Leadership In Law Podcast

S03E130 Cybersecurity and Preparedness with Jason G. Weiss

Marilyn Jenkins Season 3 Episode 130

Cyber threats don’t wait for anyone, and neither should we. I’m joined by Jason Weiss, former FBI agent who built and led one of the Bureau’s top digital forensics labs and now a partner advising on incident response, data privacy, and cybersecurity frameworks, to unpack the moves that keep firms and businesses safe when the clock is ticking.

We dig into the two fastest-growing risks: business email compromise that hijacks trust to divert funds, and modern ransomware that pairs encryption with double and triple extortion. Jason explains how AI has erased the old “bad grammar” tell, why social engineering should be the default assumption, and the simple verification habits that stop costly fraud. From independent call-backs to domain checks and link hygiene, the tools are straightforward, if your team knows and practices them.

Then we get tactical. Jason lays out the first-hour playbook: isolate affected systems to halt lateral movement, call counsel and your insurer to secure privilege and resources, and bring in a forensics team to scope, remediate, and guide notifications. We talk backups that actually save the day, immutable or segmented, verified daily, and the risks of restoring into the same vulnerable configuration. We also cover the frameworks that bring order to chaos: NIST 800-53, ISO 27001, and SOC 2, plus the incident response, disaster recovery, and business continuity plans that must be exercised, not shelved.

The biggest lever? People. Quarterly micro-training, phishing simulations, and a culture of “trust less, verify more” beat shiny tools every time. Jason shares why law enforcement helps but can’t be your only plan, especially with overseas actors, and how proactive testing and gap analysis cost far less than a real breach.

Reach Jason here:
https://www.fmglaw.com/
https://www.linkedin.com/in/jasongweiss/

Law Firm Marketing Fix

Fix Your Law Firm’s Marketing in 10 Simple Steps

Download Your Free Checklist - https://fix.lawmarketingzone.com/

Ready to level up your law firm marketing? Book a FREE Discovery Call with Marilyn Here: https://lawmarketingzone.com/bookacall

Leadership In Law Podcast with host, Marilyn Jenkins
Powered by Law Marketing Zone®
https://lawmarketingzone.com
A full-service Digital Marketing Agency helping clients increase Leads, Cases, and Profit by getting their digital marketing right.




SPEAKER_00:

The Leadership in Law Podcast is there to equip you with the knowledge and tools you need to build a successful and fulfilling legal practice.

SPEAKER_02:

Welcome to another episode of the Leadership in Law Podcast. I'm your host, Marilyn Jenkins. Please join me in welcoming my guest, Jason Weiss, to the show today. Jason is a partner at Freeman Mathis & Gary and a nationally recognized expert in cybersecurity, digital forensics, and information governance. Jason brings more than 20 years of experience to the table, including 22 years of decorated service with the FBI, where he founded and led the Bureau's largest digital forensic laboratory, earning the first perfect third-party audit score in FBI lab history. He now advises clients on cyber incident response, data privacy compliance, e-discovery, and cybersecurity frameworks like NIST, ISO, and CMMC. Jason has accredited digital forensic labs, served as an internal ISO auditor, coached companies through cyber intrusions, and even held an assistant general counsel role for cyber and product safety with a Fortune 200 company. He joins us today to unpack cybersecurity from both the civil and criminal perspective and what every organization should know before, during, and after a cyber event. I'm excited to have you here, Jason. Welcome.

SPEAKER_03:

Thank you so much for having me.

SPEAKER_02:

Absolutely. Tell us a little bit about your leadership journey. It's pretty impressive what you've done.

