Cyber Security for Law Firms w/ Tom Kirkham 388

In today’s episode, Jim and Tyson chat with the CEO of Iron Tech Security, Tom Kirkham! They dive into the journey of cyber security defense systems and educate and encourage organizations to establish a security-first environment with cyber security training programs to prevent successful attacks. If you’ve been thinking about how secure your law firm is,  check out this week’s episode.

With over 40 years of experience, Tom is the creator of Iron Tech Security. A managed services provider offering IT services to law firms. It’s an all-in type of service providing a maximum relentless cyber security program.

3:03 structure

7:27 security team

9:55 Ransome wear attack

16:10 encrypted email service

19:49 recognize your threats

20:13 cost to protect your law firm

22:12 protect your privacy

24:20 be proactive

Jim’s Hack: Check out the Book, Soundtracks: The Surprising Solution to Overthinking by Jonathan Acuff. It’s all about the messages we repeat to ourselves over and over.

Tom’s Tip: If you want a deep dive into the topic of cyber security, check out these two books. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth and my book, The Cyber Pandemic Survival Guide, that you can pre-order now.

Tyson’s Tip: Check out Tile. It’s one of the easiest ways to find lost items. Never lose anything. Tile can locate items like your cell phone quickly.

Watch the podcast here.

Join the Guild: www.maxlawguild.com

MaxLawCon 2022 Tickets are Live: www.maxlawcon2022.com

Jim:                  Welcome back to The Maximum Lawyer Podcast. I'm Jim Hacking.

Tyson:             And I'm Tyson Mutrux. What's up, Jimmy?

Jim:                  Well, it's our first episode of the year, first time recording in 2022. I'm excited and happy to be here with you. How you doing? How was your break?

Tyson:             Yeah, it's our first episode. My break was great. I gave the entire firm the week off between Christmas and New Year's. It's something that I know Ryan McKeen’s been doing for a while, but we decided and did do it. We gave everyone a goal to end the year and we ended it really, really strong, so it was a great way to really, I guess, reward everybody. It was fantastic.

But what about you?

Jim:                  Yeah, we took the week off, too. And there was much wailing and gnashing of teeth with my law partner and wife. She was very worried about whether it was going to work out or not. And the team got a ton of stuff out the door in December. So, I think it seems like today, you know, the second day back, we're right back at it. So, I think we missed nothing.

Tyson:             I feel the exact same way. We wanted to settle 25 cases between like it was the second week of November and December 24th. So, I think we're about 30-- right around 30, give or take. I don't know the exact number because, once we hit 25, I really didn't care anymore. But we're right around-- I think we're at 29, what we ended up settling, but it was-- so, a great way to end the year. So, we were super excited about it. And so, all those checks will be rolling in this month which is even better. Fantastic.

Jim:                  Let me go ahead and introduce our guest today. His name is Tom Kirkham. He's the founder and the CEO of Iron Tech Security. They provide cybersecurity defense systems. And they educate and encourage organizations, like law firms, to establish a security first environment with cybersecurity training programs for all their workers to prevent successful attacks. Tom has been in the business for three decades.

Welcome to the show, my friend.

Tom:                Oh, nice to be here. Hope everybody had great holidays. Sounds like you guys took a whole week off.

Tyson:             Absolutely. Yeah, a lot of fun. A lot of fun.

So, Tom, tell us about-- I know you've been doing this for quite a bit but tell us about your journey and how you got into cybersecurity, and what you're doing these days?

Tom:                Well, I've been in technology, it's actually 40 years now, not to show my age too much but in all facets of it both as an investor, software designer, network administration, and--

So, about 20 years ago, I created our company which is a managed services provider and that we provide IT services to law firms. You know, it's an all‑in type of service. So, we've structured our company in such a way that any law firm that uses us, we're on the same team. In other words, we're not billing by the hour. It's a one lump sum, call us as much as you need, you know, when office is acting up, you know, Outlook is acting up, you can't get your Word to run, your servers need to be managed and maintained. Basically, we make more money, the fewer problems a law firm has.

