Episode 9

November 18, 2024

00:14:37

Episode 9: Cybersecurity 101 for Law Firms

Show Notes

In this conversation, Gabriel Stiritz and Foster Davis discuss the critical importance of cybersecurity for law firms, particularly in the context of rising data breaches. They explore the current landscape of cybersecurity, the challenges faced by small- to medium-sized law firms, and the necessity of understanding one's cybersecurity posture. The discussion emphasizes the value of penetration testing and hiring professionals to assess vulnerabilities, as well as the importance of having insurance and a solid IT management strategy. The episode concludes with actionable takeaways for law firm owners to enhance their cybersecurity measures.


Episode Transcript

[00:00:00] Speaker A: Welcome to The Relay, presented by Lex Amica. My name is Gabriel Stiritz, founder and CEO of Lex Amica, the leading attorney referral network. We're leaders who are passionate about leveraging technology and AI to enhance law firm practices. Our listeners are the owners and C-suites at personal injury, consumer and mass tort law firms like yourself. My guest today is Foster Davis, co-founder and CEO of Breach Bits. Today we're talking about cybersecurity. The headline statistic that I read a couple weeks ago is that a thousand percent more Americans. That's right. Not a hundred percent. A thousand percent. That's ten times more Americans were affected by data breaches this year than last year. This is not a small thing. This is the biggest topic that people are not talking about in the personal injury industry. I'm at 30 conferences a year. Not very many people are talking about this. It's all about marketing and litigation. This is a way to really hurt your business. Foster is a friend of mine and someone that I really trust in this space, which is why he's on the podcast today. Foster, it's great to have you on the show. Thanks so much for joining us.

[00:01:00] Speaker B: Great to be here, Gabriel. Thank you.

[00:01:02] Speaker A: Yeah, Foster, cybersecurity is something that I am really not hearing many attorneys or leaders talk about in the space. I think that they're. Because we're kind of an SMB market where law firms range in the plaintiff side from between, you know, just a few dozen people to a few hundred, they're very under-resourced when it comes to things like cybersecurity generally. So really wanted to talk to you about what's going on in the space right now and, as always, give some very actionable takeaways by the end of the podcast episode for people to walk out, walk into the office for the day and start to work on. So just kind of high level, what's going on in cybersecurity right now? What are the trends that you're seeing across the country?

[00:01:43] Speaker B: I think you did a good intro there talking about, you know, because what we see also is that people know it's an issue. They see the headlines and they don't know what to think about it. How does this affect me? How does this, how does this, how should I be thinking about it? Where do I stand? Is this going to matter to me? What if something happens? So I'd say confusion, a little bit of anxiety. But the other thing that's kind of frustrating about security is that it's invisible, and so it's difficult to wrap your mind around a little bit as opposed to other challenges that the business, that these business leaders would have.

[00:02:17] Speaker A: Right. Cybersecurity is something that it can be really bad and nothing's going wrong. And then all of a sudden everything's gone wrong and you are cleaning up the pieces.

[00:02:26] Speaker B: Yeah. Or maybe you're one of the lucky ones and you never did anything about it and you emerge just fine. It's, it's, it's tough to know where you stand and is it going to matter or not?

[00:02:36] Speaker A: Right. So how, how do you think about this? Because frankly, that is something that I, as a business owner, I'm always kind of. It's hard to think about. It's very easy to say, okay, well, here's the ROI. Like, if I'm looking at marketing, I'm going to spend this money and then I'm going to get some multiple of that back as ROI. Cybersecurity is a little bit like buying insurance. You, you, you hate to spend money on it. You know, on some level you should, how do you, how should you even be thinking about cybersecurity? Like spend a million dollars on it tomorrow or spend zero and it may or may not change the outcome. So how do you even think about it?

[00:03:08] Speaker B: Well, so I spent 15 years in the military and the National Security Agency, and for us in the military, we would always want to know where we stand because it could literally interrupt our operations. It could literally affect our ability to complete our mission. Not every business is like that, but many businesses, they'll find out after the, after an attack. Take a manufacturing company. If the manufacturing line was shut down, they are losing a million dollars a day until the line comes back up. Now, for law firms, I think one of the patterns is there's a lot of data. So does it affect you operationally or would it merely affect your liability? Now, one of the biggest things that I'm sure your audience has heard about is this idea of ransomware, where imagine if an attacker came in and locked down all of your computers so that nobody could use them. You can't get your files, you can't get your Word documents. You can't even maybe get to your data storage or data rooms. Would that affect your business? If the answer is yes, then it's probably something you need to be concerned about from an operational standpoint. On the other hand, I really like how you put spending dollars on security is similar to spending it on insurance. And actually, so the two things I usually suggest to people, if you don't know where you stand, you don't even know if you have a good security program. There's two things you want to do. Number one is try to figure out where you stand. And for example, that's something that we do for people, but also buy some insurance because a cyber attacker because, and we know, because we are cyber attackers. If I really want to break into a company, I will. It's just a matter of how long. And so no matter what you do, make sure you have some insurance.

