Welcome to The Optimized Law Firm Podcast, where we chat with legal pros who can help you run a more profitable and enjoyable business.
This week we’re talking with Tom Kirkham of Irontech Security. Irontech has been a leader in the cybersecurity space for over 20 years, and Tom has a lot of experience with the cybersecurity issues that law firms, in particular, are facing in today’s world. Some of that deals with how to keep your firm’s information safe from outside intrusions, and some deals with how to abide by the regulations for the protection of legal data and information.
We’ll start out with the crazy story behind why Tom got into cybersecurity. Then, keep listening for the rest of the episode where you’ll learn what the biggest risks for law firms are and hear some security tips that will let you sleep peacefully at night, knowing your firm’s information is secure.
What’s in This Episode?
- Who is Tom Kirkham, and what is Irontech Security?
- What are the biggest security threats facing law firms?
- Is antivirus software enough, and if not, what does a baseline level of protection look like?
Welcome to the Optimized Law Firm podcast where we talk about making your law firm more profitable and more enjoyable. I’m your host, Patrick Carver, and I’m the owner of Constellation Marketing. We specialize in helping law firms increase their monthly revenue by 300% by winning more business online.
I am pleased to have a special guest on today’s podcast. It is Tom Kirkham with Irontech Security, and Irontech Security has been one of the best cybersecurity companies in the industry for over 20 years. They’ve been providing IT and cybersecurity services to utilities, accounting firms, and most importantly for us, law firms.
They have experience with securing law firms from outside intrusions and also dealing with some of the professional rules that go into law firms. So, really happy to have you guys, ’cause I think this is an important issue. And with that, welcome Tom, and thanks for joining us.
No, it’s my pleasure, Patrick, and happy to be here. Excellent.
How did you get into cybersecurity?
That’s a really good question. Of course, I’ve been an IT professional for four decades. But in 2015, an FBI agent walked into my office and proceeded to tell me that I was on an ISIS kill list. Always a fun conversation. “Yeah, yeah, there’s a few thousand of us in the United States that your name, your address, where you work, your phone number, all your contact information is on an ISIL list to be killed.”
And the reason I got on that list is because of a data breach, we think it was an online retailer, but it was a data breach. It was totally random. People think that it’s because I’m in cybersecurity or whatever. But that wasn’t the case. Everybody on my particular list was totally random… All over the nation.
If you remember back in those days, there were politicians, military, law enforcement, like in New York City, there were some other lists in Washington, there were about four or five lists that came out that year. The one that I was on was a pure data breach, totally random, designed to tie up FBI agents, field agents to go tell people they’re on a kill-list and to create chaos and fear and uncertainty.
And because of that, it really intensified my interest in cybersecurity, that very serious things can happen, people lose their lives or their livelihood, or a great deal of money… And besides all of that, I’ve personally just been interested in crime… I’m a big fan of heist movies. The Oceans movies, The Italian Job, Thomas Crown Affair, both versions. And it’s just a fascinating field, and I love technology, I love the pace of change, and there is no faster pace of change than cybersecurity, so it’s a natural fit.
How would you cover or describe cybersecurity in general? Especially in the context of a law firm, what areas does that encompass within the scope of work that you and your firm work on?
Well, there are many components to it for attorneys or a law firm, really. That’s very obvious, but just for the sake of stating a few right off the top of my head…
There’s perhaps no better company valuation than the firm’s integrity, and the fact that they secure their client data, their discussions have been private for hundreds of years. But now those discussions are logged and they’re stored in files, and a breach can expose that publicly and be held for ransom, published on Wikileaks.
And that reputation is what can, if that is destroyed, I can’t think of a quicker way to destroy a law firm. And not only that, but everyone knows the RPCs or rules of professional conduct. You are ethically bound to secure your client’s data, and it’s just a much tougher thing to do in these days of cybercriminals and nation-states.
And we do have to worry about nation-states. If you’re a patent attorney, you’ve gotta worry about China. China has stolen more intellectual property over the past couple of decades than anyone else in the world, some experts consider it the greatest transfer of wealth in human history.
If you’re a personal injury attorney, you’ve gotta worry about medical records, getting fined from HIPAA. The HIPAA regulations are enforced by the Office of Civil Rights, which is not something easy to defend yourself. They fine first and then talk about what went wrong and why you’re liable. The Office of Civil Rights has a lot of power.
