Tom Lambotte founded GlobalMacIT to help lawyers who wanted to use Apple products in their firms and now runs the largest Managed Service Provider for Mac-based law firms. His newest product, BobaGuard, is a way to provide his high-quality IT approach to small and non-Mac law firms, giving them the digital security they need.
Caroline Chambers: What is the biggest threat facing law firms right now?
Tom Lambotte: The biggest security threat is a common one, the thought that “It isn’t going to happen to us.”
There is a belief, especially in solo and small law firms, that we are too small to be worth hacking. Fortunately, the legal profession is embracing technology; however, this adoption is a blessing and a curse. It is a blessing because now 40% of lawyers are more capable and empowered and can manage their own technical issues as compared to a few years ago. They do not have to pay for professional IT services to do tasks like managing servers and workstations.
It is a curse because, although they can manage their own technology, managing the security aspect is more difficult. It sometimes is an afterthought when it comes to security until they get hit with malware or ransomware. Like car insurance, an individual may get the minimum coverage, and then have an incident not covered. It is too late to get the coverage, and it costs more for repairs than paying for more insurance coverage.
Believing that they’re not at risk is a general issue. Another big problem is they don’t know where to start; they don’t have the time. A solo or small law firm is in charge of sales and marketing and HR and finance. Somewhere in there, they need to manage their technology, and within the technology, they have to do the security, and they don’t have the time, skill, patience, or desire to handle it. Security gets kicked further down the road, hoping nothing is going to happen. The biggest legal strategy against security threats is the Hope Strategy, also known as the Ostrich Strategy.
CC: I would call it security through obscurity. “Oh, nobody’s gonna worry about me.” So I know in South Carolina, there’s a duty to be competent with technology, is that what you find across other states as well?
TL: Yeah, I think that’s up to 41 states. The duty of technology competence. But what does that mean? “Well, I’m competent; I know how to restart my computer.” We tried to talk about that, but I found it’s not a fear. It’s not a strong enough emotional trigger to get lawyers to take action.
There are so many easy things that are not done. And then there are the advanced strategies that small firms literally have not been able to access at all. The majority of IT companies, like my company GlobalMac IT, have a ten-user minimum. So for smaller firms, they are turned away and sent home, and that’s what I did for a number of years. I would say, “sorry, I can’t help you. I’m going to provide value and direction, but I can’t help you. It’s not worth your money for me to do it for you.” So they get sent home, and they’re like, “Well, I tried, I have nowhere else to go,” so they give up.
CC: If you had to choose just one IT security tip to share with an attorney who’s starting their own firm, what would it be?
TL: One security tip is two-factor authentication. Two-factor authentication is beyond a best practice – it is a starting point to build your firm’s technology security.
Phishing scams are very sophisticated. I am aware of one tech-savvy individual who fell victim to a well-developed phishing scam. The individual received an email from someone he knew. The email signature was the same. A link took him to a website that was an exact replica of the legitimate homepage; only the domain was different. Once the person entered information, the criminals had it.
I must emphasize that cybercriminals are paid very well, and they are very skilled. Many cybercriminal organizations operate like regular 9-to-5 jobs, Monday through Friday. They have team huddles. They have business plans. These are organized groups that do their research. They are well funded. They study psychology and social engineering.
For example, regarding social engineering, cybercriminals know who is working from home and when. They know that 4 pm on Friday is when we are the most distracted. They know the best time to send emails and well-crafted webinar invites. They have the same statistics that legitimate businesses use when marketing. They may know when they send phishing emails on Monday mornings at 10 am they have a 7% open rate. When they send emails on Friday afternoon, there is a 14% open rate.
One tip regarding links in phishing emails is to confirm that the domain is the actual domain. These are security steps that all businesses, large and small, should follow. Focusing back to law firms, it is important to know your audience – the practice and the size. The technology is still manageable for a solo or a small firm – maybe seven or fewer people.
CC: Any tips to help a law firm choose an IT professional or Managed Service Provider?
TL: For a smaller firm, with a headcount of five, six, or seven people, the technology is still manageable. As the firm grows, the complexity of managing all the technology grows exponentially, and it is important to recognize and manage that growth path. Growth beyond that is the critical point for many firms in deciding to hire a third-party IT service to support their technology. There are small firms that hire an IT firm, despite the cost and pay a high maintenance fee for the security to ensure that they are protected. Often, these small firms can get great service at a much lower hourly rate from a reputable IT consultant.
For Apple users, which is the core of who we serve at GlobalMac IT, I recommend using the Apple Consultants Network. Do a search in your area, network, and find two or three people. I recommend creating a list and then giving them a call and vetting the top choices. Do this before you need them.
If you want to hire a full IT company, they are going to charge you to come in; they are going to have a user minimum. Usually, a small firm is going to pay more than what makes financial sense at that time. Now, the problem when hiring an hourly IT person is they only get paid when you call them. Some are not proactive; they may not put all the tools and security solutions on your environment because there is no skin in the game for them to do more than what is asked. A good IT company knows a client’s specific needs, including what existing hardware and software are already being used.
