Leadership In Law Podcast
Are you a Law Firm Owner who wants to grow, scale, and find the success you know is possible?
Welcome to the Leadership In Law Podcast with host, Marilyn Jenkins! Cut through the noise. Get actionable insights and inspiring stories delivered straight to your ears - your ultimate podcast for navigating the ever-changing world of law firm ownership.
In each episode, we dive deep into the critical topics that matter most to you, from unlocking explosive growth to building a thriving team. We connect you with successful law firm leaders and industry experts who share their proven strategies and hard-won wisdom.
So, whether you're a seasoned leader or just starting your journey as a law firm owner, the Leadership in Law Podcast is here to equip you with the knowledge and tools you need to build a successful and fulfilling legal practice.
Your host, Marilyn Jenkins, is a Digital Marketing Strategist who helps Law Firms Grow and Scale using personalized digital marketing programs. She has helped law firms grow to multiple 7 figures in revenue using Law Marketing Zone® programs.
Powered by Law Marketing Zone®
https://lawmarketingzone.com
More Leads, More Cases, More Profit!
S03E148 Preparing for a Cyber Security Crisis with Josh Cook
A cyber attack isn’t just an IT fire to put out. It’s a business moment that tests leadership, communication, and trust. We sit down with Josh Cook, partner at Prince Lobel and former global cyber counsel for a Fortune Global 500, to unpack how organizations of any size can move from panic to playbook, and why small firms face the highest stakes.
Josh retraces his path from securities litigation to launching a global cybersecurity legal function, centralizing fragmented responses across regions and building institutional memory where none existed. He explains why the most dangerous myth is treating breaches as “specialty” problems for vendors to fix, and shows how real resilience comes from policies you follow, role‑based playbooks people can run under pressure, and leaders who keep IT and the C‑suite speaking the same language. We explore the communication fault lines that derail response, the surprising ways attackers target smaller vendors to reach big clients, and how even a breach can become a credibility moment when you protect customers first.
We also dig into AI’s double edge. Criminals use generative tools to craft convincing lures and shortcut technical know‑how, while defenders harness anomaly detection to spot intrusions faster. Josh shares practical steps you can take now: line up your forensic and legal partners before trouble hits, build relationships with law enforcement, and run a frank tabletop to expose gaps in ownership, scripts, and escalation.
Reach Josh here:
https://princelobel.com/professional/joshua-n-cook/
Josh's Book: https://amzn.to/48up38k
Welcome to the Leadership In Law Podcast with host, Marilyn Jenkins. Cut through the noise. Get actionable insights and inspiring stories delivered straight to your ears, your ultimate podcast for navigating the ever-changing world of law firm ownership. In each episode, we dive deep into the critical topics that matter most to you, from unlocking explosive growth to building a thriving team. We connect you with successful law firm leaders and industry experts who share their proven strategies and hard-won wisdom. So whether you're a seasoned leader or just starting your journey as a law firm owner, the Leadership in Law Podcast is here to equip you with the knowledge and tools you need to build a successful and fulfilling legal practice.
SPEAKER_01: Welcome to another episode of the Leadership in Law Podcast. I'm your host, Marilyn Jenkins. Please join me in welcoming my guest, Josh Cook, to the show today. Josh is a partner at Prince Lobel's Data Privacy and Security Group. He has tremendous experience managing complex cybersecurity, privacy, and fraud issues, including more than a decade in-house with a Fortune Global 500 financial services company, where he served as the company's first global cyber counsel and launched its cybersecurity legal function. He has commanded dozens of critical cyber, privacy, and fraud incidences, guiding C-suites and boards through multiple crises. He wrote the book on how to manage a cyber attack, Cyber Resilience by Design: An Executive Guide to Managing a Cyber Attack, in 2024, and is frequently featured in publications and executive forums on cybersecurity, AI, and data privacy. I'm excited to have you here. Josh, welcome.
SPEAKER_03: Thank you so much, Marilyn. I'm happy to be here.
SPEAKER_01: Absolutely. Can you tell us a little bit about your leadership journey?
