebody made a chat here. Ian says, "Phishing links these days have become more advanced. It looks more and more legit. We just have to be extra cautious in our clicking habits." I'm not going to say that you're wrong because I think the phishing links are more advanced. They're more difficult to detect, but I go back to something I just said a moment ago, which is the idea that you're going to get zero people clicking on zero links, I don't think is reasonable. And so, you need to do things to make clicking on a link irrelevant. I really believe that's the better way to think about this, but Jake, you've heard me say this many times, about the idea of making clicking on a link irrelevant, but what's your take on it?
Jake Bernstein: It's defense in depth, right? It's the layered approach that has served military strategists well for thousands of years. You can't rely on any one single mitigation that in this case, phishing links. You're going to get phished. You know that. People are going to click, you know that too. So, what else do you do? And we're not saying, don't do trainings, don't do exercises.
Kip Boyle: Correct, we're not saying that.
Jake Bernstein: We're not saying that. I mean, it's best to minimize the threats that you're exposed to, but it certainly is not enough. And I don't think anyone anymore would ever argue that or even discuss that. So, these other ones, I think, are really important. Use non-administrative accounts for daily work. There's no reason to have full administrative access to a computer that's being used for day-to-day operations. Some of these, like the next one, ATP for Office 365, that's a very specific one. On the other hand, MFA everywhere, MFA everywhere.
Kip Boyle: It's just table stakes these days.
Jake Bernstein: It should be considered table stakes, I think, for every organization, which is really interesting, Kip, as you and I have seen the evolution of cybersecurity insurance, right? It used to be, not even two years ago, that you could get cyber insurance at a good price with a lot of coverage for very little effort or cost. Now, good luck trying to get any insurance without MFA everywhere.
Kip Boyle: That's right.
Jake Bernstein: You basically can't.
Kip Boyle: Yeah, it's extremely difficult. Even if you offer to pay a higher premium, a lot of carriers won't do it.
Jake Bernstein: They'll just say no.
Kip Boyle: They'll just say no, or they'll quote you something that's outrageous. And I've seen that. We had a $1 billion company come to us recently and say, "We've had cyber insurance for 10 years, but this latest renewal we were given was ridiculous. And so, we're not going to buy and we're going to self-insure for cyber," which made me sweat a little bit, because what they were asking us to do was help them do that. And so, I was like, "Wow, you're going to self-insure for cyber." And then I said, "Well, show me the quote." And they did and it wasn't outrageous. It was ridiculous. It was not economical for them to pay the premium, take the significantly reduced coverages, significantly higher retention. It just didn't make sense to do it.
So, it was clear that those insurance companies did not want to cover them even with MFA, and so they wrote this crazy quote, but anyway. Sorry, got on a rant there. So, you were talking about MFA, Jake, and then just a couple more bullets here. You want to stay on supported software. You don't want to lag behind in your operating system versions or your applications. You don't want to lag behind there, because while phishing is a huge attack vector, you can also get attacked because you don't have all of your security patches installed. And even if I phish you, if I can then find systems that don't have all their security patches, it makes my life as an attacker just so much easier if you don't do that.
And then procedurally, don't move money on the strength of a single terse email that rolls into an inbox at 5:00 PM on a Friday with pleas and begs from what looks to be some powerful person in your firm saying you've got to move this money right away. There really needs to be a two-person rule established for transactions that come in over email versus ones that come in by phone call or something like that. I'm sure you've seen plenty of attacks where people tried to get you to move money. Well, it's almost always an email. Sometimes it's a text message, right? And so, you want two-person rules in those situations just to give people a chance to get out of their adrenaline rush, because they think that the firm's senior partner just asked them to do a quick favor.
Jake Bernstein: My favorite example is when the senior partner suddenly wants a whole lot of gift cards. It's a good point or a good red flag there. Why do they want that?
Kip Boyle: Yeah, especially if they're iTunes.
Jake Bernstein: Yup.
