Streamlining Law Firm Management with Expert Outsourcing
In this webinar, you will discover how visionary law firms are virtualizing fractional finance, security, and IT experts to improve their bottom line with great talent.
KINDSEY: I want to start off by thanking everyone for joining us this afternoon today for Fractional C-Suite for Your Law Firm. We’ve got Tom Kirkham, the founder and CEO of IronTech Security, and Ryan Kimler, and he is the founder and CEO of Financial Clarity. I’m going to introduce them both real quick.
Tom is the founder and CEO of IronTech Security, which is an MSSP, a managed security services provider. Tom brings more than three decades of software design, network administration, computer security, and cybersecurity knowledge to organizations around the country.
Ryan, again, is the founder of Financial Clarity, a bookkeeping, accounting, and financial services firm, bringing clients clarity and guidance, giving them a clear path to having a growing, more successful and profitable business. They provide business owners with a fractional CFO guide to help them understand what is working in their business and what is not.
Tom, if you are ready, you can go ahead and get the show started.
TOM: Let’s get going. Before we get started – and Kindsey, monitor this for me because I’m not the normal setup, but I have a question for everyone on the webinar. Have you or someone you personally know been a ransomware victim? If the answer is affirmative, just put “yes” in the chat box, and at the end we’ll circle back around and see what we have. We know what we historically see, but I always check. Sometimes I’m very surprised.
To give you guys an anchor before Ryan jumps right in, this is what we’re talking about today. We’re talking about IT, security – that’s infosec – and we’re talking about finance or accounting and related functions in your company, virtualizing those. I know most law firms don’t have that CEO title, but we want to think in terms of roles and duties and responsibilities, things that it takes to run your law firm. So when you’re wearing one of these hats, especially in the red box, that’s what Ryan and I are going to talk about.
Having said that, I’m going to turn it over to Ryan.
RYAN: Sure. Today I’m going to be covering three pieces, a tie-in to profitability and accounting operations. For those of you that are on the call, I’m going to give you a system that we can build your accounting department up from the ground up so that everything is scalable and works as your law firm continues to grow. It’s definitely not the only system that’s out there, but this blueprint that I put together here is everything that should be going on in your accounting department.
I’ve also got things color coordinated here, and I’ve put in a system where working with an outside accountant, you can have a lot of this off of your plate, and that’s where you see everything highlighted in blue there. It’s tasks that the accountant you’re working with should be able to handle, and that could be even virtually or remotely. We’ll talk about that a little later on.
The green parts that you’re handling, I’ve got the system down to a science where you’re doing your monthly billings just like you always would for your client, and then at the end of the month, you have a 1-hour meeting with your accountant or CFO to go over your financials and what happened. That’s there in the lower right-hand corner. That’s the end result. It’s a 1-hour get together, and it really takes a lot of accounting time off of the law firms that we work with, off of their plate so they can do more rainmaking and bill more hours.
The items in red there are physical paper items, like if you’re still getting bills in the mail, you might have an assistant or a paralegal or something like that help you or help your remote accountant handle those things to work so that your accountant, like I said, doesn’t have to actually come to your office. But otherwise, everything else should be handled between an assistant and an accountant.
Let’s start with paying bills. As I mentioned, you might still be getting bills in the mail. I’ve got this color coded in red here. You can have an assistant or a paralegal open the mail. Bill.com is a system that we commonly use while working with law firms. It’s really great because you can upload those PDFs and then your outside accountant can process those bills, put them into your accounting software, and also pay the bills by ACH or by check.
There’s also an approval process as well. Some of the attorneys we work with still want to see the bills and want to approve them, and that’s great. Bill.com allows for that. And then some of them are like, “Eh, just pay them,” and we take care of that as well. So it helps you put bills on autopay. Like I put there, your assistant can open those bills, upload them to Bill.com, and then you don’t have to have an accountant in your office necessarily, and they can still help you with your accounts payable and getting all your bills paid.
The second piece here is receivables. You’re going to bill all of your clients in your CRM, and for that you can use any number of the software throughout there. We have attorneys that work with us that use Clio, PracticePanther, and MyCase. Those are three of the big ones. You’re putting your billings into your CRM; your assistant can process invoices and credit card payments. We really like using LawPay. It was built for attorneys, and they do a great job of keeping trust funds and invoice funds separate, which is really, really, really important.
And then obviously with LawPay and your CRM being in the cloud, that again opens up the possibility that you could have an accountant that’s working outside remotely that doesn’t have to be in your office and can record all of your deposits.
Here is a little piece that I just talked about a minute ago. We like Clio. I am a Clio certified advisor. You’re billing your hours and expenses. One of the important things that can come out of a practice management software like Clio is non-financial data – things like your realization rate and your utilization rate, and if you have attorneys that are working for you, keeping track of how many billable and non-billable hours those attorneys have. Clio, by the reports we can run out of there, along with other CRMs, can really help you develop non-financial datapoints.