Now, what really changed, from a cybersecurity perspective, is when the FBI visited me, in May 2015, to advise me that I'm on an ISIS kill list. And getting over the initial shock - name, address, phone number, and I'm pretty well known in the community, and I'm named to be killed. And long story short, it was because of a hack of a database, presumably, in Chicago. And so, I created a new division for a company called Iron Tech Security. And that is strictly to concentrate on providing maximum relentless cybersecurity to law firms of all sizes and we do other vertical markets as well.

Jim:                  Well, that's sort of scary. And why don't you tell us some other like scary things that happen to law firms that don't have good security - good, you know, protection?

Tom:                Well, the biggest threat to law firms, as well as to all of us, all around the world, is the scourge known as ransomware. And the last few years, ransomware attacks also have an extortionware component, so it's not good enough that you restore from backup and not pay the ransom because what they're going to do, if you don't pay the ransom, is they're going to take the data and either sell it on the dark web, publish it, you know, send it to WikiLeaks - whatever they can do to make the most money off of it.

So, what we're seeing is IT professionals - let's say a law firm already has an outsourced IT or they have an on‑staff IT, is the vast majority of people don't realize that InfoSec or-- that's what we call it inside the business, cybersecurity is a whole different discipline. If I had to make a comparison, it would be like hiring a divorce attorney to do intellectual property law, okay, or a neurosurgeon to do heart surgery. It's an entirely different discipline. It takes an entirely different mindset. Response time to security anomalies become super, super important in order to stop those threats.

And IT can't keep up with the pace of change in the cybersecurity world. You know, you think about it as being well, it changes every day. Well, take that and then combine it with the cops and robbers, you know, the bad guys and the good guys, combine it with geopolitical dynamics like with Russia, China, Iran, North Korea, and you quickly understand that it's a whole different deal. So, what we are in the middle of doing is educating people on those distinctions because it's super, super critical.

And it's not just us saying this, even the White House, this past year, about seven months ago, issued a letter saying you've got to do these five things. And one of those is to have a skilled security team already in place. And Iron Tech Security division is what's known in the business as a managed security services provider. It's not enough to have IT go in and put your antivirus on to secure your network, tweak your firewalls, put in a good spam filter. You've got to have a whole different class of products to protect yourself against ransomware and other attacks that you can't buy off the shelf. And it's usually beyond the skill set or the knowledge of IT.

You want IT to concentrate on their job, you know, keep your stuff up and running, make sure you're getting-- you know, you’ve got a 20‑person law firm, you bill an average of, I don't know, $800 An hour, you can imagine what just four hours of downtime, how that impacts the top line revenue, right? You want IT to focus on that. But you need a security team to be Johnny‑on‑the‑spot to proactively manage and protect that network, that client dataset, from breaches because it can put your law firm out of business.

Attorneys, the primary thing they trade on is reputation. And a single cyberattack can quickly destroy that even if you pay the ransom. That's what we do. That's what we do day in and day out - investigate anomalies, investigate events, keep tabs on geopolitical dynamics. Right now, we're concerned about Ukraine, a little bit less so on Afghanistan at the moment, but these are all threat vectors or threat actors that can attack law firms of any size.

Tyson:             So, I'm curious. I'm going to ask you a different question than what I was going to ask you, because I'm curious about what you just said. How do you track that? How do you know where these threats are coming from predominantly?

Tom:                Well, technically, you can track by IP address. And you can see that-- you know, the servers-- say, the ransomware requires a couple of different servers, one to distribute the email, you know, the phishing email, to get somebody to click on it, deliver the payload into the network which begins encrypting the file. So, those servers have an IP address and you can geolocate ‘em and you can see that that email server’s in Russia. Chances are the encryption server is also in Russia. They have a huge, huge criminal industry there. It's really Putin’s cyber mercenary force. And he allows them and protects them, inside of Russia, because their interests are aligned.

