Navigating the Shifting Landscape of Cybersecurity in Law
The salient point of this discourse centers on the evolving landscape of cybersecurity within the legal profession, particularly the critical necessity for law firms to recognize and address emerging risks associated with data management. We elucidate the pressing concern that, while many firms focus on data theft, they often overlook the significant dangers posed by the manipulation of data, which can lead to erroneous decision-making. Our guest, Steve Durbin, the Chief Executive of the Information Security Forum, articulates the paramount importance of understanding the value of data and the imperative for firms to develop robust security measures that extend beyond mere compliance. This episode delves into the intricate interplay between cybersecurity, legal practice, and the transformative impact of artificial intelligence on both fields. As we navigate this complex terrain, we aim to equip legal professionals with insights and strategies to fortify their defenses against multifaceted cyber threats.
A profound exploration into the realm of data protection and cybersecurity within the legal profession unfolds as we engage with the esteemed Steve Durbin, Chief Executive of the Information Security Forum. The discussion pivots on the evolving nature of cybersecurity, which has transcended traditional IT concerns to manifest as a strategic business risk. The conversation emphasizes that the legal sector, often perceived as a bastion of confidentiality, must awaken to the reality that their repositories of sensitive information are immensely valuable to malicious actors. Durbin articulates his perspective on the nuances of data integrity, highlighting that the alteration of data can be as detrimental as its outright theft. This insight serves as a clarion call for legal practitioners to reevaluate their cybersecurity strategies, ensuring that they not only safeguard against unauthorized access but also maintain the sanctity of their data against internal and external threats. The dialogue further delves into the cultural shifts required within law firms to adapt to this new landscape. Durbin posits that the intersection of law and technology necessitates a profound transformation in how legal professionals perceive and prioritize cybersecurity. The conversation underscores the importance of situational awareness, urging legal firms to cultivate an understanding of their data usage and the implications of its potential compromise. Through anecdotal evidence and empirical observations from the cybersecurity arena, the podcast delineates actionable steps for law firms, advocating for a proactive stance in cybersecurity rather than a reactive one. Ultimately, this episode serves as an indispensable resource for legal professionals seeking to fortify their defenses in an increasingly perilous digital environment.
Takeaways:
- The legal profession faces significant challenges regarding data protection and cybersecurity, with an emphasis on understanding the implications of data management.
- There is a critical need for lawyers to recognize that even small firms are potential targets for cyberattacks, and complacency can lead to severe consequences.
- The evolution of cybersecurity requires a cultural shift within law firms, prioritizing security as a crucial element of operational strategy and client trust.
- Strategic intuitive intelligence can guide legal professionals in navigating the complexities of modern cybersecurity threats, ensuring they remain resilient and proactive.
Companies mentioned in this episode:
Transcript
One of the things I've always been bothered about with data protection is not somebody actually exfiltrating or stealing the data.
Speaker A:I've always been more worried about somebody just going in there and changing it slightly.
Speaker B:You've entered Legal L where sharp legal minds meet the power of strategic Intuitive intelligence and inner awareness.
Speaker B:Hosted by someone that is a veteran, an author and is an individual experienced in specialist security operations.
Speaker B:Strategic intuitive intelligence and transformational psychology.
Speaker B:This is not your typical legal podcast.
Speaker B:We explore what most lawyers never say out loud.
Speaker B:Burnout, grief, inner dissonance and what it really takes to sustain a legal career with clarity, purpose and personal alignment alongside powerful solo insights.
Speaker B:You'll hear thought provoking conversations with members of the Help Lawyer network, lawyers, legal support professionals and expert witnesses sharing real stories from the front lines.
Speaker B:This is the space where law meets what's rarely talked about.
Speaker B:Welcome to Legal Al.
Speaker B:Where wisdom meets the law and strategic intuitive intelligence guides the way.
Speaker C:Well, good morning, good afternoon, good evening, ladies and gentlemen, wherever you are in the world, wherever you are listening to this, this is John from legalool and thank you for joining me today.
Speaker C:Today I've got a really important guest actually and this, this conversation that we're going to have is a conversation that is needed in this day as we move into beyond 26.
Speaker C:You know, from a 26, 27 onwards, the world is changing, online is changing, the legal industry is changing.
Speaker C:Cybersecurity used to be an IT issue, but now it's becoming more of a risk issue and a data issue and a strategic business risk.
Speaker C:And I don't, I don't have, I don't claim to be an expert in that field, but I was recently on a podcast with a gentleman by the name of Steve Durbin.
Speaker C:I really enjoyed it and I had to bring him on because he's talked about risks and how the change in paradigm in information security is changing the way that we do business for the legal industry.
Speaker C:Mergers, acquisitions, criminal cases.
Speaker C:There's so much that is at high stakes and requires knowledge, decision making and more.
Speaker C:So my guest is Steve Durbin.
Speaker C:He's the chief executive of the Information Security Forum and I'm going to bring him on, he's going to discuss, he's going to, we're going to have a conversation just about the emerging risks in the legal industry and Steve can let you know a little bit about his work.
Speaker C:So I'm going to bring him on now.
Speaker C:Steve, welcome to Legal Oil.
Speaker C:It's good to see you.
Speaker A:Good to see you, Jock.
Speaker A:Thanks for having me on.
Speaker C:I'm looking forward to this, looking forward to this discussion because as I said at the beginning, cybersecurity has changed.
Speaker C:And from our last discussion that we talked about when I was on your podcast, it became clear to me that we perhaps look at cybersecurity in a different way now.
Speaker C:It has changed that we used to just think it was getting hacked and having our information compromised in some way.
Speaker C:But now we're moving forward.
Speaker C:This becomes a terrorist problem, it becomes a business risk, it becomes so much more.
Speaker C:So let's talk a little bit about you and your work that you do.
Speaker C:The Information Security Forum, your background, how you got into cybersecurity as the chief executive and you claim, or your team has claimed, that you don't actually you're not a security professional in the cybersecurity world.
Speaker C:But I would challenge that bearing the conversation that we had.
Speaker C:So I'm glad to have you on.
Speaker C:Steve, please continue.
Speaker A:No, as I say, it's great to talk to you again, Jock.
Speaker A:I really enjoyed our last conversation.
Speaker A:I'm sitting here smiling.
Speaker A:You know, I don't consider myself to be a security professional.
Speaker A:And the reason that I say that is my background is very different.
Speaker A:You know, my degree was in French literature.
Speaker A:So I sort of come to things from, from that perspective.
Speaker A:I started work in the City of London working with banks, selling computers, moved into consultancy, spent some time with, with a number of different organizations before moving into security from a position of actually not knowing a huge amount about it.
Speaker A:I'd been doing a lot of M and A work and, and that kind of thing, working with fast growth businesses.
Speaker A:When I was at EY and I had a phone call one day from a headhunter who said, you know, I think this might be something you'd be interested in.