Again, as an accounting firm, as a financial firm, we really help our clients do that so we can make sure that the staff that’s working for them is efficient and they’re operating properly as a profit center for you.
Then on the accounting software side, we really like using Xero. I am Xero and QuickBooks Online certified. I’ll tell you most of the firms we work with end up in Xero for a few reasons. One is it has all the same features as QBO at less than half the price, and the other one is that it was built in the cloud, so it really syncs up well with a lot of different other apps. For example, it syncs up well with Bill.com. It also syncs up well with a large number of online banking tools so that you can keep track of all of your banking information, deposits, expenses, as well as have a reconciliation and make sure everything matches up with the balance that’s in your bank.
Your accounting software also helps you keep track of any open invoices that you have, helps you produce an AR report or accounts receivable report of the clients that owe you money – and that’s really important as well, to keep a good handle on that. But the end result of your accounting software is it’s pulling in all of this data, it’s taking into account your deposits that are made, your bills, your payroll stuff, and the end result is it produces financial statements for you.
With our clients, we take those financial statements and we help them analyze and tell the story of what’s going on. With a software like Xero that operates in the cloud, we can do so remotely and we don’t have to be in your office to do it.
We also like to use Excel for a lot of the analysis. It also helps us with banks that don’t sync into Xero. You can do an import of all the activity. That’s really important. Making sure that your bank has a download of activity to Excel is a good backup. And then making sure your bank has check images and things like that so that we as the accounting side, if you go to the courthouse and let’s say you write a filing fee check for one of your clients, we can account for that properly. Those are just a few important features to have with your bank. Like I said, having check images, making sure there’s a good export to Excel, and then just as a backup in case it doesn’t sync into your accounting software.
Payroll, we like to use Gusto. It syncs really well with Xero as well, and we’ve found that for solo and small law firms, they provide a lot of other services as well, like setting up retirement programs and insurance. If you just have a few employees and they’re all on salary, you can set your payroll up to the point where it’s on autopilot, or you can have your accounting firm do it. But Gusto takes care of all your tax filings and statements, 1099, so that is really helpful to business owners as well.
I know just a couple years ago, the IRS moved back the 1099 filing deadline. It used to be March 15th and now they’ve moved it back to January 31st. So if you’re paying contract attorneys at your firm, using a service like Gusto that’s going to file those 1099s for you is really helpful just to ensure that you don’t incur any late fees and things like that. So we’ve seen that Gusto works really well, and as my process map shows there, syncs well into the accounting software to make sure all of the wages and taxes are accounted for properly.
And then the financial work. This is really where our firm can come in and help. We’re handling producing financial statements, your income statement or profit & loss. Really shows your revenues and all of your expenses and gets down to a really key number, which is your net profit number for your firm.
We usually produce a balance sheet for our clients as well, which is really good to look at because if you’re using trust funds, you should have your trust bank account. You should also have an offsetting liability account called your trust liability account or trust fund liability. And those two accounts should always match, showing that your trust liability that you’re holding for your clients matches your bank account. You’re going to find both of those accounts on your balance sheet, and that’s a really quick check to make sure you’re in balance.
Another important account on your balance sheet that we always like to track for our clients, and always have them look at, is your filing fees. Like I mentioned earlier, if you’re at the courthouse and you cut a check for a filing fee for one of your cases, for one of your clients, the IRS says that’s actually treated as a short-term loan, basically, or a short-term asset, because you’re expecting to bill that to your client and get paid back for it. That’s also another good check to see if you’ve got an accountant that really knows what they’re doing in handling law firms: if they’re expensing those filing fees, that’s not following IRS guidelines, and if you were to get audited – which hopefully you won’t, but if you were – one of the first things the IRS is going to do is move those filing fees from your income statement over to your balance sheet.
And those filing fees, since they’re an expenditure and you’ve got money going out, are reducing your taxable income. Let’s say your net income was $10,000 and you’ve got $1,000 of filing fees on there that dropped you from $11,000 to $10,000. One of the first things the IRS is going to do is say, “No, these filing fees go on your balance sheet, and really you have a net income of $11,000 and not $10,000.” Then you’ll be responsible for taxes and fees on that money. So that’s a really important report to look at and make sure your filing fees are on your balance sheet. You should find them in the assets section.
Also, tracking that account and making sure you’re getting paid back for those filing fees that you’re paying for your clients is another thing we really like to track for the firms that we’re working with. We want to make sure that balance isn’t continuously growing, meaning they’re paying more fees and they’re not collecting well on it. That is cash that’s going out of your firm, so that’s cash that you don’t have to spend on expenses elsewhere.