SPEAKER_03: Sure. So I started my career more than 20 years ago in litigation. And you know, I was convinced coming out of law school that I wanted to be a litigator and that that's really where my focus was. After being a litigator for a few years, I realized that's actually not my favorite thing to do. And so it felt very natural. Most of my litigation experience was in the securities world. So it was securities litigation, defending broker-dealers and going after broker-dealers and investment advisors that had wronged their customers. And so it felt very natural for me to move in-house because that was a need at the time. And it was also just something that as I was looking around and realizing that litigation was not where I wanted to build my career anymore. You know, moving in-house was just a completely normal and natural thing for me to do. So I moved in-house and right out of the gate, I realized that, you know, that was going to be a transformative experience for my career because it was a very, very different experience from the law firm culture that I had been in for several years at that point. One of the great things about my experience in-house was that at some point I was allowed to basically define what it was I wanted to do. And so, you know, the company, after a few years, had actually sold the retail broker-dealer that was my primary client. And, you know, our general counsel came to me and said, Look, you're not leaving us. So what is it that you want to do here? And, you know, what are you gonna do when you're coming in every day? And so we talked a lot about cybersecurity and about privacy, and those were things that I had dealt a lot with because of my retail broker-dealer, and you know, the bad guys go where the money is. So, you know, they were constantly targeting the retail operations.
And so, you know, that really dovetailed perfectly with his vision for the company and the law department within the company going forward. You know, previously, up until I took on this role as global cyber counsel, you know, cyber issues would happen all over the world. And this was a global company, so cyber issues would come up all over the world, and the lawyers that were attached to those impacted business units would jump in, handle the cyber issue, and then when it was over, they would go back to their daily jobs. And there was really no consistency across the globe. And there was no institutional memory, certainly not within the law department, about how these things should be handled day in, day out. So really the only marching orders I had were, you know, make it consistent and remember what we do every time so that we can do it, you know, again. And other than that, you know, I was just told by the general counsel, just do the right thing. You know, whatever happens, just do the right thing and I'll have your back. And that was really empowering to me. So I dove into this global cyber counsel role that had never existed before at this massive international company. And the idea was, you know, figure it out, right? Like I got no real guidance other than just do the right thing. And so I had to figure out what it meant to be a lawyer for a global company focused on cyber issues and focused on defense of cyber issues. So, you know, I really wrapped my arms around the entire company's global cyber footprint and said, All right, you know, we've got groups in Japan and groups in Canada and groups in the US and groups, you know, in Europe that are doing similar functions but had never talked to each other and had no idea what each other was doing.
So, you know, that was kind of step one, was, well, let's kind of take an inventory of who's doing what, how can we ensure that we're being consistent across the board, you know, when consistency made sense, right? When it made sense to do things differently, fine, let's do things differently, but let's be deliberate about it, not just haphazard. And then it turned into, okay, you know, let's figure out how to help the C-suite understand what the issues are across the globe, and then help the individual business leaders understand what their specific issues are. And so it was a multi-year project, but it allowed me to really understand what the business does and what the business needs are. And then, you know, while all of this was happening, there were incidents, you know, on a regular basis. And so, you know, I became intimately involved in managing those incidents and ensuring that, you know, we are doing things consistently day in, day out, that we have a strategy as opposed to just putting out fires here and there. It was, you know, we have a strategy that we want to follow and we want to apply, and that's going to protect the business on a larger scale than just, you know, putting out a fire here and there. And so, you know, it was really transformative for me and my career. And I was there, I was in-house for 12 years. And when I left that company, you know, I had this vision of helping smaller companies. But what really, really opened my eyes was the understanding that, you know, when I was handling incidents at this, you know, large international company, it never once crossed my mind that any incident could put the company out of business. Like that was not ever on the table. You know, it was going to survive regardless, right? Like there was nothing that was going to be massive enough to put it out of business.