SPEAKER_03:

I spent a few years back in the early days doing civil defense work, insurance work, a little family law just for fun. Then I had an opportunity to go into the FBI, which I took, and I spent 22 years in the FBI, 21 plus of those years being in the science and technology branch, where I basically focused on computer forensics and cyber investigations. During my time with the FBI, I was fortunate enough to have been promoted by the director to lead the Orange County Regional Computer Forensics Lab. I helped build that lab from the ground up. I was actually the first agent ever assigned to what's called the RCFL, or Regional Computer Forensics Lab, program. And then I spent seven years managing the lab in Orange County. After that, I did basically more forensics, focusing on mobile forensics, and I retired and went to a different law firm, my first law firm after retirement life, where I was a cyber breach coach. Then I went in-house as counsel, where I did cybersecurity law. And now I am with Freeman Mathis & Gary and couldn't be happier.

SPEAKER_02:

Awesome. Wow, that's so interesting. So with all the stuff that you've done, how do civil and criminal perspectives on cyber incidents differ the most?

SPEAKER_03:

Great question. Criminal is very different. In some ways, it's probably easier because you have the power of the search warrant.

unknown:

Okay.

SPEAKER_03:

And the power of the search warrant can't be undervalued. If people don't want to cooperate, you can make them cooperate. And that's a good thing in a criminal investigation. On the civil side, it's a little more established, and there are a lot more rules in terms of what you can and can't do. Obviously, one of the most confusing aspects of doing cyber law is that you have 50 different states with 50 different data breach notification laws, which create a lot of, not confusion, but a lot of extra work. It'd be great if we could ever get the government to get together and come up with a federal data breach protection law and a federal privacy law, so we have some consistency throughout the states in terms of how these issues are handled.

SPEAKER_02:

Interesting. Yeah, agreed. So we're hearing a lot in the news about different things, data breaches and stuff. What cyber threats are you seeing rise the fastest right now for both business and law firms?

SPEAKER_03:

The two big ones right now are business email compromise attacks, where the threat actors try and trick people into wiring money or giving them a lot of gift cards. And so that's a very common one: hey, this is your boss. Something just changed. Can you rewire the money to a different account? And surprisingly, that's still very effective and very profitable for the threat actors. And ransomware attacks are obviously big. If you deal with double and triple extortion type ransomware attacks, they're still very profitable for the threat actors, assuming that the client has the ability and the desire to pay a ransom.

SPEAKER_02:

Interesting. Yeah, and I get emails periodically that it's an invoice that needs to be paid, but it's nothing I ever did. And I can imagine they look very real.

SPEAKER_03:

Yeah, oh no. We used to always joke in the FBI that if we could get people to take their powers of evil and make them powers of good, this country would be in much better shape. Because the level of creativity and ingenuity that go into these attacks is truly astonishing sometimes, in terms of how careful they are. And I don't want to say you've got to hand it to them, but you have to be impressed by the level of effort they put into their scams and schemes. And it all really comes down to social engineering, identifying and understanding when you're being socially engineered.

SPEAKER_02:

Yes.

SPEAKER_03:

And it's not normal to say, but you should almost get to the point where you assume you're being socially engineered unless you can prove to yourself otherwise.

SPEAKER_02:

Wasn't the first actual hacker that went to prison literally a social engineer? His crime didn't take place on the computer to start with. He got the information through regular conversations.

SPEAKER_03:

Yeah, I think you're talking about Kevin Mitnick, who was the grandfather of social engineering. And I actually worked on that case in my early days in the FBI when we were prosecuting him. He was an extremely clever person in terms of how he was able to trick people into giving up credentials, in terms of logins and passwords. And it was fairly simple. By today's standards, I'm not sure how effective that would be, but back then nobody knew anything about anything.

SPEAKER_01:

Yeah.

SPEAKER_03:

So when somebody called them and said, Hi, I'm your IT department, we just need to confirm your password and make sure you can log in. Okay, people just want to be helpful. People generally are nice and they want to do the nice thing. But there are so many types of social engineering attacks now. There are dozens of different types of social engineering attacks, and some of them have become very sophisticated. And with the rise of AI, I think it's going to get much more difficult to identify and prevent social engineering attacks, because one of the great things we had was that a lot of these attacks come from foreign countries, so you could see issues with writing and language and stuff like that. It wasn't English as we understand it, but today AI can fix that for them. Just run their script through ChatGPT and off you go. It makes them sound a lot more normalized.