Aged receivables is another report that’s really important to look at, make sure that none of your client balances are getting too old, make sure they’re staying current on their bills. We also build budgets for a lot of the firms we’re working with, and we use non-financial data, like I mentioned earlier, with realization rates and utilization rates and things like that, typically out of Clio, to make sure the attorneys that are working for you are billing the way they should.
That’s the performance analysis and forecasting that we do with our CFO service: building out a dashboard and tracking some of those key KPIs that we can easily look at and compare to some of the other firms that we’re working with and have worked with. If you’ve got a metric that’s off and isn’t really up to industry standards, we’re going to let you know that and let you know how you can adjust that.
And then all together, what we like to do is have about a 1-hour meeting with our clients on a monthly basis. We brief them on the information that they like to know and answer any questions they might have over those statements. Like I said earlier, at the beginning, if we can get your accounting time down to just you’re doing your billings, which is time you’re going to do anyway, and then just 1 hour and you’re getting a summary meeting of “This is what’s going on with my finances,” that can save attorneys several hours that they can put towards billing or even marketing to get more cases.
So reducing the time you’re spending in your accounting department can be really helpful and provide you more time to spend in other areas of your business.
Just to recap, put it all together, that’s what I did there at the end. Everything in blue that you see here on the screen, we take care of for our clients. We come in and we build an accounting department that will scale with you, as you grow your firm. Like I said, we really try to reduce the number of hours that an attorney has to spend in their accounting department as much as possible. Sometimes that does include bringing in a paralegal or something like that.
These are two important questions that I always ask firms that are looking to work with us and looking for help with their accounting department: What could you do with your time that you save every month? Some attorneys like to spend more time with their family, or maybe they’re not working in another area of their business. Or maybe it’s that you want to go to work in another area of your business. But the important question is, what could that time really earn you if you had the systems and processes in place where you’re spending an hour or two a month, and it’s a lot less than what you have been spending?
I get a lot of questions about “Ryan, that sounds really great, but I don’t even know how to go about finding a great accountant. What are some steps that I should do to have someone implement the system for me?” I’ve got three steps here on how to find your next great accountant.
The first one here is hire an advisor, somebody that’s got a degree in accounting. Ideally they’ve got a background in working with other law firms, so they’re a specialist in your niche, because there are quite a few things that go along with law firm accounting that regular accountants don’t necessarily know. And someone that’s going to take fiduciary responsibility over your finances and over your business. That’s really, really, really important, and having somebody that you trust to take over that responsibility.
Then ask about their experience in a few key areas – experience around financial reporting. Have they done that in the past? Ask them about their experience with trust accounting and client costs and key performance indicators. Really building and developing and finding the important key performance indicators that your firm should be looking at and not only knowing what they are, but picking the right ones that are important to look at right now and finding the bottleneck, if you will, in your business is really, really important. History with producing KPIs and building a dashboard or a scoreboard is a really important experience for your next accountant to have.
Then the last step that I’ve got is trust. Can you work with this person, this company? Is it someone that you see yourself working with, like to work with them? Do you always trust them to be objective and tell you the truth? Because the reality is that sometimes, some of the information that I have to tell my clients and say “Hey, this is what I found and this is what’s holding you back” is not always easy news to deliver. So it’s really important that you trust that person and you trust them to be objective and honest with you, and really know the finances and guide you. That’s their specialty, that’s their area of expertise, to know numbers and be the expert when it comes to accounting and finances.
Outsourced hiring – I talked about this a little bit throughout this presentation. Nowadays, with as much Zoom work as everyone is doing, especially after this pandemic, I really recommend outsourced hiring for your accounting operations. Typically it’s going to be less expensive than hiring an in-house employee. You don’t have to worry about healthcare benefits or retirement benefits or payroll taxes.
Also, there are a lot of highly qualified professionals out there like myself and our firm, and I know several others that are going to be a fraction of the cost of an in-house employee. But they’re also going to have the experience in your niche of working with law firms. They’re not just the generalist that’s going around town and they handle your accounting and they also handle the dentist office down the street, and then they handle the restaurant down the street from that. They’re going to be really highly qualified professionals that have worked in your niche of law firms, and I think that specialization is really important.
And with remote work, obviously there’s opportunities for a bigger candidate pool. You could hire anyone, no matter where they’re at across the whole entire U.S.
One other thing that I like to share with the clients I work with is using a profit-first system. Here’s how it works. You probably had parents or maybe grandparents that would bring their paycheck home and divide it up into envelopes. They would have an envelope for their mortgage, and they would have an envelope for utilities, and they would have an envelope for groceries, and if they had a car they’d have an envelope for their car payment. They would literally divide out their cash paycheck into those four or five envelopes. Then when they went to the grocery store, they would take their grocery envelope and that’s what they had to spend on groceries.
