EPISODE 98
 
Minimum Viable Risk Assessment and Data Backups

EP 98: Minimum Viable Risk Assessment and Data Backups

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

February 1, 2022

Today’s episode is a replay of the free online continuing legal education session that Jake and I delivered back on December 15, 2021. You’ll learn how to conduct meaningful cyber risk assessments and create ransomware-proof data backups.

Join us for our next CLE at noon Pacific time on Wednesday, March 30th where we’ll explore the impact of the Pandora Papers on the legal industry and the practical, cybersecurity lessons for attorneys and their clients.

https://www.eventbrite.com/e/anatomy-of-a-hack-pandora-papers-tickets-255528421387

Tags:

Episode Transcript

Kip: Hi, this is Kip and I'm interrupting the start of the show with a brief announcement for the attorneys in our audience. Once every quarter throughout the year, Jake and I offer a free online continuing legal education session. Our next CLE will be at noon Pacific Time on Wednesday, March 30th. And this time we're going to explore the impact act of the Pandora Papers on the legal industry and the practical cybersecurity lessons for attorneys everywhere. So join us online for a one hour cutting edge CLE on March 30th, 2022 at noon Pacific Time so Jake and I can share what we've learned by analyzing the Pandora Papers, a massive collection of over 11 million confidential leaked documents about offshore wealth that were stolen from law firms, and then recently published. In addition to one CLE credit, you'll also receive actionable advice that you can use right away. So, sign up now on eventbrite.com by using the link in this episode shownotes. We hope to see you there. And now let's listen to the next episode of the Cyber Risk Management Podcast.

Speaker 2: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Kip: Hi, this is Kip, and I'm going to introduce today's episode, which is a replay of the free online continuing legal education session that Jake and I delivered back on December 15th, 2021. While the session you're about to hear is primarily designed for attorneys, we think listeners everywhere will learn useful practical things. For example, whether you are an attorney or you pay for the services of an outside attorney, you need to know the professional obligations of lawyers to practice reasonable cybersecurity. After all, law firms are treasure troves of sensitive information that certain other people would like to see. And in this session, you're about to hear, we also describe using simple business language, how to conduct meaningful cyber risk assessments, and create ransomware proof data backups. Okay, I hope you enjoy this episode of the Cyber Risk Management Podcast.

Hi, everybody. Welcome. This is a continuing legal education course that we're offering. We do these four times a year. We do them once a quarter, and this is our fourth quarter of 2021. I've started to write 2022 and say 2022. So, I just about tripped up right there today. We're going to focus on an ethics topic. So, for those of you who are looking for an ethics CLE, as you get here to the end of the year, you're in luck. We're going to talk about risk assessments and we're going to talk about data backups, and we're going to do that in the context of if you're an attorney, and you want to meet your professional obligations to your clients. And with me today is Jake Bernstein, podcast co-host. We host the Cyber Risk Management Podcast normally. Hey, Jake. Thanks for being here.

Jake: Hey, Kip. Thanks for having me.

Kip: And you are coming to us today from the downtown Seattle offices of K&L Gates, right?

Jake: I am. Yes. It's one of the rare times that I have been in the office since joining the firm, but we're going to make this work.

Kip: I think your audio sounds very good. I don't know what you're doing, but keep doing that.

Jake: Well, that would be AirPods Pro, which, which are quite useful for this.

Kip: Wow. Yeah, no, they sound great, and just glancing at your video right now. I can barely see that you have any gear on as compared to me. I've got these enormous cans on my head and your audio probably sounds just as good as mine. So, yeah, there you go, technology. All right, well, let's get this thing underway. So, Jake, you're going to go first. The way we've got this presentation set up is Jake's going to go first. He's going to talk about the attorney's perspective on risk assessment and data backups, and then about halfway, we're going to transition it over to me and I'm going to talk about the cybersecurity practitioner's perspective on those topics. So, take it away, Jake.

Jake: That's right. Kip. If you've come to some of our previous CLEs, the initial focus here will not surprise you. We've talked quite a bit about our PC 1.6(c), and by the way, that's the Washington version. Of course, it is also the model, the ABA model rule 1.6(c), if you happen to live in another jurisdiction, but this time we're going to really focus on process and digging in a little bit more to both an ABA formal opinion and the comments to these rules. So, let's go ahead.

Kip: Yep. You tell me when you want me to change the slide and I'll do it.

Jake: Got it. You guessed that time, but in the future, I'll say next slide, please.

Kip: Great.

Jake: Okay. So, just to set the stage real fast, RPC 1.1 is pretty straight forward. It's maintaining... It's the competence. One, it's our baseline. As this says, effective September 1st, 2016, which isn't that long ago in the scheme of things. This was amended to include the underlined and bold face section here, which is that competence now includes understanding the benefits and risks associated with relevant technology. So, basically, we can't just completely ignore the technology that we use as lawyers. We are responsible for it just the same as we are responsible for keeping up with the changes in the law. So, next slide please.

Now, 1.6(c) is new. And again, in the Washington state, this was effective September 1st, 2016. It's roughly 30 states in the country have adopted this or something very, very similar to it. And what this says is that the lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, unauthorized access to information relating to the representation of a client. Really, this is the cybersecurity ethical rule. You have to maintain the confidentiality and the integrity and the availability also it turns out of your client information. But this presentation is really going to focus on that reasonable efforts. And in order to do that, we're going to look at the FTC's reasonable cybersecurity standards. So, next slide please.

