ALPS In Brief — Episode 65: Cybersecurity Services for Solo and Small Law Firms

In this episode of ALPS In Brief, Mark and the founders of Sensei Enterprises discuss cybersecurity options and support for solo and small law firms. Somebody’s got to take care of you and that’s just what they do.

—

Transcript:

MARK BASSINGTHWAIGHTE:

Hello, I am Mark Bassingthwaighte, the risk manager here at ALPS, and welcome to ALPS In Brief, the podcast that comes to you from the historic Florence Building in beautiful downtown Missoula, Montana. I am back from a trip into the home office in Missoula, and back in the satellite office here in Florida, and have with me two folks that I’ve just had the joy and pleasure of getting to know over the years, and the privilege to work with a few times over the years at various ABA events, and it’s just been a lot of fun.

MARK:

Please help me in welcoming Sharon Nelson and John Simek. Sharon and John are President and Vice President of Sensei Enterprises, which is really the heart of the topic we’re going to talk about today. Before we jump into some of the questions and things I’d like us to visit about Sharon and John, may I have each of you take a couple of minutes and share whatever you’d like to share about yourselves? What would help our listeners get to know you a bit better?

SHARON NELSON:

I’ll start, and then I’ll turn it over to John. What we do at Sensei Enterprise is managed information technology, managed cybersecurity services, and digital forensics. We have three branches, and that means we’re running a fire station without a Dalmatian here, so there’s always emergencies. It gets very difficult to keep all the balls in the air. We are also married with six children and 10 grandchildren. We’re together all day and all night too.

MARK:

I love it.

JOHN SIMEK:

You didn’t tell [inaudible 00:01:53], you’re a lawyer though.

SHARON:

Oh well.

JOHN:

Do they care?

SHARON:

Maybe. John is the veteran technologist and I am the lawyer, and that’s why we decided to work together when we started the company some 25 years ago, more than that now, just a little bit. John was the talent and I was the lawyer/marketer who could sell ice cubes to Eskimos, so that worked out really well for us both.

JOHN:

I’m not a lawyer, as you can probably tell. I’m an engineer by degree, and been involved in technology informally even before the internet. I remember that presidential candidate that was trying to create [inaudible 00:02:40]. Whatever, but back in the days of the modems and all that stuff. But I have a lot of technical certifications, formal training as well. I guess a lot of people think that I should be wearing a pocket protector and have a propeller head. But yeah, as Sharon said, I do the technology stuff, testifying expert as well, because of the forensics and all that. I just got done with a deposition a couple weeks ago that was really entertaining, at least to me, but not for the other attorney.

SHARON:

That’s how it’s always supposed to turn out. I forgot to say Mark, that I was the President of the Virginia State Bar a few years ago. That was [inaudible 00:03:25].

JOHN:

That’s how we ended up in Montana one year.

SHARON:

Yeah, that’s how we ended up coming to see you folks out in Montana.

MARK:

Indeed. That’s right. That was a good time.

SHARON:

It was a wonderful time.

JOHN:

I did go fishing when we were out there.

MARK:

There we go. Boy, there’s no place better. You want to talk about some quiet country time on the river with a fly? A lot of fun. One of the things that I’ve never really visited with you guys about, I’m genuinely very interested. Sharon, you’ve talked, years ago, you’ve been a lawyer for quite some time. How did you make this jump? Was that always the plan to go into this Sensei Enterprise type business, the alternative practice, a non-traditional track if you will? How did this all come about?

SHARON:

Life is full of accidents. As I was a young [inaudible 00:04:22].

JOHN:

We’re experts at that.

SHARON:

Oh yeah. When my first child was born, her condition required me to stay home through several surgeries and several years. She’s fine, but I ended up working from home as a lawyer. And then, later on after I had been a lawyer and been seriously involved in the Bar Association, I had this very nice man who taught technology to anyone at colleges, and he was helping me computerize my law practice back in the ’80s. I was pretty wired up for a solo. But then, he got relocated because of his job, and I said, “What am I going to do without you?” And he said, “Well, I’ve got this friend down the street, and he’s really brilliant, but he’s a pain in the butt.” And he said, “But I’ll set up a lunch, and if you can stand him, then he could do a better job even than me.”

SHARON:

I met him for lunch, I could stand him, and so, we started out with him helping me with my law practice technology. Ultimately, he had always wanted his own company, and he just looked at me one day and said, “You know, I could be the talent of a company, and you’re a lawyer, and you can sell anybody anything, so why don’t we hook up and form a company?” And that’s how we got started.