The profit-first system is a system that Mike Michalowicz wrote a book about that really operates the same way, except it’s for businesses and you divide your bank accounts up into these five accounts, for example. You have an income account, where all of the payments you receive from your clients go into that income account. You have an owner’s pay account. You have an operating expenses account. And then, at a bank that’s not convenient to you, meaning no debit card, no checks – if you want to withdraw money, you literally have to go to the bank and show up in person – you’re going to put a profit account and you’re going to put a taxes account.
How the system works is every two weeks, on the 10th and the 25th, you allocate the money from the income account, where all your client payments come into, to a profit account, to an owner’s pay account, to a tax account, and to your operating expenses account. These allocation percentages are just an example, but as an example, you would put 5% of your revenue into the profit account, 50% to owner’s pay, 15% to taxes, and 30% to operating expenses. You could do that just by ACHing the money, or when you’re at the bank, as far as your income account and your owner’s pay and operating expense account, they’re all at one bank; you could probably just transfer between accounts.
On the next slide, I’ve got an example of some money here. If you had $10,000 in your income account, if it was the 10th and time to transfer the money, $500 would go to your profit account, $5,000 would go to your owner’s pay, $1,500 to taxes, $3,000 to operating expenses. And that $3,000 in operating expenses would be the money that you have to spend on expenses that you have, paying employees, all of your software, all of your things like that.
The purpose of the system is to set aside your profit first, so that’s the first account you transfer money to, and it goes to your inconvenient bank. That profit bank account is going to build up money over the course of the year. Then, obviously, your owner’s pay account is for you to ensure that you’re getting paid well; your tax account is ensuring that you have money set aside and you’re not getting a huge tax bill at the end of the year that you can’t afford or that is a stretch to afford. You’ve got money set aside for it. That tax account could also be used to pay quarterly tax estimates if you’re doing that as well. But again, it’s not coming out of your pocket. It’s coming from the business because you’ve set aside the money to do so.
So setting up a system like this is something that, again, we typically help our clients do. It can be very beneficial because it allocates money to places that you need it and saves it, especially your tax account – saves it for when you need to pay your taxes, and it’s coming from the business and not from your pocket. We really like the system, and I highly recommend asking your accountant about it. Ask if they have experience with it. Ask if they can set it up for you. It is a really good system.
With that, I think I’ve pretty well wrapped up. I hope that’s a good way for you guys to build your accounting department. We’ll have my contact information here at the end, and if you’re in need of our help, definitely reach out. I’m going to turn it over to Tom.
TOM: All right, thanks, Ryan. Yeah, the whole purpose of this virtualizing everything is you’re going to be able to get the kind of expertise that it’s going to be much more difficult to find, especially to put them on staff. It’ll be more affordable.
And just another thing that I’ve learned: don’t get cheap if you’re going to go down this road. You pay the extra money to get the best people. That applies with all of the stuff. These three – although there’s truly only two – these three virtualized C-suite executives.
So let’s jump into a little bit of cybersecurity. I always like to start with Rules of Professional Conduct, Ethics, and Client Confidentiality. These are out of New York RPC, but most states have the same thing. They’re all based on American Bar Association. These mention protecting your client data from unauthorized access to or inadvertent disclosure of. Whether you’re talking 1.1, 1.6, the comments, and so on, they all refer back to this phrase called “reasonable efforts.”
As an infosec specialist, I have a problem with what “reasonable efforts” are. The game has changed when it comes to cybersecurity. If your firm is relying on antivirus to protect your client data or protect your firm, your financials, whatever it may be, and you suffer a breach and you did not put in the 5 things that I’m going to talk about, I would testify that you did not use reasonable efforts. Like I said, the game has changed right now. And the game changed today when you woke up, literally today, with the invasion of Ukraine. Hopefully I’ll have time to wrap that up, wrap in the tie-in.
Don’t forget, if you’ve got any questions, throw them up in chat. We’ll circle back to them at the end.
Let’s take some myths and bust them. I’ve heard IT pros say this. Many people think they’re too small; why would anyone want to attack you? You’re in the middle of nowhere. You’re a very small firm. No one’s heard of you, especially in Russia or China or where have you.
Well, here’s the deal. These are done at scale. They’re done automated. They’re using bots. They really don’t know, nor do they care, who you are. It’s a numbers game. They’re sending out 100,000 emails, compromising 100,000 websites. They’re looking for 1%, so to speak, of victims. They send out 100,000 emails; 1% becomes a victim, that’s 1,000 people. If they pay an average ransom of $10,000 apiece, that’s $10 million. It’s a numbers game. Don’t know, don’t care. No such thing as being too small.
Almost everyone thinks you can’t afford good cybersecurity defense, but I’m here to say that you can get the same cybersecurity defense that Fortune 10 companies – Ford Motor Company, AT&T, ExxonMobil, Department of Defense – the same defensive tools that they have and the same specialists that they have are available to the smallest of firms. And just for an idea, it starts at around $20 a computer per month. Yes, it does cost more than antivirus, but antivirus is about useless.