And so with the advanced tools that the criminals are using, such as the NSA’s own offensive cyber weapons, those were leaked…NSA was breached, the tools are available for free on the dark web. The dark web is the web that people don’t see. If you know how to get on it, then you’re in… Anything you can imagine is on the dark web, and so these criminals and nation-states swap tools, techniques, and sell data to each other for various purposes. And since these offensive nation-state cyber weapons are freely available, the game changed four years ago.
No longer is antivirus “reasonable efforts” to secure your law firm. If I get put on the stand as an info specialist against an attorney that only had antivirus, only followed with their IT, people say they’re gonna lose the case.
We do not consider antivirus only, or even protection without an InfoSec team, we don’t consider that “reasonable efforts,” and we’re seeing it industry after industry after industry. Very quickly changing and requiring certain high-tech defensive tools, requiring a security team being engaged not after the fact but before the fact to defend the law firm, so you don’t have to have… You won’t suffer a ransomware attack or your data is somehow breached.
Speaking of ransomware, I feel like that’s gotten a lot of headlines, and for good reason. It seems like a lot of, whether it’s local government offices getting compromised, it seems to be extremely common.
What are some of the really specific threats that are synonymous with law firms or their acts that are happening to law firms, that are unique to law firms? Or is it a lot of ransomware? What’s kind of happening out there commonly with firms?
Well, ransomware is the biggest scourge on Earth right now, and it’s a shame. It doesn’t matter about law firms, it’s indiscriminate, it’s done at scale. We hear JBS, Colonial Pipeline, these big attacks, 45 million ransom, 12 million ransom, here about the city of Atlanta that I think were… I think they only wanted $50,000, this has been what, four or five years ago, they were only demanding $50,000 in… What did Atlanta spend, something like $5 million or 10 million getting over it? They refused to pay the $50,000.
So the ransomware, what’s really sad about it is if we all implemented the right stuff, we would all be immunized from ransomware. It can be stopped. But the awareness just simply isn’t there, and that’s what I spend every day doing, is talking about… “You can prevent this from happening to you.”
Then after that, you get into, What type of law do you specialize in? I mentioned patent attorneys, intellectual property, then you’re at risk of being a targeted victim. So the vast majority of ransomware attacks are the $5,000 and $10,000, $20,000 ransom demands where they cast a very, very large net. They may send out 100,000 phishing emails, maybe to all of the members of the New York State Bar.
I think that’s probably about 100,000 [members], and they just send it out to them. They carefully craft the email. Like, this bill from Westlaw or something like that. “You haven’t paid it, and we’re gonna turn the service off.” Well, if you need the research, the bookkeeper gets that… “Oh, that’s critical to our firm, that it doesn’t go down. I better open up this Excel spreadsheet and see what invoices they say we haven’t paid.” And that fires off a ransomware attack.
The attackers do not know, nor do they care. If you’re a one-man law firm, if you’re in the middle of rural upstate New York or in podunk Mississippi, panhandle of Florida, Utah, they don’t care. They don’t know and they don’t care. It’s all automated using bots, and they are just raking the money in, and after about a week or so, they close up shop and go spend some time on a tropical island.
It’s a highly, highly lucrative business. They think in terms of conversion rates. They send out 100,000 emails, if they get a 1% victim conversion rate on that, and the average ransom they collect is $10,000… What is that? 1,000 times $10,000. Good. One million dollars.
Right? It’s enough money to make it worth their while.
How common do you think this is… You have clients from all over, but do you have a sense of, within the entire state of New York, just 100,000 attorneys, how many of those people are getting hit or are getting targeted for an attack?
That’s an excellent question. And what I’m seeing in my informal polls during continuing education webinars, is I ask everybody that’s on the webinar: Have you or someone you personally know, been a victim of a ransomware attack?
Yesterday we did one that was over 20% of the people on the webinar. Even I’m shocked by that number. And it’s consistent, it’s always between 10 and 20% of law firms that are on that webinar have either that they themselves been a victim or someone they personally know has been a victim, so this is not something that you just hope it doesn’t happen to you. You’ve gotta do more, you’ve gotta be a leader and establish that security-first culture in your firm.