[00:04:45] Speaker A: Right. So I like the way that you're looking at it mathematically though, which is, if something were to happen, what is that going to cost me? And I guess the other part of that is what is the percentage chance that that happens? But also with risk mitigation, it's. Is that an existential issue? Right? Because it's not just to say like, yeah, you're not going to go and, you know, pull the trigger on a gun just because there's, you know, a one in a million chance that it's loaded. You would never do that because it's so bad that you just can't take that risk. So. But then the other thing that you said that's interesting is cybersecurity is not a binary. It's making it not worth a hacker's to try to get in. Because if they wanted to, if Russia wanted to hack any company in America, they probably could. But the question is, is it worth it for a hacker, for a bad agent, to get into a company? So how do you look at that in terms of like, you're a small, medium-sized business, you have a few hundred employees, what's kind of a reasonable level of threat prevention that you would say balances how bad things can be versus the fact that we all have limited resources and we don't want to spend too much on kind of that insurance policy, right?

[00:05:53] Speaker B: And because it very much is an outrun your friend, not outrun the bear. And attackers definitely will go for the easier targets.

[00:06:01] Speaker A: And so wait, so let's drill down at that, because I think that that may be the most interesting thing you've said so far is like your goal is not to be perfectly secure. Your goal is to be more secure than another person the hacker might want to hack.

[00:06:14] Speaker B: Security is not something that you achieve. Put your pencil down and say, okay, we're done. Security is a process. Security is, is about keeping up with attackers are always getting better. Your business is always changing, whether you know it or not. Your data is changing. And so it is about, it's a process. Security is a process, but it is about making it so that attackers just aren't interested. And I think that definitely applies to your audience because from what we've seen as we, because we have, we have the ability to basically see the security posture of any company. And so when we look at law firms, we actually see a wide variance. There are some, it could be a 200 or it could be a 12 person law firm, and they have excellent security. We can't even find a way to break in. Same size companies though. And some are just abysmal. We, we already broke in, you know, essentially.

[00:07:01] Speaker A: And what does that look like? How do I know if I'm one of those law firms where like, oh crap, like somebody may have already broken in? Because I get the occasional emails from people I've done business with. Here's a PDF link from, you know, Joe Schmo on the team I've never talked to before and obviously their email account has been hacked. How do you, what are some of the basic. And maybe this isn't something we can get into because it's not universal. But like, how do you figure out which camp you're in?

[00:07:28] Speaker B: How do you figure out where you stand?

[00:07:30] Speaker A: Yeah, yeah, yeah. Like, how do I know if I should be thinking of myself as in the camp of, well, I might have already been hacked because everything's so bad, or actually things are pretty good here and I may need to do a couple of things to shore it up, but I'm, I'm pretty in a pretty good spot.

[00:07:43] Speaker B: Right. And so the way we approach it is if you want to catch a thief, you hire a thief. If you're at the bank and you have a vault, if you want to know if the vault can be breached, you hire a thief. The thief's going to tell you, well, I can break into a vault, but all vaults, all locks are rated by how long it takes to get in. So you just want your vault to be, to go through so much pain for the attacker. Now, attackers want to go home at night, they want to see their kids. They're not trying to spend all this time and so knowing where you stand. The way that we look at it, and one of the highest security practices is have an attacker tell you. And they can usually tell you because they're going to plan the attack, they're going to see, well, actually I would just go this way instead of that way, and they'll find your weak spots. There's lots of different ways to do that, but that's one way to know where you stand. That's probably the, one of the best ways to know where you stand.

[00:08:31] Speaker A: And to put it in terms that I think a lot of folks in our industry are familiar with, if you're going to trial on a case, you're going to go and you're going to run a jury focus group because you're going to fake a fake version of the trial before you go to trial to figure out what the weaknesses in your case are. And you're saying similarly, you need to hire someone in to simulate an attack on your law firm to figure out where the gaps are. And that's really the only way you figure it out is just by running a simulation to figure out what's going on. You can't just, you're not, it's not going to be helpful necessarily to just say like, hey, I've got this checklist here. Just hire someone to come in, try to break it. And if they break it, then you know what your, your weaknesses are. And if they don't break it, you know that it's strong enough.