MARK:

Wow. That’s awesome. I love that. I love that. Oh my. Can you tell me a little bit about the types of services? You can a little highlight or overview, but can we dig in a little bit in terms of the types of services that you offer? I’m also interested, how would you describe your typical client? I know that you do a lot of work I think with businesses that are not just… You’re not limiting your services in other words to law firms. Is what you have to offer, would it be useful, beneficial to solo small firm lawyers around the country?

SHARON:

We actually are devoted to solo small firm lawyers, not that they are an exclusive client roster. We have a client that has over a thousand people.

JOHN:

Not a legal entity.

SHARON:

No, not a legal entity. But in any event, we do all sizes. But we have a special feeling in our hearts for the needs of the solo small, because most companies are not interested in them. They don’t really want them, because they can’t get much of a profit out of them.

JOHN:

They might have some minimum. Unless you’ve got 10 bodies or more, they’re not interested to even talk to you.

SHARON:

And so, somebody has got to take care of these people, so we really specialize in finding cost-effective things that they can use to do what they need to do. That’s been something that we’ve been celebrated for, is that we do take care of solo and smalls along with the bigger firms. It’s been a mix, Mark, and I really feel strongly about that because I was a solo myself, and I know how hard it was to get competent help and to get things that you could afford. And now that cybersecurity is so important, it’s really critical that the solo and small firms have people to guide them in a way that’s budget-friendly, because this stuff can be really expensive.

MARK:

Yeah, I’m well aware. What types of services can you help? If I’m just a solo stuck here in Florida, or Montana, or Iowa, what can you do for me?

JOHN:

Basically, we do an assessment, an initial assessment, come in there to see what you’ve got going, and is it appropriate? Should we forklift some things? Are you in the Cloud even? Because today, it’s so much more affordable and flexible to be in the Cloud.

SHARON:

And secure, more secure.

JOHN:

Maybe you should be considering that. We do have some clients that are remote, up in Massachusetts as well as down the coast, and we can do a lot of things remotely. Sometimes though, you do have to have boots on the ground, and some folks might have a local person if they need hands-on to something. But generally no, we can get equipment, we can figure it, we can ship it, do all that. But essentially, get you in a position where you’re a heck of a lot more secure with your technology.

SHARON:

And you’re getting good recommendations from us about what [inaudible 00:09:08].

JOHN:

Stability, backup.

SHARON:

Practice management systems, document management. We can help them work with the companies who have appropriate pricing for solo and small. That’s really our niche, is to be able to do that for those people. The solo and smalls are really neglected.

JOHN:

But it really is a unique thing though, because there’s not a template. You can’t go to the green drawer and pull out a system for a solo.

SHARON:

No. I mean, they all have different needs.

JOHN:

They’ve got different needs, different things that are important to them, different types of practice, their workflows are different. We really do try to, as Sharon said, customize and make sure that they do have a cost-effective solution. The other advantage I think we have is that we know a lot about the law, and a lot about what lawyers’ responsibilities are, and what their-

SHARON:

And what’s ethical. And what’s ethical has changed, Mark. In today’s world, you have to take reasonable measures to protect client data and confidential data. These days, we have gotten to the point where one reasonable measure is having two-factor authentication, because it’s almost always free. It comes with Office 365, which so many solo smalls use. You just have to turn it on. That’s where of course the problem comes.

JOHN:

That’s got to be really hard.

SHARON:

It’s the convenience factor, though. They want to get right in. They don’t want to have to get a text on their phone, or push a button on their phone.

JOHN:

Type a code.

SHARON:

Type a code, and whatever it is. There’s all kinds of two-factor authentication obviously, and you have to help them get past the I don’t want the extra step to, I have to have the extra step, because ethics demands this of me, because multifactor authentication stops almost 100% of credential-based account attacks. You don’t get us that much better than that.

JOHN:

Especially not when it’s free.

SHARON:

Yes, especially when it’s free to do. You just have to put up with one little annoying thing that you have to do.

JOHN:

You can trust devices too, so it’s not every time. You don’t have to do this 30 days, or whatever it is, whatever the period of time is. A lot of folks I don’t think realize that. They think when they hear this, they go, “No, I’m not going to do this every darn time I connect.” You don’t have to.

SHARON:

You said, tell a story. Here’s a story. We’ve been able to successfully convince most of our law firm clients that they must ethically do this. There were several who protested, and they dragged their feet, and they dragged their feet, and then one of them got hit by ransomware. That’s what happens when you don’t take some advice. First thing they said was, “Okay, we got hit. We were attacked. I guess you were right about that 2FA thing, so could you come back and fix that for us now?”

MARK:

Hard lesson learned, but boy is it a good lesson once they understand it. I’m hearing you can do lots of advising and guidance on terms of how to become secure, taking into consideration regulations we’re subject to, the ethical rules, et cetera. I just had somebody call me up yesterday about, they were talking about some other things, and a side question came out. It’s a solo setting up her own firm, and she’s interested, are there services and people out there that can help monitor the systems to give you a heads up? Her question was, how do I know if I’m breached? Can you help them answer that, or help them deal with that risk?