Kip: Yeah, it really twists on that term reasonable to, doesn't it?

Jake: It does. Now, lawyers oftentimes love the term reasonable because it gives us a lot to argue about in litigation, but reasonable is a very fact intensive inquiry. It is built up over the course of time by judges, by practice. So, what it means is it's not easy to just quickly define it. So, advance the slide, please.

Kip: Sure.

Jake: So, in order to understand reasonableness in the cybersecurity standpoint for the rest of the economy, we're going to go back and way back to 1914 and just look at Federal Trade Commission Act. So, the FTC has the ability to regulate unfair methods of competition in or affecting commerce and unfair deceptive acts or practices in or affecting commerce. And the way that the FTC has chosen to regulate cybersecurity is through the unfair prong, which these days is codified in section 45(n) of the FTC Act. And next slide, please.

Because of this, and this remains true, the FTC is the defacto federal data security and privacy enforcement authority in the US. Now, coming up in just over a year when the California Privacy Rights Act takes effect, there will be a new California only privacy regulatory body that has not previously existed. But even after that point, the FTC will be the only national authority aside from some very specific privacy related enforcement agencies and actions like the Office of Civil Rights that enforces HIPAA. But otherwise, the FTC has had the most experience and has been doing this the longest. And next slide, please.

What they've done is they've really taken their 60 plus security settlements and lawsuits. Next slide, please. And come up with this concept of reasonable security measures, which must take into account entities of similar size and sophistication, and also look at the type amount and methods of data collected. So, what this really is just saying is that really large and sophisticated companies that have very sensitive data are going to be held to a different standard or a different set of facts, really. It's the same standard, but it's a different level of care than smaller companies that maybe are less sophisticated or just collect data that isn't particularly sensitive. Now, for law firms, it's really easy to see how this applies, right? There's boutiques, there's small firms, there's solo practitioners, and then there's giant firms, multinational law firms of thousands of lawyers.

Kip: And you've worked in both.

Jake: And I have worked in both and I've also worked at the government. It's only fair that the standard applied or that the level of standard, the kind of level of security that is required under the reasonableness standard is going to adjust. So, if you're a solo practitioner, this is not to say you have no responsibilities. That's not at all a case. It just means that you're not going to be held to as high of a standard as large law firms. Next slide, please.

Kip: You bet.

Jake: This is something that, it goes well beyond just the FTC security standard. It goes well beyond the ethical duties of lawyers. Really, it's just a truism for the entirety of everyone who deals with cybersecurity is that you can't just look at it as checkbox compliance work. This is, it must be practiced. It must be done on a regular basis, which really is continuous. Okay. So just to make it clear, the risk of failing to secure your law firm and your confidential client data is malpractice. And this is not hypothetical. One more slide, please.

Kip: Sure.

Jake: This case is several years old now, and any resolution has not been made public at this point, but this was Equitable v. Johnson & Bell was a class action against the law firm. And this one was a little bit different. This law firm made a pretty big deal out of how secure it was. And then it turned out they didn't do that.

Kip: So, they had it on their website and so forth that they were doing all these great things.

Jake: It's a little bit of a self inflicted wound, but-

Kip: I don't think it's that far off from the idea of practicing checkbox security.

Jake: No, perhaps not. I mean, I think certainly if you're going to say you do something, that better be backed up by practice. But even these days, whether you make a public statement about it or not, it's still a problem because now we have all these RPCs and these other rules. So, go ahead and advance the slide, please. Okay. So, where I want to take this particular discussion is really into how to be reasonable. What does that actually look like? And so-

Kip: For an attorney.

Jake: For an attorney because we want this to be practical, right? We can sit here and we can repeat what the RPCs and these formal opinions say ad nauseam, but that doesn't really help you understand what it looks like to be reasonable. So, let's go ahead and advance the slide, and take a quick look at this opinion from 2017. And just as a historical footnote, this is a follow up to ABA formal opinion 99413, which is the one that really allowed lawyers to use email communications.

Kip: That is so quaint.

Jake: It is. But if you think about it, when email first came out, it was not at all clear that it was safe. In fact, arguably it's less safe now than it was when it first came out, unless you're using a fully encrypted email system, and a lot of things have changed. If all parties are within Office 365 or Google Mail, then it's at least an encrypted connection that's being used to deliver those emails. So it's different than it was. But the bottom line is that there was at one point a concern about that. But this new opinion, this newer opinion really goes into detail about the reality of cybersecurity and cyber threats.

Kip: This is ABA formal opinion 477, and you're talking there was a revised-

Jake: Yeah. It's very minimal revisions, but of course, the ABA does not permit anybody to reprint their opinions, but it's really easy. You just Google ABA formal opinion 477 or 477(r) and you'll find it for free on the ABAs site. Okay. Next... Okay. So, here's where we get into it. So, first the ABA agrees with the FTC that reasonable efforts are not susceptible to hard and fast rules. Again, this is great if you want to litigate these questions. It's not so good if you just want to comply with them. And like any good legal test, it's factor based. And in this situation, what the ABA says is that they reject requirements for specific security measures like firewalls, passwords. And instead go with, again, something that the FTC has done a fact specific approach to business security obligations.