But I learned that 60% of small businesses go out of business within six months of a cyber attack. And that to me suggested, you know what, there's a real need outside of, you know, the massive international Fortune 500 firms, it's a real need for my expertise and my experience to help these companies weather the storm and to become resilient. Because ultimately resilience is the name of the game, right? Everyone is going to get hit, every company is going to get hit at some point, but you know, does it put you out of business or is it an opportunity to grow and to become stronger? And, you know, can you actually, in some circumstances, turn it into a sales point, right? Yes, we got hit. This is how we handled it. And, you know, we're constantly keeping our customers front of mind. We want to make sure that everyone is protected, that we're doing the right thing. You know, so you can actually leverage some attacks into a marketing pitch, basically. And so that's really what I try to bring to my clients is, you know, not just look on the bright side, but turn it into a bright side. Like let's address this thing that most companies, you know, feel is a really terrible experience, and let's turn it around and say, all right, you know, yes, this is rough. We're gonna get through it and we're gonna become stronger afterwards.
SPEAKER_01: I love that because I think a lot of smaller businesses feel like only the big guys will get hit. It's "I'm too small."
SPEAKER_03: And I can absolutely tell you from experience, no one is too small. The cyber attackers out there typically go for targets of opportunity. So if they find an access point, they will exploit it, or they'll try to exploit it. And, you know, they don't know how big you are frequently until they're in your system. And so, you know, there are attackers out there that are targeting the big firms, that are specifically going after, you know, JP Morgan and Bank of America and Walmart, right? Like there are definitely folks that are specifically targeting big firms. But a lot of the attackers out there are just targeting whoever they can target, right? So if they get access, if they get credentials, if they find an exploit that they can get in through, they're gonna do that. And then once they're in, they start digging around and figuring out, okay, you know, who is this company? Is this somebody that we can take, you know, that we can ransom for a lot of money, or is this, you know, someone that, you know, maybe isn't gonna really go anywhere for us? But they don't know until they're in. And once they're in, it's too late for the company.
SPEAKER_01: Yeah, that's quite interesting. What do you feel like is the biggest, I mean, you've worked for a Global 500, now you advise clients in crisis. What's the biggest misconception executives have about cyber incidences?
SPEAKER_03: I would say the biggest misconception is that it's a specialty problem, right? And that you need a specialty solution for it. And what I mean by that is, and this is really what prompted me to write the book in the first place, is the idea that executives frequently during a cyber crisis, they'll step back and say, Well, this is a cyber issue, and I need my cyber lawyer, I need my forensic firm, like they're gonna handle it for me. And that really does the business a disservice because every cyber issue is fundamentally a business issue. And if the business leader is taking a step back, the business leader is depriving the team of a solution and a management solution that it should have, but it won't have if you're only relying on outside counsel or if you're only relying on your outside forensic firm. They're going to put the fire out, but they're not going to necessarily see the larger impact to the business. And that larger impact is always there. And I'll give you an example. You know, I dealt with an issue fairly recently where this was a large international company. They had a ransomware issue, and it was basically their data was exploited because they didn't lock it down properly. And so the bad guys were able to get in. Now, you might look at that and say, all right, that's a ransomware issue, we're going to deal with a ransomware issue. The real issue, though, was that the fact that their data wasn't locked down in this one jurisdiction was very, very similar to a publicized complaint that an internal whistleblower had made in the media in a different jurisdiction about the fact that the company didn't lock down and secure its data. So, you know, within a couple of weeks of that publication, now we have a ransomware attack, and it's really underlining the same exact issue, right? The company's not securing its data properly.
So they're still dealing with the fallout of the media report, and now we've got this attack. And so the issue was not so much how do we deal with a ransomware attack. The real issue for the company was how do we make sure that we don't get a lot of publicity around this ransomware attack that's just going to confirm what the media already suggests and suspects, you know, in another jurisdiction. So the last thing the company needed was an international problem when it, as far as the media was concerned, had really just been limited to this one jurisdiction, right? So that's just an example of the ways in which cyber issues, they're typically reflective of larger business issues. And if you're only dealing with the cyber piece, you're ignoring the bigger picture, you're ignoring the bigger business risk that needs to be addressed. And that's where the business leaders really need to be involved, especially, you know, in-house counsel, the senior business leaders, those are folks that understand the big picture. And outside counsel and the forensic firms, they don't, right? They're not there day in, day out dealing with the business. And so they're brought in to handle a specific issue and they handle it well, but it's the big picture that really needs attention.
