All too often at Legalweek and other legal tech conferences, I am inundated with meetings with vendors who want to tout their shiny new AI product or enhancement. Often these shiny new tools are neither shiny nor new. So, it’s a treat when I get to talk to someone about substantive issues and what’s going on in the real world. And right now, one of the biggest things going on that’s not talked about much is cybersecurity, its risks, and the accelerating frequency of attacks.
So my recent conversation with Michel Sahyoun, the Chief Solutions Architect of NopalCyber, was a welcome chance to learn. NopalCyber is a cybersecurity consulting firm that Sahyoun heads. I also spoke with him at a recent ILTA conference and found him not only knowledgeable but also capable of explaining things in a way I can understand. From experience, I know the latter is a skill in short supply in the cyber world.
I got a chance to chat with him at Legalweek and catch up on ongoing cyber threats in the age of AI.
AI Risks
If we didn’t have enough cybersecurity issues and bad guys lurking, AI brings a whole new dimension to the risks. Add to this the complacency and disinterest of many business leaders, particularly (as I well know) those in law firms, and you have a perfect storm brewing.
As I have discussed, Sahyoun too has noted the widespread use of GenAI for all sorts of things. This of course creates a discovery trail, but it also creates cyber breach risk. Often people get in a rush to get deliverables from AI tools and cut corners. They don’t take the necessary steps to adequately protect confidential and private data.
A far bigger threat though, says Sahyoun, is how well and how fast AI tools can create a breach. According to Sahyoun, the average time to exploit a breach is now only 29 minutes. Reacting at that speed, particularly while trying to run a business, is difficult.
Moreover, AI bots can automatically launch repeated attacks to probe for and exploit vulnerabilities. This, combined with automation, has increased the number of attacks to “crazy” levels, notes Sahyoun.
The attacks can also target certain kinds of information once they are ingrained. AI tools can be used to pull out such things as bank account numbers, social security numbers, passwords, and the like. No more time-consuming searching — time that the exposed party historically had to remediate and cut off the breach. AI tools can also infiltrate an entity’s own AI system, exposing even more.
Sahyoun also believes that one protection on which many rely, cyber insurance, is getting much more expensive. Moreover, carriers are looking carefully at what insureds say in their applications and reviews versus what they are actually doing. If there is a discrepancy, insurers then use that to deny claims. So, what many believe is a safe harbor may not be.
Sahyoun is seeing overreliance on what internal IT teams are saying when that advice isn’t exactly right. Says Sahyoun, “there is little oversight between risk and technology.” Entities may have certain software protections but if they aren’t implemented correctly, they not only fail to protect, but they also can nullify insurance coverage.
Sahyoun reiterated for me that entities often think that because they have backup systems, they are safe. But as I have also written, failure to read the fine print of software protection platforms results in a bitter surprise when a breach happens and there is in fact no backup provided.
Finally, he says, too many entities are driven by compliance standards to overly focus on data leak protections but ignore the ever-expanding potential for attacks.
Some Protections
To combat this and deliver at speed, NopalCyber keeps track of known and potential vulnerabilities identified by government agencies. Once a vulnerability is disclosed, NopalCyber notifies its clients of it and of the need to be on the lookout and immediately capture it. NopalCyber will also provide responding software from its inventory, if it has any, that enables prompt capture or, if needed, remediation.
Sahyoun and his company have also been working with their clients to respond much faster to attacks given the abilities and speed of AI tools to initiate and exploit vulnerabilities.
On the proactive side, NopalCyber provides continuous white hat attacking to expose weaknesses in client systems. This will expose the potential for known attacks that are in existence but can also demonstrate misconfiguration and attack paths so they can be shut down before something happens.
Why Am I Telling You All This?
So, why am I devoting space to cybersecurity and Sahyoun in particular? It’s because I continue to believe that law firms are particularly exposed. Law firms have all sorts of valuable information that belongs to clients or even other parties. The bad guys know this. They know how embarrassing it will be for firms to report a breach to clients. Not to mention the fact that such an event is a good way for a client relationship to be abruptly terminated. And law firms may have made certain security representations to clients that they unknowingly can’t meet.
Complacency and disinterest are particularly acute among law firms. All too often law firm leaders rely on IT who don’t speak the same “language.” The leaders don’t understand what IT is saying but figure they must know what they are talking about. They then conclude with little additional investigation that they are protected by software, backup, and insurance. All too often, none of the three hold up.
And to be honest, law firm leaders are not that interested to begin with. Cybersecurity is nothing more than a cost and not a revenue-producing one, at that. So, lawyers ignore or don’t apply the same investigatory zeal to their own security as they do to their clients. In the age of GenAI, that’s a huge mistake waiting to happen.
So, investigate and ask questions. Talk to people like Sahyoun. Before it’s too late.
Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.
The post Lawyers And Cybersecurity: Talk To An Expert — Before It’s Too Late appeared first on Above the Law.