You’ve gotta take it seriously that the numbers are against all of us, and the US government can’t do anything about it. The vast majority of these criminals, there are tens of thousands of them, they live in Russia, and because their interests are aligned with the Russian government, sowing chaos in Western democracies, they’re protected and coddled and sometimes given marching orders by Putin. Their interests are aligned. And it’s very, very lucrative.
I refer to them as Russia’s cyber mercenary force. And they’re quite skilled. The days of these phishing emails and phishing emails, it’s with a p-h-i-s-h-i-n-g, they are just shot-gunning, basically throwing a big net, like I said. The days of these emails being poor grammar, bad graphics, misspelled words, those are long gone. I get a chuckle when I see one like that these days. “Wow, look at this, it’s like one from five or 10 years ago.”
These are highly polished emails, perfectly worded to psychologically manipulate or con the user into opening the payload. And it’s not just a ransomware payload. If you are among those 10 or 20% that have either had an attack or know someone, understand this: for the past four or five years, ransomware attacks have had multiple payloads. They install server backdoors, keyloggers on all the workstations, other… Getting nerdy about it, boot sector loaders, and other malicious things, so that once the ransomware attack is all done, the attacker then sells a list of all the servers that they’ve installed backdoors on for other criminal specialists or nation-states to exploit at a later time.
So if you’re one of those people that’s had a ransomware attack and your network has not been scanned by an infosec specialist with high-tech tools, these enterprise-grade tools, I promise you, you’ve got server backdoors, at least, on there. Keyloggers on there. And we’ve seen them be on there dormant for years, waiting to be exploited.
If you’re one of those that are thinking – and I’ve heard it professionals say this – “Well, you’ve already had a ransomware attack. You’re probably not going to have another one.”
That’s entirely untrue, it’s more likely you’re going to have another one because they know you’re vulnerable.
I was gonna say that, that it’s almost like a signal that you’re an easy target.
So let’s get into some of the financial costs, ’cause I think this feels like one of those things that it’s like insurance or it’s not sexy, but ultimately this can have a tremendous effect on your profitability as a firm.
You could be paying us a bunch of money to do your marketing, you could be getting big new cases in, but if you are a victim of a ransomware attack or… And maybe you can talk a little bit about the rules of professional conduct side of things.
If you get involved with a lawsuit for exposing client information, what are some of the financial ramifications, whether it’s a ransomware attack or just a disruptive attack, that it affects your ability to conduct business or it takes all of your files away, things like that. What do the costs look like?
Well, there’s a lot of intangible costs, right, so if you… Even if you elect to pay the $10,000 or $50,000, and incidentally, like I said, this is done at scale, those initial ransom demands are calculated on the fly, usually based upon how many workstations the malware discovers on the network.
So you may know of a guy, a single-attorney firm, it was a $5,000 ransom, but if you’re part of a firm that’s got 50 attorneys, it’s gonna be more like a million.
Then cybersecurity insurance, if they pay… And we’re seeing anywhere between 20% to 49% of claims are not getting paid… They have limited liability to what they’re going to cover, so the intangible cost of these breaches have to be carefully considered. It’s your analysis. It is a fact that if you don’t up your game, it’s just a matter of time before you’re breached and you may be even breached right now and not know it.
You’ve gotta… If you’re not in an area or a state that requires the reporting of it, you will be… There’s legislation at the federal level that is going to require notification of breaches within 36 hours of detection, so you can’t keep it quiet, nor should you… That’s not ethical.
So as soon as it gets out, you’re gonna lose clients, I promise you. I had an accountant that I used and they got acquired by another firm that I knew got hit with ransomware. Now the reason I know it is just because they bought the Bitcoin from me to pay the ransom.
And I immediately switched firms, because they still weren’t taking security seriously, so you’re gonna lose clients once it becomes public knowledge, but you may lose… There may be other collateral damage. So when Sony Pictures got hit by North Korea and all their internal emails got published, there were other people that didn’t even work for Sony Pictures that lost their jobs over the information that was divulged.