SPEAKER_01: I think an interesting part of what you bring to the table is those 12 years you spent and were given free rein, you built systems and processes, you built those communication channels so you've seen how to bring the big picture together. So instead of, yeah, you might not know all the intricacies of a new client, but you know the processes to look for.
SPEAKER_03: Yeah, that's exactly right. And you know, frankly, what I saw quite a bit, and I learned to identify, you know, the communications gaps, right? And where it frequently happens in many companies is a gap in communications between the senior leaders and the IT folks. And you know, a good CISO, a security officer, will understand how to speak both languages, but those folks are really rare. They're hard to find. And so you end up with IT folks that speak in terms of IT, and you end up with business folks that speak in business terms, and they don't frequently get on the same page. And you know, I've mediated disputes that I genuinely was worried were gonna devolve into fisticuffs between senior leaders and senior IT folks, because you know, the senior IT folks are like, no, this is a security issue. We cannot get away from this. We have to address the security issue. And the business leaders are standing there like, if we don't get this back up and running right now, we are going to have severe business consequences. And you know, you have to be flexible, and the IT folks have to be flexible about the kinds of risks that they're willing to accept, right? The business is accepting the risk, and the IT folks have to accept risk as well. But the business people have to understand the true nature of the risks that they're accepting, right? And so that's where the communications can really become challenging, but it's really critical. And I can't stress enough how important it is to keep those lines of communication open. And it can't just start during an incident, right? Those lines of communication have to be open and free-flowing all the time, or else you're getting into an incident expecting everyone to trust each other, and they're not going to.
SPEAKER_01: I agree. And I was in IT and have been in IT for a very long time. We won't talk about years. But it used to be IT was an island. You had the guy that walked around with the jump drive or the disc, and they were only called when there was a problem. And they just lived somewhere.
unknown: Yeah.
SPEAKER_01: So now to expect them to be talking with the C-suite and planning and all of this stuff. Yeah, I agree. That would be a bit of a unicorn, the person that could do both.
SPEAKER_03: Yeah, and, you know, I'll tell you, when I first got into cyber, and again, I'm at this, you know, large international company, they had business units all over the place, and each business unit had their IT folks. The incident response team, though, was three people. And it was, you know, three people that were responsible for handling incidents for the entire globe. And they were literally just, you know, running from fire to fire. That was it, right? And by the time I left there, the incident response team had evolved into incident response, threat intelligence, you know, assessments, and it was basically at that point 50 people. And for a global company, that's really what you're looking for, right? Like you need that many people involved. One of the luxuries you have when you have a larger team like that is all of a sudden you've got people that have the capacity now to build relationships across the company when, you know, that three-person incident response team never had that capacity.
SPEAKER_01: Well, I'm sure they were running constantly.
SPEAKER_03: That's exactly right. And so, you know, they couldn't build relationships, they couldn't conduct any trainings, they couldn't do any tabletop exercises because it was just, you know, fire after fire after fire. But when you build out that team and you have more capacity, you can really build the relationships too. And those relationships are critical to the resilience that you're looking to build.
SPEAKER_01: And when you talk about resilience by design, in practical terms, what does that look like? Is that systems and conversation, education?
SPEAKER_03: Yeah, so I'll preface this by saying I don't have an IT background. I don't have a technical background at all. In my experience, the failure points, what gives rise to cyber incidents, it's usually not the technology, you know, it's usually the people that do something, you know, completely natural for a human to do, but it's the wrong thing to do. You know, for example, you know, clicking a link in an email, or you know, letting your curiosity get the better of you. You know, those are things that humans do, and the bad guys exploit that human nature. So that's really where I focus. But resilience is having the systems in place, having the policies and the protocols in place and the playbooks, but very importantly, having the people in place that understand what they're supposed to do when things go wrong. And I can't tell you how many times I've done a tabletop exercise where, you know, we're going around the room and it's like, all right, you know, if this happens, and I get a leader standing up saying, All right, we've got a program, we've got a policy, we're gonna do, you know, X, Y, and Z. And then I say, Well, who's actually doing the work? Right. So, oh, well, Tom's doing the work. Okay. Does Tom, Tom's not in the room. Does Tom know that this is his responsibility? Right. And almost universally, it's like, well, I mean, you know, it's his job. Like, we'll tell him, you know, this is what you're supposed to do. Right. You know, it's like, okay, you know, it's one thing to go through this exercise, you know, within the IT team, right? Where everyone knows, okay, you know, this is how, you know, we've shut down systems, this is how we have to, you know, handle a DDoS attack, right?