Here's where we really are going to focus on. That requires a process to assess the risks, identify and implement appropriate security measures that respond to those risks, verify that those controls are effectively implemented, and then ensure that they're continually updated in response to new developments. There's another way to say this, which is just, this is how you practice security in the real world. It explains it very well, but that's what this is. This is really no more than doing security. On the other hand, it also isn't obvious or simple to a lot of people because unfortunately as clear as it is to state this, it's one thing to explain it, and it's another thing entirely to do it. How do you assess risks? How do you possibly know what security measures are appropriate, right? And then even if you can somehow figure that out, how do you verify them? Again, continually updating sound simple in theory, but it's actually not necessarily simple at all.

Kip: Right. And in fact, this really reminds me. Okay, so I'm a practicing Chief Information Security Officer. And so, you really are describing my work, and when I think about the law, right? So, sometimes I have to hire a lawyer to give me advice on a contract or something like that. And really, that's sort of the position that I'm in is where I can't keep track of all the things that are changing in the law. And so, I've got to go and consult an expert to find out what's the current state of affairs on this, that, or the other thing because I don't have time to become expert at it myself. And so, I go and I get an expert, I hire an attorney. I think that's what this is saying here is like, "Hey, if you're a solo practitioner and you have the time and the inclination, you can probably figure out what's going on. But if you don't, then you're probably going to have to consult an expert because they're the ones that are keeping their fingers on the pulse of what's considered reasonable. And how do you verify and how do you update." Would you agree?

Jake: I would agree. And in fact, the ABA, and the model rules, and even the RPCs in Washington also agree that lawyers can delegate these tasks and these requirements to other individuals.

Kip: Who don't need to be attorneys, right?

Jake: Who don't need to be attorneys. Yes.

Kip: Okay. That's great. Okay. You want the next slide?

Jake: Next slide, please.

Kip: You bet.

Jake: So, in addition to what we're going to spend the bulk of the rest of the hour talking about largely with Kip, I just wanted to bring up a couple other things that the formal opinion states, which is there's a component of coming to terms with these security issues with your clients. Ask them what's going to make them comfortable and what they might require. Big companies that deal with big law firms, they do this automatically. Those are called outside counsel guidelines or OCGs. They can be a pain to comply with sometimes, but they're kind of table stakes, right? Like you don't get to work with this client unless you can comply with their OCGs.

But if the company, if your client isn't big enough to even understand or know what kind of things to put in outside council guidelines, it really worthwhile to talk to them and figure that out. It's all about communications here. The rest of the ABAs guidance is really pretty... It's much more about understanding what you're getting into than it is necessarily knowing how to configure firewalls and SaaS software and web application firewalls. All the technical stuff can be done with experts, but what really can't be done by anyone else is to understand the nature of the threat and what you're doing with your client confidential information. So, you can't really delegate that. You can delegate the details and the execution, but you have to understand the broad picture.

Kip: Well, and that's not all that different from an attorney who would be working on a case and would have an associate or a paralegal. There's some things that would be delegated to them. This is conceptually the same, isn't it?

Jake: It is. Yep. So, go ahead and advance the slide.

Kip: All right.

Jake: And then, again, these are oldies, but goodies. Label client confidential information. There isn't affirmative responsibility to train both your lawyers and your non-lawyer assistance in the technology and information security. And then these days, it goes without saying that you've got have a vendor risk management program of some kind where you're conducting due diligence on any vendor that's providing a communication or any information technology that is going to touch upon client confidential information. That's all part of being reasonable. Arguably, that's part of the risk assessment. So, let's go ahead and advance the slides.

Kip: Sure. Yep. Here we go. So, Jake, why don't you delegate to me the part of the conversation?

Jake: Well, thank you. Thank you, Kip. I will do so. So, allow me to ask you first of all what is a risk assessment, really? And why is it so important?

Kip: Exactly what we're going to talk about next? And so, this part of the conversation, I'll go ahead and drive, and Jake, please feel free to add some additional perspective because we want to make sure that our attorney friends can understand what I'm about to say because I've tried to make it so that this part of the presentation is going to start getting into some of the details, but it's not all ones and zeros, right? So, if I stray into a bad territory, Jake, you need to yank my chain, and get me out of there. But you know what? Risk is all about ins certainty. And so, when you want to talk about risk assessments, what you're trying to say is I want a little more certainty about my uncertainties, right? How can I get some more clarity on this, and let's talk about scope.

Well, so we're talking about uncertainty about your data, your servers, cloud services, probably most law firms that have been formed recently are probably cloud-first law firms as opposed to law firms who have been around for a long time that might have legacy local area networks and so forth. So cloud services are becoming a big deal. And a lot of people think that cloud services show up secure by default. They don't, and we've got a whole other presentation on that. But again, you're trying to understand the scope of your sensitive data, the data that belongs to your client, and certainly your data, right? Because guess what? You've got payroll data. You might have health records on your staff. So, there's a lot of... Banking information, right? There's a lot data and you want to figure out, how is that data at risk? And then what can you do to protect it?

Risk assessment, risk management is all about tackling this idea that you have all this uncertainty, but you want to lessen that uncertainty. There's some real serious cyber risks that can actually go into the stage of risk, which I would call existential. In other words, if you don't get these risks figured out, then your law firm could go out of business. We've seen law firms go out of business due to cyber risks. Probably the greatest example that I could probably put out there. The big, big, big example is from the Panama Papers where that law firm located in the country of Panama, Mossack Fonseca was providing assistance for people who wanted to use offshore legal entities for their financial transactions, and ultimately they went out of business.