Speaker A:And I said, well, I don't really know anything about it.
Speaker A:And he said, that's why I think you should be interested.
Speaker A:He said, because it's a really fast growing space and I know you like that kind of thing.
Speaker A:You like change, you don't like to be in an environment where everything is predetermined.
Speaker A:He said, so I think you'll find this quite challenging and interesting and fun.
Speaker A:So why don't you actually at least have a conversation with them?
Speaker A:So I did.
Speaker A:And that was, gosh, I don't know, 16, 17 years ago now.
Speaker A:And I've been at the ISF ever since.
Speaker A:And so it was purely by chance.
Speaker A:I didn't sort of move into security and my lens, if you like, that I have always viewed it is through that sort of.
Speaker A:So what from a business standpoint other than trying to get into the sort of nuts and bolts of, of it.
Speaker A:And so that's why I sort of, you know, claim that I don't know much about security because I don't have a traditional route into it.
Speaker A:And my perspective has always been what's it mean for the business?
Speaker A:How can we demonstrate business value?
Speaker A:Why should people be interested in security?
Speaker A:And that I think in the early days certainly was, was sort of formed by the fact that as I said when I was doing M and A, you know, the last thing we would do would be to go near anyone in security because they'd stop the deal happening.
Speaker A:So we wanted as possible.
Speaker C:So ey, is that Ernst and Young?
Speaker A:Yeah, yeah.
Speaker C:It's interesting because people don't think of accountants as being involved in security.
Speaker C:But you know, many years ago when I worked in the high risk security industry, I worked with Deloitte and Tush.
Speaker C:And so I expected when I went into it, I thought they're not going to do what's this?
Speaker C:But they do a lot of risk work and there's.
Speaker C:And of course we were involved with data centers and things like that and protecting information.
Speaker C:So I get, I get where it's coming from.
Speaker C:And people don't realize that in the financial industry this is a big problem.
Speaker C:Security and intelligence and risk analysis that goes with it, especially mergers and acquisitions.
Speaker C:Have you now you said you've been doing this for many years and what changes have you seen?
Speaker C:Dramatic changes.
Speaker C:Things have changed, I think in the last couple of years, dramatically with it.
Speaker C:And we'll talk about that in a bit.
Speaker C:Introduction to AI.
Speaker C:How dramatic has been the change from when you entered to where it is now?
Speaker A:I think when I entered it was probably still very much a bits and bytes type environment.
Speaker A:We were still talking a lot about governance structures that were probably not fully formed.
Speaker A:We didn't have the same level of interest, interest in it from certainly from regulators, legislators, that, that kind of thing.
Speaker A:We had no concept of things like, you know, GDPR for instance.
Speaker A:Oh yeah, that's a massive, massive change.
Speaker A:So it was, it was still sort of very fledgling I think as I would say over the last sort of five.
Speaker A:Well, Covid was, was real turning point, I think for the industry because suddenly pretty much overnight we had to move to an environment where we're protecting data that's not within the strict confines of the organization.
Speaker A:So it was going to be in people's homes, it was going to be used by people where you had no control over it at all.
Speaker A:And so we had to adapt as an industry to that.
Speaker A:And I think that was actually very good for us.
Speaker A:And then obviously bringing it bang up to date.
Speaker A:Now, you know, as you've just mentioned, we've got things like AI, we've got a much, much better understanding in the boardroom of the value of data, not just within the company, but to other people who may want to exfiltrate it, steal it, fiddle with it, do whatever with it for their own, for their own good.
Speaker A:And so I think we've moved from being quite a technically focused space and typically, you know, you would have people moving into that, from it.
Speaker A:They would move in perhaps from the police force and the military, that, that kind of thing, into it being something that is much, much more business related today.
Speaker A:That's not to say that we've, you know, done away with all of that technical aspect, but the relevance, the need for business resilience, you know, those are the sorts of things that people are now much more excited about than they were before.
Speaker A:Because I think you could probably get away with things a little bit more in the past.
Speaker C:Yeah, I'm seeing a lot of, of and for, you know, education coming from intelligence work, intelligence services that are bringing in.
Speaker C:You've got the technological, you've got geospatial, you've got, you know, human intelligence.
Speaker C:There's so much that's coming into it now.
Speaker C:It's gone beyond it just being a guy with a computer and trying to identify.
Speaker C:There's a whole gamut of it.
Speaker C:You, in one of your podcasts, one of your interviews, you were talking about the change in paradigm in 226, you know, the emerging threats.
Speaker C:And I, I'd like to talk a little bit about those emerging threats and what they kind of mean in the legal industry because as you know, in the financial industry is very sensitive.
Speaker C:But I don't think the legal industry is ready for it.
Speaker C:I don't think the legal industry from what I see, understands the potential of these emerging threats in the cases and the data and analysis that they're dealing with on a day to day basis.
Speaker A:Yeah, I think the legal profession is always a very interesting one.
Speaker A:I'm sort of reminded of conversations I had probably going back, I don't know, six, seven years with partners in that space where they had got very excited about being able to store matters in the cloud, for instance, but hadn't really thought through the security implications of that.
Speaker A:So they saw the benefit being able to access it, you Know, from all areas, you know, whenever they wanted to, but hadn't actually sort of joined the dots, that actually that was very valuable information and they needed to protect it.
Speaker A:Well, to what degree do you then take it?
Speaker A:You know, how are you going to manage that security element if, if you like?
Speaker A:Because one of the things that that again is, is a characteristic of the security space at the moment is the fact that it's very fast moving legislation.
Speaker A:Regulation is not.
Speaker A:It's very slow moving or the bureaucracy.
Speaker C:Behind it's crazy just to get something changed.
Speaker A:Exactly.
Speaker A:So you've got this cultural mismatch.
Speaker A:So I think it's been quite difficult for some in the legal profession to make that change, make that leap if you like.
Speaker A:They can see benefit, but they don't fully understand perhaps how culturally they need to change.
Speaker A:I think that is evolving.
Speaker A:I think certainly AI has done wonders for that.
Speaker A:But you know, if anything of data has value, you need to be absolutely certain as to how you are protecting it and who is able to access it.
Speaker A:And that really then filters through the whole way in which you manage your data estate.
Speaker A:And you know, we talk a lot at the ISF about protecting the crown jewels.
Speaker A:Well, in the legal environment, those crown jewels are changing on an ongoing basis, depending on which case you're looking at.
Speaker A:Everything potentially has value if you're bringing it to the court, otherwise you're not going to use it.
Speaker A:Right.
Speaker A:So why would you store it?
Speaker A:And so I think there are a number of sort of changes that the legal profession has to go through.
Speaker A:And again, it's a bit like financial services space.
Speaker A:You know, you mentioned this.
Speaker A:If I look at the banks, if I look at fintech, they've got a massive, massive advantage over some of the legacy banks because they're able to start with a relatively blank sheet of paper, so they can implement a number of those things already.