And it's another thing to do it on the executive level, where, you know, the executives think, all right, we have policies about this stuff, and we've got people that do it, so we're good to go. You have to meld the two of them and really put them in the room at the same time and say, all right, you know, okay, the CEO said we need to take this action, who's doing it, right? And then you look at the person that's actually doing it. So do you actually know how to do this, right? Yes. Okay, great. Then we're good to go, right? But frequently it's, well, who's doing it? I don't know. I don't know who's doing it. We have a policy that this is what we're supposed to do, but I don't know who's actually responsible, right? And that's where the rubber meets the road. And that's really the point of preparedness, is to go through it and make sure that you understand, you know, what's supposed to happen, but very importantly, who's doing it. And that who piece is often overlooked.
SPEAKER_01: Yeah, I think having the policy because we're supposed to have one is not as important as having a person assigned to do it. Exactly. So when you're thinking about the essential elements, what are the essential elements that every company should have in place before an incident occurs?
SPEAKER_03: Yeah, I mean, it really boils down to policies, playbooks, and people. Right? So you need the policies in place, but as you said, you know, having a policy that just sits on a shelf does nothing for anybody. In fact, it's frequently worse to have a policy and not follow it than to not have a policy at all. Right? Because if you're not following it, you know, after the fact the regulators are going to come in and say, Why didn't you do any of the things that you said you were going to do, right? And that becomes a much worse scenario for a company. But so you have the policies, and then you need to develop playbooks which are much more detailed and specific for a particular role within the company, right? So, you know, as the head of IT, your playbook for this particular type of incident is to do X, Y, and Z. As the head of marketing for this, or the head of, you know, public relations, your playbook says something completely different, even though it's the same kind of scenario, right? But you need those playbooks to walk the individual roles through what they're supposed to do when something bad happens. And those playbooks can include, like for public relations, a script for a holding statement, right? And it's just generic, you know, yes, we're aware of the incident, we're looking into it. You know, if you have any further questions, contact whoever, right? But that is stuff that you can do in advance, and you don't want to have to do for the first time when you're under fire, right? And that's really what it boils down to is, you know, resilience is built on preparedness. You know, and the example I give all the time is, you know, you can walk into an exam and maybe you do great, right? You didn't study, you did great, fantastic. Congratulations. I wouldn't try that a second time, right?
If you want to do well on an exam, you have to study, you have to put the work in, you have to prepare for it. You know, maybe you get through without any preparation whatsoever, but why not stack the deck in your favor, right? Like why not increase your chances of getting through and becoming stronger on the other side of it. And so, you know, it really is about preparing and being ready. And the way you do that is, you know, line up your resources in advance. So, you know, if you have a forensic firm that you want to work with, talk to them before you have an incident, right? Understand who they are and, you know, sign a contract before you ever have an incident. Because I've been at public conferences where I've heard vendors stand up and say, hey, you know, I see dollar signs when I get a call from a client that I've never heard from. Like, I didn't know who they were. They call me out of the blue, they're calling me out of the blue during an incident. Bam, dollar signs. I know this is going to be a great engagement for me. It's a stunning admission, but it's absolutely true, right?
SPEAKER_02: Yeah, yeah.
