Cybersecurity Fundamentals for Legal Professionals


Transcript of Cybersecurity Fundamentals for Legal Professionals

Page 1: Cybersecurity Fundamentals for Legal Professionals

Shawn E. Tuma

Cybersecurity & Data Privacy Attorney

Scheef & Stone, LLP

[email protected]

Cybersecurity Fundamentals for Legal Professionals: A Lawyer’s

Duty to Protect Client Confidences

@shawnetuma

Page 2: Cybersecurity Fundamentals for Legal Professionals

The Problem

• Cybersecurity and privacy are issues that most attorneys would prefer to ignore but are uniquely obligated to address.

• Cybersecurity and privacy impact all lawyers and law firms alike.

• Clients demanding adequate security (firms are their third-party risk).

• Law firms are an increasingly popular target.

• Value and sensitivity of data.

• Data for multiple clients.

Page 3: Cybersecurity Fundamentals for Legal Professionals

The Ethics

“A lawyer should preserve the confidences and secrets of a client.”

• Ethics Opinion 384 (Sept. 1975)

• Canon No. 4, Code of Professional Responsibility

• Disciplinary Rule (DR) 4-101 (A) and (B)

Page 4: Cybersecurity Fundamentals for Legal Professionals

To protect the law firm, you must:

• Protect your data for:

  • Confidentiality

  • Integrity

  • Availability

• Against threats from:

  • Insiders

  • Outsiders

  • Third-party partners

Page 5: Cybersecurity Fundamentals for Legal Professionals

The Question

Are most cybersecurity and privacy incidents:

• Sophisticated James Bond-like attacks?

or

• Simple things, like people doing dumb things?

Page 6: Cybersecurity Fundamentals for Legal Professionals

Usually the real-world threats are not so sophisticated.

Easily preventable:

• 90% in 2014

• 91% in 2015

• 63% of confirmed breaches involved weak, default, or stolen passwords

• Data is lost over 100x more often than it is stolen

• Phishing is the method used most to install malware

Easily avoidable breaches:

• 90% in 2014

• 91% in 2015

• 91% in 2016 (90% from email)

Page 7: Cybersecurity Fundamentals for Legal Professionals

Common Cybersecurity Best Practices

1. Risk assessment.

2. Policies and procedures focused on cybersecurity.

  • Social engineering, passwords, security questions

3. Training of all workforce.

4. Phish all workforce (esp. leadership).

5. Signature-based antivirus and malware detection.

6. Access controls.

7. Security updates and patch management.

8. Multi-factor authentication.

9. Backups segmented offline and redundant.

10. No outdated or unsupported software.

11. Incident response plan.

12. Encrypt sensitive and air-gap hypersensitive data.

13. Adequate logging and retention.

14. Third-party security risk assessment & management.

15. Intrusion detection and intrusion prevention systems.


Page 23: Cybersecurity Fundamentals for Legal Professionals

www.solidcounsel.com

Cyber Risk Management Program

• Cyber Risk Assessment

• Strategic Planning

• Deploy Defense Assets

• Develop, Implement & Train on P&P

• Tabletop Testing

• Reassess & Refine

Page 24: Cybersecurity Fundamentals for Legal Professionals

Cyber Risk Management Program

Page 25: Cybersecurity Fundamentals for Legal Professionals


“You don’t drown by falling in the water; You drown by staying there.” – Edwin Louis Cole

Page 26: Cybersecurity Fundamentals for Legal Professionals

• Board of Directors & General Counsel, Cyber Future Foundation

• Board of Advisors, North Texas Cyber Forensics Lab

• Policy Council, National Technology Security Coalition

• Cybersecurity Task Force, Intelligent Transportation Society of America

• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)

• SuperLawyers Top 100 Lawyers in Dallas (2016)

• SuperLawyers 2015-16 (IP Litigation)

• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)

• Council, Computer & Technology Section, State Bar of Texas

• Privacy and Data Security Committee of the State Bar of Texas

• College of the State Bar of Texas

• Board of Directors, Collin County Bench Bar Conference

• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association

• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)

• International Association of Privacy Professionals (IAPP)

• Board of Advisors Office of CISO, Optiv Security

Shawn Tuma

Cybersecurity Partner

Scheef & Stone, LLP

[email protected]

@shawnetuma

blog: www.shawnetuma.com

web: www.solidcounsel.com