SPEAKER_02:

Yeah, that's true. There was always a grammar or pronoun miss, and you could tell, wait, there's something wrong with this. Absolutely. And I remember one of the first big scams that came out, the phishing scam, was the PayPal one. It would send you to a form that takes everything, including your password, CVV, everything on your credit card, and PIN number for your... but that goes back to my earlier point.

SPEAKER_03:

If you recall, that PayPal form looked so real and so authentic, and then they cybersquat the websites, so most people would never even notice that there's a different character in one spot.

SPEAKER_01:

Yeah.

SPEAKER_03:

Where it's a zero instead of an O, or an I instead of a one.

SPEAKER_01:

Yeah.

SPEAKER_03:

Or whatever you have. It was impressive, I will say. And we dealt a lot with that. It's very different from the early days of this, where people were printing stuff out on laser printers and trying to, you know, convince people, hey, really, this is real. And a lot of people are like, this looks raw. Now they can solve that.

SPEAKER_02:

Yeah, true. Things have changed. So when you were at the lab, what made that lab earn the first perfect third-party audit score in the Bureau's history?

SPEAKER_03:

The FBI had a requirement that all our labs had to be ISO accredited, the international standard; it's kind of the gold standard of information security. And so one of the things we did is I was fortunate enough to go through the ISO training the Bureau put me through, so I could understand the process better. And we did a lot of in-house auditing, and we wouldn't allow outside people in to look at the FBI books unless the FBI books were perfect. So we were much harder on the FBI than the auditors probably ever were, because we valued our in-house process very carefully, because we want to make sure that the taxpayers are getting their money's worth. And we spent a lot of time and a lot of effort. There are about 425 different requirements in ISO 17025 laboratory accreditation, and we literally worked on them one by one until we were able to get them all in place. And we were the first lab in the FBI to get a perfect score on the ISO accreditation, and that was quite an accomplishment at the time, and we're very proud of it.

SPEAKER_02:

Wow, that's exciting. I imagine it's amazing. So obviously, with all the time that you spent, what did that experience with the FBI teach you about how cybercriminals operate, thinking about how they would come after a small business?

SPEAKER_03:

That's a great question, because when you look at somebody's computer, and I did a lot of forensics work, when you look at somebody's computer forensically, you learn a lot about a person. I'm sure if I went through your cell phone now, I could understand you a hundred times better than just talking to you right now.

SPEAKER_01:

Yeah.

SPEAKER_03:

Because everything you do in your life is on your phone. And back then, when I was doing forensics, it was a little bit more on the computer than it was on the phone. The transition was just starting, everybody going crazy on phones. And it's just amazing. You go into a crowd of a thousand people, and all thousand people have a cell phone.

SPEAKER_02:

It's all you see when you look around.

SPEAKER_03:

They may not always have a computer, but they'll always have a cell phone. And cell phone forensics is a whole set of different challenges that the FBI was dealing with. But going back to your original question, you learn a lot about people. And now the one thing I will say in defense of the FBI and such is that cybercrime is always evolving. And the problem that law enforcement has is that we have to, unfortunately, be much more reactive than we are proactive, and that's a real negative, because we're always responding to problems instead of foreseeing problems and solving problems. And that's just because of the sheer volume of problems out there; there's just not enough staffing, not enough money, and not enough personnel to get into a proactive mindframe. Although I think that's what everybody would prefer. I know in the FBI we were always trying to get ahead of the game, but it's not easy. Like even with the firm I'm at now, Freeman Mathis & Gary, we spend a lot of time trying to foresee what the issues might be in terms of cybercrime, cyber attacks, and stuff. We do a lot of legal writing, right? And I think that's a big deal in that regard.

SPEAKER_02:

Yeah, I think it's with everything changing so quickly, like you said, with AI helping them get even better, now you've got to think in that mind, and it would be hard to get out in front of that.