Speaker A:Whereas some of the larger organizations in the banking space, of course, will have multiple legacy systems that they've got to try to work through.
Speaker A:And legal is not different from that perspective.
Speaker C:Ladies and gentlemen, before you get back into the episode, I have a huge ask below.
Speaker C:There's going to be a link and if you click that link, it's going to take you to a page.
Speaker C:And that page is about the Ryan Larkin Invitational Adventure Race.
Speaker C:It has been set up by a foundation, 62 Romeo Sleep Foundation.
Speaker C:And I have a colleague of mine that's taking part in this race.
Speaker C:It is a race that is going over 62 miles over three days in Colorado in June.
Speaker C:And we are raising funds to support this excellent cause.
Speaker C:We've lost many veterans to suicide.
Speaker C:Many.
Speaker C:The numbers are just astronomical.
Speaker C:One veteran to suicide is enough.
Speaker C:The numbers that we get on a daily basis is just.
Speaker C:Is exploding.
Speaker C:And so we have organizations like this that are now trying to combat veteran suicide, supporting veterans when they come back from duty and they fight an even greater war.
Speaker C:And the 62 Romeo project is run by a gentleman by the name of Rob Sweetman.
Speaker C:And he is developed the Sleep 101 program for first responders and veterans, law enforcement.
Speaker C:And it's phenomenal.
Speaker C:And this Ryan Larkin Adventure Race is also in memory of Ryan Larkin, who was a Navy seal.
Speaker C:And so please support this organization, support this race, and especially support my friend in Team Relentless.
Speaker C:Team Relentless is the team that's going forward to the race.
Speaker C:It is a race, as I said, over three days, 62 miles.
Speaker C:And each team, there's 10 teams.
Speaker C:And each team will be taking part on tests, strategic tests that are.
Speaker C:I don't even know what's going to happen over them, but these are going to be military tests that they're going to do over this period of time, helping to test them to the resilience, their skills, their adaptability, and also their team resilience, the team building as well.
Speaker C:So please support this phenomenal cause, support Team Relentless by offering your donation today to support veterans.
Speaker C:I'm a fellow veteran.
Speaker C:I support all veterans.
Speaker C:Please join me in supporting veterans.
Speaker C:No matter whether you're a British veteran like me or whether you're an American veteran, we're all brothers and sisters in arms and we all support one another.
Speaker C:So please click the link below, go to the page and support Team Relentless, who will be taking part in the Ryan Larkin Invitational Adventure Race in June.
Speaker C:And those dates and everything about that will be underneath.
Speaker C:Let's get back to the show.
Speaker C:God bless.
Speaker C:There's a lot of law firms and, you know, partners and in the law firms, they don't realize that there's such a high value target for criminal infiltration and ransomware and all sorts of things.
Speaker C:What kind of risk do you think then?
Speaker C:What is the change in emerging risk that law firms are missing because they're prime targets?
Speaker C:Is it, is it across the board litigation, mergers and acquisitions, or why are they becoming prime targets?
Speaker A:I think it is across the board.
Speaker A:I think that there is immense value in.
Speaker A:If you look, let me step back.
Speaker A:If you look at the legal profession, they probably rely more heavily on data than some of the other industries that are out there.
Speaker A:Now we can debate whether or not.
Speaker A:That's, that's the case.
Speaker A:But I would certainly say that because you're using it, I would agree to it to achieve something.
Speaker A:Right?
Speaker C:Yeah.
Speaker A:One of the things I've always been bothered about with data protection is not somebody actually exfiltrating or stealing the data.
Speaker A:I've always been more worried about somebody just going in there and changing it slightly.
Speaker A:And so then you make decisions based on flawed data.
Speaker C:Right?
Speaker C:Okay, yeah.
Speaker A:And that's a concern for me because, you know, if you look at the average time that an attacker spends on your network, they could be there 90 days, 120 days, 180 days.
Speaker A:They're gleaning a tremendous amount of information.
Speaker A:They're watching how you behave.
Speaker A:They're not involved in smash and grabs.
Speaker A:Certainly some are, but you know, they're very serious about.
Speaker C:There's a long term surveillance going on.
Speaker A:Exactly, yes.
Speaker A:And that's how they can cause the most damage.
Speaker A:You then have this challenge over deepfakes.
Speaker A:You know, every senior individual is aware of that, should be aware of that.
Speaker A:Doesn't matter if you're a partner, if you're a chief executive, if you're a finance director, you know, again, if you have a position of authority, people will want to try to, you know, exfiltrate some data, perhaps replicate your voice.
Speaker A:And it's very easy to do.
Speaker A:Very easy to.
Speaker C:It's actually scary how easy it is to do.
Speaker C:I remember when you asked me that question and I think, I don't know if I answered it right, but I kind of thought about it afterwards and I was like, you know, from my other point of view in what we talked about, I realized there was a lot more to it.
Speaker C:And so I started looking into it a lot more.
Speaker C:After our conversation, I thought, you know, this is really, really scary.
Speaker C:And I thought about this in the legal industry because I had seen a case where someone had replicated a voice and so easy and exfiltrated information actually stole money, not from a law firm, but just from an individual.
Speaker C:And I think to myself, and this goes back to what you're saying, somebody inside changes something.
Speaker C:If they create a space that somebody can get in, then the damage from the inside happens because they've opened the door.
Speaker C:And I think about how easy, how many people inside a law firm, the legal industry and the financial industry in massive business, that even dealing with lawyers, corporate lawyers, you could have a deep fake that replicates someone's voice image.
Speaker C:I mean, it's scary.
Speaker C:It is scary how damaging this can be.
Speaker C:What do we do to stop it?
Speaker A:Yeah.
Speaker A:And the big issue for me around it, you see, is reputational damage.
Speaker A:Massive.
Speaker A:Because that is incredibly difficult to unpick if you lose data, okay, fine.
Speaker A:But reputational damage and the thing, you know, the good thing or the bad thing, depending on how you want to look at it about the Internet, is once it's out there, it's out there.
Speaker A:You can do your best, take things down.
Speaker A:It's out there.
Speaker A:And so I think a lot more focus needs to be on how you manage reputational risk within these sorts of firms.
Speaker A:Where typically, you know, if you look at lawyers, corporates will want to work with a particular firm, they may want to work with a particular partner.
Speaker A:There's immense reputational value and therefore potential damage involved in all of this.
Speaker A:So we're in an environment where you really do need to be exceptionally careful about how you manage your personal profile, how you manage personal data, how you really behave, I would say, online.
Speaker A:And that, for some people, is quite a difficult one to get your head around.
Speaker C:It is.
Speaker C:I had a.
Speaker C:It's funny, I had a conversation with a lawyer recently, small law firm, and I was chatting to them about this, the whole idea of how they should be taking their cybersecurity seriously.
Speaker C:And the thing that was said to me was, John, we are such a small firm, why would they even bother?
