ALPS In Brief — Episode 30: Solo and Small Firms Should Make the Leap to Cybersecurity. It Matters.

Do you assume you don’t need to worry about being the target of a cyber attack because your business is too small? Often times, solo and small firms are seen as low-hanging fruit and are specifically targeted by hackers looking to gain valuable information. Solo attorney Suzan Herskowitz offers advice and insight into how she made the leap to becoming cyber secure to protect her firm and her clients’ information.

Transcript:

MARK:

Hello. This Mark Bassingthwaighte, the Risk Manager with ALPS and welcome to the latest episode of ALPs in Brief, the podcast that comes to you from the historic Florence Building in beautiful downtown Missoula, Montana. Today I’m very pleased to have as my guest Suzan Herskowitz, a practitioner from, is it Winchester, am I right Suzan?

SUZAN:

Winchester, Virginia.

MARK:

Winchester, Virginia. I’ve been through that area. I can say it’s certainly not a mega-city.

SUZAN:

No.

MARK:

Quite the opposite in fact. Susan, or Suzan pardon me, I am most interested, and we’ve had a discussion last fall about challenges that solo lawyers face in terms of trying to be cyber secure, just the challenges, and you have made some changes in recent times. So we’re going to have a conversation and talk about the challenges and what all happened in your practice.

But before we jump into that, may we take a moment or two and just, would you mind sharing a little bit about yourself?

SUZAN:

Sure. I have been practicing law since 1986 but I am a bit of a nomad and I’ve moved around so I’m licensed in four states: Texas, Florida, West Virginia, and then Virginia, in that order. This go around if you will, I have been practicing solo since the end of 2004.

MARK:

Okay. Can we start, maybe just sharing a little bit about the challenges you face in terms of technology as a solo practitioner.
Suzan: Well obviously, you know as a solo we don’t have the same financial ability that some larger law firms would have, just by its size.

MARK:

Right.

SUZAN:

I know that when I started going to the ALPS epic seminars and you scared me half to death I was working with a local company and over time I found that they couldn’t keep up with what ALPS wanted us to do and then what the bar wanted us to do as the cyber security threats seemed to become more and more real. Not only for large companies but for small little guys like me as well.

MARK:

Yes.

SUZAN:

So about a year ago I jumped ship to a slightly larger company to handle all of my IT work and obviously a bigger monthly bill for that as well. But it’s meant doing an upgrade on everything from my router so it had better encryption and was more secure, upgraded computer system so that I was using business computers, business laptops instead of just ones that I would buy at the big box store. All kinds of things to make sure that I had more security just in the hardware, let alone the software.

MARK:

Right. One of the things I think about, just in terms of responding to what you’re sharing here a little bit, for me it underscores there’s a difference between, and I got a couple points up here in my head, but there’s a difference between IT support and IT service provider that can bring to the table additional security practices, best practices into play and I think that’s a real challenge. Not only for solo practitioners but small businesses, even large businesses struggle with that one at times. So I like hearing, as a Risk Manager, that you’ve made this jump to a company now that really not only can provide the IT support but understands the needs of a lawyer in terms of appropriate security and taking the steps to put that into place.

May I ask sort of what drove you to make this change? I hear that some of it is sort of the scare factor but you know, I can scare people awfully well and I still find at times a lot of lawyers don’t yet make that change. Were there other factors in play? What drove the process for you?

SUZAN:

I tell people all the time, I’m very risk adverse in most things.

MARK:

Yes.

SUZAN:

So I go to your seminar year, after year, after year which I’m very grateful for, and I would talk to my IT person who kept saying this isn’t going to happen to you. You’re just a small fry out in Winchester, they’re not going to come after you. You would recommend things and he would say I wouldn’t need it and the next year the bar would require it.

MARK:

Okay.

SUZAN:

Remember I’m licensed in four States so I’m getting this information from multiple sources, not just the Virginia State bar, I’m getting it from other avenues as well, and they’re all saying the same thing. I try to keep up on things. I’ve never been afraid of technology. My stepmom used to work in the field years ago. Even being up on technology, I realized I was falling behind and it wasn’t enough for somebody to say, ‘we don’t have to worry about that,’ when I could plainly see when I went to your seminars as well as one that the bar put on itself one year, that I definitely needed to look at some of this to the extent I could based on the size of my business.

MARK:

Okay. I like that. One of the thoughts you shared that I really appreciate you bringing up, and I hear this repeatedly, but the fact that your IT support person says it, you don’t need to worry about this stuff because you’re too small, it just kind of blows my mind at times. I really want to take an opportunity here just to underscore to our listeners, size in terms of your business is irrelevant on the cyber crime space, for lack of a better word. In fact, I think smaller business, small firms, individuals in so many ways, and particularly lawyers because of the information, valuable information we have on our networks, we’re really viewed as the low hanging fruit and are specifically targeted. So this belief that you’re too small to be on anybody’s radar couldn’t be more wrong.