SPEAKER_03:

It is, it's very hard, but it's necessary, and you have to never quit trying. Yeah. Because the FBI had a great expression: the only safe network is the network with no users. So as long as there are people on the network, there's risk. And whether on the private side or on the government side, it's all about gap analysis, risk analysis, and how do you identify the risk and minimize the risk?

SPEAKER_02:

I remember years ago on networks, it was considered safe if they had no internet access.

SPEAKER_03:

True. If you're not on the internet, you're safe. I would agree with that. But that's not always the case; certain machines, even in the government, are hooked up to the internet. Like, how did they get that? You've got to ask yourself, why would they have that machine on the internet? But when you're dealing with as many people and as many computers and cell phones as there are out there, there's always going to be a gap, or there's always gonna be some risk.

SPEAKER_02:

Exactly.

SPEAKER_03:

And the threat actors exploit it.

SPEAKER_02:

Yeah, again, really creative. So if a company were to suffer a breach, what would you say are the first three steps that they should take, like in the first hour? What's the first thing they should be doing?

SPEAKER_03:

Contain their network, take the affected machines offline as quickly as they can to prevent any lateral movement or spread by the threat actors throughout the network. Contact their insurance company and try and get a lawyer involved, a cyber breach coach, as quickly as possible to put attorney-client privilege over any potential investigation. And then reach out, get a good forensics firm, and do an investigation to make sure that the threat's been contained and remediated and the data's been restored. And if any notifications have to be done, you comply with your legal obligations.

SPEAKER_02:

And any of that before, even if ransomware comes in, you just stop the phones and just call your insurance?

SPEAKER_03:

Well, if you get hit by a ransomware attack, you're gonna know it.

SPEAKER_02:

Yeah.

SPEAKER_03:

Because your machines aren't gonna work, you're gonna get ransom notes, you're gonna see encryption. Yeah, at that point, you want to shut your network down, take stuff offline if you can, prevent the lateral spread of the encryption software or the threat actors themselves going through the network. The problem is most threat actors are in a network probably three to four months before they actually launch an attack, doing reconnaissance, trying to understand how the network works, laterally moving around, establishing their credentials, doing what they can to make sure that the attack itself goes smoothly. So, really, it's all about moving efficiently, effectively, and working well with your IT team. It'd be great for companies to have an incident response plan in place, a disaster recovery plan in place, a business continuity plan in place, because that's what's going to help you. And then practice those plans. It's not enough to have them; once a year at least, pull them out and do an exercise, do a tabletop. Be prepared so when the real thing happens, you're not trying to open up the book and say, What do I do? What do I do? What do I do?

SPEAKER_02:

Right. Like a fire drill. We should all be prepared.

SPEAKER_03:

Yeah, be prepared.

SPEAKER_02:

Now, do you find that businesses are doing appropriate backups of their data on a regular basis?

SPEAKER_03:

It's certainly better than it used to be, doing cloud backups. In the old days, people used to restore backups to tape and they would leave the tapes at their office, and that's bad.

SPEAKER_01:

Yeah.

SPEAKER_03:

Because if the tape backup is attached to the network, it can get encrypted as well, or the tapes can be destroyed by a fire, or the tapes can be stolen. Or if you have an insider threat, the threat actors might have somebody on the inside who will take out the backup tapes. Now, obviously, doing cloud backups and verifying them every day, doing appropriate backups and having daily backups, is going to help you a lot, because in a lot of cases it'll prevent the need for going in and trying to figure out if you have your backups in place and stuff like that. There won't be a need for decryption keys for ransomware attacks if you have stable backups. Now, I would warn people: if you have a backup, be warned that they've already infiltrated your system once using that same configuration. So if you restore back to that same configuration the threat actors had used before, make sure you immediately do what you've got to do to try and find any gaps and lock them down.

SPEAKER_02:

Find the door there. Okay.

