Collaborate on Law Firm Invoice Template for Security with Ease Using airSlate SignNow

Law firm invoice template for Security

(soft upbeat music) - Well, welcome, everyone. Today, we're going to focus on security best practices. My name is Alexa and I'm a security engineer, as he said. My team and I are responsible for ensuring that everything that runs in the cloud is built securely and follows best practices at Clio. We build a world class observability tooling that we use as a foundation for identifying and protecting against cybersecurity attacks against Clio, as well as yourself. Our cloud infrastructure runs on Amazon AWS and I recently completed the AWS Amazon Security Engineering training. So I'm very deeply familiar with these kind of infrastructure tooling. I've been at companies like Apple and Shopify and most recently, over the last two and a half years, I've been focused on building out innovative solutions at Clio. And our team is deeply invested in understanding what type of threats there are out there for you and how we can help build tooling around those to protect you. And I understand just how deeply the stakes are for you to be able to succeed in your business. And so I'm excited to share some tips today. So I want to help tear down the stigma that building a stronger security posture makes life harder for you. It can feel like by doing less, you're making your life easier today. But today, I'm going to highlight truly bad outcomes do exist when we take what we believe to be the easier way out. So I want to empower you with resources that you need to protect not only your firm but yourself from bad actors who are actively looking to exploit businesses like yours. Internally, we've seen concerns pop up as a result of compromised email accounts, not within Clio but your actual personal email accounts or the email you use for your law firm. So I'm going to share two real world examples of where having a strong, unique password and using something called multi-factor authentication would've protected against these truly bad outcomes. And finally, we'll dig into what's really on the line when it comes to security. So I love it when I can connect with Clio customers. It's a rare opportunity for me and it's usually good day communications and knowledge sharing that I wouldn't otherwise get. Usually, if you're hearing from me, it's about to be a bad day and I'm hoping after today, it's only good days from here on out. I want to instill a sense of urgency to prioritize narrowing the gap between your technical environment and best practices that will protect your firm long term. So technology, computers, and the online world are all conduits to enable great work each day, be it finding supporting evidence in the blink of an eye, whether it's shifting towards software like Clio to help you run your firm, or just generally moving away from pen and paper as we've used for a very long time. On the other hand, there are individuals out there that do seek to exploit you. And the security world has seen an astronomical level of growth in malware attacks, phishing attacks, and many different types of attacks, as you can see by this graph. There we go. And this all happened during the pandemic as a lot of companies shifted towards the cloud. Now, statistics are great to quantify truly how scary it can be to operate in the digital world but I think a real world scenario will truly help set the scene for why using Clio with a strong password, whether it be your Clio account, as I said, or just your personal email or even your Netflix account, is no longer enough. So not too long ago, our learning systems indicated the bad actor attempting to stuff millions of credentials into our Clio login page. This is in a very short period of time, a matter of minutes, really. And our team immediately got to work, trying to understand what was happening. So all the emails we investigated were correlating back to a data breach that happened with Park Mobile. This is a popular North American parking application. The stolen data included things like customer email addresses, dates of birth, phone numbers, your home address, as well as encrypted passwords. And while this actor tried over a period of time to decrypt and break open these passwords so that they could use them in a malicious way. So the bad actor tried more than 1.3 million times to stuff these credentials into our Clio login page. And thanks to our observability tooling, we're able to block all of these attempts and not a single action was taken on a Clio account. From this attempt, we were actually able to build out an amazing solution called our Behavior Engine. And this allowed us to stop bad actors dead in their tracks. But the ultimate lesson from this is there's a reason we never use the same password across multiple different logins. If you're using this across multiple logins, you're putting yourself at risk. But by conduit, if you're using your Clio Manage account, you're putting your customers at risk too, and it's just not worth it. So now, in a perfect world, we have a variety of passwords across your accounts, specifically unique passwords. And by that, I mean it has at least eight characters. It has a special character, we all love the exclamation mark, and potentially a number as well. But what I can tell you is that a password alone on an account that offers primary access to a secondary account is no longer enough. For example, you may use Outlook or Gmail as the main primary email for your account for Clio or something, even your Netflix account. And that allows you to get reset passwords to that account, that allows you to update information through that account, the primary email as the conduit. So I had mentioned earlier how the path of least resistance isn't usually the most secure. Well, not too long ago, a lawyer's email was compromised and the hacker had discovered that they were using Clio by sleuthing around in their email. They decided to build out filters to block any form of new emails coming in from Clio in the notifications realm. So we all know we do get some notifications from time to time. So from there, they proceeded to reset the Clio login page. And this was obviously filtered out. The primary subscriber did