SUZAN:

What also happened, and this is what my final decision to make the leap was, was a title company that I know, not a large one, got hacked. They took forever to get their systems back because they didn’t have the right backups.

MARK:

Interesting.

SUZAN:

I don’t know what the whole scenario was as far as what they had to go through, if the FBI came, because I’ve heard that that can happen and other issues, but they’re a title company. They run hundreds of thousands of dollars through their accounts at all times, and that kind of woke me.

MARK:

Okay.

SUZAN:

That a local company, not a big one, not a big named one with multiple branches, got hacked. And the trouble they went through. And I literally, just within weeks, had made the leap.

MARK:

Would you say now, being on the other side of this with a bigger company a better service as you’ve been talking about here, do you feel like the journey has been worth it? Is the expense worth it?

SUZAN:

Definitely.

MARK:

Are you finding it to be tremendously more expensive?

SUZAN:

It is more expensive, but it has been worth my peace of mind. There’s this little popup that comes up periodically on the desktop, that basically is a wave, that says hey we’re monitoring. Once a week they call me and say can we pop in on your computers at about seven o’clock tonight to do a system update, and they update everything, programs. They’re always monitoring. I thought I had been hacked and they went nope. It’s just phishing, just delete it.

MARK:

Okay yeah.

SUZAN:

So I have that. And then of course they do the other end of things of I don’t know why we don’t have any wifi and the connectivity is down, can you guys fix this. They do that as well. But on the cyber security side I find that they have three redundant backups.

MARK:

Okay yeah.

SUZAN:

I just feel better that knowing that my systems have so many backups, that they’re always monitoring, that it isn’t like when I had been told with my old company, if anything happens we can get you back to within a week of where you were. And I’m thinking a week? You know how much money there is in a week?

MARK:

Right, right. Okay.

Have you done any planning on your own or in conjunction with the security support, IT support that you have here in terms of planning for the unexpected. I guess the question is, what happens if you are attacked? Do you see where I’m trying to go? Disaster recovery planning?

SUZAN:

I’m not really sure what I need to do on that to tell you the truth. I think that with my IT people, because they have a whole notebook for me.

MARK:

Okay.

SUZAN:

I’ve seen the notebook, I know it exists, that between me and them that I can get back up and running quickly. They’ve kind of promised that, so I’m kind of taking it on faith in that regard that they really will get me back up and running.

I will tell you that recently I did lose my internet, my email, long story, and they had me back up as soon as we figured out what the problem was. They had me moved to a different server, they had my email running, they had my web page back up. I basically lost my domain. It’s a long story. So I wasn’t getting email, nobody could see my website.

MARK:

Yeah this isn’t good.

SUZAN:

It was kind of a bit of a nightmare, and they got me back up like within a couple of hours they had me running.

MARK:

Very good. Very good.

SUZAN:

Yes I had to pay a few hundred dollars more than my regular fee because I went over my allotted time, but gosh I mean, what would I have done without it?

MARK:

May I ask, is this a local company that you’re working with?
Suzan: It happens to be local, but with people that have long years in I believe military IT.

MARK:

Ah. Okay, got it. One of the things that worries me also as a risk guy, you know I look at a lot of data, read a lot of articles, it’s overwhelming at times to just try and stay current with this stuff, as I know you can relate to, but you see a lot of businesses, to include law firms, if and when they get hit with some kind of major attack, many of them do not survive. The financial hit can be pretty severe. Have you thought about that? Is there a safety net that you’ve put into place?

SUZAN:

I actually have ALPS cyber defense insurance.

MARK:

Oh! Okay.

SUZAN:

I did talk to my commercial guy and he looked at your policy and said stay with it.

MARK:

Well okay.

SUZAN:

It’s as good or better than anything he’s seen. I’m not saying that because it’s you. He just told me that point blank. He said you stay with what you have.

MARK:

And I really appreciate your sharing that and we do pride ourselves in bringing a quality product to market. I can say that when we initially put this policy together in conjunction with Beasley, we designed it for the unique needs of lawyers and law firms, so I am proud of that. But I’m not trying to sell insurance.

SUZAN:

And I didn’t mean it that way. I literally asked my commercial insurance person, do you have as good or better policy and he said no.