Which brings me to this one. I’ve heard IT pros say most of these, including this one. “Antivirus is good enough. That’s all there is. Just don’t click on file attachments from people you don’t know.” None of those three assertions are accurate or true. Antivirus is not good enough. In fact, in the case of the latest version of Norton, it’s worse than not any good. It’s actually negative good.
There is an entirely different class of products that will protect your firm from a ransomware and other types of attack, including those that Russia is using on Ukraine today. As far as not clicking on file attachments from people you don’t know, the days of misspelled words, poor grammar (like I’m using right now), bad graphics – those are over. I get a chuckle when I see one anymore. We pass it around the office, “Hey, take a look at this one. We haven’t seen one of these in 5 or 6 years.” These emails, these website compromises can fool even cybersecurity experts. So don’t think that you can rely on the fact that you don’t know who that is. I get emails frequently purportedly from people that I know, and they’re phishing emails. They have a payload that will infect the network.
For those of you that have cybersecurity insurance, great. But go one step further. You want to make that insurance, like all other insurance, the last thing you want to rely on to make you whole. Insurance is not going to pay for your reputational damage. It’s not going to pay for any client reputational or other loss. In many cases it’s not going to pay for civil liabilities. If you’re a personal injury attorney and medical records get breached, that’s the Office of Civil Rights. They don’t mess around. Some of you may be in other things. Loss of intellectual property of a client, the insurance is not going to pay for that damage to the client themselves. Or at least, you’re going to run out very quickly.
Get good cybersecurity defense. Make both of those priority. I understand why everyone does it; they don’t know what else to do, it’s part of your insurance renewal, agent says, “Oh, by the way, you probably ought to get this. Everybody buys it.” But you’re not taking care of the defense. It’s like buying office insurance, all the content in your office, but you never lock the door, or you don’t fix the wiring in your house and you’re just relying on homeowner’s insurance to buy you a new house when it burns down. Get both.
For those of you – and I know there was at least one that I saw earlier – if you’ve had a ransomware attack and your network has not been examined by a forensic infosec specialist, you’re not fine. Every ransomware attack for the past 4 or 5 years has multiple payloads, and most of those are nation-state offensive cyberweapons that are very, very hard to detect. Chances are you’ve got server backdoors, keyloggers, and other malware on your network just waiting to be exploited by another hacker. Nation-state criminal, terrorist, whatever it may be.
Once again, it’s totally indiscriminate. The Colonial Pipeline attack, they didn’t know they were attacking infrastructure. It was a target of attack, but they didn’t know what the customer did for business. They actually apologized. They just knew it was a big fish. They had a big payday coming. In the case of ransomware, you’re a patsy. You get on the easy list the next time, so you’ll get more and more ransomware attacks. We’ve never gone into a new client that’s had a ransomware attack and not found other backdoors, malware, and things like that.
And finally, “Cybersecurity is an IT issue.” I understand where you’re coming from. Most people believe that. But it’s actually two entirely different specialties, and you don’t want to confuse the two when it comes to getting solutions to protect your law firm.
Let’s take a look at some differences. Infotech versus infosec. IT objectives versus infosec or cybersecurity defensive objectives. In these industries, an MSP is a company that you would typically outsource to as a virtual CIO (chief information officer). You will outsource that to a managed services provider. You pay them one monthly fee and they make sure things don’t break, keep you up and running, do your backups, put your patches on, things like that, manage the help desk. Any issues you have, just give them a call.
But what you have to understand is their objectives revolve around productivity, efficiency, minimizing help desk calls. It’s a bottom-line focused investment in your firm. It’s bottom-line focused. Always has been, probably always will be. That investment is to improve the bottom line, where you can do more cases, handle more clients, and everybody works more efficiently.
Infosec objectives are different. It’s about understanding the risk to the firm. It’s about monitoring and responding quickly. And I don’t mean 4 hours, like an MSP will. I mean within minutes or seconds. Infosec has to keep track of geopolitical factors and dynamics such as what is happening right now as we speak. And believe me, we are paying very, very close attention to it. Already beginning to see fallout in the United States.
But the point of infosec is to protect all of the stakeholders: the firm itself, the financials, the client data, the clients themselves, maybe your vendors. Some of you, it might be your city, county, state, or national organization that you represent. We’ve got to protect all of the stakeholders. Security is job one, and we do not sacrifice productivity and efficiency over security.
If you want to think of it from a high level, from a CEO level, IT is more of an operations role, whereas infosec is more of the strategic role.