not see this happening. So they proceeded to update the trust account for this Manage account, which meant any new bills that were sent paid were all deposited into that bad actor's email or bank account. So the good news about this, even though it is a very terrifying story, is we were able to come together as a team, work with our payments team, as well as pull all of the logging from our observability tooling and support that Clio customer to regain all of the funds that they lost. But how do we make sure that something like this doesn't happen to you? So it's a little thing I like to call multi-factor authentication. It's said in our community that there are three pillars of multi-factor authentication. One is something you know, the second is something you have, and the third is something you inherently are. The best example of this is a password, a key, and something biometric like a fingerprint. These three classic factors have some pretty different properties though. Something you know can be copied without your knowledge but not physically lost or found. Something you have can't be easily copied without your knowledge, and it takes a physical theft to get it. And something you are is supposed to be hard to forge but it may be easy to get, realistically. Two-factor authentication uses two of these factors. The idea is that it should be harder to steal two than one. For example, if you have a lock on your house and it has the passcode, but you also have a key, theoretically, someone could steal your key but they would still need the code. And someone could get the key or get the code but they would still need the key. So this takes two different types of attacks. So this can be done in a multitude of different ways. One good example that some of you may have seen and if not, our product lab will be happy to show you, is using the Clio app to get a push notification that says are you really who you say you are? Do you want to go ahead and log in? And I find this to be necessary or a bare minimum for accounts that give primary access like an email or a Clio account where you know that the data that you're trying to protect is extremely important. And having these enabled at bare minimum protects against takeover accounts, anything like that that you've heard me say because there's that second factor. How do I say I am who I say I am? And if we don't want them to log in, we're simply saying no, you do not have permission to enter my account. So I put together a cheat sheet, you can go ahead and scan it now. I'm going to bring it up again at the end. And my hope is you can share it amongst your peers and firm. It includes a promotional code for something we're going to go into a little bit later. Having the tools to improve your personal security posture can only benefit you and your clients. So let's take a look. The first thing I would ask is that you get a password manager. I've been really happy to see some of you at the conference do have it already. This will save you so many headaches. I have been guilty of forgetting passwords many a time and I can tell you I, in the moment, believe that I would remember it. So these managers always require some form of multi-factor, whether it's two-factors or three is going to be up to you due to the nature of what's being stored. And I cannot recommend this approach enough. Clio uses a password manager called 1Password, as you'll see if you did scan the QR code, but there are a multitude available. So again, you're going to hear this word over from me a few times today, enabling multi-factor authentication on all the services for yourself and your employees. Trusting that a password is enough is just no longer enough. By turning this on, you're empowering yourself to be accountable for who can access your accounts. And this is my favorite one. Please stop sharing your credentials with your team members. Having shared logins, sharing passwords over Teams, Slack, through email is turning up the risk that just really isn't necessary. Utilizing things like password managers actually allows you to share passwords securely through a link that's encrypted. And these are all buzzwords that you'll find in that QR code. So catering your endpoint protection solution to the size of your firm is paramount. What's effective for a solo or small firm does not scale to larger firms. And it's important that choosing the right level of security for your physical hardware, even though it can feel daunting. And in many cases, it almost feels like a money grab but the end result could be so much more catastrophic. Deploying an advanced endpoint protection solution allows your firm to stay up to date with new vulnerabilities as they come out to the day while allowing you just focus on what it is you're trying to do, which is the law. So my goal today wasn't to scare you. I may have a little bit, but reflecting on where you currently are from a security posture perspective and where you ultimately should be or where you want to be is important. Reputation is deeply important to the success of a business and Clio knows that all too well. We work extremely hard to build trust, and once you lose it, I think we can all agree it's difficult to get it back. The same goes for you with your clients. Clio Payments has been life-changing for many of its Clio users. And experiencing a financial loss due to an insecure password on an email just doesn't feel worth it anymore. Recently, we completed our SOC 2 certification for anyone that likes those compliance buzzwords. And so the depth of investment in building out a world class security program at Clio can give you assurances on our side. I'm part of that team, so I do guarantee. (chuckles) But how you handle your client data and what happens if a bad actor does access your computer, your email, your phone could have severe regulatory implications for you as well. And I want to protect you against that by showing you these tools. We care deeply about taking a holistic approach to security and I'm more than happy to chat with you after this session. And we also have Gavin, our senior application security manager as well with us here today. So thank you so much. Enjoy the closing keynote, and I appreciate your time. (soft upbeat music)