SPEAKER_03:

Right. There are a million companies out there that will help you with this, or use your IT folks if you have them, and figure out what went wrong and take the machines offline if you have to until you figure out where the gap is.

SPEAKER_02:

Great advice. Great advice. What mistakes do you think organizations repeatedly make during incident responses that end up making things worse?

SPEAKER_03:

They bury their head in the sand, metaphorically. They don't believe what's happening to them. They drag their feet, they talk among themselves. Speed is everything in a cyber incident. That's why there are companies available 24/7, there are cyber attorneys that are available 24/7. I think companies just don't want to believe it's happening to them. Or they go in there and they try and self-fix without really understanding what they're doing, and they make things worse, because maybe they uncover new parts of the network that they hadn't exposed before to the threat actors. There are a hundred things that can go wrong, and very few that can go right, unless you really... that goes back to my original idea of having an incident response plan, and not only having one but practicing it.

SPEAKER_02:

Yeah, that's absolutely great advice. And again, when you were talking about ransomware, once it actually happens, the assumption is these people have been in your system for the last, say, two to three months, potentially. So restoring a backup is not the answer without fixing the open doors.

SPEAKER_03:

That's exactly right. And that takes speed and knowledge and having a good security team and a good IT team, and as necessary hiring contractors to come in and do a penetration test, for example. Have white hat hackers come in and find your gaps, and then you can close them. There is a lot you can do. It's called cyber hygiene. And I do a lot of work for clients on that. There's a lot of work you can do. I know it's not covered by insurance, so you're paying out of pocket for some of this stuff, but it's a lot cheaper than dealing with a cyber incident. So spend a little bit now and change your oil before you wait for your engine light to come on, and then you've got real problems.

SPEAKER_02:

I love that. Now, say you do something like that. Would you suggest doing that, the cyber hygiene, anytime you make an update to your system? And I don't mean a software update, but say you're adding new equipment or something like that. Is that something that should be routinely done?

SPEAKER_03:

You should have routine practices within your IT department on patch management and change management controls. But cyber hygiene is not like it has to be an everyday thing. Well, you should always practice cyber hygiene; I don't want to misrepresent that. But in terms of hiring us or hiring a vendor that could help you, you look at some of these cybersecurity frameworks that exist now to help defend networks, like ISO 27001 or NIST 800-53 or even a SOC 2, where you go in and you put these cybersecurity frameworks in place to provide a greater level of information security management to your systems.

SPEAKER_02:

Okay. And how do civil liabilities like lawsuits, regulatory penalties, reputational damage intersect with potential criminal exposure?

SPEAKER_03:

Criminal exposure really is not something we handle on the civil side. We obviously report cyber incidents to law enforcement in almost every instance, and that includes the FBI through the IC3 website. We work with the FBI, provide indicators of compromise and other things that the client will allow us to share in order to help the FBI's investigations. But a criminal investigation is very different because it's a different standard of guilt. And the biggest problem, I'll be perfectly honest with you, on the criminal side, is most of the threat actors don't reside in the US. A lot of them reside in Europe, Asia, Eastern Europe, what have you. And it's much more difficult to get them sometimes, because you really need the cooperation of these other countries. And some countries cooperate well, and some countries not so much.

SPEAKER_02:

Agreed. Yeah, I think we see a lot of those in the news, that they are overseas, and that would be harder to organize. So, in your experience, what's the one thing that companies could do today that would drastically reduce their cyber risk for tomorrow?

SPEAKER_03:

I know this is gonna sound lame, but employee training. Like I said, the only safe network is a network with no users. If you're gonna have users on your network, users need to understand and hopefully identify potential social engineering attacks or other types of attacks, like phishing attacks. We tell people constantly, don't click on links from people you don't know, but people do.

SPEAKER_01:

Yeah.