[00:09:14] Speaker B: How do you know if you're ready for the big game? You could run some drills, but how do you really know if you're ready for the big game? You're going to scrimmage, you're going to scrimmage, you're going to get the best players on the other side, you're going to scrimmage. And that's one of the best ways you'll know if you're ready for the game. And actually, what we call this in the security industry is red teaming. Imagine getting your red penny jersey on and being the scrimmage team, blue versus red, red teaming. But that actually has legacy roots in the law industry because for that exact reason. Now, I don't know if they still call it red teaming, but that's where we were influenced a lot in security because we saw how like a pretrial motion would go through to be ready to know with a focus group.

[00:09:50] Speaker A: That's fascinating that it really comes full circle. That's, that's actually always wanted to know where red team came from. I always thought it was like red was bad, but it sounds like it's just, you've got two different teams.

[00:10:00] Speaker B: One, yeah, it's a, it's a double.

[00:10:01] Speaker A: Purpose, I guess, one on either side. I mean, what's nice to hear you say about that is like, that's not rocket science in the sense that I need to find somebody who can tell me how bad things are by running a simulation against my company. And then from there then I can know what I need to shore up. That's not crazy. I feel like 15 minutes ago it seemed like it was going to be really complicated. I was going to have to learn a whole bunch about cybersecurity. But in fairness, that's a pretty simple heuristic, which is if I haven't had someone attempt to break into my house from a cyber perspective, then I just don't know how secure that house is. I think that's like a really straightforward way to approach the basics of cybersecurity. I'll make the pitch for you so that you don't have to. That's what your company does, which is penetration testing. It's. You'll run those simulations against any company of any size. You've done it for massive companies. Small companies give a score to see where you know so a company can know where they, they rank. But from my perspective, that's, that's like a no brainer. Like if you don't know how secure you are, start there. Just figure out if you can be broken into because you're not wasting money by figuring that out. You're not going and buying stuff that you don't need just to feel better. Don't go and get duped by someone who's just selling a bunch of cybersecurity firewalls just for the purpose of doing it. You may not need that. What you need to know is where your gaps are.

[00:11:25] Speaker B: Right? And your audience, they're all running a business. They already know how to do this. They know how to do it with the other parts in their business. They know where they stand with everywhere else in their business, shouldn't they? You should know where you stand with security. And then especially for this audience, even if you don't do it for yourself, what we found is there's a large demand in mergers and acquisitions. So if you're involved in that next deal and you're buyer or seller, we see it a lot on the buy side, especially if you need to know, have somebody check before you buy. Know before you buy.

[00:11:56] Speaker A: No. That's, that's great. And I'll say from the legal side, plaintiffs' lawyers, injury firms, you all have personally identifying information. You have personal health information. You need to be HIPAA compliant. Like the risk profile for the average personal injury law firm includes Social Security numbers, includes medical records. It includes every bit of identifiable information. That's not the kind of thing you want to end up on the dark web. That's the. Because those are the big cases, those are the juicy cases for the lawyers that are on the other side, for the people that are suing because they're going to lose all of their information. And yes, it may be the case that everyone's losing their lunch. New York Times is talking about how everybody's Social Security numbers out there, but at the end of the day, you're still liable for losing that Social Security number, even if it's been breached before. That's not a defense. And so it's on you. If someone gives you that information, that's 100% on your business to lock that up. And we could go into a bunch of other stuff. Retention policies, deletions. You need to not be keeping information that you don't need. But I think for today, we'll stop here and just say, I think that's a really solid takeaway. You need to figure out how secure your house is by having someone come in and try to break into it. And then you can go out from there and start to figure out how urgent of an issue is this for your business. But I'm speaking to law firm ownership. The last thing you want is to be in a data breach lawsuit where you've lost your client's information, because it's really kind of the worst case scenario. There's a lot of businesses where the information, frankly, isn't that big of a deal. It's someone's phone number, it's someone's name, it's an email address. That's not the kind of stuff that people get sued over. People get sued over the stuff that personal injury firms collect day in and day out about from their customers. So that's, that's the big takeaway here, is go figure that out. Foster, thank you so much for being on the show.

[00:13:45] Speaker B: Can I leave with three specific things?

[00:13:47] Speaker A: Absolutely. Yeah, absolutely.

[00:13:49] Speaker B: Go for it. So the three things that you need to know where you stand, because the standard of care, you know, is evolving. There's a lot of case law that's actually coming out now or that's being developed now. The standard, you will be responsible for it, that's evolving. So know where you stand. Since we're scrimmaging, go ahead and get a good defense. And that would mean if you're not working with a managed IT and service provider, chances are we can probably break in. But when we see a firm that is working with a managed IT and security, it's much tougher to get in and buy insurance. So know where you stand, have some professionals running your IT and get insurance. Those three things you do that, you're probably pretty darn good.

[00:14:28] Speaker A: Love it. That's the blue team side. And then hire Foster to try to break in on the red team side and see how well you've done. That's it for today. Thanks so much for joining us.