But even small law firms that were arguably doing good things for people. There was a law firm that had offices in Virginia and San Diego. They were defending members of the military who were being accused of very serious crimes. And somebody decided that that was not a good idea, that there were six Marines that were being accused of participating in a massacre in the Middle East. And there were a bunch of people on the internet who decided that those Marines didn't deserve legal defense by this attorney, and they proceeded to steal the entire mail store and a bunch of other files, and that law firm went out of business, too.

I mean, so those are some of the cyber risks. You could lose a client because maybe your website is offline when they show up to find your email address or get your phone number. You wouldn't even know that you missed your opportunity to get a new client, but that stuff happens. Law firms have to collect monies owed to them just like any business needs to, and if your invoices are lost, or if that data is corrupted then you're going to have a hard time collecting money's owed. That's existential if enough of that happens. Personal information from your clients can end up on the dark web or other places. I mean, Jake, it wasn't that long ago that we heard about those... I think they're called white shoe law firms in the Northeastern United States that had personal... Not personal information as individuals, but earnings reports, and there was a big insider trading scandal.

Jake: Yeah. Insider trading scandal. Yep. And that was an interesting one because those law firms did not know they'd been attacked. They only found out when the FBI showed up and said, "Hey, it looks like you've got some intruders." And that makes sense. Right now at the end of 2021, people are so used to thinking about ransomware and ransomware by definition is not subtle. In fact, it's in your face right when they want it to be.

Kip: But it is subtle up to that point. It can be in there for weeks.

Jake: They can, but one thing just to remember is that not all cyber attacks want you-

Kip: To announce themselves

Jake: A lot don't, and so that's a very common concern and issue.

Kip: Yeah, yeah. Thank you for... Ransomware was the other thing I was going to mention and Jake and I have worked on a lot of ransomware situations and it's just truly awful. And another existential risk for a firm that doesn't have enough size or heft to muscle through that. You can lose your firm. We would want that to happen to you. So, there's a common risk management process. And whether you're looking at a NIST publication to find how does the National Institute of Standards and Technology recommend that you do a cyber risk assessment, or whether you're looking at an ISO standard? So, it's the International Standards Organization based out of Europe. Wherever you go to learn about how to do risk assessment and risk management, it's all pretty much the same. They use different words. They organize themselves a little differently, but really what it comes down to is four steps.

The first step is you have to identify your assets and your threats and your vulnerabilities. Then you conduct an assessment of your risks given that inventory. Once you know what your risks are, you prioritize them because you have unlimited risks coming at you, but you only have a limited budget. So you've got to prioritize because you're never going to be able to manage all the risks that are facing you. And then once you've prioritized them, then you have to treat those risks, which is to say you've got to decide what you're going to do about them. So, typical four step common process. I would think, or I would say that risk assessment, the second step is probably one of the most controversial aspects of risk management, and we'll talk about that in a minute, but first I want to talk about risk treatment. So, there's actually four things crosstalk-

Jake: Before you do that, one thing I wanted to make clear on this is that the law, nothing requires that you take zero risk. You've just said that there is an unlimited amount of risk, which is true. You cannot get to zero. Just like it's been mathematically proven that you cannot write 100% bug free computer code, at least not yet.

Kip: Not yet.

Jake: Then you can never get risk to zero and there's an acetonic curve. How's that for a lawyer? Where at some point you're not really making much progress to reduce risk no matter how much you spend or do.

Kip: In economics, we call that diminishing value.

Jake: Diminishing returns, exactly. So, really I just want to preface this section by reminding people that ethics and the law are not requiring perfection. It's not possible.

Kip: And really, what I tell my non-lawyer clients is you are in business because you're taking a risk in order to earn profit. Risk taking is inherent in the business function. So you're never going to get to zero risks. And I think a lot of cyber security people struggle with that because they think it should be zero risk and they get a little twitchy sometimes when there's residual risk. But let's talk about how you can treat risk. There's really four things you can do, and there's a helpful little acronym, ACAT. If you can think of ACAT and let me just walk through it real quick.

So, you've got a risk on your hands. You're like, "What am I going to do with this?" Well, first thing you might do is you could say, "Boy that activity is so risky. I'm just going to stop doing it altogether." So you might say using file transfer protocol because it's all clear text and all my credentials and all my data is going over the internet in the clear. I'm just going to stop using FTP and I'm going to go do something else. I'm going to use a more secure form of file transfer. So, that's an example of avoiding risk.

You could use special procedures to control your risk. And that's what a lot of people talk a lot about is how you going to control the risk. What controls are you going to install? But controlling is only one of your choices. We'll talk more about controls in a moment, too. But another choice is you could accept the risk. Now, this is something you have to be careful of because I see a lot of people hand wave and say, "I don't know what this thing is so I'm just going to accept it." And I think that's a little reckless. Typically, I would recommend that you accept a risk when the cost of reducing it exceeds the cost of the asset. This is the proverbial building $1,000 fence to protect $100 horse. I like to keep the examples as concrete as possible, but that's when you would want to accept the risk, and not just because you don't understand it. And then the final thing you can do is you can transfer the risk.

So, ACAT, A-C-A-T. T stands for transfer. Some people also think of it as sharing the risk because you can never fully transfer a risk to somebody else, but you can get them to share in it. You can outsource. A good example is why should you take credit cards when you can outsource that to a professional credit card processor? And they're going to probably do a much better job of protecting credit card data than you are. So, you've outsourced you, and you can also buy insurance. The insurance story on cyber risk has gone crazy lately. The policies used to be very affordable and they used to provide wonderful benefits, but the insurance companies have really taken it on the chin lately. I think you still need a cyber risk policy, but it's so much harder to get a good one these days than it used to be. Right, Jake?