What I like to do is go back to the organization chart. This is the old way of thinking about it. It’s not unusual for a CEO or managing partner or the owner or whatever that head honcho title is to go to their IT people, whether it’s on staff or outsourced, and say, “Hey, I’m really worried about security. Let’s get some better stuff in here.” It’s treated as a bolt-on. It’s like something that needs to be added to IT. “We need to enhance our IT. We need to secure our IT.”
Well, all the Fortune 500 companies, as of 2021, have made infosec part of the C-suite. It’s a chief information security officer, or a virtual chief information security officer. And they have a direct line of communication to the owner or the decision-maker, the leader of the organization. So they understand what risk there is to the firm if finance said, “We don’t have the budget for it,” or the CIO says, “That’s too many help desk calls we’ll have to field.”
The security officer’s job is to make sure the CEO is making an informed decision, weighing productivity, how much money is available, what risk the firm is under. Do you handle patent law? I promise you China would be very interested in your files. The amount of intellectual property that China has stolen over the past two or three decades is the greatest transfer of wealth in human history.
This is the current way of doing it. What I’m going to do, and what I am doing today, is to ask you to think about it in an entirely different way. Treat IT as the bolt-on to security. Because without security, IT doesn’t work. All that other IT stuff just goes out the door. Imagine if you were to have a breach in your firm. Do you really care if the receptionist’s Outlook is working at that moment? Without security, the rest of IT becomes useless.
So what we’re seeing, and what thought leaders in this industry – probably the first time you’ve heard this from anyone, but what the thought leaders in this industry are doing now, the visionary leaders in all industries – law, finance, manufacturing, any industry you can think of – they’re flipping it around. They’re making security job one. For decades, the world has traded security for productivity and efficiency, and now what we’re seeing – the bulk of cyber war weapons, 90% of that money is spent on offensive, not defensive. The defensive stuff is relying on us, the private industries and the departments themselves of different city, state, county governments, federal agencies, and on and on and on.
We’ve got to upend that game and we’ve got to radically change the way we’re thinking about it. And IT needs to be a bolt-on to security, make security job one, and then we’ll worry about marketing, getting our accounting done, taking care of our clients, storing the data, practicing law. It’s a different world now.
Before we go on, I want to talk briefly about issues with cybersecurity insurance. Like I mentioned earlier, it will not restore your firm’s reputation, may not protect you from civil liabilities, may not protect you from Office of Civil Rights or other government agency fines. It’s the last thing you want to rely on to make you whole. And what we’re seeing is reports of 20% to 49% of cybersecurity insurance claims being denied because the insurance industry can’t keep up with it.
The world changed from yesterday to today. There’s no way any of the insurance industry is accustomed to that, that fast. One of those offensive cyberweapons that Russia is using right now could easily get outside the geographical boundaries of Ukraine and affect any of us on this webinar. They’re not used to that. Even human viruses don’t spread that fast.
Other insurance underwriters are either going out of business if they’re cybersecurity only; if they do others, they’re quitting the cybersecurity insurance altogether. Others are requiring the 5 things that we’re going to talk about here in a minute. Others are doing risk analysis. You’ll get a 30-page application, and then they will assign your premium over how many of the 5 things you’ve got in place, along with other security considerations you should be doing.
This whole insurance situation that we’re in is changing as we speak. Literally every day, I get “Oh, that insurance company’s doing this now.” It’s changing very, very rapidly. You need to put that insurance thing in a box and have it, but that’s not going to make you whole. You’ll be lucky if it even pays off. Just because you checked the wrong box on an application.
Let’s talk briefly about NIST. A lot of the things that Ryan and I are talking about are standards. Accounting standards. I’m going to talk a little bit about security standards. The National Institute of Standards and Technology – that’s part of the U.S. Department of Commerce – developed a cybersecurity framework. It’s composed of 5 things.
Number one is identify, and it means the captain’s got to know the condition of his ship. Identifying and acknowledging your firm’s weaknesses, your vulnerabilities. If you’re reusing passwords, you’re not doing security awareness training, things like that. You don’t have better protection than antivirus. Once you identify those things, now you’ve got to fix them. That means protecting. You have to have a detection system in place. That means both automated and human skilled security professionals – which includes response, both automated and information security professionals responding to security anomalies – things that just don’t smell right.
Finally, worst case scenario is you’ve got to have a recovery. That’s worst case scenario. That’s where we start getting into business continuity or disaster recovery. There’s a lot of different reasons and a lot of different techniques and methods and technologies to use when it comes to recovery. Most of our clients use multiple systems in the same firm. So those are things you need to be aware of.
The NIST cybersecurity framework is something that is an independent third party verification of what you need to put in place in your law firm to secure it, to make it viable, to make it not have a breach. It’s not me saying it; it’s not an infosec specialist, although I think that’s who you should listen to, not IT – nothing against IT. But you have to keep in mind, that’s not IT’s specialty. You want them to work on IT. You want them to make sure things don’t go down. You want security people in charge of your security.