You know, you mentioned the operational disruption or destruction to the firm. What’s your average billing hour, even if you’re only down for eight hours, what’s that look like, what’s that impact on gross revenue? What if you’re down a week, what if you’re down a month? Insurance is not gonna make that whole or only partially whole…
You might lose contract revenue, I mentioned earlier, devaluation of your trade name or your personal reputation or the firm’s reputation, you possibly could see increased cost of debt, we’re beginning to see banks raising interest rates on their customers that have suffered a breach because it’s a higher-risk customer for the bank. You are absolutely going to see an insurance premium increase, a significant increase. We’re seeing that year over year, even for people that haven’t had breaches. And you’re potentially opened up to civil claims and other fines and penalties that it’s gonna be difficult to defend yourself against…
Especially when you go back to the reasonable efforts, that’s part of the RPCs.
Yeah, let’s talk about that a little bit and what are we talking about in terms of the amount of investment and the type of activities that are needed today to protect law firms? What does that cost-benefit calculation look like for…
Let’s start, we work with a lot of solo and small law firms, what’s a good type of investment they can make in terms of protection?
Right, so the White House issued… They sent out a letter, it’s only like two and a half pages or so, back in June, and they named five things to put in place, the chief among those is an EDR. That’s a technical control that you’re gonna replace your antivirus with. And it’s the only thing that’ll stop a ransomware attack. And you gotta have a good one.
Most importantly on that list was having a skilled security team, and this is part of standards of practice in the cybersecurity world, or as we refer to it, infosec, and a skilled security team is not IT.
These are two different disciplines, they have two different objectives, and they went out of their way to make sure they said, Get a skilled security team. You don’t use your plumber to do your wiring. You don’t use a heart surgeon to do brain surgery. It’s a huge, huge industry. So get a skilled security team engaged, they are designed to respond within seconds of detecting anomalies…
That’s good. So it’s people. I just wanted to start to jump in, I just wanted to make a quick point that it sounds like it makes a lot of sense to specifically find a company that specializes in security versus an IT company that has a security module or a piece of the business. I think that’s what you’re saying, right?
Exactly, exactly. And I talk about that in our webinars pretty extensively, I contrast the two disciplines, it’d be like going to a divorce attorney for patent law, I’m not saying some of you aren’t great at both, but you know, it’s just that rule of thumb. But I think that you look at something simple like, if you outsource your IT, maybe you’re using what’s known in the business as a managed services provider, an MSP, which is great, that’s the best way to do your IT, ’cause they proactively manage your IT, so it doesn’t go down.
Instead of waiting to respond to fix something when it’s broken, so you can keep the billing going and everybody… Maximum productivity and efficiency. So what you wanna look for is the class of skilled security professionals, and that’s called an MSSP, a managed security services provider. Now, that MSP may give you a four-hour guarantee to respond to an issue, well, in the security world, four hours could be the difference between the law firm going out of business or not. We gotta be responding within minutes by info professionals.
And good MSSPs will literally have dozens or hundreds of infosec specialists monitoring and managing your network, you know they’re backing up the MSSP, former NSA personnel, US Cyber Command, military cyber experts, cyber warfare and cyber defense experts are monitoring our networks, our client’s networks, and responding, and then they let us know.
And we orchestrate multiple vendors to respond to an attack, but we’ve gotta do that within minutes, sometimes even seconds. We’ve stopped breaches because we’ve immediately picked up the phone, called the computer, the user on the computer where we’ve detected an anomaly, and said, unplug the computer immediately.
Just that has stopped some major major breaches.
And how much more cost-efficient is it to do prevention and have a team like yourself doing that… I forget the word, I think hardening is the phrase, on the front end, versus just being reactive and trying to stop something?
So you can generally use the rule of thumb that it’s gonna cost you $20 a computer per month to have a skilled security team and to have an EDR in place. You’re gonna spend a little bit more for… If you’ve got remote users, they’re remoting into the desktop, which I know most law firms have, you need to secure that a little better, you need what’s known in the business as multi-factor authentication. In addition to user name and password, we need that third piece that is time-sensitive.
We require it for our clients if they have anyone remoting in, but yeah, 20 a month is what you can pretty much assume it’s gonna start at, and then it just depends on the risk profile of the client, our job is to help the decision-makers understand their risk, now, there are certain things that we require or you can’t be a client.
