Lawyers And Cybersecurity: Talk To An Expert – Before It’s Too Late – Above the Law

All too often at Legalweek and other legal tech conferences, I am inundated with meetings with vendors who want to tout their shiny new AI product or enhancement. Often these shiny new tools are neither shiny nor new. So, it’s a treat when I get to talk to someone about substantive issues and what’s going on in the real world. And right now, one of the biggest things going on that’s not talked about much is cybersecurity, its risks, and accelerating frequency of attacks.

So my recent conversation with Michel Sahyoun, the Chief Solutions Architect of NopalCyber, was a welcome chance to learn. NopalCyber is a cybersecurity consulting firm that Sahyoun heads. I also spoke with him at a recent ILTA conference and found him not only knowledgeable but also capable of explaining things in a way I can understand. From experience, I know the latter is a skill in short supply in the cyber world.

I got a chance to chat with him at Legalweek and catch up on ongoing cyber threats in the age of AI.


AI Risks

If we didn’t have enough cybersecurity issues and bad guys lurking, AI brings a whole new dimension to the risks. Add to this the complacency and disinterest of many business leaders, particularly (as I well know) those in law firms, and you have a perfect storm brewing.

Like I have discussed, Sahyoun too has noted the widespread use of GenAI for all sorts of things. This of course creates a discovery trail, but it also creates cyber breach risk. Often people get in a rush to get deliverables from AI tools and cut corners. They don’t take the necessary steps to adequately protect confidential and private data.

A far bigger threat though, says Sahyoun, is how good and fast AI tools can create a breach. According to Sahyoun, the average time to exploit a breach is now only 29 minutes. Reacting at that speed, particularly while trying to run a business, is difficult.

Moreover, AI bots can automatically launch repeated automated attacks to probe for and exploit vulnerabilities. This, combined with automation, has increased the numbers of attacks to “crazy” levels, notes Sahyoun.

The attacks can also target certain kinds of information once they are ingrained. AI tools can be used to pull out such things as bank account numbers, social security numbers, passwords, and the like. No more time-consuming searching, time that the exposed party historically had to remediate and cut off the breach. AI tools can also infiltrate an entity’s own AI system, exposing even more.

Sahyoun also believes that one protection on which many rely, cyber insurance, is getting much more expensive. Moreover, carriers are looking carefully at what insureds say in their applications and reviews versus what they are actually doing. If there is a discrepancy, insurers then use that to deny claims. So, what many believe is a safe harbor may not be.

Sahyoun is seeing overreliance on what internal IT teams are saying when that advice isn’t exactly right. Says Sahyoun, “there is little oversight between risk and technology.” Entities may have certain software protections but if they aren’t implemented correctly, they not only fail to protect, but they also can nullify insurance coverage.

Sahyoun reiterated for me that entities often think that because they have backup systems, they are safe. But as I have also written, failure to read the fine print of software protection platforms results in a bitter surprise when a breach happens and there is in fact no backup provided.

Finally, he says, too many entities are driven by compliance standards to overly focus on data leak protections but ignore the ever-expanding potential for attacks.


Some Protections

To combat this and deliver at speed, NopalCyber keeps track of known and potential vulnerabilities identified by government agencies. Once it’s disclosed, NopalCyber will give notice to its clients of the vulnerability and the need to be on the lookout and immediately capture it. NopalCyber will also provide responding software from its inventory, if there is some, that enables prompt capture or, if needed, remediation.

Sahyoun and his company have also been working with their clients to respond much faster to attacks given the abilities and speed of AI tools to initiate and exploit vulnerabilities.

On the proactive side, NopalCyber provides continuous white hat attacking to expose weakness in client systems. This will expose the potential for known attacks that are in existence but can also demonstrate misconfiguration and attack paths so they can be shut down before something happens.


Why Am I Telling You All This?

So, why am I devoting space to cybersecurity and Sahyoun in particular? It’s because I continue to believe that law firms are particularly exposed. Law firms have all sorts of valuable information that belongs to clients or even other parties. The bad guys know this. They know how embarrassing it will be for firms to report a breach to clients. Not to mention the fact that such an event is a good way for a client relationship to be abruptly terminated. And law firms may have made certain security representations to clients that they unknowingly can’t meet.

Complacency and disinterest are particularly acute among law firms. All too often law firm leaders rely on IT who don’t speak the same “language.” The leaders don’t understand what IT is saying but figure they must know what they are talking about. They then conclude with little additional investigation that they are protected by software, backup, and insurance. All too often, none of the three holds up.

And to be honest, law firm leaders are not that interested to begin with. Cybersecurity is nothing more than a cost and not a revenue-producing one, at that. So, lawyers ignore or don’t apply the same investigatory zeal to their own security as they do to their clients. In the age of GenAI, that’s a huge mistake waiting to happen.

So, investigate and ask questions. Talk to people like Sahyoun. Before it’s too late.




Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.