Capability. Meet Opportunity.

HPC CyberMatch™ Marketplace by High Performance Counsel – Cyber Careers Portal

(THE FUTURE. NOW)

PUT YOUR CYBER QUALIFICATIONS TO WORK IN OUR TALENT MARKETPLACE

Our mobile-friendly platform facilitates open and direct communication between clients and cyber-qualified professionals.

ACCESS WORLD-CLASS CYBERSECURITY EDUCATION - AND ADVANCE YOUR CAREER IN THE HPC CYBERMATCH™ MARKETPLACE

HPC CyberMatch™ solves the cyber talent conundrum.

With the introduction of our HPC CyberMatch™ Curriculum, HPC has committed to being the one-stop education partner that individuals and organizations need to gain cybersecurity competencies and certifications. On an individual level, cyber qualifications are a great way to add value for your employer or clients – they also make you more valuable. As such, we uniquely provide access to both NIST and NICE curriculum in our store – helping individuals and organizations get the education and training they need.

But why stop there? Introducing the HPC CyberMatch™ Marketplace

Organizations need cyber-qualified individuals – those who have invested in cyber qualifications to meet the needs of a digital economy. In creating HPC CyberMatch™ Marketplace, we’re also helping individuals and organizations meet one another around the cyber qualifications that both need. In so doing, we’re doing our part to address a growing economic need.

Start here.

GET CYBER-QUALIFIED

Browse available NICE, NIST courses.

START HERE.

CYBER-QUALIFIED? REGISTER HERE

Qualified cyber professionals may register for HPC CyberMatch™ Marketplace

CYBER EMPLOYER? REGISTER & LOG IN HERE

Employers and qualified agencies may register for HPC CyberMatch™ Marketplace

QUESTIONS? CONTACT US

Feel free to contact us here.

INTRODUCTION & FEATURES GUIDE 2019

An overview & introduction to our cybersecurity and cyber intelligence education solutions.

HPC/CybInt Cyber Center Overview 2019

Custom Programs, Online Training, Hands-On Labs, Practical Problem-Solving, Scenario Simulations, Cyber Certifications.

B2C Cyber Literacy Brochure - 2019

A unique combination of our two leading programs – the Cyber Security Protection Program and the Cyber Intelligence Discovery Program. These programs build a strong cyber foundation across all areas of study and allow students to enter a technologically savvy workforce with confidence and understanding.

The Cyber Intelligence Certification (CIC) Program provides an introduction to cyber intelligence essentials, online research methodology, deep-web due diligence, trends analysis, digital forensics, and much more.

At its core, the Cybint Intelligence Discovery certificate features more than 80 learning units, with videos, written lessons, exercises and tools, focusing on various aspects of cyber intelligence. The program is designed to train students in the art of collecting intelligence from around the web, getting access to the most critical information you need, and analyzing it quickly and accurately. Upon completion of training, there is a certification exam to verify learning and identify areas that require more study.

The Cyber Security Protection (CSPC) Program provides an introduction to cyber security essentials, social engineering, malware, cybercrime, online privacy and much more.

At its core, the Cybint Security Protection Certificate program features more than 60 learning units, with videos, written lessons, exercises and tools focusing on various aspects of cyber security. The program also covers individual behaviors that may put you at risk. Upon completion of training, there is a certification exam to verify learning and identify areas that require more study.

Register for the Cyber Security Protection Program and the Cyber Intelligence Discovery Program

B2C Cyber Security Brochure - 2019


Register for Cyber Security Protection (CSPC) Program

B2C Cyber Intelligence Brochure - 2019


Register for The Cyber Intelligence Certification (CIC) Program

B2B Simu-Lab Brochure (Legal) 2019

The Cyber Security Analyst Simu-Lab Suite is the product of extensive military and industry experience and offers advanced practical training in a virtual machine environment. The CSA Simu-Lab Suite comprises 10 labs that bring a much-needed practical work experience component to students.

Each lab is based on an authentic real-life cyber incident that learners will practice solving using cyber tools through a simulated virtual machine. We want students to feel as if they are in a real Security Operations Center (SOC) and to work as Cyber Security Analysts (CSA).

Our goal is to provide learners with a solid foundation that will prepare them for on-the-job training and allow them to grow professionally. This comprehensive offering allows participants to quickly gain the skills and experience to start working in the cyber industry – even without a computer science degree.

The Cyber Security Analyst Simu-Lab Suite offers students lessons around each lab scenario, reflection assignments, quizzes, and applied learning. Once a student completes the CSA Simu-Lab Suite, they will receive a CSA certification of completion.

Register for The Cyber Security Analyst Simu-Lab Suite

B2C CSA Simu-Lab Brochure - 2019


Register for The Cyber Security Analyst Simu-Lab Suite

Cyber Security Analyst (CSA) Simu-Lab Guide 2019

Cyber Security Analyst (CSA) Simu-Lab Suite – Lab Scenario Guide


Register for The Cyber Security Analyst Simu-Lab Suite

National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework

Did you know? The NIST Cybersecurity Framework is a set of guidance on what organizations should be doing, in terms of controls, to manage their cyber risk and security.

Framework for Improving Critical Infrastructure Cybersecurity

Did you know? The NICE Cybersecurity Workforce Framework outlines the work roles (including knowledge, skills, abilities and credentials) required to support a NIST Cybersecurity Framework program.

Cybint Cyber Literacy Curriculum - 2019

Cybint is pleased to introduce our cyber security and intelligence seminars. It’s a comprehensive approach to cyber training for the non-technical professional whose job interacts with potential cyber threats and discovery opportunities. The training was specifically designed for legal and financial professionals. It’s a concept that can transform your students from reactive to proactive, and it influences the way they are trained to handle litigation, negotiation, due diligence, IP and more. It combines both discovery and protection aspects and ensures the professional is much more valuable to their company. The program is customizable, but we recommend executing it as outlined in this document.

We regularly watch some of the treasure hunting shows on either NatGeo or the Discovery Channel. Of course there is always some hope each week by the explorers and searchers that they find the one “big thing” that validates their dig or expedition. Sometimes there is something; many times just bits and pieces but not much. We sometimes feel cybersecurity is like this — meaning, will we ever find the one big thing that really helps (1) establish “reasonable” conduct, (2) improve our cybersecurity posture, and (3) better insulate ourselves from the regulators and the plaintiffs’ bar? Maybe we have but don’t know it yet, but I would suggest that maybe it’s time to consider the vulnerability assessment as the gold standard.

What is a vulnerability assessment?

Simply put, it’s like a health check for your computer network: it analyzes risks and vulnerabilities in your network, hardware, applications, websites, clouds and other IT assets. It gives IT teams, executives and others (like the board) the information to assess cyber risk, prioritize it, and better manage each risk, either totally or partially. It also allows management to decide whether or not to buy cybersecurity insurance to further control for the identified risks. Similar to an EKG test for your heart, a vulnerability assessment gives actionable information to the IT teams and assessors to better protect your company or organization’s IT infrastructure. The assessments are pretty comprehensive. Sometimes they are done by scanning software. Sometimes by human assessors. Sometimes the findings are further examined through the work of penetration testers. Many times it’s a team effort to get a great amount of data from a vulnerability assessment.

What is a vulnerability?

Many things could be considered vulnerabilities. Some of them are bigger in nature (and potentially more problematic) and some of them are lesser in nature, meaning they won’t automatically kill you outright but could cause you grief. Here are some:

An unpatched problem or flaw in your operating system or one of the programs you run regularly (sometimes called a “CVE”);
A configuration error in a server, leaving it accessible from the Internet, maybe without a password or encryption;
A weak password, or hard-coded passwords on IoT devices that cannot be changed;
Lack of employee training; and
Excessive privileges or rights given to your employees, or to the “wrong employees,” which could allow unauthorized access or even theft of critical information.

Obviously a large network could generate quite a few vulnerabilities, and it would be nice, but difficult, to “fix everything.” That is why the IT teams then rank the vulnerabilities from critical to high, to medium to low. Critical ones get fixed first, or at least get the most attention paid to them. What would be a critical vulnerability? Hard to tell, but certainly a new zero-day vulnerability found in the wild and reported by US-CERT or others to the public might be considered “critical.” Unfortunately, with software flaws found more abundantly today than in other periods, “Patch Tuesday” could easily turn into “Patch Wednesday, Thursday and Friday” as well. As we note, unless your network is relatively small, or flat, or even mostly in the cloud, it probably would be hard to fix every vulnerability in week one. But the more vulnerabilities you can fix in the shortest amount of time, theoretically at least, the better off you are than another company that takes a month to patch a CVE.
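The ranking and “fix critical first” process described above can be made concrete with a small triage script. The following is an added example written for this page, not code from the article or from HPC/Cybint: it takes a handful of constructed scan findings (hosts, titles and dates are invented), maps each to the critical/high/medium/low tiers using the CVSS v3 qualitative ranges, bumps Internet-exposed findings up a tier, orders the remediation queue and flags anything past an assumed per-tier patch deadline. The SLA_DAYS values are assumptions, not a standard; a real policy would set its own.

```python
"""Vulnerability triage helper (added example, not part of the original article).

Maps constructed scan findings to the critical/high/medium/low tiers the
article describes, orders the remediation queue and flags findings that
have sat open longer than an assumed per-tier deadline.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines in days per tier (illustrative, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    host: str
    title: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    internet_exposed: bool  # reachable from the Internet?
    found_on: date          # date the scanner first reported it


def tier_for(cvss: float) -> str:
    """Map a CVSS base score to a tier using the CVSS v3 qualitative ranges."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def effective_tier(f: Finding) -> str:
    """Raise an Internet-exposed finding one tier: exposure, not score alone, drives urgency."""
    t = tier_for(f.cvss)
    if f.internet_exposed and t != "critical":
        return TIER_ORDER[TIER_ORDER.index(t) + 1]
    return t


def triage(findings, today: date):
    """Return findings critical-first, each annotated with tier, age and days past SLA (0 if within)."""
    rank = {t: i for i, t in enumerate(reversed(TIER_ORDER))}
    rows = []
    for f in findings:
        t = effective_tier(f)
        age = (today - f.found_on).days
        rows.append({
            "host": f.host,
            "title": f.title,
            "tier": t,
            "age_days": age,
            "overdue_days": max(0, age - SLA_DAYS[t]),
        })
    # Critical first; within a tier, the most overdue first, then the oldest.
    rows.sort(key=lambda r: (rank[r["tier"]], -r["overdue_days"], -r["age_days"]))
    return rows


# Constructed sample findings; hosts, titles and dates are invented for illustration.
SAMPLE = [
    Finding("web-01", "Outdated TLS library on public web server", 7.5, True, date(2019, 9, 1)),
    Finding("db-02", "Default credentials on internal admin console", 9.8, False, date(2019, 10, 5)),
    Finding("wks-17", "Missing OS patch", 5.3, False, date(2019, 8, 1)),
    Finding("cam-03", "Hard-coded password on IoT camera", 6.5, True, date(2019, 7, 1)),
]
TODAY = date(2019, 10, 10)  # fixed "today" so the example is reproducible

if __name__ == "__main__":
    for r in triage(SAMPLE, TODAY):
        status = f"OVERDUE by {r['overdue_days']}d" if r["overdue_days"] else "within SLA"
        print(f"{r['tier']:<8} {r['host']:<7} {r['title']:<48} {status}")
```

Run as-is, the queue puts the exposed web server first (high by score, critical by exposure, and well past its deadline), then the fresh critical on the internal console, then the exposed camera, and last the workstation patch that is still within its window. Tracking overdue days per tier is what turns the article’s “patch critical first” into something a board can be shown month over month.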

Regular Assessments are “Reasonable” in Today’s Environment

It would be great if cybersecurity could play on a relatively static playing field, but the nature of the business is dynamic. It is always changing. Each week more software flaws get found or are discovered, hopefully by good guys like white hats and trusted advisors. But that is often not the case. First, we don’t know exactly how many bad guys are out there, but it’s safe to say a lot, perhaps outnumbering the good guys. And they change their tactics constantly, looking for a hole in the outfield to hit a line drive. Next, companies regularly add new software, new appliances, new employees, and new applications to help make their organizations more efficient or process data more effectively. All these things create more potential vulnerabilities, not fewer.

Given these facts, you can then imagine the limited utility of an annual vulnerability assessment when things tend to change weekly, if not daily. What about semi-annual assessments? Better. We know that in a resource-constrained environment that might be pushing things, but the comfort that regular assessments give should help management and the board get over the added expense. We know clients that do vulnerability assessments quarterly and applaud them and their tenacity. We bet there are bigger companies that do them even more often.

Cyber risk has never been a bigger problem than it is today. Cyber risk needs attention; it needs board oversight; it needs actionable information. Vulnerability assessments definitely provide that actionable information to all constituencies in the corporate governance structure. And they are more than “reasonable” in today’s regulatory and litigation-prone cyber environment.

Paul Ferrillo

About Paul

Paul Ferrillo is a Shareholder in Greenberg Traurig’s Cybersecurity and Privacy Group. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation…

PART 2

In the first part of this article we discussed the cybersecurity industry and its growth prospects. For those who want to get into the industry but have no relevant academic training, consider this: it wasn’t until the beginning of the 21st century that many universities started to offer fully accredited Data Science degree programs, so many current data scientists are trained in various disciplines such as computer science or statistics. The key to success is often a combination of business, data, and programming knowledge.

Similarly, for those looking to switch careers into cybersecurity, not having a formal degree in the field is not a disadvantage. Since the industry is relatively new, the barriers to entry are even lower. When you conduct searches online you will find anywhere between 30-50 cybersecurity job titles. 46 of them are included in figure 2. As you can see, a “cybersecurity” industry professional is anything from an information system manager, a programmer, an auditor, a risk manager, a lawyer, etc.

  Job Title Description
1 Application Security Administrator Keep software / apps safe and secure.
2 AI Security Specialist Use AI to combat cybercrime.
3 Auto Security Engineer Protect cars from cyber intrusions.
4 Blockchain Developer Code the future of secure transactions.
5 Bug Bounty Hunter Freelance hackers find defects and exploits in code.
6 Cybersecurity Scrum Master Watch over and protect all data.
7 Chief Information Security Officer Head honcho of cybersecurity.
8 Chief Security Officer Head up all physical/info/cyber security.
9 Cloud Security Architect Secure apps and data in the cloud.
10 Counterespionage analyst Thwart cyber spies from hostile nation states.
11 Cryptanalyst Decipher coded messages without a cryptographic key.
12 Cryptographer Develop systems to encrypt sensitive information.
13 Cyber Insurance Policy Specialist Consult on cyber risk and liability protection.
14 Cyber Intelligence Specialist Analyze cyber threats and defend against them.
15 Cyber Operations Specialist Conduct offensive cyberspace operations.
16 Cybercrime Investigator Solve crimes conducted in cyberspace.
17 Cybersecurity Hardware Engineer Develop security for computer hardware.
18 Cybersecurity Lawyer Attorney focused on info/cyber security and cybercrime.
19 Cybersecurity Software Developer Bake security into applications.
20 Data Privacy Officer Ensure legal compliance related to data protection.
21 Data Recovery Specialist Recover hacked data from digital devices.
22 Data Security Analyst Protect information on computers and networks.
23 Digital Forensics Analyst Examine data containing evidence of cybercrimes.
24 Disaster Recovery Specialist Plan for and respond to data and system catastrophes.
25 Data acquisition Security Analyst Secure critical infrastructures.
26 Ethical / White Hat Hacker Perform lawful security testing and evaluation.
27 Governance Compliance & Risk Manager Oversee risk management.
28 IoT Security Specialist Protect industrial control systems.
29 Incident Responder First response to cyber intrusions and data breaches.
30 Information Assurance Analyst Identify risks to information systems.
31 Information Security Analyst Plan and carry out info security measures.
32 Intrusion Detection Analyst Use security tools to find targeted attacks.
33 IT Security Architect Implement network and computer security.
34 Malware Analyst Detect and remediate malicious software.
35 Mobile Security Engineer Implement security for mobile phones and devices.
36 Network Security Administrator Secure networks from internal and external threats.
37 Penetration Tester Perform authorized and simulated cyberattacks.
38 Public Key Infrastructure Analyst Manage secure transfer of digital information.
39 Red Team Member Participate in real-world cyberattack simulations.
40 Security Auditor Conduct audits on an organization’s information systems.
41 Security Training Specialist Train employees on cyber threats & awareness.
42 Security Operations Center Analyst Coordinate and report on cyber incidents.
43 Source Code Auditor Analyze software code to find bugs, defects, and breaches.
44 Threat Hunter Search networks to detect and isolate advanced threats.
45 Virus Technician Detect and remediate computer viruses and malware.
46 Vulnerability Assessor Find exploits in systems and applications.

So how will the changing “World of Work” impact your career in the short and long term? Having worked in the financial services industry for 13 years, I witnessed first-hand how technology, automation, and offshoring have drastically reduced the size of the workforce. This has given rise to the “gig economy,” which challenges the very meaning of the term “employment.” The hard fact is that the knowledge and skills you learn in college will most likely be obsolete in 5-10 years. As such, it is important to commit to lifelong learning as a job requirement and develop “human skills,” which are the following combinations:

  • Programming + Communication
  • Artificial Intelligence (AI) + Emotional Intelligence (EQ)
  • Logic + Ethics

Recently I chatted with Debbie Reynolds, a cybersecurity expert in Global Data Privacy & Protection, Speaker, Author, and Educator. She is a thought leader who advises Fortune 500 companies on how to handle data privacy and electronic evidence in high-stakes civil litigation. However, she did not get here with a degree relating to cybersecurity. A Philosophy major from Loyola University in Chicago, she learned basic computer and data skills in order to work from home, so she could care for her mother. She went on to work at a law firm focused on eDiscovery, which led to her managing large legal databases. Over the years, she accumulated vast expertise in this field through a combination of legal background and data management. Now, she applies her skills and thought leadership to promote cybersecurity and data privacy. Her career path exemplifies how one can be successful in the “future of work”: develop a combination of technical skills and industry expertise, apply them to evolving industries and fields, and constantly re-invent yourself through lifelong learning.

So, for those of you who are considering your career plans or looking for your next opportunity, take a look at the cybersecurity industry. For additional information, here are places to find training for specific qualifications such as the NIST cyber security certification, which is the “gold standard” globally adopted by the U.S. and many other nations for cyber governance practices.

The cybersecurity space is growing tremendously, like the internet when it first “started.” This will be the largest wave of up-skilling that industries have seen in decades. It is an accelerating, well-compensated field. Contrast that with the level of intellectual stagnation that many other fields represent and you will find that the opportunities are endless.



Heather Lu-Lasky

About Heather

Heather Lu-Lasky, CFA, is the Founder & CEO of ChampAmerica Inc., a New York-based Career & Workforce Development and Management Consulting firm.

Cybersecurity can be overwhelming. Fortunately, there’s nothing that says we can’t tackle it step by step. Implementing stronger information security policies is a good place to start.

Cultivate a security mindset throughout the organization.

As a general matter, IS policies serve three important purposes.

First, policies help cultivate a security mindset. Simply having information security policies in place raises employee awareness. Requiring employees to read them and sign an acknowledgement sends a clear message. Namely, information security is an organizational imperative – not “an IT thing.” Reinforce the message with training and tests.

Management support for the policies is critical to achieving this purpose. Nothing undercuts an initiative like non-compliance at the top.

Educate employees about the importance of data security.

Second, policies educate employees about the security program. More precisely, policies are the foundation for procedures. Security procedures can be burdensome and confusing, even intimidating, to many. We need to make people care about data security first, before diving into the details.

Policies are an opportunity to explain and emphasize universal reasons to care such as:

  • Information is a valuable asset. It must be kept confidential, accurate, usable and available to the employees who need it to do their jobs.
  • Security incidents disrupt normal operations. Systems go down. It costs time and money to investigate and repair the damage.
  • Data breaches are bad for the bottom line – and future opportunities. Breach notifications and fines are expensive. Loss of reputation and client confidence may be even more costly.

Define and emphasize accountability

Every organization should expect and require compliance with security procedures. The third purpose of information security policies is to define accountability.

Policy particulars include potential consequences of non-compliance, such as remedial training and negative performance evaluations. However, balance penalties with resources. Make it a policy to have on-call support for security questions and technical problems. Finally, specify who has authority to approve exceptions to standard security procedures based on business needs.

Policies can be a powerful weapon in the cybersecurity war. For maximum impact, take a step back and focus on purpose. Set information security goals first and specific policies will follow naturally.

Helen Geib

About Helen

Helen Geib is General Counsel and Practice Support Consultant for QDiscovery.

Tell us a bit about yourself and how you came to be in (or a customer of) the legal business?

I am not an attorney by training but have been involved in the legal public policy realm for most of my career. This included working seven years on The Hill for the late Senator Arlen Specter, in legislative affairs at the Department of Homeland Security and teaching graduate courses both at Georgetown University and Johns Hopkins. Early on in my academic career I did study at the Hague Academy of International Law and have stayed close vicariously to trends in the legal world via my wife, an attorney who has worked both at law firms and in government.

What do you do for a living right now?

I am the Principal Market Growth Strategist for General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. In this role I explore and identify trends and emerging products that can impact security preparedness. I am also Adjunct Faculty at Georgetown University’s Applied Intelligence Program, where I teach graduate courses on risk management, homeland security, and cybersecurity.

I have a deep background in marketing and government relations in both the public and private sector in the cybersecurity, homeland security, and emerging technologies space. LinkedIn named me as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 550 million members. I was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018. In both 2017 and 2016, I was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards.

I am also a member of The AFCEA Cybersecurity Committee, a member of the Electrical and Electronics Engineers IEEE Standards Association (IEEE-SA) Virtual Reality and Augmented Reality Working Group, a Subject Matter Expert to The Homeland Defense and Security Information Analysis Center (HDIAC), and an Advisory Board Member for The Center for Advancing Innovation. I also sit on several company boards of advisors.

Also, I am a founding member of the CyberAvengers, which includes two prominent legal minds, Paul Ferrillo and Shawn Tuma, and which promotes hygiene and corporate governance in cybersecurity. (I recommend following the blogs of my fellow CyberAvengers at https://thecyberavengers.com/: Paul Ferrillo, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma, Christophe Veltsos. They are a group of SMEs who address a combination of technical, legal, and policy issues related to information security.)

Do you think the legal industry is headed in the right direction, the wrong direction – or which direction?

From the outside looking in I see the legal world following the path of many other industries. This includes consolidation of practices, assimilating new and disruptive technologies, and being more competitive. Also, law is becoming much more global as a result of the increasing connectivity of data and business. GDPR is a good example of how domestic law has had to confront the international legal implications of global compliance. As to direction, I think it is neither wrong nor right but being forced to address the new realities of an industrial era that lacks privacy, has data and IP at perpetual risk, and is influenced by the digital transformation of key industries such as health, financial, and transportation.

What advice would you give to the younger generation contemplating law as a career?

Since I teach and serve as a mentor, I am often called on to provide career advice. This advice always includes getting real world experience either during your academic years or shortly thereafter. Interning and working on The Hill is a great learning experience for everyone to see how laws are made and to understand political discourse. Many government agencies and companies offer internships and fellowships that provide unique experiential insights and are stepping stones to future opportunities. With law students, clerking is certainly a good option. From the perspective of the competitiveness of the market, my advice to students would be to study very hard, get exceptional grades and go to the best ranked law school that might admit them.

How ready for change do you think the legal industry is?

I believe that many of the larger firms are adapting to new technologies and the rapidly changing global regulatory environments. It does take bringing on resources and expertise and having the agility to make and act on directional decisions that include M&A and new policy. It also takes investment of funds, and that is why some of the larger firms are better positioned than smaller or midsize ones. Also, because of the growing and encompassing social media landscape that has changed the paradigm on how we communicate, traditional branding and marketing of firm capabilities are no longer sufficient. I can envision the legal industry incorporating social media influencers and chief marketing officers in the near future, as other industries are doing.

Is more – or different – leadership required? In what ways?

A different, more tech-savvy and digital-marketing-oriented leadership will be required to reach new clients, promote capabilities, and especially to brand firms so they stand out for increasingly competitive services.

How deep do you think will be the inroads of technology in the industry?

The inroads are already quite deep in the areas of e-discovery and legal research. More and more administrative functions are being automated at law firms. Eventually artificial intelligence will take the predictive and forensic analytics capabilities of addressing case history, precedents, and the statistical likelihood of successful litigation to new levels. Already advanced computer databases and access via smartphone communications and virtual meetings have changed the pace of practicing law.

Technology is having a major impact on the legal industry now and will grow exponentially in the coming digital transformation. The combined value of digital transformation — for society and the industry — could be greater than $100 trillion over the next 10 years, according to new research by the World Economic Forum (WEF). The research, which is part of the Forum’s Digital Transformation of Industries (DTI) project, focuses on the “combinatorial” effect of digital technologies — mobile, cloud, artificial intelligence, sensors and analytics, among others.

Technological advancements certainly have been profound and impacting. Consider a short list of technologies that have been introduced into the marketplace in the last two decades: the MP3 audio format, flash storage, the mega search engine, Wi-Fi, multicore processors, big data, social media, smartphones, Bluetooth, virtual reality, connected vehicles, 5G, satellite imaging, machine learning and artificial intelligence.

Renowned Futurist Dr. Michio Kaku characterizes the technological shift we are experiencing as moving from the “age of discovery” to the “age of mastery.” He characterizes it as a period in our history where we will be able to harness our technologies and control our destinies.

What do you consider is the greatest challenge facing the industry?

Cybersecurity! A primary requirement of the legal profession is to obtain data and explore evidence, assess the implications of that evidence, and prepare accordingly to protect and serve the client. Cybersecurity is integral for the profession to operate. Unfortunately, most law firms (and companies for that matter) lack the critical awareness, policies, and technologies to best secure the crown jewels. These jewels include private firm interchange, records, and especially privileged attorney-client communications.

The risks to law firms are already very high. A 40-year-old law firm, Mossack Fonseca, closed as a result of a data breach that revealed the Panama Papers. About two-thirds of law firms have experienced some sort of data breach, according to a 2017 cybersecurity scorecard from Logicforce, a LexisNexis company.

Law firms are also facing a daunting list of security and operational challenges that have been affiliated with emerging technologies: cybersecurity, privacy, encryption, connectivity, spectrum, blockchain, biometrics and quantum computing.

With the growing emerging technology challenges increasing risk to revenues and reputation, law firms should consider hiring cybersecurity professionals to augment their IT shops. If possible, they should also explore bringing in outside expertise from SMEs who understand the latest developments in technologies and compliance directives in the cyber ecosystem. The growing number of sophisticated phishing, ransomware, and DDoS attacks is challenging, and outside help is becoming more of an imperative.


Wildcard questions:

If you weren’t doing this, what would you be doing?

My passion has always been astronomy and space exploration. I still have the response from Carl Sagan to a letter I wrote to him in high school about exploring education and work in the field of exobiology (the study of life on other planets). If I were young again I would have loved to pursue a career with NASA.

What would you like to be known for?

I have devoted my professional career to security, both homeland and cybersecurity. I would like to be known for being a forward-looking leader in the security world for evangelizing emerging technologies and being a significant contributor to the policy and ethical discussions of how we manage risk. What I have concluded from publishing over 200 articles, numerous speeches, and working as a Subject Matter Expert in all areas of homeland security and cybersecurity, is that security outcomes really depend on a three-tiered formula. 1) You need the innovation and expertise from the technical and engineering people in government and industry. 2) You need the business and policy perspectives to integrate management approaches and to commercialize technologies, and 3) you need evangelists to explore, communicate, and help provide vision for all connected to the internet to understand and meet the challenges of a world of algorithms; x’s and o’s. I try to dabble in all three tiers, but focus primarily on evangelism.

What’s your favorite hobby or activity outside of law?

I am a former Virginia powerlifting champion and won several meets when I competed almost two decades ago. I still enjoy working out and weightlifting although I do not go nearly as heavy anymore on the weights!

What’s your favorite sports team?

The Cubs in baseball, the Bears in football, and the Bulls in basketball.

What’s your favorite city?

Chicago, my original hometown. I am still an avid Chicago sports fan.

What’s your favorite food?

Italian food is my favorite. I am a foodie and run a LinkedIn group called “DC Foodies” that has over 3000 members.

According to a recent New York Times report, the first half of 2019 saw nearly $2 trillion in merger and acquisition activity, with the majority of those deals taking place in the US. During the frenzied period of time leading up to consummation of the deal, consideration of the transaction’s impact on the acquiring company’s cyber insurance coverage may not be top of mind. But because merger and acquisition activity can significantly impact the risk profile of the insured company, cyber insurance policies typically contain very specific notice requirements in order for coverage to be extended to the newly acquired entity. Companies contemplating corporate transactions, therefore, are advised to review and operationalize those notice requirements early in the deal-making process to avoid coverage gaps when the deal is completed.

Cyber Insurance Policy Requirements for Newly Acquired Entities

Cyber insurance policies, like most other policy forms, typically provide coverage to the named insured identified in the policy, as well as to any subsidiary of the named insured that was created by the date the policy took effect. Carriers generally ask enterprises to identify all such subsidiaries during the insurance policy application process. Although disclosed subsidiaries may generally be considered “insureds” at the time a cyber policy is issued, the policy is likely to contain provisions that specify the steps the insured company must take to obtain coverage for subsidiaries acquired or created, or for entities involved in mergers or consolidations, during the policy period.

The steps an insured company must take to secure coverage for a newly acquired subsidiary vary from policy to policy, but they typically are triggered by the revenue of the target company relative to that of the insured acquiring company. 

For example, under one cyber policy, if the target entity has revenue greater than 10% of the named insured’s total annual revenue, the named insured must: provide written notice before the acquisition, obtain the insurer’s written consent, and agree to pay any additional premium required by the insurer.

Another insurer requires an insured that merges with, acquires, or creates an entity with assets exceeding 10% of the total assets of the insured to provide full details of the transaction as soon as practicable. The insurer is entitled to impose additional terms, conditions, and premiums, at its sole discretion.

Under the terms of a different policy, if the named insured acquires or creates another organization in which the named insured has an ownership interest of greater than 50%, the organization is covered for insured events that take place after the date of acquisition or creation, but only if the named insured provided notice to the insurer no later than 60 days after the effective date of the acquisition or creation, along with any information the insurer may require. The insured may be exempted from that process if, among other things, the new subsidiary’s gross revenues are 10% or less than those of the named insured.

Takeaway Message

In light of the significantly varying triggers and requirements imposed by different cyber carriers, insureds that are involved in merger or acquisition activity should carefully review their cyber policies early in the deal-making process. Relevant provisions may be found in a variety of different sections of the policy depending on the form at issue — possibly within the conditions, definitions, “other provisions,” and exclusion sections — so a careful review of the cyber insurance policy at issue is required.

Click on the link below to download my free book

A Closer Look At Cyber Insurance

PART 1
If you were offered a job in the internet industry at the beginning of the World Wide Web, would you take it?
Sounds like a no-brainer, doesn’t it? The problem is, this is often a once-in-a-century kind of opportunity that most of us are too late to capitalize on. Whether you are a college student who is about to face the real world, or a professional with some experience, the evolution of the “World of Work” will have an effect.

Selecting a career in the era that we live in now is more challenging than ever before. In this digitized global economy, the IoT (Internet of Things) is no longer at the forefront of our minds; rather, it is the Internet of Everything. Massive data, artificial intelligence, and cross-border data flow are transforming how we conduct business and how we live our lives.

The millions of jobs that will be eliminated by automation and AI will be replaced in part by millions more which are being added because of these technologies. This has left many people wondering: where should I go to avoid losing my job? The answer to that is simple: follow the data. Data is the new frontier for people seeking employment at all stages of their careers. Data scientist, for example, has become a highly sought-after position in recent years. But where there is data, there is cybercrime, and there need to be skilled professionals to protect the integrity of said data. Cyberattacks take on many forms, and the power of AI has enabled more sophisticated attacks such as autonomous vehicle and drone hackings. As such, countering cyber risk is an all-encompassing effort that involves not only technology, but also people and processes.

The cybersecurity industry is experiencing exponential growth in the U.S. and worldwide (Figure 1). Per Cybint, a cyber security solutions company, there are currently 300,000+ cybersecurity jobs in the U.S. unfilled, and postings are up 74% over the past five years. By 2021, there will be 3.5 million unfilled cybersecurity jobs worldwide.
Figure 1: Size of the Cybersecurity Market Worldwide (USD BN)
The data economy is posing some of the starkest technical and economic challenges of our time. As both users and employees, we must alter our basic individual behaviors to ensure “safe engagement” and deploy unprecedented, deeply complex solutions and defense mechanisms to protect the core. The shortage of cyber-savvy individuals is well-known, so the number of talented new hires required is going to increase steeply. To make up for this supply-demand imbalance there are upsides in compensation and visa sponsorship. For international students this is a great beacon of hope.

Great, but I don’t have a degree in Cybersecurity or any prior experiences in the industry (or any experience at all). How do I get there? I will discuss that at length in the second part of this article.

Heather Lu-Lasky

About Heather

Heather Lu-Lasky, CFA, is the Founder & CEO of ChampAmerica Inc., a New York-based Career & Workforce Development and Management Consulting firm.

By Paul Ferrillo, Chris Veltsos, George Platsis, George Thomas, Shawn Tuma, Ken Holley and Chuck Brooks.

Like you, we are passionate about this country, its hard-working people, its go-getter attitude, and its embrace of technology to drive efficiency and improve lives. Yet, we’ve also noticed a troubling trend. We’ve seen the continuous onslaught of cyberattacks, the resulting disruption and losses, and the very real impact it is having. We can’t stand by another day and let the national wealth of this country — meaning our ability to innovate, our ability to dream, and our ability to execute — be plundered by others to the tune of $600 billion a year. As technology is now woven into the fabric of our societies and our economies, cybersecurity connects with national security and with economic security. We can’t afford to be distracted by politics, divisiveness, and other matters-of-the-moment and fail to recognize that cybersecurity is not only a big problem, it’s a huge problem. It’s a hideously expensive problem. And it is getting worse.

Which brings us to this message. It’s time for a National “Stop the IP Brain-Drain” Strategy. We call ourselves the Cyberavengers. We’ve been around for two years, sounding the alarm, sharing ideas and solutions, writing, speaking, helping. We want to help prevent the next Business Email Compromise (BEC), the next ransomware case. We have seen the “Thanos” of the cyber world (insert here any nation-state you want) launch attack after attack. He wants to snap his fingers again. But the Cyberavengers say “enough.” We all need to step up our game, for our country, our neighbors, our children. At $600 billion a year, can anyone truly say what will be left in 20 years, when our children have to take over this mess? As friends of ours say, this is not happening. This will not happen on my watch. Period.

Many have said to us, “we need a strategy.” The smart ones say, “we need an actionable strategy.” That is the correct view. We need a “whole of nation” approach. We break our strategy down into three bite-sized pieces: people, process and technology. There are actionable items in each piece. Adopt one piece of the strategy. But please adopt more. The government part of our strategy will take some more work, but that needs to be accomplished too, as the only way we stop this Brain Drain is with a whole-of-nation approach.


Stop the IP Brain Drain – People

1. Pay “Thanos” the respect he deserves – for the moment. Cybersecurity is not solely the government’s problem. It is not solely the NSA’s problem or US Cyber Command’s problem. It is not solely a corporation’s problem. It is every single citizen’s problem. We are not getting past stage one unless we recognize, “yes, we are a target, yes, we will be hacked, and yes, we might have been hacked already.” Cybersecurity takes constant attention. Respect the beast. Then kick it in the ___________.

2. Cyber retraining/education of our workforce and our country. This must go along with step 1 if we are to succeed. Our view? Time for at-home and at-work efforts to stream the NIST Cybersecurity Framework to everyone, from government to business to schools (and especially our K-12 schools). Whether it was the OPM breach, Sony, Target or hundreds of others, we have all been attacked. The NIST Cybersecurity Framework can be (and should be) the curriculum of our country. It is already mandatory for the US government. But it needs to get down to the employee, manager, and officer level of EVERY organization for the game to really change.

3. Passwords can no longer be our kid’s name, or our dog’s name, or “0123456” — this is an easy one. How many of us reuse the same password constantly because passwords are too much of a pain in the neck to remember? Well, guess what: attackers know that too. When they get your credentials from a breach at Retailer X, they can try them at Retailer A, B and Store C and D. Make your passwords tougher to break. Don’t reuse them. Use pass phrases like “ThreeBlindMiceLike5EarsOfCorn.” Just no more “0123456” or “password.”

4. Use multi-factor/two-factor authentication always, everywhere: your retailer accounts, your bank accounts, your place of business. Always turn it on. Never not use it. It helps against credential-theft types of attacks. For many organizations, enabling 2FA will cost very little. Or nothing.

5. Directors of companies – you are in the spotlight today; don’t let anyone tell you differently. Breaches cause loss of reputation. Loss of reputation causes loss of sales. Loss of sales and the post-breach clean-up costs can run into the tens of millions of dollars. And unanticipated losses can cause lawsuits. Against you. That is the circle of life. Boards need training and guidance too in order to fulfill their fiduciary duty of oversight over cybersecurity.

Stop the IP Brain Drain – Processes

1. The NIST Cybersecurity Framework — yes, our old friend. Hug it daily. Each one of its core elements has great value to any organization. Cybersecurity vulnerability assessments should no longer be considered a “nice to have” done once a year. Attackers don’t wait a year to attack you. They attack daily. Do your own NIST CSF progress review at least quarterly. Where you are vulnerable, fix it, patch it, or do something to control the risk. Everything you can do to make your company more resilient will come back to your company 100X in terms of preserving your corporate reputation.

2. #patchit — So basic and yet so important. Remember when Patch Tuesday was an assortment of 50 or so problems published by the major developers? Now it’s like a list of 200 or so CVEs a week, every week. How do you keep up? Time and resources, unfortunately. But you have to do it! Prioritize your patches. Fix the critical ones within 72 hours. Remember, attackers won’t wait. They won’t delay. Many of our worst breaches (see, e.g., the Equifax August 2017 breach announcement) have occurred through a failure to patch a known vulnerability in time.

3. #backitup — many a ransomware attack can be foiled (and would be foiled) by following these three steps – A) back up your network once a week to backup media, and keep the media or device fully segmented from everything else. Keep this copy on site. B) keep a second backup offsite so that, God forbid, if your building has a fire or a flood, you can follow your business continuity and disaster recovery plans and get back online quickly.

4. Multi-factor/two-factor authentication — it’s a must-have. Like now.

5. Email filters — what are they? They are solutions that help companies filter bad or fraudulent emails out of inboxes. Attackers play tricks like changing a sender address from something like www.homedepot.com to www.homedepote.com. Sometimes a little trick like that can cause an employee to click on a link or attachment when he or she should not. That can cause a small problem for the employee (the computer starts malfunctioning) and a huge problem for the company (it evolves into a full data breach). Filter solutions are good. They work. They are not that expensive.
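The lookalike-domain trick above (homedepot.com versus homedepote.com) is exactly what a filter’s sender check has to catch. The following is an added example, not the Cyberavengers’ code or any vendor’s product: the trusted-domain allow-list, the sample From: headers and the edit-distance threshold are all constructed for illustration.

```python
"""Lookalike sender-domain check of the kind an e-mail filter performs.

Added example, not the Cyberavengers' code: the trusted-domain list, the sample
headers and the distance threshold are all constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allow-list: domains this organization legitimately exchanges mail with.
TRUSTED_DOMAINS = {"homedepot.com", "example-bank.com", "ourfirm.example"}

# Constructed From: header values to scan.
SAMPLE_HEADERS = [
    "Home Depot Billing <billing@homedepote.com>",     # one extra letter
    "noreply@mail.homedepot.com",                      # genuine subdomain of a trusted domain
    "alerts@homedepot.com.login-verify.example",       # trusted name buried in a longer host
    "Jane Smith <jane@unrelated.org>",                 # simply unknown, not a lookalike
    "not an address at all",                           # malformed header
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation; a real filter uses the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a From: header as trusted / lookalike / unknown / invalid.

    Returns (verdict, detail). max_distance is a constructed threshold; with very
    short trusted names it should be lowered so legitimate domains are not flagged.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "invalid", ""
    host = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted", reg
    # Nearest trusted domain by edit distance catches homedepote.com vs homedepot.com.
    nearest = min(trusted, key=lambda t: levenshtein(reg, t))
    dist = levenshtein(reg, nearest)
    if dist <= max_distance:
        return "lookalike", f"{reg} resembles {nearest} (edit distance {dist})"
    # A trusted name used as a leading label of an untrusted host is also a lookalike.
    for t in trusted:
        if t in host:
            return "lookalike", f"{host} embeds {t}"
    return "unknown", reg


def scan_headers(headers, trusted=TRUSTED_DOMAINS):
    """Return [(header, verdict, detail)] for every header that is not 'trusted'."""
    findings = []
    for h in headers:
        verdict, detail = classify_sender(h, trusted)
        if verdict != "trusted":
            findings.append((h, verdict, detail))
    return findings


if __name__ == "__main__":
    for header, verdict, detail in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:9s} {header!r} {detail}")
```

A production filter adds the public suffix list, homoglyph (Unicode confusable) checks and the display-name versus address mismatch; this block shows only the core distance and embedding tests.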

6. A good, thorough cybersecurity supply chain risk management process (see, e.g., NIST Cybersecurity Framework 1.1) — here is where the country is getting ransacked every day. There is an old saying: if you can’t get in the front door, try the back door or a window. So that is what an attacker does. They are smart enough to know that the prime contractor probably has strong defenses. And smart enough to know that 100 of the prime’s subcontractors have far fewer and far weaker defenses against a sophisticated attack.
What is the plan here? A) prioritize your vendors from “extremely valuable and consequential” to those that don’t have real access to your network secrets, B) diligence the heck out of the ones that matter: use questionnaires, on-site visits, audits and whatever other contractual tools you can to assess and monitor them, and C) for the most important ones, like the subcontractor that makes the wings on your new Joint Strike Fighter (JSF) jet, suggest that they employ and pay for machine learning anomaly detection solutions (there are a few good ones) to catch potential IP theft before it happens. Our losses in the DoD space are so huge they can’t even be calculated. How do you put a price tag on 10 years of anti-ship missile development, or on the F-35 JSF? You just can’t. Cyber vendor due diligence plans, with real fines and penalties, will need to be mandatory in the DoD space. They should be implemented by everyone else under NIST CSF 1.1. No exceptions.

Stop the IP Brain Drain –  Technology

1. Identity and Access Management (IAM) — what does this mean? By using stolen credentials, attackers have almost free rein to attack companies. When an employee tries to sign in from home to work on a project at 9 PM at night, is it really them? Are they really signing in from Lithuania, or is it an attacker using stolen credentials? IAM solutions try to assure that only the right person, with the appropriate level of access, is signing on to your network. Simple, yet not so simple unless you are monitoring this access with a machine learning solution. IAM solutions have gone from being a nice-to-have to a must-have for business. Along with two-factor authentication they can really help limit access to your network.

2. Encryption and Micro-tokenization. Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. MicroTokenization replaces data elements with tokens, transforming data in transit into random strings of characters that have no meaningful value to hackers. They can be used both “at rest” and “in motion.” If data has no meaningful value to hackers, well, then... sounds like a pretty effective defensive measure to us! These methods of data anonymization are no longer just for large enterprises. Middle market and private companies can afford them now as well, as technology and efficiencies have improved. So can military subcontractors in the DoD space. We are beginning to think that for any organization storing or holding large, valuable data sets, encryption and micro-tokenization solutions are now becoming must-have solutions.

3. Machine learning anomaly detection solutions — you have heard about these sorts of solutions before. They look for anomalous network activity — such as the beginning stages of a ransomware attack — which, if detected, would allow a company to stop the attack before it progresses. They are important for any organization that has valuable data. And lots of it to monitor. They are extremely important in situations where companies may not have adequate resources (human and capital) to staff a fully functioning security or fusion center. Here the machine learning solution can serve as another pair of hands, like a trusted advisor, to guard your network. We have plenty of clients using them today. Very few complainers. Just happy campers.
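The IAM question above (is the 9 PM sign-in from Lithuania really the employee?) and the anomaly-detection point here come down to the same mechanism: learn what is normal for each account, then flag what is not. This added example, not the Cyberavengers’ code or any IAM or anomaly-detection product, does that with a plain statistical baseline rather than machine learning; the log format, users, countries and timestamps are all constructed.

```python
"""Baseline-and-deviation check for sign-in events.

Added example, not the Cyberavengers' code nor any vendor's product: it learns
each user's usual countries and sign-in hours from a window of historical
successful sign-ins, then flags new events that break that baseline (unseen
country, unusual hour, or a second country too soon after the first).
Log format, users and timestamps are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history (UTC): "<timestamp> user=<name> country=<ISO> result=<success|failure>"
HISTORY = [
    "2019-08-05T08:30:00Z user=alice country=US result=success",
    "2019-08-05T13:15:00Z user=alice country=US result=success",
    "2019-08-06T09:02:00Z user=alice country=US result=success",
    "2019-08-06T16:45:00Z user=alice country=US result=success",
    "2019-08-07T08:55:00Z user=alice country=US result=success",
    "2019-08-07T17:20:00Z user=alice country=US result=success",
    "2019-08-08T03:00:00Z user=alice country=US result=failure",  # failures do not shape the baseline
    "2019-08-08T14:05:00Z user=alice country=US result=success",
    "2019-08-05T10:00:00Z user=bob country=GB result=success",
    "2019-08-05T22:00:00Z user=bob country=GB result=success",
]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    "2019-08-12T14:10:00Z user=alice country=US result=success",  # normal
    "2019-08-12T21:05:00Z user=alice country=LT result=success",  # 9 PM, never-seen country
    "2019-08-12T22:30:00Z user=alice country=US result=success",  # back in the US 85 minutes later
    "2019-08-12T23:00:00Z user=bob country=GB result=success",    # bob often works late anyway
    "2019-08-13T09:00:00Z user=carol country=US result=success",  # account with no history
]


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "country": fields["country"],
        "result": fields["result"],
    }


def build_baseline(lines):
    """Per user: countries seen, hours-of-day seen, and the most recent successful sign-in."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "last": None})
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        b = baseline[ev["user"]]
        b["countries"].add(ev["country"])
        b["hours"].add(ev["ts"].hour)
        b["last"] = ev
    return baseline


def score_event(ev, baseline, travel_window=timedelta(hours=2)):
    """Return the reasons this event deviates from the user's baseline (empty list = normal)."""
    b = baseline.get(ev["user"])
    if b is None:
        return [f"no baseline for user {ev['user']}"]
    reasons = []
    if ev["country"] not in b["countries"]:
        reasons.append(f"new country {ev['country']}")
    hour = ev["ts"].hour
    # An hour is usual if the user has signed in at it, or within one hour of it, before.
    if not any((h % 24) in b["hours"] for h in (hour - 1, hour, hour + 1)):
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    last = b["last"]
    # Two different countries inside the travel window is the classic stolen-credential signal.
    if last and last["country"] != ev["country"] and ev["ts"] - last["ts"] < travel_window:
        reasons.append(f"{ev['country']} sign-in only {ev['ts'] - last['ts']} after {last['country']}")
    if ev["result"] == "success":
        b["last"] = ev  # roll forward so the next event is compared against this one
    return reasons


def detect(lines, baseline):
    """Score events in time order; return [(line, reasons)] for those that deviate."""
    alerts = []
    for line in sorted(lines, key=lambda l: parse_line(l)["ts"]):
        reasons = score_event(parse_line(line), baseline)
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    for line, reasons in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(line, "->", "; ".join(reasons))
```

The flagged events are the 9 PM Lithuania sign-in, the US sign-in 85 minutes after it, and the account with no history; a commercial product replaces the hour set with a learned distribution and adds device, ASN and behaviour features, but the comparison against a per-user baseline is the same.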

4. Get help when you need it from a qualified MSP – finally, and again for resource-constrained companies, there are alternatives, like the professional cyber investigator, called in the business a managed service provider, or MSP. They can handle almost anything you can throw their way. Experienced MSPs are very good when it comes to breach detection and remediation. They also can add things like threat intelligence to the mix – which can improve detection time. Any organization might consider an MSP to assist their security efforts. For smaller ones, they can be a lifesaver.

Our Stop the IP Brain Drain Plan

We won’t claim that this short plan is the be-all and end-all of cyber defense improvement plans. But the status quo isn’t a viable option anymore. We’re all in this together. It’s the fight of the twenty-first century. And it’s a fight that we must win.

Did we fail to mention one piece of technology? Most likely, and if you feel strongly about it, give us your suggestions, your ideas, but be ready to show that the tool you’re supporting is truly effective.

We needed to have an actionable strategy. Here is one. None of its pieces are out of play in today’s target-rich environment. Our plan is not perfect. But given we are losing $600 billion a year to IP theft, we should not let perfect get in the way of good. Imagine using our plan and lowering this amount to $300 billion next year, $100 billion in two years. You get the point. Imagine the good we could do in this country with that money.

Paul Ferrillo

About Paul

Paul Ferrillo focuses his practice on cybersecurity corporate governance issues, complex…

Chris Veltsos

About Chris

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato

George Platsis

About George

George Platsis is a consultant, author, educator and public speaker.

George E Thomas

About George

Over his twenty-five year professional career, Mr. Thomas has held a series of positions in banking, trading, asset management and auditing at a broad range…

Shawn Tuma

About Shawn

Shawn Tuma (@shawnetuma) is an attorney internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for two decades

Ken Holley

About Ken

Kenneth founded Silent Quadrant – a Washington, D.C.-based information technology services and consulting practice serving the nation’s top lobby firms – in 1993

Chuck Brooks

About Chuck

Chuck Brooks is the Principal Market Growth Strategist — Cybersecurity and Emerging Technologies for General Dynamics Mission Systems

Cyber criminals target law firms and other legal services providers for both their own and their clients’ data. Clients naturally demand their data be protected. Cybersecurity is an organizational imperative across the legal industry.

For lawyers, it’s also an ethical duty.

Keeping the client’s information confidential is one of the first rules of lawyering. Lawyers must take competent and reasonable measures to safeguard clients’ confidential and privileged information. There are common law duties of confidentiality and privilege, and the duty of confidentiality is part of every state’s rules of professional conduct.

Lawyers also have a duty to keep clients reasonably apprised of matter status so they can make informed decisions about the legal representation. Does that duty extend to security incidents involving client information? It’s a reasonable interpretation of the rule.

The ABA agrees. ABA Formal Opinion 483, published in October of last year, calls on lawyers to use reasonable efforts to:

  1. Monitor data security involving client information;
  2. Act promptly to stop security incidents and mitigate damages;
  3. Determine the scope of the breach;
  4. Provide appropriate and accurate notice to affected clients.

Confidentiality and keeping clients informed in the electronic age demand at least a basic understanding of information technology and information security. This lines up squarely with the duty of competence – the paramount ethical obligation to clients. Lawyers must have the knowledge and skills necessary for the representation. Data security today impacts all practice areas.

There are three parts to technology competence. First, knowing what you don’t know. Second, learning what you must know. Third, seeking help from qualified people to fill in the gaps.

Responsibility doesn’t end at hiring technical experts (necessary and important as that is). Lawyers have an ethical duty to supervise staff, consultants and service providers. Within the law firm, this includes policies and procedures, employee security training and reasonable compliance monitoring. For consultants and vendors, data security should be part of initial and ongoing evaluations.

State ethics rules set the minimum standard of conduct for the legal profession. As lawyers we are called to go beyond the minimum and give our clients the best in professional practice and service. That includes keeping their information safe from cyber criminals.

This series will continue with seven essential steps to cyber preparedness.

QDiscovery

HPC PRESENTS:

HPC CyberMatch™ – A Turnkey Solution for Cyber Training & Employment

ACCESS WORLD-CLASS CYBERSECURITY EDUCATION - AND ADVANCE YOUR CAREER IN THE HPC CYBERMATCH™ MARKETPLACE

Today’s widespread reliance on technology and digital services creates Cybersecurity risks that need to be managed responsibly.

The NIST Cybersecurity Framework was created to provide a uniform standard that government and businesses could adopt to guide their cybersecurity activities and risk management programs.

Subsequently, the NICE Cybersecurity Framework was created to identify the human capital requirements and standards that NIST requires for successful deployment. Critically, it provides a common, consistent lexicon to help employers create a cybersecurity workforce capable of engineering, maintaining and continually improving a cybersecurity program based on the NIST Cybersecurity Framework.

The combined NIST/NICE Frameworks have now been approved as the governing framework for Cybersecurity for the US government, a growing number of critical infrastructure sectors (financial services, healthcare, energy etc.) and an extensive list of international governments.

The NIST/NICE Frameworks reflect 3 levels of professional qualification – and 33 job types, which are necessary to achieve it. For organizations seeking to implement and comply with NIST/NICE, these job types are at the heart of a growing number of job listings. Almost any job in the public marketplace may be traced back to one of these 3 categories and 33 job types.

We want to make it easy to engage with Cybersecurity – to get qualified, more qualified and get hired.

We want to make qualifications more transparent and more closely align dialog between cyber-qualified individuals and prospective hiring organizations.

In short, we want to close the Cyber employment gap.

We have reflected this in our HPC CyberMatch™ Curriculum. This is a simple 3-step training program that teaches the knowledge (certifications),  skills (practice labs)  and abilities (virtual internships) – to gain practical experience and enjoy access to experienced CISOs in a wide variety of industries.

The HPC CyberMatch™ Curriculum is designed as self-paced learning – available 24/7 to meet individuals’ and organizations’ particular schedules and requirements. It is priced to be accessible to anyone. Convenient monthly billing keeps things very affordable while you build your future skillset.

The upside of having these cybersecurity qualifications is very evident in a rising job market.

In addition, we are introducing the HPC CyberMatch™ Marketplace. For those individuals who are cyber-qualified (whether via HPC or otherwise), the HPC CyberMatch™ Marketplace provides real-time exposure to prospective employers who are actively seeking to hire cyber-qualified individuals on a contract or permanent basis. In short, it’s the fastest way to get hired in Cybersecurity – and it’s the best place by far for employers to find you.

No-one does Cyber like we do. And we do it for YOU.

Get started.


NIST FRAMEWORK

The NIST Framework was created to provide a uniform standard that government and businesses could adopt – a common Cybersecurity language.

NICE FRAMEWORK

The NICE Framework was created to identify the human capital requirements and standards that NIST requires for successful deployment.

We support the full lifecycle of Cyber learning, qualification and employment. Problem solved.

HPC CyberMatch™ NIST/NICE Training & Talent Marketplace

HPC provides a full curriculum of always-on, self-paced learning for all levels – plus unique access for cyber-qualified individuals and employer organizations to our HPC CyberMatch™ Marketplace. In addition, we make it easy to stay on top of the industry through our timely interviews, articles and events via world-class HPC media.

Here’s how it works:

NIST-CSF FastTrack™ Rapid Adoption & Automation Training Platform

HPC CYBERMATCH
NICE Cybersecurity Workforce Development Training & Staffing Platform

NIST/NICE
Entry Level Positions

NIST/NICE
Intermediate Level Positions

NIST/NICE
Advanced Level Positions

NIST/NICE Certification (Knowledge) Training Platform

NIST/NICE Practice Labs (Skills) Training Platform

NIST/NICE Virtual Internship (Abilities) Training Platform

HPC CyberMatch™ NIST/NICE New Hire Contracting Platform

The NICE Framework defines 33 specialty areas (the job types covered below); HPC’s training modules organize them into three professional levels:

It’s easy to get started.

Entry Level Positions

HPC NIST/NICE

ENTRY LEVEL

Intermediate Level Positions

HPC NIST/NICE

INTERMEDIATE LEVEL

Advanced Level Positions

HPC NIST/NICE

ADVANCED LEVEL

All Levels – Practical / Labs

HPC NIST/NICE LABS

ALL LEVELS

No, cybersecurity is not that easy, but it should be. Judging by the newspapers, it is clearly not easy, or people are simply not communicating well about the basics.

Ransomware continues to explode across the national scene, striking everyone and everything, especially those, like municipalities and school districts, who can least “afford” to deal with its consequences. Not a day goes by without news of yet another unprotected database found by white hats, left exposed on the internet without protection or passwords, its millions of pieces of PII available for anyone to view.

Lastly, let’s not forget that no-one has solved the supply chain problems in this country that plague its industrial base and almost every industrial sector. Digitalization is good. No, it’s great! Outsourcing creates great opportunities. It also creates risk that most companies need help even understanding, let alone dealing with and managing.

I talk with lots of friends daily on things like the above. I stated to one over the weekend, “It seems like we have made little progress since 2013 (and ‘name that breach’).” He stated to me, “Paul, things have gotten worse since 2013. Not better.” It was hard to argue with him. Things are not good.

There are lots of issues here, too many to discuss in 1000 words – let alone 1500. And I am not here to dwell on the bad stuff either. That is not me. That is not what the CyberAvengers stand for (a group of superhero friends of mine whom you might see frequently on social media). Let’s try to fix some of these issues. Today. Now. Here are ways to do so:

1

Let’s stop treating cybersecurity like a “black swan,” infrequent event. It is far from it. It is no different from other recognized forms of corporate risk: financial risk, liquidity risk, fire risk, or currency risk. Cyber is a daily risk that needs to be dealt with daily. In the culture of the company. No more lip service. No more “I am not a target” baloney. If you have data, you are a target. If you think you haven’t been hacked already, think again. You have been. You are being hacked now. Treat cybersecurity with the respect it deserves. Like that million-dollar contract or client you cannot afford to lose. As we know from the AMCA breach, if you lose on cybersecurity, you can lose on everything. Cyber is corporate risk, entity risk, regulatory risk and D&O risk all rolled into one. The consequences of messing up are, well, disastrous.

2

Let’s stop vendor, nerd and tech speak. Let’s speak English to each other. Me to the CEO of a new client: “does your company regularly back up its network, once a week, and store the backup media onsite, off site and in the cloud?” “Well, Paul, I am not really sure.” Oh boy. Red alert, alarms flashing, bad answer. If the CEO can’t answer, and the IT Director can’t, or won’t, answer, I call in the cavalry for the CEO. IT people not only need to speak English to corporate people, lawyers do too. Lawyers have to advise clients not just on what to do, but how to do it and who can do it. We lawyers need to extend ourselves so we can help others in their time of need. So we can help our country in its time of need.

3

All companies should consider adopting the NIST cybersecurity framework before others make that decision for them – yes, I mean Congress, the regulators, or all of the above. The Framework fits in with item 2 – it is in plain English. Lay people can understand it and appreciate it. Question for the CEO: “when was your last vulnerability assessment?” “Well Paul, I don’t know what one really is, but I think we are ok.” Red lights again. Alarms. Do your assessment. You won’t regret it. Your company won’t regret it. And your Board of Directors will say, “Job well done!”

4

Remember that #thebasicsmatter. More than you ever know. Phishing training on a quarterly basis? Not perfect, but highly effective. And it doesn’t cost much. #Patching? #PatchIt regularly. Especially critical CVEs within 72 hours. It’s a must do. Not a nice thing to do when you have the time or you can afford it. #BackItUpX3? You mean: on site, on a segmented basis, off site (fully segmented) and in the cloud? Yes, that is what back it up X3 means. The CyberAvengers have a good chart on this stuff. It’s free. Please take a copy. Bring it to your office and give it to your CEO. Yes, vendors, it is NOT PERFECT. But it’s a good start. It follows the NIST Framework. And it’s in English – https://www.thecyberavengers.com/wp-content/uploads/2017/10/The-CyberAvengers-Easy-To-Do-List.jpg

I could go on and on about the benefits of machine learning anomaly detection (great to have), encryption and micro-tokenization (really great to have) and identity and access management solutions (which, today, are almost a must have).  But I won’t.  They cost money. And many companies don’t have a lot, or if they do, don’t know how to spend it wisely.


#thebasics matter.  Start with the above. Rinse and repeat.  Mic drop.

Paul Ferrillo

About Paul

Paul Ferrillo is a Shareholder in Greenberg Traurig’s Cybersecurity and Privacy Group. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation…

The legal industry is under attack by cybercriminals. Need a second reason to care about cybersecurity? How about this one? Your business depends on it. Clients work hard to protect their and their customers’ data. They expect the same standard of care from outside counsel and other legal services providers.

Security of customer, patient and employee personal data is serious business. Data breaches of personally identifiable information (PII) and protected health information (PHI) trigger various legal and regulatory obligations at both federal and state levels. Common requirements like consumer data breach notifications are onerous and expensive. Data breaches may also lead to substantial fines and open the door to civil suits.

To protect themselves from supply chain breaches, many companies now require their vendors – including legal providers – to respond to detailed, extensive security questionnaires. Some additionally demand vulnerability tests, periodic security audits and similar guarantees. Competition for legal work is fierce. Security questionnaires are an easy way to eliminate unqualified contenders.

Health care, financial services and other highly regulated sectors were the leading edge of this trend. Companies in all industries are requiring stronger data security protections from providers. They’re also allocating risk by aggressively negotiating data breach liability and indemnification provisions in vendor contracts.

Illustrative of this trend, the Association of Corporate Counsel in 2017 published Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. The document’s stated purpose is to help in-house counsel set expectations with outside counsel and other legal service providers. Recommended baseline security controls include:

  • Robust information security policies, procedures and an incident response plan
  • Employee training and background screening
  • Encryption, logical access controls and physical security
  • Operational procedures and controls to ensure technology and systems align with applicable standards and certifications
  • Continuous monitoring, annual vulnerability tests and breach reporting

If there’s a silver lining, it’s this: Cybersecurity is a business opportunity as well as a risk. Data security and its close cousin data privacy are fast-changing areas of law and technology. Clients are looking for lawyers and providers who offer informed counsel and practical guidance. Getting your own house in order is the critical first step.

QDiscovery

A webinar on October 17, 2019 at 10 a.m. (EST)

Join some of the biggest names in #cybersecurity, #privacy, corporate #communications and crisis management for a discussion of the issues in light of recent news headlines.

Paul Ferrillo

About Paul

Paul Ferrillo focuses his practice on cybersecurity corporate governance issues, complex…

Richard Levick

About Richard

Richard Levick, Esq. is Chairman & CEO of LEVICK, representing countries and companies in the highest-stakes global communications matters…

Kate Fazzini

About Kate

Kate Fazzini covers cybersecurity for CNBC. She is the author of the forthcoming book Kingdom of Lies: Unnerving Adventures in the World of Cybercrime…

David Kinnear

About David

David brings a unique and timely perspective on the role of data, automation and artificial intelligence in the modern and efficient delivery of services for legal consumers…

“As we race from case to case, and from big cyber breaches to even bigger cyber breaches, what are we learning? What makes the difference between a “small crisis” and a potentially “catastrophic, entity threatening” cyber crisis? We look at this issue from all angles, press and public opinion, crisis communications and legal, delving into the biggest cases ever to find what we think is the key — good governance, good planning and great crisis management.”

Business Email Compromise: How to Avoid Becoming a Victim

How likely are you to quickly respond to an email that appears to come directly from an executive at your organization, from a trusted third-party vendor, or flagged as high importance by a “business partner?” Malicious actors are banking on immediate action being taken, whether because of the apparent source of the email (i.e. the CEO of the company), the urgency described in the message, or both. Impersonating legitimate individuals by email for nefarious purposes, known as business email compromise (BEC), is a rapidly growing threat aimed at committing financial fraud by eliciting fraudulent wire transfers.

What is BEC?

Malicious actors running BEC campaigns rely on deception techniques to masquerade as legitimate and trusted sources. Using research and social engineering tactics to portray executives, business partners, suppliers, or even legal authority figures, their goal is to induce illegitimate money transfers.  Those who fall victim to a BEC attack are deceived, thinking that they are simply doing what is asked of them by a reputable individual and performing an ordinary transaction, like wiring funds or completing a supply order, when in reality they are being duped by a fraudulent request.

BEC attacks generally work in two ways. In the first, cyber criminals spoof the sender so that the message appears to have originated from a different source. For example, the message is designed to look like it is sent from [email protected], when the actual address is [email protected]. A related trick is to register an email domain that differs from the legitimate one by a single character – something as simple as an underscore (_) in place of a hyphen (-), or a digit in place of a similar-looking letter. Without paying careful attention, the receiver has no reason to believe the email is fraudulent. The two variants differ in one important way: forging your own domain outright can be blocked by publishing SPF, DKIM and DMARC records for it, but a lookalike domain passes those checks because the attacker legitimately owns it, so it has to be caught by the recipient or the recipient’s mail filter.

The second method uses compromised accounts: cyber criminals obtain the credentials to the email accounts of the individuals they want to pose as and send fraudulent messages from them. Credentials can be gathered in several ways, such as through database breaches, phishing scams, or brute-force attacks. In this case the email account is legitimate, but the message is not – and because it is sent from the real account, sender authentication cannot detect it.
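As an added example (not part of the FTI article), the following Python script applies the first method’s warning signs to raw message headers: a trusted person’s display name on an unrelated address, our own domain in From: without a DMARC pass, a registered lookalike domain (the article’s underscore-for-hyphen swap, plus digit-for-letter and “rn”-for-“m” substitutions), and a Reply-To pointing somewhere else. The organization domain, the trusted-sender directory and the sample messages are constructed for illustration, and the Authentication-Results header is assumed to be stamped by your inbound gateway. A message sent from a genuinely compromised account (the second method) carries none of these signs, which is why the controls later in the article do not rely on headers alone.

```python
"""Header triage for the BEC sender tricks described above.

Added example, not code from the article or from FTI Consulting. Domain
names, the trusted-sender directory and the sample messages are constructed.
"""
import email
import unicodedata
from email.utils import parseaddr
from typing import Optional

ORG_DOMAIN = "example-corp.com"                 # assumption: our own mail domain
TRUSTED = {                                      # assumption: people who may request payments
    "ceo@example-corp.com": "Jane Doe",
    "ap@acme-supplier.com": "Acme Supplier AP",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in TRUSTED} | {ORG_DOMAIN}

# Substitutions seen in registered lookalike domains: the article's
# underscore-for-hyphen, digits for letters, and "rn" standing in for "m".
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": "-"})


def skeleton(domain: str) -> str:
    """Collapse a domain so that confusable spellings of it compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(_CONFUSABLES)
    return d.replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def assess(raw_message: str) -> list:
    """Return the BEC warning signs found in one message's headers."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.partition("@")[2]

    # 1. A trusted person's display name on some other address.
    for trusted_addr, name in TRUSTED.items():
        if display.strip().lower() == name.lower() and addr != trusted_addr:
            findings.append(f"display name '{name}' used by {addr}")

    # 2. Our own or a trusted domain in From: with no DMARC pass from the
    #    gateway (exact-domain spoofing, the case SPF/DKIM/DMARC exist for).
    auth = msg.get("Authentication-Results", "").lower()
    if domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        findings.append(f"{domain} in From: without a DMARC pass")

    # 3. A registered lookalike domain. It passes DMARC because the attacker
    #    owns it, so it is caught only by comparison against what we trust.
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"{domain} looks like {imitated}")

    # 4. Replies silently redirected to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=exarnple-corp.com
To: ap@example-corp.com
Subject: Urgent wire needed today

Please wire the vendor deposit before 3pm, I am in meetings all day.
"""

LEGITIMATE = """\
From: Jane Doe <ceo@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass header.from=example-corp.com
To: ap@example-corp.com
Subject: Board deck

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, assess(sample) or ["no warning signs"])
```

The lookalike test deliberately uses two criteria: a character-substitution skeleton for the swaps the article describes, and a small edit distance for typo-squats such as a dropped letter in the TLD. Tune the distance threshold to your trusted list, since very short domains will collide with unrelated ones at distance 2.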

Why You Should Be Concerned

BEC attacks “have seen an explosive 476% growth between Q4 2017 and Q4 2018.” [1] The likely cause of this drastic increase is that they are low risk for cyber criminals and highly effective, simply because of human nature.

Further, a BEC campaign uses simple technology, can be put into action rapidly, and carries the potential for a large payout.  If that’s not reason enough to be concerned, BEC attacks are also capable of circumventing traditional security practices like anti-virus scans or spam filters.

Obvious flags for email filters, like grammatical errors or misspellings, usually do not catch BEC attacks because these messages are targeted and carefully constructed. A BEC attack also does not rely on malware, another reason it evades scans and filters. Instead of an individual clicking on a malicious link or downloading an attachment containing malware, a successful BEC campaign only needs to deceive the target with a message that appears to be legitimate.

Extensive research is performed ahead of launching an attack in an effort to make the message as personalized as possible. Using a combination of publicly available information, like a bio on a company website, useful data from social media, and relevant material found on the dark web, emails can be written in a manner that appears legitimate and entices the recipient to take action.

The results of these attacks are significant and costly.  BEC attacks “yield an average of $132,000 per attack” and it is difficult to recoup the money after it has been transferred.  A public service announcement from July 2018 released by the FBI stated that victims of BEC attacks lost more than $12.5 billion from October 2013 to May 2018.

Losses suffered go beyond just monetary, including loss of operations and damaged reputation, which can end up being costlier than the transfer of funds itself.  A BEC attack has the ability to disrupt business continuity, demanding valuable resources be used to ensure operations are brought back up to speed, and whenever an organization is in the news for a cyber attack, they run the risk of losing customer faith.

Don’t Be a Victim: How to Protect Against BEC Attacks

There is no silver bullet that will prevent a BEC attack from being successful.  Instead, the best way to prevent BEC fraud is through security awareness training.  Creating a “culture of security” will help reduce the risk of a successful BEC attack.

Employees at every level of your organization should be trained to recognize common deception tactics, like domain name spoofing (i.e. an email address that appears legitimate), and learn other best practices.

This includes not posting personal information, or anything that could be leveraged against you, on social media.  The less ammo that cyber criminals have to work with, the less likely their email will appear to be legitimate.  

People are often referred to as the “weakest link” in an organization’s security posture, but they can also be your biggest strength when it comes to mitigating risk, as long as they are properly prepared.

Beyond training, additional accounting controls should be implemented to help combat BEC attacks. For example, requiring some form of confirmation from the requesting party before authorizing payment should be standard protocol. This could be as simple as calling the individual the message claims to come from to ensure they were behind the request – using a phone number already on file, never one supplied in the email itself, since an attacker will happily answer a number of their own choosing. The same out-of-band check should apply to any request to change where a vendor’s payments are sent. If it’s a legitimate request, it may add time to the transfer process, but it’s better to be overly cautious and confirm the funds are going to the right place than to lose them for good to a malicious actor.

Regular assessments of networks and systems should already be part of your overall security strategy, but they can also help deter BEC attacks. An investigation can determine whether email accounts or servers were compromised and altered – for instance, mailbox rules added by an intruder to forward or hide messages – so that fraudulent emails could be sent from your own network and appear legitimate. Identifying such an intrusion early can prevent large sums of money from falling into the wrong hands.

Another best practice to mitigate BEC threats is to implement multi-factor authentication on all email accounts at your organization.  This practice requires multiple steps to login after entering a password, such as receiving a unique code on a mobile device and then inputting the text.  Even if a cyber criminal has credentials to an email account, multi-factor authentication will help prevent them from being able to access it and send fraudulent transfer requests, since they likely won’t have the means to verify it’s the appropriate person logging in.

Lastly, perform due diligence on your vendors, suppliers, customers, or anyone involved with the potential transfer of funds. Determine which individuals specifically you will be interacting with and learn their processes and habits. This will help trigger caution if their normal business practices suddenly differ, like an urgent request out of the blue, or an email from someone you’ve never worked with previously.

Steps to Take if an Attack is Successful

In the unfortunate event that a BEC attack is successful and funds are fraudulently transferred, all is not lost, but you must act quickly: contact your financial institution immediately and request either a recall of the funds or that the transaction not be allowed to go through.

Additionally, subject to certain criteria, you can invoke the Financial Fraud Kill Chain (FFKC) process offered through the FBI. Its intention is to provide an additional route for recovering funds and it should be used in conjunction with the normal procedures at your financial institution. Even if your circumstance does not qualify for the FFKC process, you should still contact your local FBI office to report the incident. You’ll also want to file a complaint with the IC3, as they can assist both your financial institution and any involved law enforcement with their efforts to recover your funds.

Within your own network and systems, work to identify how the attacker got in – a compromised mailbox, for example – so that their access can be contained and further damage prevented. Also, be sure to involve all relevant parties within your organization, or partner with a company that can help provide support, including forensic accounting, strategic communications, and litigation support. A united front can help control the situation and ultimately recover from the fraudulent transfer.

Oldest Trick in the Book

While certain cyber attacks are becoming increasingly technical, the art of deception is a simple tactic that has been around for centuries.  Despite its simplistic nature, preventing a BEC attack cannot be achieved by installing software and rather requires a culture of awareness to be established.  With emails becoming increasingly personalized and targeted, it is more essential than ever to learn what to look for to avoid falling victim to this type of attack.  Cyber criminals are going to continue using attack methods that are low-effort, successful, and offer large payouts, which for now, is the case with BEC attacks.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates or its other professionals.

ANTHONY FERRANTE

Anthony J. Ferrante is a Senior Managing Director and the Global Head of Cybersecurity at FTI Consulting. Mr. Ferrante is an expert in cybersecurity resilience, prevention, response, remediation and recovery services.

Mr. Ferrante has more than 15 years of top‐level cybersecurity experience, providing incident response and preparedness planning to more than 1,000 private sector and government organizations, including more than 175 Fortune 500 companies and 70 Fortune 100 companies.

Mr. Ferrante maintains first-hand operational knowledge of more than 60 criminal and national security cyber threat sets, and extensive practical expertise researching, designing, developing and hacking complex technical applications and hardware systems.

Prior to joining FTI Consulting, Mr. Ferrante served as Director for Cyber Incident Response at the U.S. National Security Council at the White House, where he coordinated U.S. response to unfolding domestic and international cybersecurity crises and issues. Building on his extensive cybersecurity and incident response experience, he led the development and implementation of Presidential Policy Directive 41 – United States Cyber Incident Coordination, the federal government’s national policy guiding cyber incident response efforts.

Before joining the National Security Council, Mr. Ferrante was Chief of Staff of the FBI’s Cyber Division.

He joined the FBI as a special agent in 2005, assigned to the FBI’s New York Field Office. In 2006, Mr. Ferrante was selected as a member of the FBI’s Cyber Action Team, a fly-team of experts who deploy globally to respond to the most critical cyber incidents on behalf of the U.S. Government.

Mr. Ferrante previously served as an Adjunct Professor of Computer Science at Fordham University’s Graduate School of Arts and Sciences, where he served as the founder and co-director of the Master’s of Science in Cybersecurity program in the Graduate School of Arts and Sciences. During his time at Fordham University, he served as the co-director of the undergraduate and graduate cybersecurity research programs.

Paul Ferrillo

Paul Ferrillo is a Shareholder in Greenberg Traurig’s Cybersecurity and Privacy Group. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation, and internal investigations. He assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Paul represents public companies and their directors and officers in shareholder class and derivative actions, as well as in internal investigations. In particular, he has coordinated numerous internal investigations on behalf of audit committees and special committees, and handled the defense of securities class actions alleging accounting irregularities and/or financial fraud. He is also the author of Navigating the Cybersecurity Storm: A Guide for Directors and Officers (Advisen 2015) and Co-Author of Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives (Advisen 2017).

The legal industry is under attack – cyberattack. The threat is real, significant and immediate.

Consider the costs of a data breach:

  • Downtime/loss of billable hours
  • Loss of reputation
  • Consulting fees to security experts
  • Corrupted or lost files
  • Breach notifications
  • Hardware and software replacement

Most readers will be familiar with the fate of Mossack Fonseca of “Panama Papers” infamy. In December 2016, several foreign nationals were charged with insider trading after hacking as many as 48 law firms handling M&A matters. In 2017, the major multinational firm DLA Piper instituted a temporary network and phone system shutdown because of the global Petya/NotPetya ransomware attack.

The headline makers are just the tip of the iceberg. In a survey for the ABA 2018 TechReport, 23% of lawyers reported their firms had experienced a data breach at some point. There are undoubtedly more who have been hacked, but just don’t know it.

Think it’s a Big Law problem? Adjusted for firm size, the percentages are higher for mid-sized and small firms.

Ransomware is a universal threat to all industries. Moreover, law firms and other legal services providers are an especially tempting target because they’re a one-stop shop for vast quantities of business and personal information: data collected from a wide range of companies, pre-selected for value and often better organized than the originals.

The ABA aptly characterizes firms in particular as both attractive and soft targets for cybercriminals. Despite the heightened threat level, legal lags behind other sectors in cyber preparedness. Law firms are vulnerable to many attack types:

  • Phishing and spear-phishing
  • Ransomware
  • Business email compromise
  • Data exfiltration
  • Denial-of-service
  • Data theft and monitoring for insider trading
  • Viruses and malware
  • Hacktivism

Compounding the problem, legal professionals are an easy target for phishing/spear-phishing. We publish our email addresses, phone numbers and extensive biographical information on websites and public social media accounts. The purpose is client service and marketing. The unintended result is a data gold mine for bad actors.

Cybersecurity isn’t something other people do. It’s everybody’s problem. This post is the first in a series setting out three reasons why legal professionals must be vigilant about data security and seven essential steps to guard against cyberattacks.

QDiscovery

By Paul A. Ferrillo

Regarding the actions of Russia during the dark days of World War II, the great Winston Churchill once said, “[Russia] is a riddle wrapped in a mystery inside an enigma; but perhaps there is a key. That key is Russian national interest.” The quote was meant to give his British subjects some idea of allegiances at the time given the sweep of Nazism through Europe. It was meant to rally the British to understand that if attacked by Germany, Russia would no doubt respond in kind.  And Germany did attack.  And Russia responded as Churchill and others had predicted.

This quote is meaningful to me when it comes to cybersecurity, because today, years and years after the first mega cyberattacks, like Heartland Payment Systems and Target, business people are still trying to figure out the key or keys to cybersecurity. Figuring out this “key” is critically important, because given its inherent complexities cybersecurity is hard enough to explain on its own (the term “distributed denial of service” comes to mind). A “key” might act as a “secret decoder ring” for the laypersons who run and guide public companies, like its directors and officers. And especially general counsel, who often find themselves right in the middle of the big “mess” of the day where an “uphill” fight is all but assured.

What are the keys? What makes cybersecurity tick? There are many vendors that might like to lob an infected USB stick my way for approaching this subject. But tough noogies. The stakes are too high. Think Russia, China, Iran and North Korea. It’s going to be a long hot summer. We think we have figured out the keys to cybersecurity. They should not be a secret. If they were, there may not be anything left for our adversaries to steal 5 years from now:


5 Keys to Cybersecurity:

1

Cybersecurity is not so complex; it’s better to “deal”: Why overly complicate something that is already complicated and filled with mystery? I don’t know. I have never understood this point. Especially when most of cybersecurity finds its foundation in protecting your “Crown Jewels,” i.e. your most important IT, IP, PHI, or customer digital assets. If you are a hospital system, your most important asset is the PHI of your patients. Yes, there are other things that are important, like your medically connected IoT devices. But HIPAA regulates and demands you protect your PHI to within an inch of your life. So….. you had better think about doing so. See? Not so complicated.

2

It’s your people, not your technology, that matters most: Huh? I don’t get it. I thought cybersecurity was mysterious, filled with computers, servers and clouds. No, not so much. Should a hospital, vendor, or service provider for a hospital leave a patient database on an AWS server open to the public, without proper configuration and a strong password? No, you should not. Should doctors, nurses and residents share passwords on the floor as they try frantically to save lives, and reach for any terminal available to get mission critical information? Yes, I get it, that is their job. But they should not share passwords. Training and education can save companies loads of trouble if it’s religiously instituted and followed. Spearphishing training is remarkably effective. If it’s given the chance to be effective. Complicated issues here? Not so much.

3

Mission critical question to ask IT: “how long does it take us to patch critical vulnerabilities?” You might not like the answer. One recent article notes, “Forget the stealthy hacker deploying a never-before-seen zero day to bring down your network. IT security professionals admit that one in three breaches are the result of vulnerabilities that they should have already patched.” See “Cybersecurity: One in three breaches are caused by unpatched vulnerabilities,” available at https://www.zdnet.com/article/cybersecurity-one-in-three-breaches-are-caused-by-unpatched-vulnerabilities/. There are a lot more issues around the concept of patching. Too many patches, not enough people, not enough time, and the ever-present “and then there was another Patch Tuesday.” I get it. I understand it. But I am just telling you the truth. Some of the major incidents you have heard of, like WannaCry, were caused by an unpatched vulnerability. Note that this is not a fault-based question; it’s really a resource-based question. If an organization doesn’t have enough resources to effectively patch all critical vulnerabilities within a week or two, then it needs to find/get/hire those resources. The stakes here are too high, especially when the bad guys prey on unpatched vulnerabilities.

4

Breaches stink! But a bad breach response (or an untimely one) could get you in even more trouble. What people learn in cybersecurity is that, for the most part, if Company A gets hacked today, it is more than likely that Company B will be hacked Monday, and Company C will be hacked Tuesday. What do we mean by this? Simply put, if you are straightforward with your customers, patients and investors, they will likely forget your breach pretty quickly and move on to focus on the inherent value of the company instead. There will always be another breach. But if, for instance, you are slow to respond, slow to disclose, or inadequately disclose what happened to your constituencies, you will likely be tortured a good long time by the media, high-activity bloggers, and most importantly, the regulators too. Why the torture? I truly think it is a “risk allocation” problem. As between a company and its customer, it was the company that stored the customer’s data. So if there’s a breach it is the company that needs to inform the customer what happened, so the customer can protect himself or herself. So what is the moral to this story? Memories of bad breaches that were handled well and timely disclosed tend to fade. Bad breaches that get badly handled or where disclosures were delayed for months or years? Big problem – and a potentially big regulator problem as well if you are a public company or regulated entity.

5

How do I best protect myself? Encrypt or tokenize your data to make it useless to the attacker. If everyone is or will be hacked at some point regardless of defenses (especially when a nation-state comes knocking at your server door), then protect your data by encrypting or tokenizing it so that, if stolen, it is useless. So what do we mean here? If the ingredients of the “secret sauce” on your Bronco burger are your most critical asset, do something so that the ingredient “ketchup” looks like “XQ1%5HWP” if the attacker steals it. One caveat that matters in practice: this only works if the encryption keys (or the token vault that maps tokens back to values) are stored and controlled separately from the data, because an attacker who steals both has stolen the plaintext. This topic doesn’t get talked about much. It is more confusing than not for some. But the point is, if your data looks useless to an attacker, maybe the attacker will decide you are not worth the hack, and will go somewhere else.
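The tokenization half of that advice, as an added example (not the author’s or any vendor’s code): the application’s record store keeps only random tokens, and a separate vault holds the mapping back to plaintext, so a copy of the record store is useless on its own. The recipe, the role names and the in-memory stores are constructed; in a real deployment the vault runs on a separate system with its own credentials and audit log, and the index key comes from a KMS or HSM.

```python
"""Tokenization vault: the record store keeps random tokens; only a
separately protected vault can map them back to plaintext.

Added example, not the author's code. The recipe, the roles and the
in-memory dicts standing in for the two stores are constructed.
"""
import hashlib
import hmac
import json
import secrets

SENSITIVE_FIELDS = {"ingredients"}        # assumption: the crown-jewel fields
DETOKENIZE_ROLES = {"kitchen-manager"}    # assumption: who may see plaintext


class TokenVault:
    """Plaintext <-> token mapping; deploy it apart from the data it protects."""

    def __init__(self, index_key: bytes) -> None:
        # A keyed (HMAC) index lets a repeated value reuse its token without the
        # lookup table holding plaintext, and stops an attacker who steals the
        # table from confirming guesses like "ketchup" by hashing them himself.
        self._index_key = index_key
        self._token_by_index = {}
        self._value_by_token = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random token: carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._value_by_token[token]


def new_vault() -> TokenVault:
    """Fresh vault with a random index key (in practice: from a KMS/HSM)."""
    return TokenVault(secrets.token_bytes(32))


def _map_field(value, fn):
    return [fn(v) for v in value] if isinstance(value, list) else fn(value)


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Copy of record with every sensitive field replaced by tokens; this is
    what the application database stores and what an attacker would steal."""
    out = dict(record)
    for field in SENSITIVE_FIELDS & record.keys():
        out[field] = _map_field(record[field], vault.tokenize)
    return out


def reveal_record(vault: TokenVault, stored: dict, role: str) -> dict:
    """Inverse of protect_record, allowed only for an authorized role."""
    out = dict(stored)
    for field in SENSITIVE_FIELDS & stored.keys():
        out[field] = _map_field(stored[field], lambda t: vault.detokenize(t, role))
    return out


def can_reveal(vault: TokenVault, stored: dict, role: str) -> bool:
    """True if the role is allowed to see the plaintext behind stored."""
    try:
        reveal_record(vault, stored, role)
        return True
    except PermissionError:
        return False


def plaintext_leaked(stored: dict, secret_values) -> bool:
    """True if any secret value appears anywhere in the stolen record."""
    blob = json.dumps(stored)
    return any(s in blob for s in secret_values)


# Constructed sample record.
RECIPE = {"name": "Bronco burger",
          "ingredients": ["ketchup", "horseradish", "smoked paprika"]}

if __name__ == "__main__":
    vault = new_vault()
    stored = protect_record(vault, RECIPE)
    print(json.dumps(stored, indent=2))            # tokens, no ingredient names
    print(reveal_record(vault, stored, "kitchen-manager"))
```

The index is keyed with HMAC rather than a plain hash because a plain hash of a low-entropy value (an ingredient name, a card number) can be recovered from a dictionary of guesses. The trade-off is that a given value always maps to the same token, which reveals when two records share a value; if that matters, skip the index and accept a new token per occurrence. Encryption offers the same protection with the key playing the role of the vault, and the same rule applies: keep it away from the data.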

So these are the “keys” as we describe them.  Yes there are more, but these are pretty big.  Perhaps the biggest key?  Adopt the NIST cybersecurity framework (or one of its regulatory variants) and stick to it.  The Framework will assist you with many of these keys.  And it may even provide answers to some of the major questions a layperson general counsel might have about cybersecurity.  We need to take the mystery out of cybersecurity.  More people need to get to the basics as we describe them above.  If we do, this nation will be far better off down the road.  And the ingredients to the secret sauce for your Bronco burger will likely not end up on the menu of one of your competitors in a foreign country.

Several years ago, a series of massive and highly publicized retail data breaches took the issue of cyber security out of IT circles and inserted it into the mainstream news, cocktail party banter, and corporate board agendas. Those breaches also served to introduce the concept of cyber insurance to a much wider audience. Interest in and uptake of cyber insurance began to grow, largely driven by the breach response services (including incident response, forensic investigation, notification and credit monitoring costs) and class action lawsuit defense coverage available under those policies.

Although cyber policies still provide tremendously valuable coverage for breach events, they’ve come a long way since then. Recent iterations of cyber policies go far beyond data breach coverage and offer protection against a wide range of the most vexing cyber threats and privacy exposures affecting companies in every business sector.

Additional Coverages

Some of the key cyber exposures for which coverage may be available are:

Cyber Extortion

Coverage is generally available for ransomware payments, as well as for other types of cyber extortion, such as threats to publicly disclose protected information or to interrupt computer systems. Coverage typically includes response services, and insurers can assist with ransom negotiations. Some insurers also will assist with obtaining digital currency to pay ransom demands.

Social Engineering

Some insurers offer coverage under cyber policies that expressly applies to social engineering attacks — i.e., phishing, business email compromise — that result in the transfer of company funds to unintended third parties.

Coverage for Senior Executive Losses

At least one insurer provides coverage for identity theft and theft of funds from personal bank accounts of executive officers resulting from a third-party breach of the company’s network security.

Corporate Identity Theft

Coverage may be available for losses incurred as a result of fraudulent use of the company’s electronic identity, including the establishment of credit in the company’s name, electronic signing of contracts, and the creation of a website designed to impersonate the company.

Contingent Business Interruption

Some insurers offer coverage for loss of business income, forensic expenses, and extra expenses sustained as a result of the interruption of the insured’s business operations caused by an unintentional and unplanned interruption of computer systems operated by a third party business that provides necessary products or services to the insured pursuant to a written contract. This coverage can be especially valuable in today’s digital and interconnected economy.

Bricking

Although cyber policies typically exclude coverage for damage to tangible property, some carriers have introduced endorsements that are triggered when a hacking event causes the “bricking” (loss of use or functionality) of the insured’s computer hardware or electronic equipment by maliciously reprogramming the software installed on that hardware or equipment. Bricking coverage applies to the costs to repair or replace the affected hardware or equipment when it would cost more to reinstall software.

Betterment

A particularly valuable new coverage is now offered by some insurers for improvements to the insured’s hardware or software following a security breach that exploited a weakness in the insured’s computer system. Coverage is available if it is determined that such improvements will reduce the risk of a future breach related to that weakness.

Consequential Reputational Harm

Some carriers are offering coverage for lost profits associated with the loss of current or future customers because of reputational damage resulting from a covered cyber event. The lost profits must have been incurred during a “reputational harm period,” a designated window of time following discovery of the cyber event.

Loss Adjustment Costs

Calculating the costs associated with a system damage or business interruption insurance claim can be a complicated business, particularly when costs must be allocated to an uninsured waiting period designated in the policy form. Some cyber carriers are providing coverage for the cost to retain professionals, such as forensic accountants, to assist the insured in the calculation of its financial loss.

Invoice Manipulation Loss

Many insurers are now offering coverage specifically designed for phishing attacks and other schemes to trick the insured company into transferring funds to a fraudster instead of to an entity to which the insured owes money. Now, at least one insurer provides coverage to companies that have been unable to collect payment for their goods and services as a result of an “invoice manipulation loss.” Invoice manipulation means the release or distribution of a fraudulent invoice or payment instruction resulting from a security or privacy breach. The policy covers the insured’s net cost to provide the goods or services, exclusive of profits.

Corporate Identity Theft

Coverage now is offered by some carriers for financial loss resulting from the fraudulent use of the insured’s electronic identity, including the establishment of credit in the insured’s name, electronic signing of contracts, and creation of a website designed to impersonate the insured.

Telephone Hacking

Companies may be able to obtain coverage for losses resulting from the hacking of their telephone system, including reimbursement of costs for unauthorized calls and use of the company’s bandwidth.

Management Liability

Coverage may be available for senior executive officers if they are sued in connection with a covered cyber event.

A Word of Caution

The coverages described above may not be available from all insurers, and not all insureds will qualify for all types of coverage. In addition, some coverages may be subject to sub-limits and important conditions, such as requiring the insurance company’s consent before incurring any expenses.

Concluding Thoughts

Cyber insurance isn’t just for companies with large amounts of credit card data. Coverage is constantly evolving to address emerging cyber risks from which no company is immune. Companies should carefully consider how a well designed cyber insurance policy can protect them from the expense and disruption of today’s pervasive cyber threats.

Click on the link below to download my free book

A Closer Look At Cyber Insurance

Having worked in India at an LPO for nearly 6 months now, I have seen the use of technology in almost every aspect of legal work. I have been lucky enough to be part of a team which embraces and pushes technology to continually improve efficiency. Recently this technology push has started to expand into areas where I did not have much prior experience. Specifically, we have had the opportunity over the past several months to apply what we have learned to data breach reviews.

I think that everyone can agree that data breaches are becoming a large part of the legal conversation over the past several years. And with large data breaches often comes increasingly stringent requirements for notification to those individuals affected. Because of this, there is a growing sector of the legal review industry that is dedicated to reviewing this information. Before working at an LPO I had no idea this field was as large as it is. I also did not realize the opportunities for technological applications that this type of work would present.

From the data breach reviews we have run at LO2 I personally feel that the use of technology is just as important, if not more important, than technology applications in traditional document review. Part of the importance of technology in data breach work comes from the nature of the information which is being reviewed. For example, most sensitive information follows a similar pattern. Social security numbers are always the same number of digits arranged in a similar pattern; bank account numbers also follow a specific arrangement. This consistency has allowed us to structure searches that quickly identify those documents which have potentially sensitive information.

The uniformity of the information being searched for also allows us to build in more complex search strings and patterns which may not always be available when searching for more nuanced text. Even the structure of names allows for more targeted searches as they follow similar patterns. One other tool we have utilized is batching similar document types. Not only is it helpful to batch documents by their format, but using document names also allows us to easily spot important documents which contain PII or PHI and then review an entire group at once. In my opinion noticing similarities in documents and then having attorneys review them in clusters is one of the best ways to improve efficiency as they learn the documents and can understand where to search others that are similar.


While PII allows for elegant search strings and batching, these tried and true technological methods are not as easily applied when looking for PHI. For finding PHI it is important to understand the nature of the documents you are reviewing. For this purpose, we employed several random and targeted searches to pull examples of documents which contained PHI. Once this was complete and we understood the relevant documents then we were able to employ similar techniques in grouping similar documents and building more advanced search strings.

As I discussed above, one of the main tools we used was dividing up the work by document format. An important step of any review is to understand what documents will pose the most difficulty. We found that often the documents with the largest amount of sensitive information would be Excel files. Because of this, they were segregated out from day one with their own search string pattern and batches. This allowed us to create a more efficient workflow and to utilize the strengths of the team to their full potential to meet deadlines. One thing to consider is the platform one is using. For example, with the platforms we usually use there is an option for reformatting large sets of data so they can be uploaded directly to the tool instead of an attorney having to manually enter each individual piece of information. This not only saved time, but also improved overall efficiency and morale, as any attorney would suffer a productivity decline from entering hundreds of lines of PII. Not only that, but finding technological solutions like this also decreases human error and increases the overall quality of the final work product.
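The pattern searches and format-based batching described in the preceding paragraphs, as an added example (not LO2's own tooling): candidate SSNs and bank routing numbers are matched by shape, checked against the issuer's rules to cut false positives, and the documents with hits are batched by file format so spreadsheets get their own queue. The document names and text are constructed for the demo; the SSN plausibility rules and the ABA routing-number checksum are the published ones.

```python
"""Pattern-based PII triage for a breach review (added example, not the LPO's
own tooling).  Scans constructed sample documents for candidate SSNs and ABA
routing numbers, validates them, and batches hits by document format."""
import re
from collections import defaultdict
from pathlib import PurePath
from typing import Dict, List

# SSN: 3-2-4 digits with optional separators, bounded by non-digits so that
# phone numbers, dates and longer ID strings do not match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# ABA routing number: exactly nine digits, not part of a longer digit run.
ROUTING_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  Cuts false positives from badge numbers etc."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def is_valid_routing(number: str) -> bool:
    """ABA checksum: weights 3,7,1 repeating; weighted sum must be divisible by 10."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(number, weights)) % 10 == 0


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return validated candidate identifiers found in one document.
    A bare nine-digit run can legitimately match both patterns; it is
    flagged under both and left to the reviewer to resolve."""
    hits: Dict[str, List[str]] = {"ssn": [], "routing": []}
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits["ssn"].append(m.group(0))
    for m in ROUTING_RE.finditer(text):
        if is_valid_routing(m.group(0)):
            hits["routing"].append(m.group(0))
    return hits


def triage(documents: Dict[str, str]) -> Dict[str, List[str]]:
    """Batch documents by file format (only those with at least one hit), so
    reviewers see similar documents together and spreadsheets get their own
    queue.  Documents with no hits land in a separate low-priority batch."""
    batches: Dict[str, List[str]] = defaultdict(list)
    for name, text in documents.items():
        hits = scan_text(text)
        if not any(hits.values()):
            batches["no_hits"].append(name)
            continue
        ext = PurePath(name).suffix.lower() or "unknown"
        batches[ext].append(name)
    return dict(batches)


# Constructed sample documents (hypothetical names and text, not real data).
DOCUMENTS = {
    "hr/onboarding.docx": "Employee SSN 123-45-6789, phone 212-555-0100, badge 000-12-3456.",
    "finance/payroll_Q2.xlsx": "ACH routing 123456780 for vendor 44; ssn 321654987 on row 12.",
    "memo.txt": "Meeting 2019-07-16 at 11:00; ticket 66600001234 closed.",
}

if __name__ == "__main__":
    for name, text in DOCUMENTS.items():
        print(name, scan_text(text))
    print(triage(DOCUMENTS))
```

The phone number, the 000-area badge number and the date in the sample are deliberately shaped like near-misses so the boundary and validity checks can be seen doing their work.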

Given the importance and sensitivity of the data for breaches, I have found the use of technology by the team immensely useful. It has provided a more accurate reflection of what data was lost than ever could have been accomplished in a traditional manner. It also meant that the efficiency was improved and produced something the team could be proud of. This type of work has really opened my eyes to how others could learn to implement technology on even non-traditional reviews. I think the main thing to remember is when you are facing a new type of legal work to not be afraid to use tools and tricks you have implemented before and see what works and what doesn’t. There is always some piece of technology or a different workflow that can help.

[Technology + Labor Arbitrage] > Labor Arbitrage

A Leading Provider of Technology-Enabled Legal Innovation, Contract Extraction, Contract Analysis and Document Review Solutions.

ABOUT

Legal Outsourcing 2.0, as the name suggests, is the next generation of Legal Process Outsourcing. We provide technology-enabled solutions and services to law firms and corporations.

There are essentially two differentiators in how we go about doing that. We apply the latest innovative technologies, including natural language processing and machine learning, to solve problems and create efficiencies. We also have experienced US-licensed attorneys, who have been employed by Am Law 100 law firms on staff at our production facility in India at all times.

The technology piece creates efficiencies – the American legal presence ensures quality.

All communications with the production team are with US-licensed attorneys to ensure there are no miscommunications. We are unique in providing our services by using a blended legal team which combines a rich mix of US legal talent on site at our India processing center with an experienced Indian legal team. In fact, we have more US licensed, Am Law experienced attorneys than any other LPO with a production facility in India.

The ratio of our American lawyers to Indian lawyers working on site in India at Legal Outsourcing 2.0 is less than 1 American lawyer to 50 Indian lawyers.  The ratio of American lawyers to Indian lawyers on site in India at other LPOs ranges from 1 American lawyer to 250 Indian lawyers, to most LPOs in India not having any US legal talent on site at all.

APPROACH

Law firms produce more revenue the more hours they bill.

Traditional LPOs charge a lower hourly rate, but their business model is the same hourly business model as a traditional law firm. That business model creates a disincentive to adopt new technology and create efficiency. Our business model is different. It can be summed up by this equation:

[Technology + Labor Arbitrage] > Labor Arbitrage

The result: our solutions are better, faster and less expensive.

We obtain superior results by complying with the highest industry standards.

Our quality management practices have been certified as compliant with ISO 9001:2015.

Our information management systems, designed to keep information assets secure, have been certified as compliant with ISO 27001.

WHAT YOU NEED TO KNOW ABOUT CYBERSECURITY TODAY
Join this exclusive webinar on Tuesday July 16th: 11am (est)

High Performance Counsel and Paypro have teamed up to bring best-in-class Cyber Security experts together to provide their top tips on some of the greatest Cybersecurity challenges faced by all companies today.

Large and small, if you have a digital footprint, you are exposed. Over 95% of cyber-attacks occur because of human error. Do you feel your employees are adequately trained? What is your response process to a cyber-attack?

Understanding cyber terminology, threats and opportunities is now critical for future managers, lawyers and business professionals.

Our experts are qualified and knowledgeable in cyber security essentials, social engineering, malware, cybercrime, cyber insurance, online privacy and much more.

Join us as we walk through the biggest threats in cyber security for your business and what you can do to protect yourself and your company.


HEAR FROM SOME OF OUR WORLD-CLASS PANELISTS AND THE TOP TIPS THEY WILL SHARE ON WHAT’S HOT IN CYBERSECURITY – RIGHT NOW!

David T. Kinnear

Top three in cyber:

  1. Business impact of cyber readiness
  2. Human capital conundrum
  3. Launch of CyberMatch


Bryan Dickens

Top three in cyber:

  1. Shrinking of the deficit in the cyber workforce
  2. Increase of the current cyber workforce’s hands on skills and abilities
  3. Address the nation’s digital illiteracy

Rick Lemieux

Top three in cyber:

  1. The NIST Cybersecurity Framework
  2. The NICE Cybersecurity Workforce Framework
  3. The Cybersecurity Talent Shortage and the Latest Burning Glass Report


Chuck Brooks

Top three in cyber:

  1. Supply chain vulnerabilities
  2. Insider threats
  3. ML and A.I. in cyber


Paul Ferrillo

Top three in cyber:

  1. Cyber regulatory activity heating up at both the federal and state level – new NY law and potentially regs bigger than CCPA
  2. The “third party” cyber security due diligence problem getting worse
  3. Lack of attention to details – ransomware – can we ever “back it up”?


ABOUT HIGH PERFORMANCE COUNSEL

HIGH PERFORMANCE COUNSEL (aka #hipcounsel) delivers world-class media coverage, actionable intelligence and essential professional development assets – designed to equip and empower modern legal industry professionals.


MEDIA & EVENTS

Our media coverage highlights the individuals, organizations, strategies & solutions designing and driving the next decade of innovation in law.

PROFESSIONAL DEVELOPMENT

Our professional development assets include critical cybersecurity training & certification for modern day legal industry professionals – and the clients they serve.

GLOBAL COMMUNITY

Our growing community of modern legal industry professionals is second-to-none. This is a community for everyone focused on the future of the legal industry – and making it the best it can be for participants and clients alike.

Why not stop by for a glimpse of the modern legal industry unfolding around us: 

In industry first, HPC turnkey training modules enable any professional to qualify for NIST/NICE employment or achieve Cybersecurity professional advancement

New York, NY – July 9, 2019 — Leading legal and cyber industry media & training organization, High Performance Counsel (HPC), today announced a turnkey online Cybersecurity training solution that enables professionals from any background to acquire the qualifications to engineer and operationalize the NIST Cybersecurity Framework (NIST-CSF) across an enterprise and its supply chain plus the qualifications to perform the work roles identified in the specialty areas of the NICE Cybersecurity Workforce Framework (NICE-CWF).

The HPC NIST/NICE Curriculum reflects government and industry mandates for organizations to adopt and adapt the NIST-CSF qualification to meet Cybersecurity business goals and regulatory requirements. The NIST Curriculum also supports the education and training needs of individuals seeking employment and career development in the growing Cybersecurity sector.

HPC has committed to being the one-stop education partner that individuals and organizations need to gain cybersecurity competencies and certifications. Individuals may select whichever level of training they wish – or that which covers the job they seek to attain.

Says HPC Founder & CEO, David Kinnear: “There is a generational need for Cybersecurity professionals qualified to support government and private sector needs. We’ve created a refreshingly simple, modular and accessible training solution to meet the complex training and experience requirements of the NIST Framework. It’s a great way for individuals to upskill in their career endeavors. It also makes things much simpler for organizations seeking to train existing team members.”

Three simple & affordable subscription options:

HPC NIST/NICE ENTRY LEVEL

This curriculum is aligned with the stipulations of the NIST/NICE Framework to support the requirements of the following roles & job titles:

This 12-month subscription program provides students access to all the necessary materials to achieve Entry Level accreditation PLUS over 200 additional accredited training programs that will help students prepare for the most sought-after certifications in Information Technology (IT), Information Security, Technology and Business Skills.*

*Note: examination fees excluded

HPC NIST/NICE INTERMEDIATE

This curriculum is aligned with the stipulations of the NIST/NICE Framework to support the requirements of the following roles & job titles:

This 12-month subscription program provides students access to all the necessary materials to achieve Intermediate Level accreditation PLUS over 200 additional accredited training programs that will help students prepare for the most sought-after certifications in Information Technology (IT), Information Security, Technology and Business Skills.*

*Note: examination fees excluded

Got Cyber? Get qualified. Start here.

ABOUT HIGH PERFORMANCE COUNSEL | CYBER

HIGH PERFORMANCE COUNSEL (aka #hipcounsel) delivers world-class media coverage, actionable intelligence and essential professional development assets – designed to equip and empower modern legal and cyber industry professionals.


MEDIA & EVENTS

Our media coverage highlights the individuals, organizations, strategies & solutions designing and driving the next decade of innovation in law and cybersecurity.

PROFESSIONAL DEVELOPMENT

Our professional development assets include critical cybersecurity training & certification for modern day legal and cyber industry professionals – and the clients they serve.

GLOBAL COMMUNITY

Our growing community of modern legal and cyber industry professionals is second-to-none. This is a community for everyone focused on the future of the legal and cyber industries.

Why not stop by for a glimpse of the modern legal and cyber industry landscape unfolding around us:

NIST-aligned certification program reflects government and industry mandates of the NIST Cybersecurity Framework (NIST-CSF) as the governing standard for organizations and their Cybersecurity professionals.

New York, NY – July 3, 2019 — Media, events and education leader in the legal and cybersecurity industries, High Performance Counsel (HPC) has added a full suite of NIST-aligned training and certification to its growing portfolio of cybersecurity qualifications available for individuals and organizations. The NIST Curriculum reflects government and industry mandates for organizations to adopt and adapt the NIST-CSF qualification to meet Cybersecurity business goals and regulatory requirements. The NIST Curriculum also supports the education and training needs of individuals seeking employment and career development in the growing Cybersecurity sector.

HPC has committed to being the one-stop education partner that individuals and organizations need to gain cybersecurity competencies and certifications. With government and regulated industries now requiring individuals to be NIST-CSF qualified, the opportunity for forward-thinking professionals is becoming clear.

Key features include:

The NIST Curriculum is the only independently accredited certification training curriculum designed to teach organizations how to operationalize the NIST & NICE Cybersecurity Frameworks across an enterprise and its supply chain.

The NIST Curriculum is the first certification training program that teaches the knowledge, skills and abilities (KSA’s) to plan and engineer a NIST cybersecurity program plus the KSA’s to stand up and support a Security Operations Center (SOC) and Continual Improvement Center.

For those starting out or still at school, the NIST Curriculum is a timely add-on or top-up for existing qualifications, which  helps to advance or accelerate a career in cybersecurity. For current cyber professionals, it’s a highly convenient way to up-skill and attain career goals.

Says David Kinnear, HPC CEO: “For us, it’s about being part of the solution. While some bemoan the increase in automation taking away opportunity, we see a new world of opportunity for the individual who wishes to leverage their existing skillset in a digital era. The compensation potential for NIST-qualified Cybersecurity professionals can far exceed that of many lawyers and ad hoc reviewers. It frames a choice for the individual between the old and the new – where the new often pays better.”


HPC #ThinkTank Presents: Where National Security Meets Cybersecurity Meets Economic Security

June 18, 2019 at 12:30 (est)

Register here for this complimentary webinar presented by High Performance Counsel

There is not a day that goes by in which the news media reports a major breach or potential breach regarding our government, our military, our communications systems or our supply chain. Some breaches seek merely critical IP. Some breaches, like that of the F35 fighter program or the Sea Dragon anti-ship missile program, go right to the heart of our national defense. So the question quickly becomes: “How does this affect me?” Why? Because unless you are selling chewing gum, you likely have data of value, and/or you are part of the supply chain.

Our two experts, Kate Fazzini, Cybersecurity Reporter at CNBC, and Paul Ferrillo, a partner in Greenberg Traurig LLP, describe today’s perilous cyber eco-system, and what you can do to insulate your company from a serious cyber attack.

HPC Media Group and Cybint Roll Out Cyber Certification Curriculum for Legal & Consulting Industry Segments

The HPC/NY Cyber Offering is available for legal advisers and consultancies to offer clients.

NEW YORK, NY – May 8, 2019 – Legal industry media, events and education leader, High Performance Counsel and global cyber education leader Cybint Solutions are taking steps to help legal advisers and consultancies support the growing need for cybersecurity certification.

The HPC/NY Cyber Offering is a turnkey curriculum available to legal advisers and consultancies seeking to support clients in their cyber education and staff training requirements. The HPC/NY Cyber Offering provides a comprehensive suite of multi-level cyber education and professional development offerings. Classes range from cyber literacy for non-technical professionals to advanced, hands-on Simu-Labs and cyber range environment for those pursuing a cybersecurity career.

David Kinnear, Founder & CEO of High Performance Counsel commented: “Cybersecurity is both one of the greatest risks – and greatest opportunities – facing the legal sector and the clients it serves. Cybersecurity literacy is a must-have technical competency for legal professionals in today’s legal world. Clients live and breathe data – so they expect their advisers to understand the issues and, increasingly, offer proactive solutions for managing risk. With the Cyber Offering, we’ve taken a big step toward making this easier and more accessible for legal advisers, consultancies and clients alike.”

“With High Performance Counsel, we have found a partner who shares our commitment to closing the cyber security skills gap,” said Bryan Dickens, Former FBI Profiler and Cybint’s SVP. “Within the legal landscape, especially, there’s a growing need for cyber expertise and with HPC, I believe we can set law professionals up for success.”

Further information on the Cyber Offering and curriculum guides may be accessed here.


About High Performance Counsel

HIGH PERFORMANCE COUNSEL (aka #hipcounsel) delivers world-class media coverage, actionable intelligence and essential professional development assets – designed to equip and empower modern legal industry professionals.

Our media coverage highlights the individuals, organizations, strategies & solutions designing and driving the next decade of innovation in law. Our professional development assets include critical training & education for modern day legal industry professionals – and the clients they serve. Our growing community of modern legal industry professionals is second-to-none.

Further information: https://www.highperformancecounsel.com

Contact High Performance Counsel here

About Cybint Solutions

Cybint Solutions is a Cyber Education company committed to solving the skills-gap and market shortage in cybersecurity through innovative education and training solutions for all levels of expertise. Cybint integrates emerging cyber technologies, hands-on environments and evergreen content into a cutting-edge learning platform for businesses, higher-education institutions, government agencies and regional cyber centers worldwide. With an eye toward preparing the next generation of cyber experts, Cybint creates a deep and powerful global network of cyber knowledge that goes far beyond typical technical expertise. To further address the critical workforce shortage in the industry, Cybint launched the Cyber Talent Network platform which helps match qualified cyber professionals with employers in their region based on the candidates’ skills and capabilities. Cybint was founded as a collaboration of military-trained cybersecurity and intelligence experts, industry professionals and well-seasoned educators.


As law students and lawyers consider potential career opportunities in the legal profession, they are often interested in understanding which legal practice areas will be in high demand in the future.  As I look into my crystal ball and try to predict some of the high demand areas in the legal profession over the next several years, my “Top 3” are below. A common theme for these Top 3 areas is the growing impact of technology in our lives.

Privacy & Cybersecurity

As technology continues to rapidly advance, we have seen – and will continue to see – an explosion in the amount of data that is being generated in our society. This incredible rise in data reminds me of the iconic opening lines of the classic book “A Tale of Two Cities” by Charles Dickens: “It was the best of times, it was the worst of times,…” Some have said that “data is the new oil,” and there are great opportunities for all organizations to use data to accelerate their digital transformations, better serve their customers and improve the lives of others.

However, data is also a highly desired asset of cybercriminals and certain nation-states – who are becoming more sophisticated and more brazen. Unfortunately, we continue to read about organizations across all industries being subject to very high-profile data loss incidents and their associated negative consequences.

What this means is that clients will increasingly need guidance from lawyers to help them properly protect data and use data in a lawful and responsible fashion. At the same time, the areas of privacy and cybersecurity are increasingly becoming regulated and more complex as new laws are being enacted both inside and outside the United States. Data privacy and cybersecurity issues are also starting to permeate into many traditional legal practice groups and in my opinion it will be necessary for all lawyers to gain skills in these areas to be successful as they become more fundamental to the provision of legal services.

Artificial Intelligence Law

While there is no singular definition for Artificial Intelligence (AI), some Microsoft engineers have broadly defined AI as “a machine that can act using human-styled reasoning or perception.” All industries are making significant investments in the AI space as certain tasks which have been traditionally performed by humans may be automated via AI – especially those that are repetitive and routine in nature. Gartner – the leading research and advisory company – has forecasted that by 2022 the total AI-derived business value associated with the customer experience, new revenue and cost reduction will be nearly $4 Trillion.

In late February I had the opportunity to serve as a Co-Chair and speaker at a Practising Law Institute program in New York City entitled “Artificial Intelligence Law 2019.” The title and agenda of this program made me realize that AI is quickly transforming into its own legal practice area that currently involves key disciplines such as data privacy, ethics, regulatory law, intellectual property and employment law – and will probably include other disciplines in the future.

While AI is still very much in its infancy, its influence in our lives is starting to be seen every day as we routinely use and interact with digital assistants like Cortana, Alexa and Siri. As our clients continue to invest in AI solutions and the legal profession embraces AI as a tool for the delivery of legal services, lawyers will increasingly need to shape and navigate a growing AI law landscape that is also in its infancy and quickly evolving.

Legal Operations & Technology

Suffice it to say that traditionally the legal profession has not been the proverbial “poster child” for embracing change and leveraging technology. But to quote one of singer and songwriter Bob Dylan’s most famous songs, “The Times They Are a-Changin’.”

We are increasingly seeing in-house legal departments and law firms being more open to digital transformation and using leading technology tools and data to achieve more and better serve their clients. The #LegalTech marketplace continues to grow exponentially to provide a wider range of technology solutions to the legal profession. Leading organizations like the Corporate Legal Operations Consortium (CLOC) are gaining in popularity and influence in the legal industry. In addition, law schools are beginning to understand that they need to reimagine traditional legal education and provide courses to better equip “21st Century” lawyers for the growing intersection of legal operations, business and technology.

As legal organizations accelerate their digital transformations to deliver more high-impact legal services to their clients, those lawyers well-versed in technology tools, data analytics, project management, process management, design thinking and AI will be in great demand.

As we have just entered a new era known as the Fourth Industrial Revolution, it is a very exciting time to be a lawyer. Be sure to “skill-up” to take advantage of the opportunities that are out in front of us.

High Performance Counsel Media Group and Cybint Solutions join forces to establish New York Cyber Center of Excellence.

The HPC/NY Cyber Center will serve as a national hub for legal industry professionals seeking Cybersecurity education.

NEW YORK, NY – April 1, 2019 – Legal industry media, events and education leader, High Performance Counsel and global cyber education leader Cybint Solutions are taking steps to close the critical global cybersecurity workforce skills gap. The two organizations are partnering to establish an innovative and progressive New York Cyber Center.

The HPC/NY Cyber Center will serve as a region-wide hub for top-tier cyber education, resources and thought leadership, meeting the needs of learners at all levels. Particular focus has been given to the unique cyber awareness and education needs of modern legal, medical and financial services practitioners, and the clients they serve. The HPC/NY Cyber Center will serve as a national hub for legal industry professionals.

Through the partnership, Cybint Solutions will deliver its comprehensive suite of multi-level cyber education and professional development offerings. Classes range from cyber literacy for non-technical professionals to advanced, hands-on Simu-Labs and cyber range environments for those pursuing a cybersecurity career.

“We’re excited at the opportunities we see in the legal landscape and our partnership with High Performance Counsel,” said Roy Zur, Cybint Solutions CEO. “There’s a growing need within this space for hands-on skills and cyber expertise, and with High Performance Counsel, I believe we can make a difference, positioning the practitioners they serve for success and continuing to further our mission of closing the cyber skills gap.”

David Kinnear, Founder & CEO of High Performance Counsel commented: “From inception, the focus of High Performance Counsel has been on the needs of the next ten years in the rapidly-changing legal industry. Cybersecurity is both one of the greatest risks – and greatest opportunities – facing the legal sector and the clients it serves. Cybersecurity literacy is a must-have technical competency in today’s legal world – and a new competitive edge for many.”

About High Performance Counsel

HIGH PERFORMANCE COUNSEL (aka #hipcounsel) delivers world-class media coverage, actionable intelligence and essential professional development assets – designed to equip and empower modern legal industry professionals.

Our media coverage highlights the individuals, organizations, strategies & solutions designing and driving the next decade of innovation in law. Our professional development assets include critical training & education for modern day legal industry professionals – and the clients they serve. Our growing community of modern legal industry professionals is second-to-none.

Further information: https://www.highperformancecounsel.com

Contact High Performance Counsel here

About Cybint Solutions

Cybint Solutions is a Cyber Education company committed to solving the skills gap and market shortage in cybersecurity through innovative education and training solutions for all levels of expertise. Cybint integrates emerging cyber technologies, hands-on environments and evergreen content into a cutting-edge learning platform for businesses, higher-education institutions, government agencies and regional cyber centers worldwide. With an eye toward preparing the next generation of cyber experts, Cybint creates a deep and powerful global network of cyber knowledge that goes far beyond typical technical expertise. To further address the critical workforce shortage in the industry, Cybint launched the Cyber Talent Network platform, which helps match qualified cyber professionals with employers in their region based on the candidates’ skills and capabilities. Cybint was founded as a collaboration of military-trained cybersecurity and intelligence experts, industry professionals and well-seasoned educators.

By Chuck Brooks


There is a congruency between the legal community’s mission of preparedness and the practice of cybersecurity. A primary requirement of the legal profession is to obtain data and explore evidence, assess the implications of that evidence, and prepare accordingly to protect and serve the client. Cybersecurity follows that same framework.

There is, however, an urgent need for the legal community to add an element to their operations that brings them more in line with cybersecurity practice: concrete actions that provide better protection of their data against breaches.

Unfortunately, most law firms (and companies, for that matter) lack the critical awareness, policies, and technologies to best secure the crown jewels. These jewels include private firm interchange, records, and especially privileged attorney-client communications.

The risks to law firms are already very high. Mossack Fonseca, a 40-year-old law firm, closed as a result of a data breach that revealed the Panama Papers. About two-thirds of law firms have experienced some sort of data breach, according to a 2017 cybersecurity scorecard from Logicforce, a LexisNexis company.

With increasing risk to revenues and reputation, law firms should consider hiring cybersecurity professionals to augment their IT shops. If possible, they should also explore bringing in outside expertise from subject matter experts (SMEs) who understand the latest developments in technologies and compliance directives in the cyber ecosystem. The growing number of sophisticated phishing, ransomware, and DDoS attacks is challenging, and outside help is becoming more of an imperative.

I have assembled a list of basic questions that can set the foundation for how firms can assess vulnerabilities in data protection and take steps to protect themselves. My list includes:

While these general questions can serve as a first step, a technical vulnerability assessment is a good idea for any law firm, small or large, in this increasingly risky world of connectivity. Data breaches are a compelling threat and one that should not be taken lightly.


Chuck Brooks is the Principal Market Growth Strategist — Cybersecurity and Emerging Technologies for General Dynamics Mission Systems. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 500 million members. He has published more than 150 articles and blogs on cybersecurity and technology issues. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. Chuck’s professional industry affiliations include being the Chairman of CompTIA’s New and Emerging Technology Committee, and a member of The AFCEA Cybersecurity Committee. In government, Chuck served at The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues. In academia, Chuck is an Adjunct Faculty member at Georgetown University in their Applied Intelligence Program and was an Adjunct Faculty Member at Johns Hopkins University, where he taught a graduate course on homeland security for two years. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

Traditionally, the legal industry has been the most conservative when it comes to adopting new technology. That is even more true of electronic signature and digital transaction management (DTM) solutions, and for good reason. The primary reason is post-execution forgery detection, or the lack of it. The fundamental question is: how do you know that a PDF or a printed version of an electronically signed document is legitimate and has not been tampered with, expired, cancelled or rejected? Can that document be trusted when called into question or used as evidence? For that one reason, still today, most high-value document transactions are signed in wet ink and physically mailed around. The promise of electronic signature and DTM is tremendous: cost and time savings, document tracking, document delivery, error elimination, sustainability, environmental friendliness, and much more. However, if the digital and paper versions of an electronically signed document do not offer the same peace of mind that a wet signature on paper does, all the fancy tools are useless, because they leave you and your client exposed.

How are documents with wet signatures protected in real life?

When a paper document is signed with a pen, there is no undoing that. This way of signing the document alters the DNA of the paper. In the past we also had carbon copies. If a signed document is altered, or even if a signature is forged, forensics experts can readily detect the alterations and forgery. We all remember forensics experts on television talking about how they detect signature fraud by examining various characteristics of the signature and handwriting. So the paper-and-pen solution is pretty solid.

However, the problem starts when pen-and-paper documents are photocopied or scanned and then stored and shared digitally. Electronic versions of documents can easily be altered using free software such as Adobe Acrobat Reader. Anyone with the right means can simply lift the image of a signature and use it to sign documents, and unfortunately there is no way to stop that. As a result, the number of cases where courts cannot rely on eSigned documents is ever increasing. We could use a document verification service, but that just adds more inefficiency, time, and cost to an already cumbersome and costly process.

How to detect if your document is legitimate?

An all-digital, paper-free world is inevitable. People are already signing real estate deals, opening bank accounts, and securing sales agreements using electronic signatures. Whether the signature is an image superimposed on the document or the swish of a finger on a signature pad or tablet computer, and whether or not digital certificates or fancy software security wrappers are added around those eSignatures, what happens when you have to present those documents as PDFs or in print?

If electronically signed documents are part of the evidence or proof, chances are you won’t be sharing your user ID and password to some online Cloud service (where your legally eSigned documents are stored) with the judge and the various other people involved in the case. You are most likely to share PDF copies or printed copies. If the legitimacy of the documents involved is called into question, or document fraud is claimed, including forgery of the electronic signature, how would you disprove that claim?

ZorroSign gives that peace of mind by offering the same assurance that a wet signature on paper does, plus a quick and secure way to detect forgery. With its unique patent-pending proprietary Document 4n6 (Forensics) technology, ZorroSign offers post-execution fraud and forgery detection for digital and paper versions of an electronically signed document. Of course, nothing stops an untrustworthy individual from altering a PDF document, or even copying and pasting an eSignature from one document onto another. However, if the document was signed using ZorroSign, a judge or a lawyer can, within seconds, verify and authenticate the document, including its full audit trail, attachments, and biometrics.

Furthermore, just like pen-and-paper signed documents, ZorroSign-ed documents never expire. They do not require third-party digital certificates, which have to be renewed every year and add significant cost. These signatures are legally binding without needing added security measures, third-party digital certificates, or document verification certificates or services. In fact, ZorroSign 4n6 (Forensics) technology offers added benefits that even traditional pen-and-paper signed documents don’t. For instance, you can have a complete audit trail of the data and the transaction with date and time stamps, biometrics, and attachments. It can also detect if a document was altered after it was signed using ZorroSign. Furthermore, the ZorroSign automation engine supports broadcast and KYC templates and workflows, which are extremely popular use cases among the legal community.
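To make the integrity question above concrete, here is an added illustration that is not part of the original article and is not ZorroSign’s 4n6 technology: a detached signature record bound to the exact bytes of a document, using Ed25519 from the Go standard library. It shows what such a record detects (a post-execution edit, a record copied onto a different document, a signature image pasted in after signing, an edited timestamp) and therefore why a bare signature image offers no such check. The retainer and NDA texts, the signer label and the timestamp are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignatureRecord is the detached "token" a verifier receives alongside a
// copy of the document. Every field is covered by the signature, so none
// of them can be edited or moved to another document without detection.
type SignatureRecord struct {
	DocHash  string // SHA-256 of the exact document bytes, hex-encoded
	Signer   string // constructed label, not a real identity
	SignedAt string // constructed RFC 3339 timestamp
	Sig      []byte // Ed25519 signature over DocHash|Signer|SignedAt
}

// canonical builds the byte string that is actually signed, so the signer
// identity and timestamp are protected together with the document hash.
func canonical(docHash, signer, signedAt string) []byte {
	return []byte(docHash + "|" + signer + "|" + signedAt)
}

func hashDocument(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// SignDocument hashes the document and signs the hash with signer and time.
func SignDocument(priv ed25519.PrivateKey, doc []byte, signer, signedAt string) SignatureRecord {
	h := hashDocument(doc)
	return SignatureRecord{
		DocHash:  h,
		Signer:   signer,
		SignedAt: signedAt,
		Sig:      ed25519.Sign(priv, canonical(h, signer, signedAt)),
	}
}

// VerifyDocument recomputes the hash of the presented copy and checks the
// signature. A single changed byte, a record lifted from another document,
// or an edited Signer/SignedAt field all make it return false.
func VerifyDocument(pub ed25519.PublicKey, doc []byte, rec SignatureRecord) bool {
	if hashDocument(doc) != rec.DocHash {
		return false // the presented copy is not the bytes that were signed
	}
	return ed25519.Verify(pub, canonical(rec.DocHash, rec.Signer, rec.SignedAt), rec.Sig)
}

// Demo runs the checks a reviewer would try against a signed document and
// returns whether each copy verifies.
func Demo() (original, altered, transplanted, pastedImage, editedField bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample documents, not real agreements.
	retainer := []byte("RETAINER AGREEMENT\nFee: $5,000\nClient: Example LLC\n")
	nda := []byte("NON-DISCLOSURE AGREEMENT\nTerm: 2 years\n")

	rec := SignDocument(priv, retainer, "A. Signer (constructed)", "2019-04-01T10:00:00Z")

	original = VerifyDocument(pub, retainer, rec)

	// Post-execution edit: the fee is changed in the circulated copy.
	tampered := bytes.Replace(retainer, []byte("$5,000"), []byte("$50,000"), 1)
	altered = VerifyDocument(pub, tampered, rec)

	// The signature record is copied onto a different document.
	transplanted = VerifyDocument(pub, nda, rec)

	// A signature image is pasted into the document after signing.
	withImage := append(append([]byte{}, retainer...), []byte("<img signature.png>")...)
	pastedImage = VerifyDocument(pub, withImage, rec)

	// The timestamp inside the record itself is edited.
	edited := rec
	edited.SignedAt = "2019-04-02T10:00:00Z"
	editedField = VerifyDocument(pub, retainer, edited)
	return
}

func main() {
	original, altered, transplanted, pastedImage, editedField := Demo()
	fmt.Println("untouched copy verifies:              ", original)
	fmt.Println("fee edited after signing verifies:    ", altered)
	fmt.Println("record moved to another doc verifies: ", transplanted)
	fmt.Println("signature image pasted in verifies:   ", pastedImage)
	fmt.Println("timestamp in record edited verifies:  ", editedField)
}
```

A record like this travels with the PDF and can be checked offline by anyone holding the signer’s public key, which is what makes the “altered after signing” and “pasted onto another document” cases detectable in seconds. What it does not settle on its own is whether that public key really belongs to the named signer and was valid at the stated time; that binding of key to identity is the job certificates and their validity periods perform, and any scheme that does without them has to supply it some other way.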

With ZorroSign’s electronic signature technology and digital transaction management platform, the legal community can have the peace of mind that they and their clients are protected against post-execution forgery and tampering of their legal documents.


ZorroSign Industry Use Cases

Legal industry – Electronic Signature and Digital Transaction Management

Use Electronic Signature, Digital Transaction Management, Biometrics, and ZorroSign (Document) 4n6 (Forensics) to Avoid Post-Execution Forgery of Legal Documents

Challenges

  1. Electronically signed documents are easily forged after execution.
  2. Current electronic signatures are not fit to replace wet signatures.
  3. eSigned documents require purchase of digital certificates yearly to keep documents from expiring.
  4. Partial digitization of paper-based transactions.
  5. No detailed audit trail of legal documents signed electronically.
  6. eSigned documents are not upheld in the court of law.

About ZorroSign

ZorroSign is an eSignature, and a Digital Transaction Management company that offers a unique proprietary technology to protect legal documents against post-execution forgery.

Challenges of the Legal Industry

Law firms of all sizes need world-class tamper-proof security and legal enforceability of legal documents, with non-repudiation, audit trails with full progress tracking and bank-level encryption. They particularly require a way to protect legal documents against post-execution forgery. They want all that while becoming more efficient and cost-effective in running their practice. With ZorroSign eSignature and the 4n6 (Forensics) Token as a complete DTM solution, your law firm can have all that and execute legal contracts online within minutes.

Use Cases

  • Retainer, fee and non-disclosure agreements
  • All facets of the incorporation documents for all types of business entities
  • Purchase agreements (assets, products, and services)
  • Sale/Purchase, Merger and Acquisition contracts
  • Comply with Sarbanes-Oxley Act (board minutes, transparency, audit trail)
  • General Policy management and compliance by Human Resource Department
  • Employment contracts and new hire packages
  • Comply with your Document Retention Policy
  • Power of Attorney and Proxy Agreements
  • Wills and Trust documents
  • Request and collect consent and acknowledgement from large number of employees at once.

Key Features

  • ZorroSign eSignatures are compliant with international laws & regulations, such as E-Sign Act, UETA, HIPAA, etc.
  • Highly trusted eSignature that can be verified and authenticated digitally and on paper. The entire document set is secured using industry-standard encryption.
  • Documents signed with ZorroSign can have access authorization using password, biometrics (fingerprint & iris) or any other third-party authentication services if required.
  • The 4n6 Token can contain any file type, including audio, video and GPS data, along with encrypted detailed transaction information.
  • Give secure access (view, validate) to only authorized users via 4n6 (forensics) token reader mobile app.
  • The 4n6 Token does not expire, and it cannot be altered, pasted or forged onto another document.
  • Define document specific and generic (user-specific) workflows.
  • Build a template library of frequently used documents.

1-855-ZORROSN (967-7676)

I am pleased to be able to speak with Jon Loew, CEO of AppGuard. Jon, can you tell us about what your company does in the cyber realm and also a bit on your own background?

Thank you for the opportunity to participate in this interview, Chuck. AppGuard provides autonomous endpoint security for organizations around the world. Our technology has been proven effective in both the public and private sector, and features many revolutionary attributes. As a non-practicing attorney, I have a unique perspective into the concerns and vulnerabilities related to cyber-risk for law firms.

Can you elaborate on some of those attributes?

Happy to. Firstly, our technology is described as autonomous because our software requires minimal updates and can function without any connection to the internet. It knows all it needs to know the moment it’s installed, so your laptop could be disconnected from the internet for 2 years. Plug that thing back in now and it will block zero-day malware today (obviously, if a client has added new applications, we need to update policy settings to accommodate these as well). Next, the size of our software is less than 1MB at the endpoint, which is a fraction of competitors’ software. Lastly, because our software needs minimal updates, there is no CPU degradation (and certainly no file scanning).

Clearly, the legal industry is being targeted by cyber-attackers because they possess valuable financial records, IP, and medical data. This past year, LOGICFORCE surveyed and assessed over 200 law firms located throughout the United States. They found that every law firm assessed was targeted for confidential client data in 2016-2017 and approximately 40% did not even know they were breached. 

From your unique perspective as both a cybersecurity executive and an attorney, what are the special challenges the legal industry faces in protecting data?

Law firms and associated attorneys play a special role in our ecosystem. We expect them (and they are expected) to hold our information in the highest confidence. We expect our communications to remain private, and we engage in conversations with them we would often not have with anyone else. While most enterprises are worried about protecting their OWN confidential info, law firms have to worry about dozens or even hundreds of companies’ confidential information. Further, law firms will do almost anything to protect their reputations as trusted advisors. Lastly, law firms have certain obligations that many other industries don’t currently have. Ethics rules that apply to the practice of law require a firm in some cases to notify ALL of their clients if data has been extracted from their enterprise, regardless of how much data was extracted, and regardless of whether that particular client’s data was extracted. This can be devastating to a law firm. Hackers know all of this, and law firms are starting to realize they are in the cross-hairs.

Cybersecurity, at its core, is risk management of people, processes and technology. In the legal community a practice is often multi-office, multi-device, and usually under a minimal IT and HR budget. Can you share how your AppGuard products and services are designed for the distinct law firm ecosystem?

If you combine this with the fact that most law firms don’t have robust IT departments, they are unfortunately ideal targets for hackers. Many are relatively unprepared for attacks, and the reward for the adversaries is a high-stakes bounty: the firm’s IP and confidential client data! Our software’s autonomous nature makes it extremely easy for even the most limited IT staffs to manage. Additionally, many firms (and their people) are also often spread out geographically, with confidential information sitting on endpoints (i.e. desktop, laptop, home office, etc.). Once AppGuard is installed on these endpoints, the users are free to travel between offices, to and from work, do work on the road, and feel confident that they will not fall victim to a hack. IT managers can also feel comfortable knowing that their attorneys don’t need training for our software – with AppGuard on their endpoints they would not be able to detonate malware on their devices, even if they wanted to, let alone by accident.

2017 was a scary year, with an upswing in global ransomware, phishing, and DDoS attacks in industry and government. From your review of the emerging cybersecurity threat matrix for 2018, what do you predict will be the top trends coming our way to watch?

We believe that the threat to small and large businesses will continue to grow, while many of our competitors play catch up. Attackers will increasingly use more advanced capabilities, develop new threat vectors, and devise malware that is even more “stealthy” in nature. This is particularly worrisome to many CISOs because the only thing more concerning than being breached is not knowing how long the breach has been ongoing. Ransomware will continue to grow as a preferred method of attack because of the quick reward associated with it, and the anonymity of crypto-currency. All the training in the world will still not prevent a user on your enterprise from being tricked by professional tricksters. Companies will need to re-think the type of protection they are using, and will begin to utilize lesser-known technologies as more well-known vendors continue to allow breaches. We wish everyone a safe, hack-free new year for 2018. But if you want to ensure a positive outcome, you should probably install AppGuard on all of your endpoints.

Smiley

Thank you, Jon. It should be noted that Jon asked me to add a “smiley emoji” after his final answer because he knows it was a shameless plug for AppGuard. I’d say it was an effective one.