And that’s a good thing, that’s what you wanna look for, because we’re not gonna protect anyone that doesn’t pay for an EDR, it’s too big of a liability, not only to us, but to all of our other clients, because our clients are a threat vector to attack us and our other clients, so we’ve gotta be careful about that. But just a rough rule of starting at $20 a month, you’re gonna spend a little more for security awareness training, a little more to put in a password manager. Quit reusing passwords, please.
You’re not supposed to do that?
Yeah, you’re not supposed to use your dog’s first name and your firstborn’s birth year either.
I’m gonna go change that as soon as we’re done.
We’ve got to get on to the employees. Don’t reuse passwords for email! Once they’ve got into your email account, they’ve got the keys to the kingdom.
Well, something that I use and just… I think it’s such a no-brainer is something like LastPass or 1Password that allows you to… For people who are not familiar with it, it’s a tool that plugs into your browser and your computer that allows you to store all of your passwords in an encrypted location instead of in a document in your drive or on your computer or on a sheet of paper, which is also susceptible to a different type of intrusion. But I think little things like that and having…
It makes it really easy to give yourself complex passwords that are 12 characters, which from what I understand, and clearly I’m no expert on this, even doing some of those minimal things can have a really big impact, because when these attacks or campaigns are happening they’re looking for the low-hanging fruit. And so just doing 20 bucks a month, something like that can… It can put you light years ahead of other people… Right.
And you mentioned return on investments, well, how do you prove a return on investment with any insurance that you have? You really can’t… Until an event happens, right? Right. But even in cybersecurity, if you’ve got the best stuff already in there, you’re not going to have an attack or it’s gonna be way, way past 0-1% chance that you’re gonna have nothing. 100%. If the NSA can be breached, anyone can be breached. But you know, if you’re a five-person law firm, like you said, they’re gonna go somewhere else, and these automated attacks are going to fail. They’re just not gonna get through.
We’ve never had a client get breached successfully… We’ve had plenty of attacks, some of them were like, “This is gonna be the first one. I don’t know if we’ll make it over this one.”
I watched one for hours play out over the whole morning on a Thursday morning at a surgeon’s office, and I really didn’t think we were gonna survive and defend properly against that attack. We actually had to have the surgeon cancel all the surgeries, he didn’t wanna do it, and you’ve got to either do that or you’re gonna get breached and go out of business, and have to fire us too. But it worked out.
It worked out really, really well for them in that they didn’t get breached. But you need to think of it as just a cost of doing business, you gotta pay your electricity, you gotta pay your water bill, and so on and so forth.
What we’re also seeing, for those of you that already have cybersecurity insurance, it should be a no-brainer, because the premiums are going up. Provided you can even get a cybersecurity insurance renewal because we’re seeing them say, “You’ve gotta have this EDR, you’ve gotta have a security team, or your premiums are gonna be 10 times more than what you’re accustomed to.”
But we’re seeing the increase in premiums for those that aren’t putting enterprise, Fortune 10 level components, defensive components in their law firm, just the savings on cybersecurity insurance alone more than pays for it.
So like I said, for those of you that have cybersecurity insurance, keep that in mind, your premiums may not go up right now, or maybe they didn’t go up six months ago, but I promise you they will go up or be unattainable if you don’t put these things in place.
Like I’ve mentioned at the top of the podcast, this is changing rapidly, and virtually all industries are gonna have compliance requirements that are going to require some or all of the five things that the White House says you need.
There’s also the NIST cybersecurity framework that covers a lot of other things like security maturity. Does everyone… Do you walk the talk? Do you take security awareness training, do you make sure you use unique passwords? Because if you don’t set the tone at the top properly, you’re not creating that security-first environment, and that is what infosec… That’s what your skilled security team is all about.
Their job one is security. If we recommend a security policy or a technical control, it’s because we’re trying to protect the firm, it’s not because we’re trying to make more money or something like that. We educate the leaders in the business so they can make that risk analysis…
The last thing I wanna have happen, or the last thing you want to have happen, is you say you’re relying on IT and you get a ransomware attack and you’re using Norton antivirus or McAfee or Bitdefender or whatever IT says is the best… When you get a ransomware attack, and then you find out there’s a whole class of products you could have put on there for just a little bit more that would have prevented it. That’s the last thing you wanna have.