Speaker C:And I go immediately, I got red flags coming everywhere.
Speaker C:And this is.
Speaker C:And this is what I'm seeing in the industry.
Speaker C:They think they're small enough that they're not gonna be targeted.
Speaker C:That's a bit of an illusion, wouldn't you say?
Speaker A:I would, I would.
Speaker A:You know, if I look at some of the breaches that have taken place and the attacks have taken place, they're not necessarily on the very large firms, because some of the large firms are spending the money, are putting in place some of the defenses that are required.
Speaker C:Yeah, they are.
Speaker A:They're going after lower hanging fruit, which is the smaller guys.
Speaker A:They don't have perhaps the resources in place to put some of these things then perhaps making do with the basic level.
Speaker A:But if they're working with other firms, if they're working with large corporate clients, they may not even be the target.
Speaker A:They just may be the route into the organization that they're working with.
Speaker A:So I think that the days of I'm too small to get noticed are pretty much gone now.
Speaker A:If you're working in any way, shape or form with data online, you're a potential target, and you have to adopt that mindset.
Speaker C:I also Think, and I think this is a bit of a misnomer, really, because I see a lot of cyber professionals saying, protect your data, protect your data.
Speaker C:Anything can be found out about you.
Speaker C:And then I know from dealing with other people in the security world, your data's out there.
Speaker C:Once it's out there, they know everything about you anyway.
Speaker C:It's not about protecting your data.
Speaker C:It's about managing the risk.
Speaker A:Yeah, it is go.
Speaker A:It is about managing the risk.
Speaker A:And I think it's about having a mindset that says at some point in time, irrespective of what I do, I could be attacked.
Speaker A:How am I going to respond?
Speaker A:So it's moving, and this is one of the shifts in the industry.
Speaker A:It's moving from this notion that I can protect everything to the notion that I can't protect everything.
Speaker A:So in that environment, I have to spend my time thinking about how I'm going to recover, how I'm going to minimize the impact of any particular attack on me personally or on my organization, and really starting to put in place some of the processes, some of the ways in which you're going to recover, and then rehearsing those, because you have to do that before an attack takes place.
Speaker A:It's too late then, you know, you have to be prepared.
Speaker A:And you hope, of course, that it's not going to happen.
Speaker A:And therein lies the rub as well.
Speaker A:Because if you've been doing this for a number of years and you think, you know what, I haven't been attacked, why am I doing it?
Speaker A:Why am I doing it?
Speaker A:Waste of time.
Speaker A:I'll give myself a year off.
Speaker C:Yeah, I've seen that in the industry as well.
Speaker A:Yeah, absolutely.
Speaker A:You know, I spent all this time, all this money, and nobody attacked me.
Speaker A:Well, good for you.
Speaker A:You've got to ask yourself, though, why didn't they attack you?
Speaker A:Was it because you made yourself look unattractive?
Speaker A:I always say to people, you know, you want to try to make yourself look like that guy in the bar who's down the end of it, drooling into his beer, and he is the last person you want to go near.
Speaker A:That's what you do, because you want the attacker to go to lower hanging fruit, somebody who is he to go after?
Speaker A:So you want to make yourself look really unattractive.
Speaker C:And that's the problem in the legal industry is because they don't want to be unattractive, they want to be attractive.
Speaker C:And that.
Speaker C:That therein lies the problem.
Speaker C:And the other thing is, is that I think they also.
Speaker C:And I've seen this is they'll, well, I would rather spend my budget on Google advertising than I would separate part of that budget for the security.
Speaker C:And you mentioned something that I think is important for the legal professionals out there.
Speaker C:And bearing in mind that legal professionals are working in mergers and acquisitions, they're working with big companies.
Speaker C:You said something that, yeah, you want to be unattractive.
Speaker C:They may be trying to do a smash and grab or get information or ransomware.
Speaker C:But here's the thing.
Speaker C:What if they're surveilling you?
Speaker C:What if you're the legal firm and you don't even know that you're being surveilled digitally over a long period of time?
Speaker C:So how can we mitigate that risk?
Speaker C:Because we are protecting, we're closing doors, we're closing potential weak points in the system and then maybe internally.
Speaker C:But how do we identify?
Speaker C:Do we just take it?
Speaker C:Did the legal firms say, okay, we're being surveilled anyway, let's just agree on that.
Speaker A:Yeah, I think that's not a bad going imposition, to be honest.
Speaker A:I think you have to assume if you're doing anything of value right, then you have to assume that somebody is going to be interested and that changes the way in which you then think about things.
Speaker A:And a lot of this, of course, that we're talking about is a culture change.
Speaker A:You know, you can have finest, you can spend an absolute fortune putting in software and goodness knows what else.
Speaker A:Ultimately, the vast majority of attacks that take place come via people, people doing things that they perhaps shouldn't do, clicking on something without thinking about it, that downloads ransomware, that then off we go sharing information that perhaps they shouldn't have done, maybe for good reason.
Speaker A:You know, my corporate network is down.
Speaker A:I've got to get this information across to a client.
Speaker A:I'll use my personal website, my personal email.
Speaker A:Yeah, no, it's about causing people to actually step back and just think for a minute before they actually click.
Speaker A:And we can do a lot more if we focus on our online behavior, about the way in which we view digital assets and just think a little bit more about how we access how we share that information.
Speaker A:And you know, and if it looks fishy, it probably is.
Speaker C:Hi, if you are a legal expert or an expert witness and you would like to join our exclusive legal community, then connect with me on Help Lawyer and let's have a conversation.
Speaker C:And I think also Steve in Let's take a criminal case or something like that as well, people don't realize how in your mind you may put something online that's very simple.
Speaker C:It could be an image of you at a restaurant or wherever.
Speaker C:And they don't realize that that one image is given so much background intelligence you don't even know.
Speaker C:And so if you're working for a law firm or a big company, you have to get into the mindset that what I do, no matter what I do, is going to be surveilled.
Speaker C:No matter what I put out there, what can they find out about me?
Speaker C:And does this cause a risk to my company or even the people in the company?
Speaker C:Because you know as well as I do, one image, one voice message, anything, anywhere.
Speaker C:It's so scary how someone can get your information so easy.
Speaker C:Like I think about sitting on Starbucks and minute I get into Starbucks straight away, VPN comes on, I, I try to cover.
Speaker C:I know that that's just panacea for the pain because if anybody really wants to get in the can, but it is so scary there.
Speaker C:And if you're dealing with any kind of data, I think we need to even go beyond the technology, beyond AI.
Speaker C:We'll talk about AI in a minute.
Speaker C:But how they are presenting themselves online can actually give somebody information?
Speaker A:Of course they can.
Speaker A:And I think one of the other things that perhaps some people don't fully understand is the degree of sophistication of the cybercriminal today.
Speaker A:You know, it is.
Speaker A:And organized crime has moved into that.
Speaker A:We've got nation states backing certain actors.