SPEAKER_03: But you do not want to be in that position as a client, as a business that needs help, you don't want to be doing that. Another quick example is law enforcement. If you want to engage the FBI, like if you have a ransomware attack or if you're the victim of, you know, a business email compromise and an email thread hijack and, you know, your invoices have been redirected and payments have been redirected to bad actors. If you try to call the FBI out of the blue, unless you are in the middle of a bank robbery, you're never going to reach a human being at the FBI. It's, you know, leave a message, we'll get back to you, you know, when we have resources to get back to you, right? Yeah. And it is the same thing if you're a victim of a cybercrime and you go to ic3.gov and you fill out the crime complaint form, you know, that's all great and you should do that, but they're not going to respond anytime soon. Right. And so the way you get responses from law enforcement is to build a relationship with them before you ever have an incident. Right. And so it's things like that that really get you far down the path towards resilience. And it just takes a little bit of effort before anything goes wrong.
SPEAKER_01: Yeah. So bottom line, get your book so we can do that and be resilient.
SPEAKER_03: That's exactly right.
SPEAKER_01: With AI accelerating both innovation and threats, what new cyber risk should organizations be preparing for right now?
SPEAKER_03: Yeah, that's an excellent question. And you know, AI has really democratized cybercrime, unfortunately. You know, you can't necessarily do it with Copilot or ChatGPT because they do have some guardrails, but you can actually get around the guardrails too in some really bizarre ways. But it's not hard at all to find an AI product out there that will give you a kit for how to commit cybercrime, right? So, you know, how do I find an exploit for X Company? What's the most likely avenue of attack that's going to be successful? How can I monetize this? You know, where can I find a ransomware kit and how do I deploy it? Right. And AI will walk you through that entire process. So the barrier to entry into cybercrime these days is not how much technical skill do you have. It's are you willing to commit a crime? That's really it. And so, you know, you see a lot, the attacks are still sophisticated, but the attackers are maybe not as sophisticated as they used to be. So, you know, they don't have to be as sophisticated, they don't have to have a lot of experience of hands-on keyboard, you know, exploiting vulnerabilities within a system. They can just rely on AI to fill a lot of those knowledge gaps that they might have, right?
SPEAKER_02: Yeah.
SPEAKER_03: So it creates a real challenge, particularly for smaller companies that don't have the resources to continually fight that sort of thing. But, you know, while the AI has been used by the bad actors, it's also being used by the defenders out there, right? So there's a lot of firms that are really doing some magical things with AI to identify evidence of intrusions, you know, because one of the things that AI does really well is find patterns amid chaos, right? So you can feed it an extraordinary amount of data and it will find patterns in there that a human would never find. So I was working with a company recently that is doing just that. They are ingesting truly massive quantities of data, and their AI is designed to identify anomalies. So, you know, they basically can say, all right, this user is acting a little weird. You know, is this a legitimate user or not? Right. And so they can actually then say, all right, let's focus in on this particular user, let's understand, you know, the behavior, let's look back at what they've done over the past 24 hours, over the past 72 hours, and see if we can identify, you know, is this an actual account holder or is this someone that's just getting in with the account holder's credentials and acting differently and maybe exploiting a vulnerability? So, you know, the AI is making everything faster, it's making everything harder to some extent, but it's also making some of the defense easier, but it is a real challenge for a business to understand, you know, how is this working and is this worth my time and effort to sink money into this, or is this just a waste of time? And that can be a real challenge for companies.
SPEAKER_01: Yeah, I think right now there's a lot of confusion with it, but it's kind of like back in the day when people were writing, bad actors were writing viruses, they found tools to help them do that. And I think AI is gonna be, obviously bad actors are gonna find a way of finding ways to exploit different things with AI and try to make money off of it. If a shortcut can be made, someone will find it.
SPEAKER_03: Yeah, the bad actors out there, a lot of them are really good at what they do. And you know, I can't help thinking that if they devoted that much energy towards a legitimate enterprise, they would build a great company, right? Like they would build a great business, but you know, they've decided that playing within the rules is not, you know, what they want to do. And so, you know, they build these criminal enterprises that really would be the envy of any normal business, right? They've got customer service, they've got, you know, folks working phone banks, you know, there's ransomware attackers out there that, they deploy the ransom note and it says, you know, call this number for customer service. You call the number, it's a legit customer service line. And the person, you know, is saying, All right, thank you for calling. We're gonna help you get through this. You know, you just need to pay, you know, Bitcoin, you know, you need to pay a ransom, deposit Bitcoin into this wallet, and we'll give you the keys, you know, to decrypt your data and you'll be on your way. And you know, but it's an actual customer service line that is.