Jake: Yeah. It's really interesting. It's a good example of a situation where it used to be per se, unreasonable to not have cyber insurance because it was so easy and relatively inexpensive to get. These days that's not necessarily true. It's either it can be difficult to get. It can be very expensive. So, now it really does go into the more typical analysis, cost benefit analysis.

Kip: Yeah. We've been seeing our... We've got some joint clients, Jake and I, and we've seen some of them on their renewals having to double their premiums and get half of the benefits. So, things are really changing. Insurance is usually a slow changing industry, but this particular segment is evolving very quickly. Okay, so there's ACAT. Now, I want to roll back to a topic that I said we'd talk about moment, which is risk assessed. There's a lot of controversy and a lot of heated conversations about what kind of risk assessments you should do. And one thing people don't generally understand is that nobody, none of the regulatory bodies as far as I know, and anybody who knows different, please speak up.
As far as I know, nobody tells you exactly what kind of risk assessment you have to do because there's so many techniques. There's at least, I was looking at an ISO standard recently and there's 31 different techniques that they recognized as being valid forms of risk assessment. So, you get to choose what you want, what makes sense to you, and I'm just going to share three possibilities with you now. I'm not going to unpack them, but I just want to make sure you know what the three popular ones are. There's a whole category called quantitative risk assessment, and that's typically you're going to see something like a Monte Carlo simulation. You're going to use a lot of data. You're going to do statistics, and you're going to try to assess your risk in those terms.

In the slide here, I've got a picture of a distribution function where we had a particular risk and we used Monte Carlo simulation and we simulated what the impact might be if we controlled the risk. And then we simulated what the impact might be if we did not control the risk. In other words, if we just accepted it. So, this can be very helpful. The problem with quantitative approaches that I've seen is that it's kind of a garbage in, garbage out situation. So, if you don't have great data to feed into these algorithms, you're not going to get great results and getting great data to feed into them is a very expensive and time intensive process. So, if you're working at a larger firm that values data driven decision making, then quantitative risk assessments may make good sense and may be tenable for you, but they're not for everybody.

Another whole type of risk assessment is qualitative, and people say this all the time in these heat maps. Green, yellow, red. Sometimes there's orange thrown in there and dark green and light green. And so, a qualitative approach is where you are going to make a bunch of estimations, and you're not going to use a whole bunch of statistics and Monte Carlo simulations and that sort of thing. Now, there's not a lot of precision here, but it better than nothing. So for people who, if you work at a smaller firm, or if you work at a firm where intuition-based decision making is valued and making fast decisions and then adjusting as you go. If you're in a culture like that, then qualitative approaches are probably going to make the most sense. People will probably look at you like you lost your mind if you tried out a Monte Carlo simulation in a firm that doesn't believe in that kind of decision making, so be careful.

Now, the third type of risk assessment is called the gap analysis. Now, the gap analysis is very, very familiar to most people, particularly in mainstream business, they do gap analysis all the time to try to figure out how to get from where they are, to where they want to go. So the gap analysis is a very, very common tool that you'll see business people using all the time. I think it's really, it's easy for them to understand. When I'm doing work with clients, I'm often doing gap analysis because again, it's familiar to them.

Again, I cannot tell you what a bad idea it is to try out a Monte Carlo simulation to people who don't know much about that. They're just going to look at you weird, and trust me, it's probably not going to go well. But a gap analysis is really great. You can move fast. You can learn a lot. And then, that feeds directly into this idea of you got to find your gaps. Well, your gaps become your risks and then you can prioritize them, and then you can treat them or close them. So, this is familiar, it's quick, and it's less expensive than a full quantitative risk assessment. You have to do a few things to make this gap analysis work really well. But so, Jake, those are three different categories of risk assessment. Did you want to say anything about those before going on?

Jake: I think it's worthwhile just to remember that a lot of people will throw around gap analysis as equivalent to risk assessment as if it's the only kind. And I think that it's worthwhile to remember that it might be a common methodology, but it is not the only kind nor do you only have to use one. I think a lot of entities, particularly in this field because one of the other problems, which you hinted at with the quantitative risk analysis is that sometimes you just can't... Sometimes there just is no data, period. And when that's the case, you really can't use it no matter how much money you have to spend or how much time you have to do the Monte Carlo simulations. So, I think it's often wise to use a couple of different risk analyses and risk assessment methodologies, and gap analysis plus qualitative is really not bad.

Kip: No, it's not bad at all, and it's imminently practical, which is one of the reasons why I like to use it. It's familiar, it's practical, and that's what we're doing here. I don't have time to unpack this completely, but in the slide that I'm showing right now you can see different risk areas. You can see some scoring information that shows you where you are now compared to where you want to be, and then there's a gap that's produced. But really quickly though, I want to just touch on a couple things. If you're going to use a scoring system in order to do gap analysis, and I think you should, then you want to make sure that the scoring system is simple. You don't want to overcomplicate things, and I think that's where a lot of people, people go wrong with risk assessment, particularly, and risk management more generally is they just overcomplicate it.