Kip Boyle: Okay. Well anyway, so those are the top mitigations that we think move the needle. So, there you go. Hopefully, you have some of those in place already. Well, let's go ahead and switch to an open question and answer session. So, if you have any questions or just comments, we'd love to hear from you. And so, just go ahead and open up the chat and let us know what's on your mind. We're happy to have a conversation with you right now.
Jake Bernstein: Yeah. And while people are thinking about that, I think I would just like to add here that from a set of legal requirements, the requirements that we're seeing come down from all manner of regulatory bodies in different countries and states are all converging on this idea of reasonable cybersecurity. And I think what that looks like is it's never going to be a specific list of mitigations, because those lists of mitigations are going to change, right? They're going to change over time. The key though is to be aware of the risk, do that threat modeling. I think that's just so very valuable. And then do risk assessments on a regular basis to force yourself into doing these things.
Kip Boyle: Do you want to explain why the mitigations have to change over time?
Jake Bernstein: Well, Kip, that is because the bad guys' strategies change over time constantly, right? They're always innovating. They use their ill-gotten gains to engage in heavy-duty research and development. And if we don't keep up, then we will be quickly caught.
Kip Boyle: Yeah, it's an arms race. Every time we release a new product or a new strategy, they buy it or they implement it, right? So, these crime groups have their own laboratories, these computer laboratories where they have purchased really every commercial solution available. They take them apart. They test them, whether it's a black box test or whether they've stolen the source code or whatever it is. And they're constantly trying to figure out how to overcome our defenses. And so, that's why.
And I really encourage my customers to think of cyber criminals more as a competitor, as in somebody just came into town, set up shop. They're going to sell the same thing you sell, except they're going to sell it for 30% less and it's 25% better. How do you compete with that? Because when you lower your price and improve your product quality, this competitor is going to do the same thing again, right? So, it's back and forth, back and forth, back and forth. And that's really, I think, a more accurate way to think about cyber attackers these days. So, questions, comments, anybody? We still have a few minutes here and we'd be happy to be in a conversation with you.
One of the things that I talked about when we opened up the session today is that Jake and I are the co-hosts of the Cyber Risk Management Podcast. So, what I'm going to do for those of you who might be interested to check that out is I've just put the URL to our podcast. We have a website and I encourage you to go there and check it out. And I think we're on the... Gosh, what episode did we just publish? ... 102 or something like that. Yeah, we've been doing this for a while. And right now, I've got somebody on my team who is transcribing every episode and putting that transcript online.
And so, we've got almost our entire back catalog online right now. I think, the majority of them at this point have transcripts that you can access. And I would say in a couple of weeks, all of them will have been transcribed and will be available out there for reference. So, we'd love to have you as a member of our audience going forward to our podcast. And if you want to listen to it and you have suggestions for topics that you'd like us to tackle, we'd love to hear from you. Please tell us what content you're interested in knowing more about and we'd love to be an audience-driven show as much as possible.
Jake Bernstein: All right. Well, I'm not seeing any additional questions or comments. So, I think we can go ahead and wrap this up.
Kip Boyle: Yeah, I think we should. So, thanks everybody for being here. We really appreciate it, give you a few minutes back in your day. We're going to do another CLE. It's going to happen just before everybody breaks for summer. It's going to be actually in the June timeframe. So, hopefully, you'll mark your calendars. We'd love to have you come back. If you enjoyed the session today, maybe you'll share with another attorney that you got something out of this and that they should check out the next one. We'll also send you the replay link.
And so, if you want to watch it again or share it with somebody that you think would get something out of it, then please go ahead and do that as well. Okay, everyone. Oh, Ian says, "Can you cover cyber insurance for small businesses in your podcast sometime?" Yes, thank you. We have definitely talked about cyber insurance in our podcast. We have several episodes on the topic, but I don't think we've covered specifically for small orgs. Jake?
Jake Bernstein: I'm not sure. I can't remember. We have to go back and check.
Kip Boyle: Yeah, we'll definitely go back and check. So, thanks for that suggestion. Okay, everybody, that's a wrap. Really appreciate it. Hope the rest of your week goes really well. Bye.
Jake Bernstein: Bye-bye.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.