More often than not, if you outsource your IT – maybe you’ve used a firm for 20 years, they’re wonderful. Great. More often than not, when we go into those scenarios, IT companies are relieved they don’t have to worry about it because they know it’s a different specialty.
In addition to NIST, we also have, from Anne Neuberger – you may have seen her on the news the last couple of days; she’s been there a few times – the White House Deputy National Security Office, on the White House letterhead, and took the president’s executive orders and distilled them down to 5 best practices for all companies. And she wrote this letter to corporate executives and business leaders.
“What We Urge You To Do To Protect Against The Threat Of Ransomware,” and the 5 things are: deploy an EDR. We’re going to talk about these individually, but this is what you’re going to replace your antivirus with, and if you do not have an EDR, you’re vulnerable to a ransomware attack. Your firm’s a ticking time bomb. Antivirus will not detect most ransomware attacks, most modern day ones.
Another thing of the five is multi-factor authentication; storage encryption; continuously incorporate new threat intelligence into defenses; and then wrap it all up with a skilled security team. This is the 5 things that the White House says all businesses have to have to protect themselves against ransomware. And I’m here to tell you that it’ll protect you against a lot more than just that. It’s just ransomware is the worst thing that all of us have to be worried about right now. It’s the thing that’s most likely to happen to your firm.
If you’re a patent attorney, we do need to worry about China. If you do personal injury law, we need to worry about personal health information and things like that, because that’s identity theft. That’s a different threat actor that would like to get into your firm. So let’s talk about each one of these.
This is the most important one. If you only take one thing away today, know that you’ve got to have an EDR. It’s a class of product that does not use virus signatures. It uses a neural net or artificial intelligence or machine learning to protect your network.
Let’s suppose a brand-new offensive technical threat is discovered today – which could happen. Very plausible. While I’m talking. Let’s suppose the first instance outside of Ukraine is, I don’t know, Estonia. Any computer in Estonia that detects that new technical threat has a neural net that it’s talking to. And once it detects and identifies that threat, it learns. It learns the storyline, how it attacks, its tactics, techniques, and procedures of attack. Every other agent protected by that EDR all over the globe is now aware of it, knows how to defend it, and knows how to identify it. Within seconds.
Antivirus relies on virus signatures, and they have to be updated by the vendor, and they have to be downloaded, and they can’t keep up. The pace is too rapid. It’s a whole different way. Any of you have Teslas with autopilot? It works the same way. Every time a Tesla goes down the road with autopilot engaged, the neural net behind autopilot updates the very next Tesla that goes down that freeway, makes that car drive better and safer down that freeway. EDR class products work the same way.
They go by many names. This is one of the reasons why you need a skilled security specialist on your team. There are technical differences, but a lot of times these are marketing differences. But you kind of have to know, and it’s not something you can buy off the shelf. The off-the-shelf products like McAfee and Norton and Symantec and Bitdefender or whatever someone told you is the best to go buy – they’re starting to claim they have EDR class stuff. None of it is best of breed. None of it is anything I would consider reasonable efforts, much less any good.
Basically, an EDR is going to hunt for malicious activity and block it. It’s going to hunt for it. It’s not going to passively examine applications running on a computer. It’s actually going to look for it. EDR. That’s what you’ve got to have. It’s got to be best of breed. Two that come to mind: CrowdStrike and SentinelOne. You may have seen these advertised. They’re the two biggest and the two best out there. It’s got to be best of breed, though. It should not say Symantec, Bitdefender, Norton. You cannot buy it off of Amazon. You cannot buy it at Best Buy. It’s available through security and IT professionals.
The second one is multi-factor authentication. You should actually turn this on everywhere that you can. You can turn it on on Amazon. You can turn it on on Facebook. Hopefully you’ve turned it on on your bank account or investment accounts. But it’s a third piece of information. It’s that 6- or 8-digit number that you have to get off your phone or whatever in addition to username and password. What’s that number? It’s only good for – this one’s good for three more seconds that’s on the screen, the 9251 4977. That’s to a bank account of mine. It’s time sensitive. It’s only good for 30 or 60 seconds. It’s not in the possession of the hacker, whereas the username and password, if you’re like 90% of the people, they might have your username and password because you reuse it in multiple places.
But Anne, or the White House, is saying you need to turn it on everywhere that offers it because passwords alone are routinely compromised. If you’ve got a username and password that gets compromised on an account that you’ve turned on and you’re using MFA or 2FA, two-factor authentication, it’s not the end of the world. Chances are it’s still not compromised, even though they have your username and password. They don’t have this in their possession.
Use disk encryption. This means turn on and encrypt your own data files. It doesn’t matter if it’s a server or a workstation, but definitely laptops and other portable devices. This particular layer is about decreasing the attack surface of your firm, decreasing the attack vectors. For example, if you don’t encrypt the drives on your server, and when it gets old and you replace it, what happens to those drives? People usually send out their old computers for recycling. Nobody wants them anymore. They’re not that expensive anymore.