Speaker A:It isn't, you know, that, that happy, go lucky cyber criminal sitting in the kitchen with a hoodie, having a play around.
Speaker A:You know, these are highly sophisticated businesses.
Speaker A:So if you're a law firm that's working on a fairly major, I don't know, merger or acquisition or anything else.
Speaker C:For that matter, internationally.
Speaker A:Internationally, you have to assume that somebody is going to be wanting to make things difficult for you.
Speaker A:And I think it's that kind of mentality, understanding is highly sophisticated.
Speaker A:And to your point, a lot of your information is already out there.
Speaker C:Absolutely.
Speaker C:I know something that you're saying there I think is really important.
Speaker C:And I want to take a segue into this before we even talk about AI in the mergers and acquisitions and international trade that we deal with.
Speaker C:Let's just talk about the war, right?
Speaker C:Let's talk about Iran, let's talk about North Korea, China.
Speaker C:These are bad actors.
Speaker C:These are, as you say, highly sophisticated.
Speaker C:And I know in our network we have 800 odd law firms in our network.
Speaker C:I know there's Middle Eastern law firms that are on there.
Speaker C:I know Iranian law firms.
Speaker C:I know them from the breadth of across the world.
Speaker C:Here's a point now we're in an age where, yes, the war's going on.
Speaker C:We may be reducing their potential military ability, but we are not reducing their potential cyber ability.
Speaker C:We know the cyber attacks are increasing even from Iran.
Speaker C:They're not stupid, they're very intelligent.
Speaker C:They know what they're doing.
Speaker C:They've got a phenomenal cyber force as well as North Korea.
Speaker C:And people don't think of that danger.
Speaker C:We're moving into a world now that is completely different.
Speaker C:We're not really putting boots on the ground.
Speaker C:We are putting tech and AI into these zones.
Speaker C:And that proliferates down to the boardroom.
Speaker A:It does, it does.
Speaker A:Joe.
Speaker A:I think that there was a time when we started talking about the change in which war would unfold.
Speaker A:And I think there was for a little while we said, you know, future wars are going to be entirely cyber based.
Speaker A:Well, I think we were wrong.
Speaker A:I think that actually it's a combination still the physical plus the cyber.
Speaker A:But you should never underestimate the power of cyber because to your point, yes, the adversary is probably exceptionally well drilled, but they're going to have proxies out there as well in all sorts of different parts of the world.
Speaker A:And they may well be keeping them hidden.
Speaker A:They should be keeping them hidden until they want to bring them back to life.
Speaker A:So even if you were to knock out the Internet in, let's say, you know, Iran or wherever it happens to be.
Speaker A:Exactly.
Speaker A:That's not going to stop the proxies.
Speaker A:To assume that they haven't planned for that is absolute madness.
Speaker C:And I think people don't realize that.
Speaker C:They're thinking the proxies are people that are maybe going to like.
Speaker C:Back in the day when I was in the military and we were dealing with the Iraq, we were worried about them planting bombs in London.
Speaker C:We had bombs in London.
Speaker C:We had explosions going off.
Speaker C:You remember that.
Speaker C:But we're going beyond that now.
Speaker C:We're not having terrorist cells that are operating just on that physical side.
Speaker C:You're right.
Speaker C:We have proxies that are cyber.
Speaker C:They don't need to be in Iran.
Speaker C:We probably got them here in the US in the uk.
Speaker C:China has just opened up a massive embassy in London.
Speaker C:Huge one.
Speaker C:And I'm sure they're going to have cyber proxies all over.
Speaker A:Absolutely.
Speaker A:And, you know, governments around the world just.
Speaker A:It doesn't matter who you want to pick.
Speaker A:Need to wise up to this.
Speaker A:I mean, you can't.
Speaker A:And that will Require investment, certainly in the security services.
Speaker A:The security services, particularly in the UK and the us, I say do a pretty good job.
Speaker A:Yeah, they're stretched pretty thin.
Speaker A:They're stretched pretty thin.
Speaker A:And governments need to wake up to the fact that, that the world has changed.
Speaker A:But we're back into that culture change.
Speaker A:We're back into the speed at which these things can be brought about and changed.
Speaker A:But I think raising that level of awareness that this is not simplistic, this is hugely complex.
Speaker A:And attacks on things like critical infrastructure, hopefully this won't happen.
Speaker A:But we've obviously, certainly from a European standpoint, we're headed towards a crisis from an oil perspective.
Speaker C:Absolutely.
Speaker A:We can produce some of that.
Speaker A:If you look at what the Norwegians are doing and various other countries, they're producing their own gas and oil and what have you, an attack on critical infrastructure in that space would be devastating.
Speaker C:Absolutely.
Speaker A:It isn't just about whether or not you can get your tanker through the Strait of Hormuz.
Speaker A:It's about how are you stepping up the protection of critical infrastructure.
Speaker A:That is nowhere near the Middle East.
Speaker C:People don't appreciate that, and I don't think in the legal industry they appreciate either, because we are looking at purely something from a strategic, physical point of view and not where it actually goes down the line and how it can affect not only just the oil or power infrastructure or even water.
Speaker C:I mean, look at the cyber attacks that happen to, to imagine them shutting down or causing problems in the water that we have, which is which, that could be devastating for the whole of the world.
Speaker C:And so they're not looking at this.
Speaker C:And I think here's the other problem is the development of AI.
Speaker C:Where do you see that in everything that we are talking about?
Speaker C:Because AI is changing dramatically.
Speaker C:But are we really ready for the potential cyber flaws that are happening now and probably going to develop even further?
Speaker C:Not from just a government point of view or any operation, anything that's happening in the Strait of Hormuz or North Korea or any of these bad actors, but from there right down to the individual sitting in the boardroom or the lawyer sitting at his desk.
Speaker A:Yeah, I think that with AI, it's interesting.
Speaker A:A lot of the, the, the, the general sort of focus on AI has centered around, and it's moved fairly quickly as well.
Speaker A:You know, I do, I teach a, a, A course at Henley Business School with, with board directors there.
Speaker A:And when I first started talking about AI, probably, I don't know, about three, four years ago, most people were thinking about it as chat GPT because that's what it was, Right?
Speaker A:Yeah.
Speaker A:Now, of course, there's a, a much broader understanding of, of what AI actually is, what it can do.
Speaker A:And we've moved into, oh, it's going to take jobs away and we've seen lots of redundancies being made and that kind of thing.
Speaker A:Yes, it may well be impacting that kind of thing, but it's also, to your point, being used by cybercriminals to speed up the efficiency of their attacks.
Speaker A:There isn't much evidence at the moment that AI itself is being involved in conducting the attack.
Speaker A:It's more about the preparatory work before the attack happens.
Speaker A:So playing the sort of the what if scenarios, looking for, you know, opportunities to infiltrate networks, that, that, that kind of thing.
Speaker A:And the good news is that from a cyber industry standpoint, of course, we have access to these tools as well.