Really, the key to success is simple, simple, simple. And so, like we use a zero to 10 scale where zero to four is some range of inadequate amounts of security. Five to eight is a green zone. The minimum security at optimal. And then don't forget, sometimes you can have too much security. That would be like a nine or a 10. And if you have too much security, you absolutely want to capture that because too much security is bad. You're spending more money than you need to. You have a false sense that you're protected and you're not. People are working around your controls, and it's a really bad deal. Morale is sinking. So, I don't recommend excessive security. You should try to find that and back it off as much as you can.

Jake: Just real quick on that last slide, I wanted to point out that this is a sliding scale here and do you have to use zero to 10? You might be thinking, "Well, can't you just compress that to zero to five?" Sure. I mean, you could, but there is a risk of getting too simple. I think one of the things I see a lot with a gap analysis is a system that tries to be binary, and yes or no. In general, this is more of an opinion than a statement of fact or even legal advice. But in my opinion, a binary yes or no, true or false system is probably not giving you enough information to work with when trying to do a gap analysis. Do you agree, Kip?

Kip: Absolutely. Because I think that gets you back to checkbox security am I checking the box or am I not checking the box? And the reality on the ground at the desk level is never that simplistic. It's always shades of gray and a checkbox, and a yes or no approach is really trying to say, "Hey, the world's black and white, you either are, or you're not." I don't see that. In my work I've rarely if ever have I seen it to be the case and in most cases it just isn't. So, don't overcomplicate it, which is my point and Jake, you're right, don't simplify it to the point where it's not useful.

Jake: Yep. Totally agree.

Kip: Okay. So, just a real quick example of how you can use scoring systems. So let's say you've got a question, how well does your organization regularly test cyber incident detection processes, and procedures. That's actually out of the NIST cybersecurity framework. Well, when you're trying to find out how well do we do that? You can use a scoring system, and I've got an example of a score key right here on the screen. And the way we do this is we just say, "Well, would you please just read the statements and then tell me the number that corresponds to the statement?" So, for example, if you've never heard of what I just talked about, if you don't even know that was the thing, well, you'd be a zero because you don't even know what this is. You couldn't possibly be doing it.

And then it can go up from there. You might score yourself a six in the green zone. It's like, "Oh yeah, we do that all the time. We're really good at it." Or if there's so much testing going on, you can't get your job done. Well, then you're probably in a nine or a 10 like you're overdoing it. Anyway, just wanted to give you an example of how this might work. Okay, so how do you get started? If you've never done risk management and risk assessment before, and the way that we're talking about it here, how do you get started? Well, I got some ideas. We want to keep this practical.

If you're new to this, or if you work small office and you don't have a lot of resources, I suggest you go get the essential eight, which is published by the Australian Cybersecurity Center. It used to be published by a different Australian entity. But this is from our friends down under, and I would do a gap analysis against the essential eight because that's a really good eight practices. It helps you practice good cyber hygiene, and it's going to keep you out of trouble in terms of malware and that sort of thing. So, that's where I would start. Now, if you work in a larger office, I certainly would recommend that you do the gap analysis against essential eight, but you probably also have enough resources that you could do a gap analysis against the NIST cybersecurity framework. Now, the essential eight is going to really put a highly technical lens on cyber, right? But the NIST cybersecurity framework is going to help you treat it as a business risk, which is really, I think a level of sophistication that a larger office really needs to be at. I think that's reasonable.

Jake: I would actually go one step far other and say that the essential eight are, I would almost call that a... To me that's a limited form of cyber risk assessment. It's very much a cyber hygiene focused risk assessment because it's so technical. It's an amazing place to start, do not get me wrong. I do think though that one of the great things about the NIST cybersecurity framework is that because it can scale. Well, you can go really deep. You can stay a little bit more shallow. Even just taking five minutes to think about the five functions of the cybersecurity framework, identify protect, detect, respond, and recover can really help you out when you have nothing. The difference between the cybersecurity framework and something like the ISO 27001 standard is scalability. ISO is, is fine. It's a bit older. We can argue about it. Kip and I generally argue about it with other people because he and I are very much aligned on being huge fans of NIST cybersecurity framework, but be that as it may-

Kip: We're biased.

Jake: We are biased. We totally admit that, but regardless, even if you are just starting out, don't discount the cybersecurity framework. Just save it until you have a little bit more experience because it is still valuable.

Kip: Yeah. Okay. I agree. Thank you. And now, if you still are just saying to yourself, gosh, risk assessment has to be quantitative, great. But you probably want to hire a specialist because there are specialized tools. You have to understand the deep magic of advanced statistics in order to really wield those results, to get good results, and an expert's going to see risks quite frankly you're just not going to be able to see. Anyway, that's how I would get started. Now, I want to transition as we wrap up our time together today about data backups because we said we were going to talk about that. And this is a very particular risk, so you've got all this data and you need to make sure that it's being kept safe. I would say this is almost the number one risk that law firms have, and we could argue what whether it's truly number one or not, but it's got to be top five. Wouldn't you say Jake?

Jake: I think so. Absolutely.

Kip: Yeah. All right. And that's true for all businesses, by the way, not just for law firms. I mean, I learned that apple growers actually need to have good data backups.

Jake: I mean, backups are... They protect... They may not be the most convenient control in the world, but they protect against so many threats. They're just so critical.

Kip: Yeah. They really are. And people overcomplicate them and some people just don't really do the job. So I want to walk through a very, very common scenario that I see all the time that if you could get your arms around this, I think it's really, really going to help you. This is a low hanging fruit for you.

Jake: Kip, those all look like cloud services. Aren't those just backups?