You know, if a client of ours were to suffer a ransomware attack, we immediately investigate, we gotta know what the threat vector was, who the threat actor was, what’s the damage, collateral damage, what’s the risk to the law firm going… Ongoing risk and things like that. But that’s not in IT’s wheelhouse. They can’t keep up with that.
And so if I have one thing to stress, it’s… To separate those two things, you know, most of the time, a lot of times we have people that say, “Oh, I’m afraid I’m gonna offend my IT provider. They’re really good and I love them. It’s my brother-in-law,” or whatever it may be. But believe it or not, more times than not, they’re relieved that they’re not asked to provide the security because they themselves know that is not their specialty…
And if you’ve got one takeaway from this podcast, that’s probably it: you just reframe your mind and then set the tone at the top and make a commitment to increase your firm’s security.
Well, I think it does sound a little bit daunting just in terms of how many attacks are happening out there, and I think this is a different type of cost-of-doing-business issue than flood insurance or something like that, because the number of attacks that are happening and attempted attacks, I think, are so much higher, they’re so much more common.
Because on a daily basis, we log into our clients’ websites and we use tools to prevent DDoS attacks and intrusions on the websites. And without question, on a daily basis, we see attacks that have been defended against and we know… It’s like a stock ticker. We see it every single day.
So I think this idea that you can ignore it or that it’s not happening to you at some level, everybody, just because of how ubiquitous these tools are, how easy it is, the barrier to entry is so low, that it’s gonna come sooner or later.
I think one of the things that I’m taking away from this as well is that by doing a minimal amount, $20 is nothing when compared to the… Just beyond the financial cost, I think just the frustration of not being able to use your computer and being out of business for a week or two weeks while something gets fixed.
I think that that’s well worth it, in my view, and I think it’s something we need to do even more and take more seriously, ’cause we’re potentially victims as well.
Yeah, so websites are frequently overlooked by law firms, and the last thing you wanna do is infect somebody just visiting your website, and this is something you can do for free, have your website designer or builder or whatever you call them, they can turn on multi-factor authentication in WordPress by default. It’s built into core. It doesn’t cost anything.
Google Authenticator is free, it doesn’t cost anything. In WordPress, all you have to do is turn it on. Turn it on on Facebook, turn it on on Amazon. That’s free, it just takes a little effort, but it’s a changing of your mindset that you take it seriously. I can’t stress that enough. Hoping it doesn’t happen to you is not good enough. We all know we don’t walk down a dark alley in certain parts of Manhattan at 2 o’clock in the morning, it’s common sense, we don’t rely on the police to make that alley safe at 2am.
Like I said earlier, the US government can’t stop this, not yet, it’s gonna be bad if they do, because it’s gonna watch other cyber attacks, it’s something that… And this is a little bit off-topic, but you know we have to pay attention to the situation in Ukraine for our clients, because you know if we go in and assist Ukraine, Russia, they’ve got a lot of… They’ve got tools at their disposal besides just submarines, missiles, tanks, infantry and all of that, and that’s cyber.
There’s no Geneva Convention around cyber warfare. So they did a test run on Ukraine, they stopped just short of killing people in Ukraine, and that was a test run and they can unleash that at any time. I think we can all pretty much agree that from a pure kinetic or military might perspective, there’s not a nation on the planet that wants to go up against the United States.
Now, I’m not talking about 10-year wars and 20-year wars like Vietnam and Afghanistan, it wasn’t a military might problem that those didn’t work out in the US’s favor, but what all of these foes that we have, especially Russia, with all of their criminals that they can unleash at a moment’s notice. Open season, right? So don’t think that it’s just going to be… Or the Russian government attacking our government computers, all he’s gotta do is put a message out on the message board that says the United States is free rein, and then all of a sudden they’d launch hundreds of thousands of attacks for ransomware to make more money, they’ve… They’ve just been given the okay by the boss, let’s go after them and attack water utilities, electrical companies, manufacturing companies, law firms, court systems, and on and on, you…
It’s the chaos, right? Imagine if something were to happen like that and there were 100 law firms or 1000 law firms hit all at the same time all across the country, that would make CNN headlines. And so these geopolitical dynamics enter into all of our defense, and I mean ours as all of us, we have to consider that this… Many of us think it will happen because we already saw it in Ukraine.