Speaker A:Yeah.
Speaker A:One of the things that, that does, I suppose, puzzle me.
Speaker A:I suppose rather than keep me up, I don't, I don't tend to be kept up at night.
Speaker A:But it does puzzle me is what is going to be the impact of AI going up against AI.
Speaker A:That's something that I really do sort of noodle over from, from time to time.
Speaker C:I thought about that.
Speaker C:Like, I thought about that because I think about the big thing at the moment.
Speaker C:Everybody's talking about OpenClaw, and I even see lawyers talking about OpenClaw.
Speaker C:And I looked at it and I thought, okay, I've got a good set up here, I could probably run it.
Speaker C:And then I thought, wait a minute, this is potentially a security nightmare because, I mean, I've got NAS systems here and various other things, and I think I've done pretty well in securing it.
Speaker C:But that is scary because then I look at Claude and Claude's saying, we now have an agent that can work within your browser.
Speaker C:And I see lawyers jumping on and saying, my God, Claude is amazing.
Speaker C:It's cutting down our time.
Speaker C:We're doing this, it's working as an agent.
Speaker C:And I think, wait a minute, what if Claude starts to go against Open Claw?
Speaker C:And what, what if these agents are starting to compete?
Speaker C:And because they're.
Speaker C:And at the end of the day, here's the way I think about it and kind of I might be wrong.
Speaker C:No matter what AI is doing, there's a human intelligence, there's a human aspect to it, because it only does what human interprets or what a human being puts in.
Speaker C:And the data that it's picking up is from humans.
Speaker C:So we still have to go right back to the individual and to learn their modus operandi, how they operate, how they think about bad actors, criminals.
Speaker C:But it is scary.
Speaker C:I have thought exactly the way that you're thinking, Steve, is what if AI goes up against the eye?
Speaker C:Are we screwed?
Speaker A:Exactly.
Speaker A:And the other thing I think, you know, you mentioned, you know, lawyers getting very excited about being able to use CLAUDE or whoever it might.
Speaker A:Whoever it might be, that's fine.
Speaker A:But they still have to do the validation checks, because what if CLAUDE has picked up some erroneous data?
Speaker A:What if CLAUDE has had some of the data that it's feeding off be slightly changed to my earlier point, and has created data that is then being picked up again and reused?
Speaker A:So, me, when we talk about AI, I think the best outcome for AI is that the human working collaboratively with the tool.
Speaker A:Right.
Speaker A:No doubt you can get things done a lot quicker.
Speaker A:You can get to certain points, but that doesn't mean that you stop validating and switch off, you know, the brain.
Speaker A:You need to be looking at these things and saying, okay, does that actually make sense?
Speaker A:Yeah.
Speaker A:And questioning.
Speaker A:And I think the.
Speaker A:The assumption that because it's AI, somehow it must be absolutely right.
Speaker A:No, it's not at that point yet.
Speaker A:My personal hope is that it never gets to that point.
Speaker A:You know, whether or not we'll wait and see.
Speaker A:Right.
Speaker C:That could be a bit dodgy.
Speaker C:It's getting there.
Speaker C:It's getting close.
Speaker A:It is.
Speaker A:And I think that is.
Speaker A:Then.
Speaker A:Then we get into some.
Speaker A:Some real problems.
Speaker A:Because as soon as you.
Speaker A:You tell somebody that they can switch off because the machine's doing it for them, how do you begin to differentiate?
Speaker C:It's difficult because I see that it sometimes makes its own decisions.
Speaker A:Yep.
Speaker C:Just, even in a simplified thing, if I was, you know, developing a document and I have a.
Speaker C:And I put something in, I'm utilizing it, and it's particular, and then it will say, well, I see a better way of doing this.
Speaker C:Oh, actually, you know, and you look at it and you're like, I never asked you to add that in.
Speaker C:Why did you add that?
Speaker C:It takes away the whole context.
Speaker C:And so it does seem to make up its own mind as well.
Speaker C:And I think that is another risk.
Speaker C:So someone who's not a cyber professional could erroneously be missing this information, this change that's happening, and that creates a whole cyber problem.
Speaker C:Do you think that in the industry, maybe in the cybersecurity industry and further down, do you think that there needs to be training in a level of situational awareness?
Speaker A:Oh, absolutely, absolutely.
Speaker A:I Don't think you ever exist yet.
Speaker C:No or not.
Speaker A:I think it continually evolves.
Speaker A:And I think that the mistake perhaps that some people make is that it's a once and done.
Speaker A:And that's not the case.
Speaker A:For me, it's a bit like compliance.
Speaker A:And I go back to when I was at EY and we used to have to do these compliance things every year.
Speaker A:And you fill in the compliance thing and you know full well it's a checkbox exercise and the goal is to pass the test so that you can continue to practice.
Speaker A:Right.
Speaker A:Do you remember much of it?
Speaker A:Probably not, no.
Speaker A:And that is the danger.
Speaker A:And so whenever I talk about compliance, I always say that good security will result in good compliance.
Speaker A:Compliance will not necessarily result in good security.
Speaker A:And it's the same with situational awareness.
Speaker A:You have to keep reinforcing, you have to make it relevant, you have to keep updating and you have to keep looking at how the individual is reacting to that so that you can improve.
Speaker A:So it's an ongoing thing.
Speaker A:And I think that is one of the biggest changes in security that we've seen.
Speaker A:It's no longer something where you could produce a policy, you can produce a set of compliance standards and leave it.
Speaker A:It's now living and evolving, and it's something that needs to keep monitored on an ongoing basis because it directly impacts the way in which a business develops decision making that executives are involved in, and the way in which we actually go forward and hopefully run better businesses that deliver value.
Speaker C:Steve, I totally agree with you, but I don't see it coming down the line because the cybersecurity professionals are changing, they're developing, they're constantly keeping up to date.
Speaker C:But if we go into the boardroom or I speak to any lawyer and I start talking to them about their security policies, not that I'm an expert or anything, but just in passing, they don't seem to know about it.
Speaker C:They don't have a situational awareness.
Speaker C:I don't see that it's happening at a corporate level.
Speaker C:There's a small group of security professionals that are looking after the whole company.
Speaker C:But where is the education for the person who's just using the computer or the online?
Speaker C:Because it's like, don't do this, but know why?
Speaker C:How does that happen?
Speaker C:Here's how a bad actor may operate.
Speaker C:I don't see that happening.
Speaker C:I don't see it happening in the legal industry.
Speaker A:Yeah.
Speaker A:And I think you've hit on a really important point.
Speaker A:Security, I think in certain industries, legal being one, is still viewed as being a cost.
Speaker C:Oh God, yeah.
Speaker C:They won't spend on it.
Speaker A:They won't spend on it or they'll minimize the spend because they could use it somewhere else.
Speaker A:And that is the real challenge.
Speaker A:I think we have to move it from being cost to value.