But, having said that, there's all sorts of organizations, both private and public, that keep tabs, that go on the dark web. They learn their tactics, techniques, who they are, and they can identify. And then, we build profiles, right, understanding their tactics, techniques and procedures, so we can better defend against them. So, cybersecurity is a huge industry with as many specialties that's under the roof of a good‑sized hospital.

Jim:                  All right. So, walk me through a nightmare scenario for a small law firm owner. He/she laying in bed. They wake up in the morning. What happens? What does it look like? And then, what has to happen?

Tom:                So, the way a ransomware attack works, what the storyline-- that's an actual term inside of our industry, is they blast out tens of thousands or hundreds of thousands. Say, they could get all of the attorneys, say, in Missouri, a member of the Missouri Bar, or Texas Bar, or New York Bar, whatever it may be. And you can find that stuff on the web. And so, they'll send out emails to whatever context they have inside of those firms. They use psychological manipulation, social engineering.

It's really just a con job - a scam, you know, like the one‑to‑one con’s that you get on Bourbon Street in New Orleans. You know, I'll tell you where you got them shoes. Well, now, they're doing a one to many. They're doing one to 10,000 or one to 100,000. How many attorneys are there in Texas? You know, half a million, maybe. I don't know. But they blast out an email. And all they need, in those kinds of numbers, is a 0.1% conversion rate. And they think in these marketing terms. It's a volume game.

So, somebody gets an invoice. And let's say-- and I have to apologize because I'm not in the law business but, at one time, Westlaw was one of the big research deals that everybody subscribes to. So, if I were going to conduct a phishing email, I would use psychological tools such as, “Your Westlaw invoices remain unpaid. You know, your subscription is going to be cut off tomorrow if you don't pay these outstanding invoices,” and I attach a spreadsheet to it.

Now, maybe the bookkeeper, or the accountant, or whatever inside the law, firm, controller, whatever it may be, or you as the, you know, a smaller law firm, or your office manager, whoever's tasked with paying the bills, they get, “Oh my, we’ve got to pay these bills,” or “I thought I already paid ‘em.” They open the spreadsheet and it triggers the attack. Over 90% of successful breaches require an insider to let them into the network. It immediately begins encrypting all the files. And, after some time, depending on the volume of data, it'll pop up on the screen demanding a ransom. It could be 5000. It could be 10,000.

Everyone hears about the colonial pipelines, the JBS’s. These big ones, right, that hit the headlines on CNN. But the vast majority of ransomware attacks are 5000, 10,000 20,000 that you never hear of. When we do continuing education webinars in the law business, anywhere between 10% to 20% of the people, on those webinars, have either had a ransomware attack, or they personally know someone that's had a ransomware attack. That is the nightmare scenario because your data becomes unusable. Maybe your accounting files, all of your client data is now at risk, any other sensitive information. And that's the nightmare scenario.

And if you don't already have a security team in place to respond, possibly mitigate it, possibly restore from backup or learn who the attackers are, you're already behind the eight ball. You know, they're going to give you five days to pay the ransom, typically. That's pretty typical. And it's going to be done in and you're going to transmit it to, likely, a Russian criminal. That's the nightmare scenario.

Now, larger law firms have to worry-- especially if you're dealing with intellectual property. So, you're a patent attorney. Well, you've got to worry about China. You have to worry about nation states. The amount of intellectual property that China has stolen, over the past few years, some experts say it's the largest transfer of wealth in human history. And if you stay up to date on how China has gone from being a third world country to some of their cities are more advanced than any city in this country, much less Western Europe or anything like that, it's laid out right there in front of you. All of this intellectual property that's been stolen over the past couple of decades.

Another thing that complicates things is our own NSA (National Security Administration). Their tools have been hacked and they're available to download for free off the dark web and used by criminals and other nation states. These are advanced offensive cyberweapons available for free to enrich the attackers. The days of antivirus going to your IT are simply over with. You've got to go to specialists to protect your law firm. I can't say that enough.