SPEAKER_01: Right.
Prepare Vendors And Law Enforcement
SPEAKER_03: Right, right, absolutely. You know, and they tend to be very nice from the get-go, you know. It's, yeah, I'm sorry, your data's locked up. Here's what you need to do to unlock it, right? And it's a really, it's surreal sometimes dealing with these folks.
SPEAKER_01: Wow, that is fascinating. Um, if the company wants to strengthen its cyber resilience this year, right now, what is the single most impactful step you think they should take?
SPEAKER_03: Yeah, I would say, you know, if you want to strengthen your resilience, step one is understanding what you do now, right? If you had an incident right now, what would happen? How would you handle it? And then you just have to do a gap analysis of, all right, just an honest assessment. Did we do that well or did we not do that well? And that honesty is really critical because a lot of companies will go through, you know, that assessment and say, you know, yep, we did everything great. We, you know, we've got the policies in place. No one's ever read the policies, but we have them, right? And you know, we know what to do, so we're all fine. And you know, where it really falls apart is if you take an honest lens at it, you know, it's okay. If this were to happen, would we actually follow the playbook that we have? Do we have the people, do they know, do they understand what they're supposed to do? And if you're answering it honestly, you know, a lot of times the answer is no, right? And that's kind of an across the board answer, right? Like, big companies, small companies, mid-size, a lot of them, the answer is no.
SPEAKER_01: Steps that are missed, there's steps that weren't written down, yeah.
SPEAKER_03: Exactly. And you're not doing yourself any favors if you just gloss over that stuff. You really have to look at where you're falling short and say, all right, you know, we're gonna devote time and resources to making sure that we're fixing that. Because, and it's a little cliche at this point, but it is not a question of whether, it's a question of when. You will get hit by a cyber attack. It's going to happen. And the real question is, are you gonna be ready for it or not? So you can devote the resources to it now, or you can devote a lot more resources to it later. And that's really the equation that it boils down to. You know, it's an ounce of prevention and a pound of cure.
SPEAKER_01: I love that. Great advice. Now, I know, Josh, that some of our listeners will want to reach out to you, maybe connect with you, learn more about you. Where's the best place for that to happen?
AI’s Double‑Edged Cyber Impact
SPEAKER_03: Yeah, so I am active on LinkedIn. You know, anyone who wants to connect with me can certainly find me there, and I'm happy to, uh, connect. You can also find me through my law firm, Prince Lobel Tye. And I am a partner in the data privacy and security practice group. So, you know, you can certainly reach me there or through LinkedIn, either way. And I do, you know, I try to put out videos and commentary and things like that, particularly through LinkedIn, but, you know, I'll do it through whatever channel I can find. Because, frankly, the information that I want people to get out or to understand is important. And I think it's important to me that, you know, every business out there, and frankly, every individual out there understands what the risks are to them. And yeah. I have had, like, my daughter's in high school, and she got an email talking about, you know, that the school district had partnered with the federal government and they were offering internships. And you know, you get this four-hour week internship for $200. And when she told me about this, I was like, fifty dollars an hour sounds pretty rich for the federal government to be offering to a high school kid, right?
SPEAKER_02: Yeah.