Kip: Well, you might think that they are. So, whether you're doing OneDrive or Google Drive or Dropbox or Box or whatever, you're probably using some kind of a cloud service and you're probably synchronizing your data or storing your data up there. So, I've seen this over and over again where you've got people and I do this, too, where I've got a laptop computer and I'm synchronizing my local files with a cloud file service because why? Because if I lose my device, I want to know that I've got another version or sometimes I leave my laptop in one room and then I go to another room and I want to work on those files on a different computer, and I just want them to be there. So I'm synchronizing my files.

Now, that's pretty good as far as making sure that you don't lose data, but believe it or not, you're not covered. So, if you think that these file synchronizations are data backups, they're not. File synchronization and data backup overlap like a Venn diagram, but they're not the same. So there's a lot of convenience. But the problem is, is that if you get struck by ransomware, for example. Well, all these services are going to do is they're going to synchronize the encrypted files up to the cloud, and then they're going to synchronize them down to whatever other computers you've got them set to synchronize to.

Jake: I do want to point out one thing just because it's a little bit less clear than it used to be only because some of these cloud services are starting to provide versioning and multiple, which are a form of backup. The difference though between a true backup and cloud-based versioning is that to my knowledge, at least there is no way to easily restore a given version from a cloud, right?

Kip: It's really awful.

Jake: It's not designed for that, and it should not be relied upon as a backup, backup. It's great as a backup for if you screw something up and hit save and you're like, "Damn, I can't believe I did that," or whatever, but that's because you're talking about one or two files. Then there's no problem, then it's a great convenience.

Kip: Yeah, I would say if you've got a pain point, a single pain point like that like, "Oh, I deleted a paragraph. I need to get that paragraph back," I think is what you're saying, Jake. And I agree with you completely. It's a great help. But if you've lost all your files due to a ransomware attack and you think you're just going to do some restore some previous, you can do it. You will spend a ton of time, and a lot of headache. You will pull out a lot of hair trying to make it work. It's clunky, it's slow, and you'll hate it. Just trust me, you'll hate it. And you'll wish that you'd followed the advice I'm about to give you.

Jake: Yep.

Kip: Okay. Because the common risk is ransomware, and here's a screenshot of an actual ransomware note that we collected during an actual ransomware response that Jake and I worked on. And my God, the last thing anybody wants to see is one of these ransom notes shown, flashed on the screen of your computer when you walk up to it randomly one time. Now, if ransomware happens and you don't have your data back up, you're talking about matters in progress are going to be seriously delayed. Four to six weeks at the least, probably. And then Jake would a ransomware attack that causes that kind of delay, does that violate rules to professional conduct or how would you interpret that?

Jake: So, we actually have a separate CLE on that topic, but the short answer is yes. It turns out that failing to prepare for ransomware attack and then being unable to provide client services actually is a violation of ethical duties.

Kip: Okay. We don't want you to do that. So, here's how you want to control this risk. You're going to want to use something that we cybersecurity people call the 3-2-1 strategy. If you use a 3-2-1 data backup strategy then you are going to be protected against this. You will be reasonably protected against this. I'm not going to say that you'll always be protected against it because unfortunately the ransomware attackers are constantly innovating the way that they attack us. And so, it's Tom and Jerry it's cat and mouse, it's back and forth. But a 3-2-1 strategy is actually very, very good. Very, very reasonable. And it's going to give you ransomware resistant data backups.

3-2-1 really means you're going to have three copies of your data, your team's data. Unless you're a solo practitioner, you're probably not working alone. So, you're going to have three copies of your team's data. Now, two of those copies are going to be the ones you have now. You're going to have one local drive and you're going to have a copy in your cloud file synchronization. Those are your two copies. You got to get a third though. And the third one is going to be an offline copy. A copy that if your devices get infested with ransomware cannot be disturbed by that ransomware. It's disconnected, it's offline. And there's a couple ways you can do this. So, if you are a small office, if you're a solo practitioner, there are many choices of backup services. Now, it's cloud backup, but it's fine because it's not cloud synchronization. All right. So I just wanted distinguish-

Jake: That is an important distinguishing. I mean, there can be cloud... Cloud does not mean problem. It's just cloud sync versus cloud backup.

Kip: That's right. And so, I'm talking about adding cloud backup to your cloud synchronization. So, it's a separate service, very inexpensive for what you get. Now, if you're a solo practitioner or a small firm, I recommend a product called One Backup, and it's made by a company called SpiderOak software. Now, the reason why I recommend this one in particular, although they have many competitors and you might choose another one is because they are the only provider that I know of for solo and small firms where you control the encryption key, and I think that's very, very important.

If you back up to a cloud backup service where it's encrypted, which you want, but that you don't control the encryption key. Well, that means that the provider might disclose your files to anybody. Particularly, if the government presents a warrant, then they have the key. They're going to be obligated to decrypt the data and to hand it over. And I have no idea if that's a problem from an RPC standpoint. I'm just telling you, I would not want to use a service like that. Do you have a perspective on that, Jake?

Jake: I mean, there is a reasonableness component here in a lot of situations. I think, though, that the underlying concept for any encryption, if you don't control the keys, it's only kind of encrypted.

Kip: That's right. It's only kind of protected.

Jake: It's only kind of protected.