Tyson:             The Guild is an insanely productive community of lawyer‑entrepreneurs with a growth mindset who share their collective genius and hold each other accountable to take their careers and businesses to the next level. But in 2021, we are upping the game. In addition to exclusive access to the group, FaceTime with the two of us, discounted pricing for live events and front‑seat exposure to live recording and podcasts and video, we're mapping out, for members, the exact growth playbook with our new program, Maximum Lawyer in Minimum Time.

Jim:                  As a Guild member, you'll build relationships and experience content specifically designed to complement your plan for growth. For a limited time only, The Maximum Lawyer in Minimum Time program will be offered for free to all new Guild members. Join us by going to maxlawguild.com.

Tyson:             So, Tom, I have a cat door. I don't have a cat but I have a cat door. The previous owner put it. It goes into our basement. And I've done everything I can to wall it off. I should hire a professional to come in and block it some way. But I put bricks up against it. But I just know, at some point, a rodent’s going to get through there, right? So, we know about the obvious robbers that will break through the window and they'll steal all your stuff, but it's the rodents that will come through, and weasel through, and they'll do a lot of damage.

So, what are the things that we're overlooking? I think most of us know about the obvious email that comes through and, if you click on it, you might screw up and next thing you know, you're paying a ransom. I know an attorney that it happened to. What are the things we're overlooking? What are our cat doors in our firms that we need to be closing and hiring a professional to close?

Tom:                Oh, wow! That's a great question. I think your email servers and the content of your email is commonly overlooked in law firms. Most law firms should seriously consider using an encrypted email service. And here's the reason. I don't know how far in the weeds you want to get. I don't know how technical your audience is. Presumably, I would hope that they know a ton more about law than they do about technology.

But here's the deal with email, if it's not encrypted. The transport of the email is encrypted, right? The actual sending it over the internet. I mean, just check with IT and make sure that the transport is encrypted. If you're not, you find a new IT person.

But people overlook the data at rest component, okay? Where are those emails stored in the end in that it's going from me to you, let's say? Well, it's going to be in a spam filter. It's not received in the spam filter and then merely forwarded. It's actually kept there. It's going to be in the mail server. It's kept there.

So, people overlook that data being able to be accessed, that data at rest. And law firms typically want to keep their emails forever. So, that's another deal is archiving email which is yet another service you should seriously consider. It's not your email service provider’s duty to store your emails forever. It's a different service that you've got to do.

The weakest link, like I said earlier, is 90% of breaches require someone on the inside. And these are the volume breaches, right? These are the shotgun breaches. They don't know who you are. They don't care who you are. They don't care if you're in a little podunk town in the middle of Mississippi or Arkansas. You just simply got caught in the spray. You know, I'm not talking about targeted attacks. So, not putting cybersecurity awareness training in your firm, not treating it as a top‑down.

A very special component about cybersecurity that we can't do, as a firm, is bake it into the culture and treat it seriously. Passwords - reusing passwords is a huge, huge no, no. The firm should be using a password manager, requiring a minimum of 20 randomly generated passwords and never sharing those with anyone else. Never reusing passwords - that culture has to be established from the top down. That's a leadership issue - a management issue.

Those of you that may be listening, well, I get it. I do need to get better protection. We don't have-- I mean, all we're relying on is antivirus. Antivirus is pretty much useless anymore with these advanced weapons that are being used against us, literally, every single second of the day. I get that. So, I make a decision - a management decision to go out and find a good InfoSec company, a good security company to protect the firm. I get it. I'm going to invest in protection. Protect the firm's reputation. Protect the employees, the clients - all of those things.

Where it breaks down and where the cat door is, is so many attorneys and law firms, they don't mind spending the money on the technical protection. They don't mind spending the money on a skilled security team, but they think it's an impact on productivity or whatever it is to get security training. It's a hassle to use a password manager. So, they rely too much on just the technical components. Now, we can do a really good job with just the technical components but we've really got to have a buy‑in, top‑down, set the tone that we are all going to treat security seriously and recognize who our threats are and what our threats are. And it's different depending upon the firm's specialties.