Well, if you don’t physically destroy those disks, and the disk has raw data on it that’s not encrypted, the data is harvested. There’s a whole subset of criminals that do nothing but obtain used hard drives and mine them for data.
Anne sums it up, or the White House sums it up: “So if the data is stolen, it is unusable.” How many stories have you seen about laptops being stolen and all of a sudden that caused a breach? That’s the purpose of doing disk encryption, and other strong encryption, like fingerprint, face ID. Those are all multi-factor authentication.
Continuous defense improvements. That means staying up to date with the latest threat intelligence, which seems to be my full-time job for the last 72 hours, roughly, because we knew it wasn’t going to start until after the Olympics.
You’ve got to adjust your defense as needed. Those of you that subscribe to our threat advisories will get one shortly after this is over.
This is another difference between IT and infosec running your security. A risk-based assessment of software updates has to be done. You don’t delay software updates or patches or whatever because Microsoft typically breaks things. You’ve got to look at the update and see what security issue it’s addressing and make a judgment call on how important and how quick it needs to be deployed. It’s rare – very, very rare – but sometimes they’re so critical that we stop production in a law firm to put it on in the middle of the day. That’s how important those software updates are.
If you want to know more about staying up to date on defensive stuff, there’s some reading material there on the bottom. And of course, our threat advisory, you can sign up for it at threats.irontechsecurity.com.
A skilled security team, I can’t stress this enough. It’s all about monitoring and investigating and responding 24 hours a day, 7 days a week. They’re going to stay up on those geopolitical dynamics, threat technologies, threat actors. They’re going to study those software updates to see how important it is that we get it on there today, or can we wait till the weekend or 4 o’clock in the morning or monthly maintenance windows? Got to look at each and every one.
But most importantly, we’ve got to orchestrate. We’ve got to orchestrate with the hundreds of other security professionals that literally back us up every single day. These people that used to work for the Department of Defense, NSA, U.S. Cyber Command – these are the ones protecting our clients, and they’re going to protect you. And it doesn’t have to be us; it can be any MSSP. We’re all backed up by the best of the best. Actually, the government has a hard time keeping them because the private sector is more lucrative.
But they’re going to stay on top of that. And the time to find a skilled security team is not when you’ve had an attack. It’s too late. We are reluctant to even talk to people – if we’re protecting you, you’re probably not going to get a breach anyway; it’s just going to be an unsuccessful attack. But if we didn’t protect you – and believe me, we get these calls all the time – we’ve got to consider those calls and that company a threat to us and our clients. We have to go out of our way and commit resources to mitigate a disaster that could’ve been prevented in the first place.
Bottom line is this stuff is no longer do-it-yourself, arguably if it ever was. But that’s why the White House is saying you’ve got to have a skilled security team in place. And believe me, it’s affordable.
Oh, I’m running out of time. Real briefly, company-owned equipment for remote access. If you want to know why, give us a call or contact us. Get a password manager and use it. 1Password, Keeper. Those are two good ones. We are a Keeper partner. Don’t forget your website. Get with your web people, make sure it’s secure. And law firms always need to consider implementing encrypted email.
Having said that, this is our contact information for both IronTech and Financial Clarity. There’s Ryan’s email, our email, our phone number. The go.oncehub.com/rightfit for Financial Clarity, that’s a scheduling link, and I think Kindsey has put those in the chat. And same thing with meeting.irontechsecurity.com. Both of these, you schedule a few minutes to talk with either of us, and we’ll be happy to answer any questions and get you on the right path with whatever you think you’re having difficulty with.
Just don’t forget about the 5 things. That’s super, super important from a security standpoint. Ryan, did you have anything else to add to that?
RYAN: I don’t think so. I think we did a good job of covering everything. I’d highly recommend for all the attorneys that are still watching, go find an accountant advisor, handling your accounting and finances, and go find a tech advisor. Play in the field where you’re an expert. That’s Tom’s and my philosophy. Play in the areas where you’re an expert.
TOM: That’s actually what we do as a company and Ryan does as a company. It’s a lot cheaper to hire the experts when you’re doing virtually.
RYAN: Absolutely. Couldn’t agree more.
TOM: Just a quick follow-up, we had one “yes” answer in the chat, which is a little lower than usual. We usually run 10-20% of the people. When we first started doing these, I was surprised it was that high. It was either someone on the webinar or they personally knew someone that had a ransomware attack. I’ve seen them as high as 30%. This one we had one, so that’s roughly a little less than 10%. But it’s still substantial.
Anyway, thank you for joining us, and feel free to reach out.
RYAN: Yes. Thank you, everyone.