CC: So, what can a small firm do to implement proactive security?
TL: Often with BobaGuard, we begin a relationship with a firm, and they generally have good in-house IT; the deficiency is with security. When a person or business moves from having their data stored and managed locally to the cloud, there is uncertainty in how secure their data is and the best way to manage security. After being hit with ransomware, they’ve heard about a large company in the news, and a smart firm owner becomes concerned with their security. BobaGuard exists to help with these issues.
CC: Can you explain? What issues does BobaGuard address, and how?
TL: BobaGuard includes eight different security layers that are turnkey. A firm does not need to spend any time doing research; we provide and make sure the users are comfortable with the tools. We know the right and best version of each tool.
- Unique cybersecurity training – Unique means engaging, not twenty slides of information followed by ten multiple choice questions that most can answer through simple reasoning. Anyone who has gone through HIPAA training or similar training knows this type of training. The training is often a reminder of legal or company policies and consequences if the policies are broken. That is not learning, and it does not benefit the participant.
BobaGuard has a short seven-minute video that features a cast of characters. It combines behavioral science techniques with storytelling to fundamentally transform learning the security culture. The questions are based on the content and the things that happen in the video, as opposed to information presented on a slide. The user retains more. The video holds their attention, so they learn. That is how, in real life, you get people to intercept malignant emails more efficiently.
- Sound IT security policies – 50% of solo lawyers do not have any security policies in place. An acceptable policy includes how to handle email and other suspicious activity, how to run a backup and disaster recovery policy. These are simple things that you need to have in place, and we provide all the templates, and prioritize each for the lawyer to review and customize.
- Dark web monitoring – The problem with data breaches is that most everyone is desensitized. They do not pay attention to links they click or the information they provide. In many companies, not simply law firms, employees are required to lock their PCs when they step away from their desk.
The way criminals get paid is not by breaching a large company and stealing 10 million usernames and passwords; they get paid when they go to the dark web, which is the shopping cart for criminals. The criminals put the data they’ve collected up for sale, and then other criminals come in and select and buy the data.
This is something you as a user have zero control over. You might have great security hygiene, but you may be unaware that one of the websites you access was breached. In addition, you use the same password for other email and logins. To defeat this, the dark web monitoring scans the dark web continually and if any hits come up under your domain, it sends you a notification so you can see if that password, or variation of it, is currently in use.
- Phishing simulation – We send simulated phishing emails to our clients. That way we know if a user is clicking on email links or actually entering their credentials to introduce a security breach.
When a user clicks a link in a simulated phishing email, the user sees a cartoon of someone fishing, letting the user know that this is a simulation and instructing the user on what they missed; the user is redirected and starts remediation training.
In addition, we track who clicks on links and provide that information to an internal supervisor in case additional training needs to be done. Often a user who clicks on a simulated phishing link and is told what they missed does not make the same mistake on a future phishing simulation.
- Proactive monitoring maintenance – This includes maintenance and patching for Apple and Windows computers with antivirus and web protection. This is standard for working with an IT company. It updates security patches, it automatically updates third-party software, including Office and Google, so it saves time. It has antivirus and web protection built in. The web protection part is DNS web protection that blocks a malicious URL domain. For example, if a user falls for a phishing email and clicks on the link, the website is blocked by this tool.
- $250,000 cyber insurance policy – This is a crucial type of policy to carry, but far too few attorneys have it. Reason number one is, in general, no one likes to deal with insurance. Secondly, almost all policies have a complicated application process. With our solution there is no application process at all. For example, once users at a firm sign out, the next day they have a $250,000 cyber insurance policy.
- Email backup – This solution backs up all of the data in a firm’s Microsoft 365 or G Suite. It backs up Contacts, Calendars, Emails, OneDrive or Google Drive. It covers the data protection gaps that are built into 365 and G Suite.
This is one of the solutions we just upgraded recently. And this is all accessible from within the web interface. So if you log in there’s not a separate portal – you can go into one portal to manage your security and to restore your files as needed. So, super helpful and really easy.
- Team-based password vault and process documentation tool – A user can store and create their passwords and share with others on the team. In addition, you can also use it to build your documentation for your processes. A firm can handle their SRP within their business and link them. It has versioning built in, as well.
These are the eight security layers. There is no long-term contract, everything is month to month.
Along with the layered security, we created a concierge setup where it takes 66 minutes to get all eight security layers running for the lawyer. Once a firm signs up, there’s a six-minute intake form, and then there’s a 60-minute Zoom call that we do with them. Through Zoom, they share their screen and allow us to take over. From there, we configure everything, we enable it, and by the end of that one hour, all eight security solutions are up and running.
We know technology is constantly evolving. It can create a concern; you want to know your firm is using the latest security technology or if you are vulnerable. With BobaGuard, security is one less thing the firm must worry about because we always stay on top of the changing technology. After all, the best solution today might be obsolete next year; or a new solution is developed that delivers twice the value and is easier to use.