MARK:

Yeah. Well, that’s awesome. It’s great to hear. One of the things I like again about you bringing this up too though, is so many people just mistakenly believe, or perhaps mistakenly assume, that oh if I ever have a problem with my computer, we get hit or something, my general commercial business package, Vista’s covered under all these policies we’re going to have in place. And I do think it’s important to point out, no that’s not true. It is possible to insure for cyber breaches of various types whether it’s ransomware or just getting hacked and your website goes down, there are all kinds of exposures that can come up here. But you do need to go out and buy what we call in the industry, just a cyber liability policy. So for those of you out there listening, if you’re not aware these policies exist, now you are and please if you don’t have the coverage in place, I strongly encourage you to shop the market and see what you can find here because cyber breaches can be very, very costly.

Do you feel like you’ve reached the, I don’t know, I guess the end of the journey? Do you still feel that there’s more to do?

SUZAN:

Oh yeah! I talked to my IT guy, I’m always sending him emails every so often. I’ll read an article and say do we have this? Do I need this? Should we talk about this? Sometimes he says yes and other times he say you’re covered.

MARK:

Yeah. What resources do you have out there? What keeps you current? The same kind of thing, the CLE’s, communications in the bar?

SUZAN:

CLE’s, various bar things, I do like to read you know various online materials that may or may not be law related. What’s new in tech.

MARK:

Is there anything you would do differently?

SUZAN:

I probably wouldn’t have been so nonchalant about it all the years ago that I was. Maybe I was lucky. I’m much more proactive about it now than I was then. I’m more aware of it now. I notice when I get an email that looks weird. I don’t click on almost anything, even if I get something that appears to be from my bank I go to the bank website and then log in from there and see if I really do have a secure message.

MARK:

Right there is a tip everybody should pay close attention to. That’s exactly how you should be doing it.
Suzan, one thing I have not discussed with you in the past, do you have employees or is it just you?

SUZAN:

I do, and I’m lucky that my employee, who’s very young, is going through his bachelors degree in cyber security.

MARK:

I love it. Okay.

SUZAN:

So he’s really up on all of that stuff and sometimes I ask him for advice. Like what did you learn in school? Is there anything I need to know? So I’m not dealing with someone who’s cavalier about things there either.

MARK:

The reason I ask, and I just love your story here of how this has all played out for you, that’s precious, but so many people don’t realize too that in spite of all the precautions, the IT service provider you’re working with is taking care of in terms of VPN’s and just patches and updates and doing all the wonderful things they’re doing, we also have to realize that as users we are sort of the weak link, and I do want to underscore to the degree that again those of you listening have employees also with access to the tech tools of your law firm, we do need to provide some education. Suzan you understand how to recognize a phishing attack. We also need to train our employees how to recognize a phishing attack and to delete things, and to pick up the phone and call the bank directly. It’s a two-way street. We have to work in partnership with the security companies that we’re working with.
Any closing comments? Any final thoughts?

SUZAN:

Just that I recognize that it is an expense and you have to make maybe some adjustments somewhere else, whatever works for you whether it means buying cheaper paper, or finding a different vendor for laser jet ink to make up the difference in the money. I don’t know what you have to do to do it, but I do think it was worthwhile for me to know that I am maybe not bulletproof, but I’m certainly a lot safer than I was.

MARK:

Well I really appreciate your taking the time to visit with me today. The message, the takeaway for me, and why I wanted you to share a bit of your story here, is that as a risk guy who travels the country and works with law firms of all shapes and sizes, I hear over and over and over again that the solo, small firm crowd sometimes they feel overwhelmed and I like your story in the sense that it took you a little bit to get there, but you realized this is really not something that’s optional. You’re a success story in that you went out, you jumped ship, you realized the IT you initially had in place was just IT and not really taking care of the security piece in the way you felt it should be, you jumped ship, we spent a little more money but we get there. You feel that the journey was very well worth it, so good stuff.

SUZAN:

And if I might say one final thing is that yes while it costs more money, it was worth outsourcing it and not having to be the one to worry about whether I was updated, and whether I had the backup done, or having somebody call and say, hey you might have been hacked can you look at that? No I don’t want to look at that, I want you to look at that.

MARK:

Right. You need to practice law!
Suzan: I have to practice law.

MARK:

That’s right. Very good, okay. Once again Suzan, thank you very much. To those of you listening, I hope you found something of value in today’s podcast and please don’t hesitate to reach out to me any time. My email address is mbass@alpsnet.com and if you have topics of interest or folks you would like us to interview, I’m all ears. So thanks for listening folks. Have a good one. Bye-bye.

—

SUZAN HERSKOWITZ was raised in The Bronx, New York. She is a graduate of the University of Texas at Arlington and Texas Tech University School of Law. Ms. Herskowitz has been practicing law since 1986 and is licensed in Virginia, West Virginia, Florida and Texas.

 

ALPS In Brief Podcast Intro/Outro Music: Walk In The Park by Audionautix is licensed under a Creative Commons Attribution 4.0 license. https://creativecommons.org/licenses/by/4.0/

Artist: http://audionautix.com/