John Strand, the founder and owner of Black Hills Information Security (BHIS), seems to have an affinity for law firms. He understands what makes them tick. And that’s a big help, because law firms have not had an easy time getting a handle on cybersecurity. And it’s also likely that security professionals have had a difficult time getting a handle on them.
Since it launched in 2008, BHIS, based in Spearfish, South Dakota, has provided clients with security assessments, training and advice. Strand is very much a hands-on owner, working as a security analyst, hosting popular webinars, lecturing and teaching widely—and along the way helping to professionalize penetration testing. He’s also a straight talker, which he proved during a recent briefing for TAG Cyber, when he offered law firms a dose of reality before he added a helping of good advice.
His timing seemed propitious. Strand noted that the vulnerability of law firms has finally garnered media attention. The ransomware attack in May that struck New York’s Grubman Shire Meiselas & Sacks, the so-called firm to the stars, was high-profile well before it was revealed that the hackers were demanding $42 million. They threatened to sell documents that belonged to the firm’s glittering roster, which included Lady Gaga, Madonna, Bruce Springsteen and supposedly even President Trump. That should have given partners everywhere a jolt.
Strand called law firms an “all-you-can-eat buffet.” Not because of ransomware. Because hacking into one law firm can present an opportunity to steal intellectual property from hundreds of the firm’s clients. And the opportunity is particularly tempting because, he said, while some law firms have excellent security, many don’t. Once hackers get in, they often find clear sailing with few protections in place.
On top of that, Strand said, many firms are particularly vulnerable to business email compromise. Why? Because of their culture. Business email compromise involves emails that seem to be coming from top executives, but are actually coming from hackers. When law firm underlings receive emails ostensibly sent by top partners, the hierarchical culture of absolute authority dictates that they respond quickly and without question, Strand said. Including when the instructions are to wire funds.
This poses a real security problem. It’s exactly what hackers want. Strand said firms must embrace pushback. And train their partners that this is essential. No one should assume that instructions came from the person who purportedly sent them. Before they follow orders that include actions like wiring money, lower-level employees need to demand proof of the individual’s identity and the veracity of the request. And their bosses must empower them to do this. It’s even more important now, he said, when everyone is working from home. Colleagues can’t walk down the hall to chat.
What the Law Firms Say
Strand shared some of his insights from working with a dozen firms. These were firms that called him in to do penetration tests. And not for show or for marketing purposes. “They wanted to make sure they were as secure as they can be.”
Half of the firms were investing heavily in security, Strand continued. Of those, about half rely on outside help—managed security service providers (MSSPs). The rest are trying to handle this internally. Each group faced challenges. Many of the law firms that rely on MSSPs worry about turning over their data to outside vendors. They’re concerned not just about their own data, but especially about protecting client data.
For the firms that rely on their IT teams, it can be hard to find top talent. And when they find a good chief information security officer (CISO), the new hire is often poached by competitors in 12-18 months. In fact, Strand said, some firms give them different job titles, like director of security, to avoid advertising them to the world. But even the firms that have tech talent rarely empower them. Fewer than 10 percent, Strand said, have a seat at the table with firm partners.
What’s different about the 10 percent? Almost every firm Strand has worked with that has given its CISO real authority has been compromised by a cyberattack.
Sometimes Strand seems to be the only one who can urge the partners to hire a CISO, and give him or her real power. He is sometimes the only one who pushes them to boost their cybersecurity budget. And he can do this, he said, for two reasons. His job is not on the line. (An internal advocate might not be so sure.) And after BHIS hacks into their firm, the partners react the way the ones at compromised firms do. They listen to him. Suddenly “everything we say has a lot of weight.”
Some firms try to bargain with him to go easy. Don’t target the partners, they plead. But BHIS pushes back. It insists on targeting everyone. Strand also finds ways to express empathy, he said. He compares his company to their firm. He knows how it feels to build a company and feel responsible for it, as the partners do. Then he asks a question: “What if your billing rates for all of your clients were stolen and made public? How much would that impact your business?” It gets their attention.
There’s one more cultural issue that usually comes up. Law firm partners are not used to feeling helpless. And they’re not comfortable asking questions that expose their ignorance. Executives and partners don’t like to ask questions of their IT staffs, Strand said, “because they don’t want to feel dumb.” But they can ask Strand those questions without embarrassment.
There are other ways to avoid awkward moments. BHIS has found that it’s more effective to train executives and partners using games. And Strand’s gang creates their own. Their big one is called Backdoors & Breaches: an incident response card game. It was briefly No. 1 on Amazon’s best-selling educational games, Strand said. And it all started with a law firm training. They gave the partners a scenario to work through. And the surprise was that it was all about how the security company hacked into the firm.
It works better than tabletop exercises, he said, which can be boring. Lawyers respond well to stories. The law is a world of scenarios. The only time it didn’t work as expected, Strand recalled, was when it got a little too realistic. It revolved around the sale of a house. They’d pulled the information from actual records, and then modified them to protect the identities of the individuals. But the exercise was interrupted when one of the participants said, “Hey, that’s my house!”
Strand was relieved that they didn’t get sued.