Jim:                  So, I would imagine that you're right that the biggest thing that people complain about or the biggest hurdle to doing this is, they're like, “Man, I don't have to memorize a 20‑character password.” And they just don't understand the technology that's even there. But I think the other one is the cost. So, what does it look like to invest in protecting your firm? And I know that we could do the cost‑benefit, like what it's going to cost if you get held up? But what does it just generally cost for--? You know, walk me through that.

Tom:                Well, it's really easy. Our stuff starts out at $20 an endpoint per month. And that is you're going to dramatically improve your defense posture. At that price, we have never-- even the clients that get the bare minimum. And you’ve got to think-- we've got to identify what your risks are, and where all the data is, and how big the law firm is, your areas of practice - things like that. But even at just the $20 a month, you've got a skilled security team. We're going to put in a class of product called an EDR (endpoint detect and response) that's going to replace your antivirus. And that, right there, with just those two things, we've never had a client have a successful breach. No successful ransomware attacks with just those two things.

Now, you can add more and more layers. We treat it as an onion-- or it's like an onion. At the core of the onion is the assets you're trying to protect - the data, your clients, your employees, yourselves, the firm's reputation, and on, and on, and on. Then, we add layers, and layers, and layers because we're going to presume that one of those layers is going to be pierced, like the human component, the 90%. So, that should give you a good idea. That's a good place to start.

Tyson:             All right. So, I'm going to ask a couple of questions. I know we're running up on the time but what are the things we need to be looking at in the future because text messaging seems like it's going to be a problem going forward, messaging could be a problem going forward, any social media channel. So, what are some things we should be looking out for in the future?

Tom:                As far as--

Tyson:             As any, any--

Tom:                --threat vectors?

Tyson:             Yeah, any potential-- I like that. Any potential threat vectors?

Tom:                Yeah. Well, of course, Facebook is a real-- you know, don't publish your vacation, tell people you're going to be out of town. This is perhaps a cat door. You've got to protect your privacy. Everyone has data that has to be kept private even if it's nothing more than your bank account credentials.

We had a commercial real estate company that came to us after losing about $400,000 on compromised bank account credentials. So, you’ve got to worry about that. If you're doing remote access, multi‑factor authentication should be a must. It should be. In fact, we require it for all of our attorneys.

And, believe me, March 2020, when COVID first hit, we had hundreds of attorneys that, all of a sudden, one day, needed to work remotely. We would not like those remote connections up without establishing multi‑factor authentication.

We can turn on remote access in minutes, right? And many of you probably, listening to this podcast, now, experienced exactly what I'm saying. The problem is to add MFA to it, it changes it from minutes to hours because we've got to reach out, install applications on their cell phone, and things like that. But we refuse to light ‘em up because we saw 1,000% increase in like overnight on attacks on that technology.

I guess, what I'm saying is SMS can be intercepted. You know, some of you may be using multi‑factor where you get a text message and then you type in that six digit. That's better than not using it. It's much better than not using multi‑factor authentication. But even better is an actual generated random number with a time bomb on it. You know, with Google Authenticator, or using a tool called Duo, a product called Duo, for remote desktop access.

Be aware that, if you're on Facebook and social media, that you're being monitored. If you're dealing with intellectual property, especially if you've got a significant‑sized firm dealing with significant‑sized clients that have intellectual property, you're on China's radar. Don't think you're not. Even if you're not handling the intellectual property itself, you're a threat vector into that Fortune 100 company.

It's really about treating it seriously and stop hoping that it won't happen to you - actually being proactive and to put the things in place that you need to protect your firm.

Tyson:             Very good stuff, Tom.

All right. So, I do need to wrap things up. Before I do, though, will you tell people, if they want to reach out to you and they need your services, how can they get in touch with you?