Speaker A:You know, how are you delivering value in this?
Speaker A:And we have to do that in a positive way as opposed to a negative way.
Speaker A:Because it's no good saying to a lawyer, you know, if you spend X amount of dollars, pounds, euros, whatever it happens to be, you may not be attacked.
Speaker A:Well, that's great.
Speaker A:Prove it.
Speaker A:Again.
Speaker A:You have to think about the mindset of the person that you're talking to.
Speaker C:Exactly.
Speaker A:And that's one of the things that traditionally security has not been good at because it's come from this technical space that I've been talking about.
Speaker A:Increasingly the best security leaders that are starting to come into the space have very strong interpersonal skills.
Speaker A:They understand empathy, they are able to get some of these messages across in a way that they understand.
Speaker A:And that means you have to tailor it to the environment that you're in.
Speaker A:And what I've always done is I've always tried to pick the most, particularly when we're talking about partnerships.
Speaker A:I've tried to go for the partner that really has the least possible time and interest because all the other partners sit around and watch and you try to convert that individual.
Speaker A:If you can come up with some form of value for that individual, then in my experience, the rest of them just flood through and follow.
Speaker A:Because, you know, if Joe can see the value, my God, there must be something.
Speaker C:It's that domino effect, isn't it?
Speaker C:If he's not interested, but you can convince him.
Speaker C:Yeah, it's like going into the boardroom, you say, look, if you can convince George because he's the hardest guy to deal with, then we're all in.
Speaker A:Exactly.
Speaker A:That's absolutely right.
Speaker A:But it's not for the faint hearted.
Speaker A:No, you know, it really isn't.
Speaker A:And it does require a fairly detailed understanding of how the legal profession works, of what constitutes value for them, and then adapting the security posture to that so they can see that there's some inherent value in adopting the different approaches that you're, that you're talking about.
Speaker C:I think you hit on something earlier that you talked about, the reputation.
Speaker C:Personally, I believe that lawyers are more interested than the reputation than anyone.
Speaker C:Right.
Speaker C:Because that's a big thing in the legal industry.
Speaker C:There's laws for it.
Speaker C:I mean, there's certain things they can't Say online, they're involved in a case, they may say something very innocuous, but actually can cause a problem in an investigation.
Speaker C:So I think that is, maybe that is the gateway, maybe that is the stepping stone that we use to say reputation, cybersecurity, all of this is one, it is not a separate issue.
Speaker A:Yes, I think you're absolutely right.
Speaker A:I mean, you know, if you lose your reputation as a lawyer, you're pretty much finished, you're done, pretty much finished.
Speaker A:You know, you need to look for something else to do.
Speaker C:And it's scary how they're utilizing AI to cut their corners and their time with very little knowledge of, of the security implications.
Speaker A:Yeah, it is, it's no, AI is immensely powerful.
Speaker A:You need to treat it with respect and with care.
Speaker C:And what do you think are the biggest problems in the legal industry at the moment in terms of, even with AI and with the security, what are they missing?
Speaker A:I think I'd go back to that understanding of the value of security in the day job because I think that all too often not all firms, you know, I mean, it's easier to sit here, isn't it, for us to sort of, you know, paint sort of broad brush pictures.
Speaker A:And not all firms are like this, but in the majority, I would say, particularly when we start to look at the small to mid size as, as well, there hasn't been that sort of light bulb moment that says, you know what, we need to make sure that we can implement security around all of this.
Speaker A:And because that means we can protect our reputation and because that means we can use some of these tools effectively.
Speaker A:Yes, to produce better case notes, be better prepared and so on.
Speaker A:And I think that's the real essence of it.
Speaker A:But it's about bringing security and making it look like another useful tool that helps the lawyer move forward more quickly, more effectively than his or her counterpart.
Speaker C:They can see it as something that the value goes way beyond what they, what they have and their perception.
Speaker C:They have to change their perceptions, change their whole perception of it and to see this value because at the moment they're all fighting about cost.
Speaker C:I find that, like I said, I find it sad that they would rather put money into Google Ads.
Speaker C:And I've said to, I've said to a lawyer friend of mine as well, but you may be on a case that has evolved with a lot of money, it's.
Speaker C:And one data risk can collapse that whole case.
Speaker C:And you don't, you just think by having a VPN you're sorted, which you don't.
Speaker C:And I think there's a lot to be said for training and changing their perceptions.
Speaker A:Yeah.
Speaker A:And I think that some of that around is also around some of the cost.
Speaker A:You know, it doesn't necessarily cost a huge amount of money to implement some of these things.
Speaker A:There is this sort of illusion, if you like.
Speaker A:I think that it all has to be hugely expensive.
Speaker A:It doesn't.
Speaker A:There are some basic things that can be done that are not massively expensive, particularly when you're talking about the legal profession, because the legal profession, as we all know, is pretty well known for some of the fees that they tend to charge.
Speaker A:And that's fine.
Speaker C:Don't get me on that.
Speaker C:That's another episode.
Speaker A:When you look at it within the context of that, that's the piece as well that they need to think through.
Speaker C:So let's give them some tips.
Speaker C:Steve, what tips could you give them?
Speaker C:What would you say to them, A small law firm who's listening to this and they're like, you know what, Steve, you've got a point.
Speaker C:I need to think about this.
Speaker C:I haven't.
Speaker C:What can they do now to begin that and to have to process where they're ready to go?
Speaker C:I can scale it if I need to.
Speaker A:Yeah.
Speaker A:I think the first thing they have to do is really understand how they're using data.
Speaker A:Maybe sound very simplistic, you know, but how are they actually using it?
Speaker A:How dependent are they upon it?
Speaker A:Because if they can answer that question, then very quickly they're going to see that they need to do something about it.
Speaker A:But for me, they have to sort of opt in, if you like.
Speaker A:And I think all too often they're scared by it or they think, oh, it's going to, you know, we're going to go into this whole technical realm.
Speaker A:No, just take some very basic look at how am I using data.
Speaker A:If I didn't have access to that data, what impact would it make on my caseload, on how I would be going into court, on how I would be effective, on my reputation?
Speaker A:Because now, if you can answer those questions, you're ready to take the next step, then you move on and you say, okay, now what could I do to protect that?
Speaker A:You know, would I be implementing things like a vpn?
Speaker A:Would I be talking to other people in the.
Speaker A:In my legal circle?
Speaker A:Would I be talking to.
Speaker A:If you're in the uk, would you be talking to someone like, you know, the ncsc?
Speaker A:Would you be talking more globally to an organization like my own about some of the basic things that you can put in place?
Speaker A:So I think you begin that voyage of discovery which lawyers are very good at.
Speaker C:Yeah, absolutely.
Speaker A:You're playing to their strengths.
Speaker A:You're giving them information and they should be thinking, particularly in the small to mid size space, they should be thinking about how they're using technology, where are they storing information?