SHARON:

You have today an ethical obligation to monitor for a breach. That’s pretty much been established. Now that you know you have to monitor, that’s one reason why we are a managed service provider, because we have all sorts of alarms, and alerts, and we check things like backups to make sure everything is going the way it should.

JOHN:

There’s a lot of automation.

SHARON:

There’s a lot of automation. The thing is, when something goes wrong, we’ll get a notice, so the lawyer is protected by having the managed services and the alerts that will go to their provider. That way, they know right away, they can usually fix it right away, or if the power is out or something like that, they have to wait until power comes back obviously. But that’s why you want someone watching over all of this for you, because the average lawyer has no idea what any of these alerts mean. These things go off, and they’re clueless. You want that in the hands of a professional, and it’s not very expensive to get it. And so, this idea of endpoint detection and response, this is another thing that we would say is reasonably required in order for you to monitor for those breaches.

JOHN:

It’s not just monitoring, it’s also-

SHARON:

React.

JOHN:

Yeah, it reacts to it. Artificial intelligence is a part of what the tool uses, in conjunction with human beings in a security operation center. If you get a ransomware attack as an example, or there’s some rogue process that comes and starts and the system sees that, wait a minute, this is outside of baseline operation, and it can even automatically take the device off the wire, off the network. But they have, at least the solutions that we’re implementing for our clients, it has a rollback capability. If it’s got a problem, and you say, “Shoot, you know what? Let’s go back to 30 minutes ago,” and put your system back into a state before this happened, and we’ve got that ability.

SHARON:

It’s really kind of magic to lawyers. As much as we try to explain it, and John did in fairly simple terms, they really don’t get it. They just get that the magic works.

MARK:

Right. That’s okay. They don’t need to get it. If they have somebody like you behind the scenes taking care of it, they just need to make sure these kinds of things are in play or in place. May I also assume that if I have, I do stupid on my laptop, and I get hit with something that we talk about ransomware as a classic example, are you also offering services to help me address and deal with these kinds of breaches?

SHARON:

Absolutely. That’s what you do.

JOHN:

I do want to point out though Mark, all the technology and things that we do do, you cannot fix a human being.

MARK:

Right. Oh boy.

SHARON:

Who clicks on a phishing email or a phishing text?

JOHN:

Sharon talked about a story. We had a story from… What’s today? Thursday. I think it was either Friday, or it was no longer than a week ago. We’ve got all these things in place, the software, [inaudible 00:16:33], whatever, and yet we’ve got a lawyer that gets this message, and then he actually initiates a phone call-

SHARON:

To the bad guys.

JOHN:

To the bad guys, and then is carrying on this conversation, and under his own ID, he’s opening up his machine to this caller, and I’m going, “I can’t stop that.”

SHARON:

They finally asked him to enter some bank information-

JOHN:

And he got suspicious.

SHARON:

Then he finally got suspicious and severed the connection.

JOHN:

He called us and we said, “Whoa, hold on.”

SHARON:

But that kind of thing happens a whole lot. People do stupid stuff, and of course now everybody is on their phone a lot, and so the phishing via text has become a big deal. They call that smishing. People will fall for that. They’ll get something that says, “You just made a purchase for $500, and if you didn’t make this purchase, you’ve got to do this, or call there.”

JOHN:

Click here or whatever.

SHARON:

Whatever. Don’t click. Don’t call. People are not thinking.

MARK:

I’m hearing we have full service, which I’m not surprised, but I just want to underscore all of this. John, you raised a very, very good point. I’m often writing and lecturing about some similar things. Regardless of what IT does, we still have to deal with the reality of the human factor. You can’t patch that. You can’t. We have to do some training here. Is that something you guys do as well? Are there any training resources available for solo small firms?

SHARON:

The best training resource I know of is somebody who is not in your own company, in your own law firm. It’s somebody from the outside who carries a bigger bat and has a reputation. That’s why we started out long ago doing cybersecurity awareness training for law firm employees, and we do it remotely, which of course people have gotten used to that now. We have a PowerPoint, and we talk through the PowerPoint. We only charge $500 for an hour. Trust me, they can’t absorb more than one hour, because this stuff is complicated, and they have to pay attention. An hour is about right. You might want to do it more than once a year. You might want to do it twice a year. At $500, most law firms can afford that, even the solos and the small firms, because it’s a whole firm price. We’re there for an hour, and we answer questions as we go along, but we can show them the phishing emails and all the stuff. We talk about social engineering, and all the stupid stuff they do, like sharing and reusing passwords.