SPEAKER_03:

Because people are basically good and trusting, and they're trying to do the right thing and trying to be good employees, and sometimes it blows up in your face. So at a minimum, you should be doing an annual cybersecurity training. An even better scenario is once a quarter, even if it's not very long. It's something that constantly refreshes people's awareness. I know people hate cyber training, everybody hates cyber training, but it really is critical to act as a bulwark against cyber threats and cyber threat actors.

SPEAKER_02:

And I think making your employees aware of what the, say, newest or most recent type of threat is out there, so that they can watch for it. It's just feeding it in and making it a normal thing: don't click on this link. Look at who it came from. Is it real?

SPEAKER_03:

When somebody says, please, please, can you buy me some gift cards? I'll pay you back. This is your boss. And another really important tip and trick is when you get those emails where somebody asks you to call them to verify, independently look up the number. Don't rely on the numbers that are in the email, because if that's a threat actor, they will more likely than not set up a phone bank.

SPEAKER_01:

Yeah.

SPEAKER_03:

So if you call, they're gonna have somebody answer pretending to be a help desk or what have you. Or if you're not sure, I mean if you get a call from your boss and/or an email from your boss asking you to change banking wiring instructions, call the boss's office using your internal network phone system documentation. Don't rely on what's on the paperwork. I know it seems obvious, but you'd be surprised how many people fall for that, because you're busy, you're in a hurry, you want to make your boss happy, you want to get that money out. But more times than not, it's usually bad news.

SPEAKER_02:

Agreed. And I think last week or two weeks ago, I got a call from quote unquote Microsoft Secure Support that wanted me to go to my Windows PC and do all of this stuff. I'm like, no, Microsoft never calls for support. I haven't opened a ticket. Why would you be calling me? Just call them out on it. But being a little bit more aware, I think, is what's very important, not just at business, but personally being aware of these threats.

SPEAKER_03:

No, absolutely. When the IRS calls you demanding money or jail, that's not real. The IRS doesn't do that. When law enforcement calls you and says, hey, if you don't turn yourself in, if you don't pay us this money, we're gonna come arrest you. That's not real. It's hard, and life is a lot harder because you don't know what to trust or not. But I would always err on the side of not trusting but verifying before I did anything where I gave up any kind of personal information. Because once they have your birth date, your social security number, or your computer login information, they're gonna take advantage of you and exploit you.

SPEAKER_02:

Great advice. Absolutely great advice. Jason, this has been excellent advice. Thank you so much for your time. I know my listeners are probably gonna want to reach out to you. Where can they connect with you?

SPEAKER_03:

They can go to fmglaw.com. My name's Jason Weiss, W-E-I-S-S, or it's Jason.weiss at FMG Law, or they can hit me up on LinkedIn. I'm the only Jason G. Weiss on the block.

SPEAKER_02:

All right, excellent. I'll make sure that those links are in the show notes. And again, thank you so much for your time today. I really appreciate you taking the time to be on the show.

SPEAKER_03:

Oh, my pleasure. Thank you so much.

SPEAKER_02:

Thanks for joining me today for this episode. As we wrap up, I'd love for you to do two things. First, subscribe to this podcast so you don't miss an episode. And if you find value here, I'd love it if you would rate it and review it. That really does make a difference in helping other people to discover this podcast. Second, you can connect with me on LinkedIn to keep up with what I'm currently learning and thinking about. And if you're ready to take the next step with a digital strategist to help you grow your law firm, I'd be honored to help you. Just go to LawmarketingZone.com to book a call with me. Stay tuned for our next episode next week. Until then, as always, thanks for listening to Leadership in Law Podcast, and be sure to subscribe wherever you listen to podcasts so you don't miss the next episode.

SPEAKER_00:

Thanks for joining us on another episode of the Leadership in Law Podcast. Remember, you're not alone on this journey. There's a whole community of law firm owners out there facing similar challenges and striving for the same success. Head over to our website at LawMarketingZone.com. From there, connect with other listeners, access valuable resources, and stay up to date on the latest episodes. Don't forget to subscribe and leave us a review on your favorite podcast platform. Until next time, keep leading with vision and keep growing your firm.