Tom:                Oh, they can reach me at my email, [email protected]. Our website, irontechsecurity.com. There's a hundred different ways to reach us, yeah. And if you just want to talk things out.

You know, many times, especially for the smaller firms, we already know what you need. We don't have to go through a significant assessment. The larger firms, we prefer to do the assessment. But we can literally roll out, within hours or days, to dramatically improve the security in your law firm and let you sleep better at night and you have the knowledge that you made a great decision, so.

Tyson:             Very good.

All right. As we continue to wrap things up, I want to remind everyone to join us in the big Facebook group where we have over 5100 members and growing. Also, make sure you get your tickets to MaxLawCon2022. Go to maxlawcon2022.com. And if you want a higher‑level conversation about your firm, go to maxlawguild.com and join us there in The Guild.

Jimmy, what's your hack of the week?

Jim:                  All right. Well, first of all, thanks for coming on the show. That was really insightful. I really got a lot out of it. And I think, when I have my wife and law partner listen to this, she's going to freak out and we'll be a calling.

My hack of the week is a great book that our friend Joey Vitale sent me called Soundtracks by Jon Acuff. I really enjoyed it. I read it over the holiday. And it's all about the tapes that we play to ourselves, the messages that we repeat to ourselves over and over. And it has probably six or seven good chapters on how to sort of change those tapes and come up with new messaging for ourselves. And I've really enjoyed the book a lot.

Tyson:             Very, very good. I've not started mine yet, Jimmy, but I plan to start my book that Joey sent me as well. So, very good. I know you’ve spoken very highly of it, so very good.

Tom. All right. We always ask our guests to give us a tip or a hack of the week. It could be a website. It could be a book. It could be a podcast. It could be an app. Whatever it might be. So, do you have a tip or a hack for us?

Tom:                I certainly do. Do you mind if I share my screen?

Tyson:             Go ahead.

Tom:                And the reason I wanted you to see the cover of these books, This is How They Tell Me the World Ends. It's by Nicole Perlroth. If you want to deep dive into these things, and if some of these things I've said earlier today seem incredulous, you have doubts, this book will remove all of those doubts and you're going to hear even more bad things. This is the best cybersecurity book out there that's ever been written that describes the sheer scale of the threat. Nicole Perlroth, she researched this for 10 years. It's incredible.

And, finally, I'm going to plug my own book that's coming out, hopefully in February. And it's The Cyber Pandemic Survival Guide. Both of those are highly recommended, of course.

Jim:                  Awesome.

Tyson:             Absolutely. Absolutely. Very, very good. Thanks for sharing those.

And, finally, my tip of the week. I don't know how secure these are but I'm sure that they're okay. Tile. I got a Tile in my stocking, I think, or got it from someone for Christmas. And I had always seen Tile and like commercials for Tile. And I was like, “Yeah, I don't know if I'll ever get those.” Actually, yeah, they’re cool. I've got one in my briefcase. And then, I put one on our pool key, so we don't lose our pool key.

But what's really cool about it is you could actually find your cell phone with it. So, let's say you're going around the house-- I usually use my Apple watch. But let's say you don't have your Apple Watch on, you can double tap the Tile and it’ll help you find your cell phone. So, it's actually a pretty cool tool. So, I highly recommend it. And there's-- you can actually see-- the app is really easy to use and everything. So, my opinion of Tile has completely changed. I think it's a pretty cool resource so check it out.

Tom, thank you so much for coming on. Like Jim said, I learned a lot. I think this is going to be a really, really good podcast for people to listen to. So, thank you so much for coming on and hope that people reach out to you.

Tom:                Yeah. Well, it was absolutely my pleasure. That's my job is educating people. The vast majority of people do not understand the seriousness of the threats.

Tyson:             Well, I think we have a better idea now. So, thank you so much, Tom. Appreciate it.

Jim:                  Thanks, Tom.

Tom:                My pleasure.

Tyson:             See you, buddy.