JOHN:

The latest attacks.

SHARON:

The latest attacks. We [inaudible 00:19:30] the latest information. Nonetheless, people forget. The stat that’s most interesting to me, Mark, is that over 80% of successful attacks involve a human in some way or another.

MARK:

Right. Good stuff. One of the reasons I really was excited about visiting with the two of you again, is to try to find or create awareness about resources that are out there, because there are so many places where there is, if you will, nothing locally. When you talk about this preventative educational piece, just as an example, at $500 a pop, I sit here and say, as a risk guy, two or three times a year? That’s chump change, and absolutely essential to do in my mind, when I compare the potential loss of time, worry, money, data, all kinds of things, if somebody just does something stupid and clicks on the wrong thing, and we get hit with ransomware, and it’s all gone, locked up.

JOHN:

I think the other requirements you’re going to have Mark too though, and what we’re seeing a lot of, is that the cyberinsurance carriers are now in their renewals and in their applications, they want to know, are you getting training for your employees?

SHARON:

That’s one of the questions, and they don’t want to hear no, or they might charge you more, or they might offer you less coverage. We’ve seen it all. Cyberinsurance is driving the solo and small firms crazy.

MARK:

Here’s one as a side comment following up on that, please folks, if you’re filling out these applications, don’t lie. If you say you’re doing something, and a policy is issued based on those representations, it’s just the same as malpractice insurance or anything else. If it turns out you aren’t having these trainings and you don’t do these other things that you say you are doing or have in place, that’s going to jeopardize coverage. Just a little side note there, be very careful and honest about answering this. I don’t want to keep you too much longer, and I really, really appreciate you taking some time today. Could we close maybe with some thoughts about what are the top two or three things that you think lawyers in this space need to be concerned about, focused on perhaps, and/or a tip or two to address these kinds of things? Just a quick wrap.

SHARON:

Are you talking about cybersecurity in particular, Mark?

MARK:

Yes.

JOHN:

I think Sharon has talked about the things that certainly are really high on my list, and that’s the multifactor authentication, the EDR systems, endpoint detection response.

SHARON:

And an incident response plan, which only 36% of attorneys have an incident response plan, and it is so critical, because if you fail to plan, you plan to fail. That’s an old chestnut of a line, but it’s really true. You have got to have a plan, and you probably need somebody to consult with you a little bit, because there’s no absolute template out there that fits everybody. You can start with one, but you really need to have somebody who knows what they’re doing help you out with developing a plan. It’s not all that hard, it’s just that people don’t do it. And then, if they do do it, then they leave it to molder, and of course nothing stays the same in this world, especially cybersecurity. In a year, if you haven’t looked at it and done anything with it, some portion of it is probably quite obsolete.

JOHN:

But I think the critical foundation for that whole thing, before you even get down to saying, how am I going to respond, what does my IRP look like, is inventorying your assets and your data. If you don’t know you have it, you can’t protect it.

MARK:

That is an excellent point. Yes. That’s absolutely an excellent point. I appreciate your time here. Before we wrap it up, I do want to give you a moment to share. If any of our listeners have a need and desire to reach out to you to discuss the kinds of things that you can help them out with, how can they get a hold of you guys?

SHARON:

Our phone number is 703-359-0700, and our website is senseient.com, or of course you could search Sensei Enterprises. We have all different kinds of folks in the office, and we’ll funnel you to the right people. Very happy to do that, and always happy to have a no-cost consult if people have some questions they’d like to ask. We do a lot of that at the beginning, and then it turns out that they do in fact have a need, which is harmonious for us both. But if it doesn’t work out, at least we’ve tried to help. And so, we would encourage that, Mark. I hope that’s helpful.

MARK:

Yes, it is very much so. To those of you listening, I hope you found something of value out of today’s podcast. My intent again today, I just am trying to find solutions. I get so many calls of, who do I turn to? This is a rough space at times, and lawyers just feel left out and unsure who to reach to. I assure you, these two and the business they have, these are good folk, and it’s a great business. I would not hesitate reaching out at any time. John, Sharon, thank you very much for joining me today. John, good fishing, and hope you guys take care of those grandkids and kids. Boy, that’s a busy, crazy life, but I’m sure it’s exciting. That’s just awesome. I’ll let you get back to it, guys. Thank you for listening. Bye-bye, all.

SHARON:

Thank you very much.

JOHN:

Bye-bye.

MARK:

Bye-bye.

 

ALPS In Brief Podcast Intro/Outro Music: Walk In The Park by Audionautix is licensed under a Creative Commons Attribution 4.0 license. https://creativecommons.org/licenses/by/4.0/

Artist: http://audionautix.com/