SPEAKER_03: And so I was like, well, you know, maybe this is not as legitimate, you know, it came from a legitimate source, but you know, this doesn't sound right. And so I looked into it, and they were asking for, you know, your name, your address, whether you had your own bank account and the name of your bank. And, you know, so that immediately I was like, this is not, yeah, this is not real. This is, you know, so I told her this, you know, sorry, it sounds great, but it's not great, and let's not do that. And then we found out that the teacher, one of the teachers, their email was compromised and used for this phishing campaign. And a lot of students actually fell for it, right? And that's really what bothers me the most is that these attackers were targeting teenagers. And they're targeting teenagers that are just starting to, you know, become independent, they're getting their own bank accounts, and now all of a sudden those bank accounts are being exploited and funds are being stolen. And that really bothers me. And it bothers me just as much that, you know, these small businesses, you know, solo firms and, you know, individuals that are just trying to put a business together, they're struggling because there are bad actors out there that are constantly targeting them. And it's so frustrating for me as a practitioner to look around and say, it is so hard to get a business off the ground as is. Yes, you don't need someone making it even harder. You know, so I just, I want that message to get out there as broadly as possible that there are very simple things that you can do, whether you're a small business owner, whether you're an executive at a large enterprise, or whether you're just an individual trying to protect yourself. There are some really simple things you can do to make it that much harder to be a target.
SPEAKER_01: Yeah, because they're gonna go for the easy ones. But I agree. Every single day I get emails, and we've trained the staff and everything, and clearly this is what to look for to know it's fake.
Criminal Enterprises Run Like Businesses
SPEAKER_03: Yeah, yeah. No, absolutely. Yeah. Absolutely. I've got a client, a small nonprofit, they are, you know, fewer than 10 employees, and they were the target of a very sophisticated attack. And basically their clients were very big companies. And so as the vendor for very big companies, they became a target. And the bad guys did the recon that they needed to do to understand who within this very small nonprofit was responsible for processing invoices and making sure payments were happening. They targeted this small company with a massive spam campaign that kept IT busy, that kept their IT vendor busy. And then at the same time, they deployed a spear phishing email to the one person at that company that they needed to exploit. And they got that person to click through and they gained access to that person's email. Once they had access to the email, they hijacked email threads, they redirected invoices, and it was just a massive problem for this very small nonprofit that had clients that were much larger and wealthier, and, you know, they were processing money for them. But it was a very sophisticated attack. They set up spoof domains and they kept everyone in the dark throughout this whole process, you know, and then when it came to light, it's like, well, what should you have done differently to protect yourself? It's like, well, maybe there are a couple of things, but really, you know, it's just vigilance. You know, you have to maintain that level of vigilance constantly because, you know, everyone will let their guard down at some point. And when you do, bad things happen.
SPEAKER_01: Yeah. Just be, absolutely, I like that, be vigilant because these phishing emails are getting better and better. It's crazy.
SPEAKER_03: Yeah, and they work. And you know, as silly as each one of them might look individually, you know, it costs next to nothing for the bad guys to send out, you know, a hundred million phishing emails. Right. And if one percent work, well, that's a million, right? And so if they get access to a million people's accounts, imagine the damage they can do. You know, so even if it's a fraction of a percent, it's still a massive quantity of victims that you're talking about.
SPEAKER_01: I agree. Josh, this has been eye-opening and so informative. I really appreciate your time here. And thank you so much for being here.
SPEAKER_03: No, it's my pleasure, and thank you, Marilyn, so much for having me on the show. I appreciate it.
First Step: Honest Gap Assessment
SPEAKER_01: Thanks for joining me today for this episode. As we wrap up, I'd love for you to do two things. First, subscribe to this podcast so you don't miss an episode. And if you find value here, I'd love it if you would rate it and review it. That really does make a difference in helping other people to discover this podcast. Second, you can connect with me on LinkedIn to keep up with what I'm currently learning and thinking about. And if you're ready to take the next step with a digital strategist to help you grow your law firm, I'd be honored to help you. Just go to LawMarketingZone.com to book a call with me. Stay tuned for our next episode next week. Until then, as always, thanks for listening to Leadership in Law Podcast, and be sure to subscribe wherever you listen to podcasts so you don't miss the next episode.
SPEAKER_00: Thanks for joining us on another episode of the Leadership in Law Podcast. Remember, you're not alone on this journey. There's a whole community of law firm owners out there facing similar challenges and striving for the same success. Head over to our website at lawmarketing.com. From there, connect with other websites, access valuable resources, and stay up to date on the latest episode. Don't forget to subscribe and leave us a review on your favorite podcast platform. Until next time, keep working with Victor and keep growing your firm.