Kip: Right. So, there's a recommendation. Now, if you're a medium or a large office, there are so many different choices. There's no single obvious choice that I can give you. I tried to come up with one, but I really couldn't. There's so many different use cases. You're going to have to go out there and you're going to have to do the research, but I will tell you that my customers tell me that Rubric and Veeam are really the best in class. Can you afford them? I have no idea. Some of their services are very, very expensive and you need to be a very large organization to take full advantage of them, but I would just hold them out as ideal or best in class for benchmarking purposes.

So, it's Rubric and Veeam, but I think the key is if you're a medium or a large firm, you want to go to whoever your vendor is, and you want to ask them, "Are my backups ransomware proof?" And if they say yes, then you need to say, "Please explain to me how that is true." Don't just stop at yes. Yes is checkbox security. You need to understand. You need to say, "Show me how." Listen, if they can't explain it to you in a way that you can understand, it's not because there's something wrong with your brain. It means they are the problem. They are not very good at explaining things. And it could also possibly mean that they're lying to you. So, be careful.

Jake: Or it's not... Lying is such a harsh word.

Kip: Well, it's happened.

Jake: It does. But I think more and almost a greater risk is that they don't understand either. And so, that is a situation where they think they're telling the truth. They may think that your backups are ransomware proof, but if they don't understand, then their answer may... I mean, it's-

Kip: They may have been lying to themselves. And now they're unknowingly lying to you. Who knows? The point is-

Jake: Or someone lied to them, who knows?

Kip: Somebody could have lied to them. They could have technical people that didn't quite do their job, but said that they did their job. Anyway, the point is, I want you to stay out of trouble. So, I want you to ask, are my backups ransomware proof, please explain to me how their ransomware proof so that, that way you're not just flying in the dark on this one. Okay? So there you go. So, what did we cover today? We covered your ethical responsibilities with respect to risk management. When Jake walked you through the RPCs, the ABA formal opinions, we talked about FTC, we talked about reasonableness, and then I went ahead and I talked with you about risk assessment and risk management.

We talked about ACAT, the four different standard risk treatment options. We talked about quantitative risk assessment, qualitative risk assessment, gap analysis. And then finally we gave you a case study on data backups, which are fundamentally something you have to do well. It's a top five or maybe a top... Maybe it could be the top most item on your list of things that you to do. So, that's what we covered today, and we've got some folks here that may want to ask a question. So, let's flip it over into question and answer session. Melinda, are you ready?

Melinda: Yes. Thank you. So, if you guys have any questions, either something you picked up from the presentation, or just any questions in general, feel free to put them in the chat room and we'll be happy to answer them.

Kip: So, Jake, while we give people a moment to decide if they want to be brave, and ask us a question, what questions do you think that law practitioners would have?

Jake: So, here's one thing that I'm going to actually provide a tip or a question that law practitioners should ask. In any law firm, there's bound to be, if you're a small law firm, you might not have an IT department, but you probably have an IT guy or an outsource person. Ultimately, it is your responsibility not theirs to safeguard confidential client information. Ask them questions. Get yourself comfortable. The reality is that IT... What's the function of IT, Kip? It's a rhetorical question. In my opinion, the function of IT is to keep things functioning-

Kip: Available.

Jake: Available, make it work, right?

Kip: Mm-hmm (affirmative).

Jake: That is just one piece of the so-called CIA triad. And to put it in less jargony terms, IT is not security. It is the most common mistake ever to-

Kip: Conflate them.

Jake: ... conflate. Thank you. That was the word I was struggling to find. Conflate IT and security when in reality they are different and they have different mindsets.

Kip: They have to work together, though.

Jake: They do have to work together. There's no shame in asking your IT guy, "Hey, are we fully protected?" And then honestly, be on the lookout for a response. If they can't explain to you, then it doesn't mean they're a bad it person. It just means that they don't know security.

Kip: Right. And you know what, and you shouldn't even really blame them because here's what I've noticed over the course of my career. I've been doing this for a few years, ladies and gentlemen. The thing that IT people get beat up the most about is what we just talk about availability. When a system is not available, that's when they feel the heat from the folks that are depending on them. And because of that, that's really what they pay attention to is how do I keep the stuff from going down? But as a result, they don't pay attention to other things like data integrity aspects, data confidentiality aspects. They don't even necessarily know if somebody's broken into the network and is silently sneaking around preparing the network to be exploited. This is happening constantly because IT people are never explicitly told, not only do you need to keep the services up, but you need to keep the data confidential. You need to keep the data... Make sure the data has high integrity and for God's sake, whatever you do, tell us if somebody's broken in.

Jake: Yep. So, we have a question here. What are your thoughts on ISO certification 27001 and 27701. If you're an international company, it could be seen as a quasi requirement for certain businesses. I mean, I know for a example, for a lot of large law firms, including my own, we basically must have some type of ISO certification because we're so international. There's nothing at all wrong with the ISO certifications as a general matter. However, they require an expertise to implement, and really make useful-

Kip: Operate.

Jake: ... and operate. They're expensive. I guess, that's my thought. They can work, but they're expensive.

Kip: Yeah. I think of an ISO certification or any certification for a firm is being similar to a certification for an individual. I earned a Certified Information Security Professional certification, CISP. Jake, you've got one, too. Just because I have one doesn't automatically mean I'm great at what I do. It just means that I passed this test, I've got this credential, and I keep it active, or I don't. It's sort of table stakes. It sort of gives you the right to be in the room, but it doesn't guarantee that you're the best at it.

Speaker 2: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
(silence)

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

  Newman DuWors LLP

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.