Speaker A:If they're storing it in the cloud, are they backing it up?
Speaker A:Are they just putting it all with Amazon web Services or are they doing something different?
Speaker A:Are they holding it separately, are they holding it locally?
Speaker A:What are they actually doing with information?
Speaker A:You know, in the olden days, of course it would all be written on paper matters.
Speaker C:That's true.
Speaker C:And then it would be in your archive and your metal cabinets.
Speaker C:I remember that nowadays it's not.
Speaker C:But here's another thing though, it's scary how many of them are actually using cloud servers and they think it's secure but they don't realize that this is a data center that is also has risk.
Speaker C:Is there a better viable option for a small law firm to say, have their own NAS system or do you.
Speaker A:Think that's depends how much they've invested or prepared to invest Quite often if they have got the right kind of contract with a cloud service provider, if you're a small company, then the cloud provider is probably going to have a better level of security provided though.
Speaker A:Jon, you've opted into it.
Speaker C:Yeah, that's true.
Speaker A:Don't go cheap.
Speaker A:Don't go cheap.
Speaker A:You know, this is really valuable information.
Speaker A:Cloud services providers can provide you with high levels of security, but they will charge you for it.
Speaker C:Yeah.
Speaker A:So if it's cheap, it probably means it's not giving you the level of protection that you need.
Speaker A:So if you don't have the resources in house.
Speaker A:Yes, I would say outsource them, but you don't outsource responsibility for if and when it goes wrong.
Speaker A:So you have to understand that you're still responsible for that data irrespective of where you happen to be storing it.
Speaker A:And so you may then decide that you want to take some of that data and store it yourself.
Speaker C:But that's a business, it is a business thing.
Speaker C:And I kind of want to, I want to tidy this episode up.
Speaker C:I'm going to get you back on.
Speaker C:We talk more.
Speaker C:There's so much to talk about.
Speaker C:But let's talk about when a breach happens for a law firm in the legal industry.
Speaker C:What should they be doing?
Speaker C:They've had a breach because obviously it could be red team, the testing, you know, you're testing the systems, let's say they find a breach, what is their next step?
Speaker A:Wow.
Speaker A:I mean, if a law firm is breached, that is.
Speaker A:Yeah.
Speaker C:I would.
Speaker A:I would hope that they have run through their resilience testing beforehand.
Speaker A:I would hope that they have run some cyber simulation exercises where they are ready to respond to that kind of thing.
Speaker A:If they haven't, I would say they're being negligent and I would say that their clients would be coming after them for that.
Speaker A:There is an assumption that the client makes that if they're sharing information with their lawyer or their accountant, that those are solid.
Speaker A:Absolutely solid.
Speaker A:And so it's a big, big issue if the law firm is hacked or suffers a breach.
Speaker A:So they should have been rehearsing how they will respond to it.
Speaker A:They will have to be notifying various regulators.
Speaker A:They will have to follow a certain process.
Speaker A:They will have to be looking at how they're going to recover from that in terms of the data.
Speaker A:So you would hope that they have backups.
Speaker C:I'm surprised at how many don't.
Speaker A:Yep.
Speaker A:If you think about, you know, let's go back in time, right.
Speaker A:When they had their paper matters, they would put them the really important stuff, they would put in fireproof safes.
Speaker C:That's right, I remember that.
Speaker C:Yeah.
Speaker A:So now we've moved into the data world.
Speaker A:What's the equivalent?
Speaker A:Just out with my cloud provider.
Speaker A:And it'll be good.
Speaker A:No problem, don't worry about it.
Speaker A:No, you have to verify, you have to trust.
Speaker A:And there may be an instance where actually you need to hold some of that data somewhere else, separate.
Speaker A:You know, it's interesting if you look at some of the advice more recently from National Cyber Security center in the uk, a little bit tongue in cheek, what they were saying was that if you've got absolutely important information that you can't do without, you may want to consider actually storing it on paper still.
Speaker A:Because the advantage of paper is it can't be hacked.
Speaker A:You can protect it.
Speaker C:Do you know what?
Speaker C:I know, honest, Steve, I never thought of that.
Speaker C:Because there is.
Speaker C:That is still viable.
Speaker A:Absolutely.
Speaker A:You know, so I think that again, I'm not suggesting that all these law firms pack in their machines and go, right, that's it, you know, back to.
Speaker A:Right, lads, back to the quill pen.
Speaker C:Oh, no, absolutely no.
Speaker C:Steve, it's been awesome having you on.
Speaker C:I've thoroughly enjoyed this conversation and I'm sure that the people in the legal industry throughout the world listening to this is going to help.
Speaker C:Let's talk a little bit about ISF and how the ISF can actually help law firms.
Speaker C:I don't know if you have a membership for law firms, but if they want to or they're cyber professionals.
Speaker C:Talk a little bit about your organization.
Speaker A:We do, we do.
Speaker A:I mean we're a global organization, so we're a membership organization and not for profit.
Speaker A:We focus only on information security and risk management.
Speaker A:We don't do anything else.
Speaker A:And we have members from Australia right the way through to the Americas and all the pieces in between.
Speaker A:And our members get access to a whole range of risk tools, policies.
Speaker A:They have access to our analysts 247 pretty much.
Speaker A:We don't charge for that other than the membership fee.
Speaker A:And we do have law firms in the membership who get immense value from it.
Speaker A:So if anyone listens is interested, then they should just get hold of me on LinkedIn.
Speaker A:It's probably the easiest and be happy.
Speaker C:Absolutely.
Speaker C:And I'll have the details down in the show notes and things like that.
Speaker C:Steve, thank you for being me in Legal.
Speaker C:Well, I'm.
Speaker C:I really thoroughly enjoyed this conversation.
Speaker C:I'm sure we could have got more.
Speaker C:I'd love to have you back again at some point so we can discuss it more.
Speaker C:I'm sure the world is going to continue to keep changing.
Speaker C:AI is going to keep changing, cybersecurity is going to keep changing.
Speaker C:And I think it's actually an exciting, evolving subject matter that covers all spectrums of the intelligence cycle.
Speaker C:So thank you Steve, for being on me in League Oil.
Speaker A:No, I've been a pleasure Jock.
Speaker A:Thanks for having me.
Speaker C:God bless.
Speaker C:If you're a lawyer, then I invite you to consider joining our exclusive legal network on Help Lawyer.
Speaker C:Just send me a message and we will book a time to have a private conversation together.
Speaker B:You've been listening to the Legal owl where law meets the unseen layers of clarity, leadership and inner alignment.
Speaker B:If this sparks something in you, trust that feeling.
Speaker B:Let it lead you for deeper insights, real conversation and strategic guidance.
Speaker B:Hence, connect through the Help Lawyer network and subscribe to the show wherever you listen to podcasts.
Speaker B:If you prefer a more private connection, you'll find the path when you're ready.
Speaker B:Until next time, stay present, think deeper and lead wiser.