Businesses of all shapes, sizes, locations, when they gave the okay to attack at will in Ukraine, they didn’t know if their bread was gonna be delivered, they didn’t know if their dentist office was gonna be open, it was purely indiscriminate attacks. They didn’t know if radiation was gonna be leaked out of Chernobyl, it affected everything. Were planes were gonna fly, trains were gonna run, buses were gonna run? It’s a serious threat. So we keep track of Afghanistan and their cyber capabilities.
We already know a lot about North Korea. They attacked Sony Pictures just over our comedy, a movie. Destroyed 80% of their computers, and I don’t mean he erased them or held them for ransom, I mean physically destroyed them from North Korea using some of the NSA’s tools to do that very thing. And so we’ve got other… There’s other things, and there’s criminals in other parts of the world, but in Russia, they’re pretty much untouchable.
Whenever one of them gets captured vacationing in Greece on the beach or something like that, as soon as they get deported back to Russia, they’re released. Because their interests are aligned. So the cybersecurity world is a huge, huge business, political, and warfare industry.
For sure, and I think law firms of all sizes, specifically a lot of the ones we work with solo and small firms would be well advised to at least have a conversation with someone like yourself, with Irontech, and talk about this stuff and just get an idea of what hardening looks like, what sort of things that they could be doing.
I like that you guys have that experience with law firms as well, so you know about the rules of professional conduct, you know some of the threats and types of threats that are unique to them, and also it’s great that… Now, I think you can do your work from anywhere; it doesn’t matter if they’re near you in Arkansas or anywhere in the US.
So how should folks find you if they’re interested in learning more about security or getting some of those baseline measures in place… How should they contact you?
Well, just go to Irontechsecurity.com, and you can set an appointment up and spend five or 10 minutes talking with an info-sec specialist to kinda see… We can kinda look at your firm and see what you need, we know the majority of you are gonna need the five things, and it’s about 20 a month per user.
But the larger firms, if you’ve got partners and other people that make decisions and you cover lots of different areas of practice, we might wanna do a NIST-compliant security and risk assessment, which is a little more involved, or… Sometimes we do both, we just say, “Okay, let’s get the EDRs on there, get the team backing you up, and then we’ll see where you are, right?”
We’ll assess all the vulnerabilities, address those, and help you understand the risk. You can’t put… Everything in our arsenal is defensive. And we never do it, we don’t even do it with ourselves because of various reasons, but you wanna… It’s like any other risk that you take, a business risk: you analyze it, and you try to determine what’s the real risk of this.
If you don’t do intellectual property, the chances of China attacking you today are minuscule, and we wouldn’t recommend advanced defensive technologies. Now, if the situation over Taiwan escalates, that risk is gonna go up, so the risk changes over time as well.
But irontechsecurity.com, I’d be happy to talk to you, answer any questions; in five or 10 minutes, you’re gonna get a good idea of what the scope is… And we deal with… We’ve got plenty of single-person, one-horse shops, no assistant or anything, working out of their home, all the way to international law firms in various disciplines. So a lot of the principles are very similar.
If you’re a single lawyer and maybe you have a receptionist or an office manager helping out or whatever, a paralegal that functions in those roles… $20 a month, $500 a year. Nothing, exactly. And like I said, especially for those that have cybersecurity insurance, it is a no-brainer. That insurance is the last thing you wanna rely on; just like all other forms of insurance, it is there to make you kind of whole…
They’re not gonna buy your reputation back, you can’t… You can’t put a price on your reputation, you might be able to survive with their payments if they honor the claim or don’t find a loophole in it, but the collateral damage is what you’re really risking, and not to mention the premium increases and everything like that, so…
Excellent, well, I wanna thank you for your time. This is a really interesting conversation, and I think it gives people a lot of really actionable, specific things that they can do to take charge of this and deal with it.
As we both discussed, I think we both feel like these attacks are gonna come more and more… And so it’s just a matter of time before it affects your business, so you might as well get protected now. So thanks so much for joining us, and we’ll have you back soon.
Yeah, I have a book coming out, so maybe we can talk after the book launch.
Absolutely. Looking forward to reading that. Alright, alright, thanks, Tom.
My pleasure.