skip to main content

TLOMA Today

November, 2024
Golden Ticket - Facility Plus - Handyman - November 1/23- October 31/24 Leaderboard
November, 2024 | Article

Message from the President

HPA-TLOMAToday-Hays-Nov2024 HalfPage
Carrano, Pat
Author Pat Carrano

Now that Thanksgiving and Halloween have come and gone and all the decorations have been tucked away for another year, we begin to prepare for our industry’s busiest time…..year end. But before we delve ourselves into that annual challenge, there are some exciting events happening in TLOMA for November. Early-bird 2025 membership renewal emails have been sent, so take this opportunity to renew your membership at 2024 rates!  

We have 2 Finance SIG’s in November. On November 7th (registration for this SIG is now closed) join Soluno, an Actionstep Company, for an insightful session where we will share the benefits, challenges, and implementation strategies for innovative technology that elevates efficiency, client satisfaction, and overall firm performance. Join us on November 19th we will have an in-person SIG at the offices of MNP LLP.  This will be an insightful event tailored for lawyers and law firms, where we will delve into critical topics such as working capital and equity targets, firm benchmarking, and partner compensation.

And finally why not close out the month with a networking event at one of Canada’s most famous landmarks. Our annual Holiday lunch will be held at the CN Tower Restaurant on November 28th. This event is designed to foster networking and socializing with your peers in a relaxed, engaging atmosphere. Whether you’re looking to catch up with old colleagues or make new connections, this lunch promises to be an enjoyable experience for all.  Space is limited so be sure to sign up early!

Pat brings 35 years of experience to Finance in the legal sector.   Originally hired in 1989 as a trust clerk/AP clerk with Blakes, Pat has seen (and survived) the Wang dummy terminal, GST/HST Implementations, Y2K, numerous new office launches (and closures), extensive computer software automation, In-house legal departments, the dreaded RFP process and most recently the Financial impact of Covid19.   He has been in the trenches and has worked in every finance department area, from AP, AR, Conflicts, Collections, Billings & Financial analysis.

Pat has spent the past 25 years in a Director/Management role, overseeing the finance department.  In May 2019, he joined Loopstra Nixon LLP as their Chief Financial Officer.  

Having been a member of TLOMA since the late 90’s, he became the 2019 Finance SIG Leader and has relinquished his post after serving 2 terms.   After spending 2023 as the Board’s Vice President, he looks forward to his upcoming role on the TLOMA board as President.   Together we can all work towards making TLOMA even stronger!

November, 2024 | Article

Why Hackers Love Law Firms

Tom-Bigos_1960x830
TLOMA - Career Board HalfPage
Tom Bigos headshot
Author Tom Bigos

I have hacked into hundreds of networks, yet I still get surprised when “The Hack" goes as smoothly, easily, and quickly as it does. Which is ironic because you would think that after doing this for the last 14 years nothing would surprise me. Yet here we are in 2024 my jaw still drops from time to time. So, sit down, grab a coffee, and reschedule your next meeting as I am going to share, why law firms can be easy targets and why Hackers love law firms. But first, I should preface that I hack into client networks with their full support and permission. I am a cybersecurity penetration tester or known to some as a White Hat Ethical Hacker. What is that you ask? White Hat Hackers do not “Hack" for ransom, they do it because it is their job and because it is fun.

The networks I have hacked have ranged from small to large. A typical small network may have 20-30 computers, while a large network could have thousands of computers. Yet, regardless of size, budgets, or market vertical I can honestly say with one hand on my heart, the vast majority were textbook hacks. You are most likely wondering, what is a textbook hack? It is one that did not require extraordinary effort to achieve. It is an attack vector that is taught to novice cybersecurity professionals to help them learn the basics. Yet even today these basic hacks are prevalent and continue to be effective despite our best efforts to educate IT professionals everywhere.

So, how do we mitigate and prevent these basic hacks?  Unfortunately, the answer is complicated with many variables. Primarily because each network is distinctive, each organization does things slightly differently, therefore the solutions may require a unique approach. However, there are patterns in the gaps that I and my team see when we are hired to breach client networks. 

Once we provide our report and recommendations, the number one gripe I hear from IT managers, especially ones that work for law firms is “I will never get budget for this. This will not be approved; I cannot even get budget to replace our ancient so and so.” I cannot tell you how often I have heard that exact statement. So please, if you are a partner or executive and want hackers to stop loving law firms, do not view information technology as a cost, it is an enabler of your business. Can you imagine running your firm without computers, smart phones, instant messaging, cloud services and having nothing but pen, paper, and ledgers? Notice I didn't say faxes, because I know the legal and medical professions are one of a few select bastions where facsimile machines are still a thing. My point being, if you want to mature your cybersecurity posture you must invest in information technology. Old, outdated technology is ripe with risks and hackers love that.

The next one you have heard before, more than once. But please hear me out. Hackers love your God-awful passwords. I know you think no one is going to guess your current password of “Fall2024!” or “ncc1701!” or “October2024!” I hate to say it but statistically speaking you are not the only one that has used your current password. Btw, the middle password is a Star Trek reference, because who does not like Star Trek. But more importantly did you spot the trend in my passwords? A word, a number, and a special character. Hackers have been password guessing for years and are good at spotting these trends. Also, hackers use automated tools and dedicated computers to crack and guess passwords quickly. They also use exceptionally large dictionaries to help them improve their odds. So please change your passwords today! I will give you a fitting example from an assessment my team completed several weeks ago. They found an Excel spreadsheet named “Passwords.xlsx”. As you can imagine, they were overly excited, but unfortunately the author of the document took the extra step of password protecting it. So, after the initial excitement wore off my team downloaded a copy of the document to our password cracking rig. It is a computer with several computer graphics cards. Graphics cards are good and fast at calculating math. When you are cracking passwords, you are calculating mathematical hashing algorithms. Long story short, our rig using an exceptionally large dictionary cracked the password in 1 hour and 45 minutes. We opened the document to find numerous personal and business passwords. But that is not the best part. The password used to protect the Excel spreadsheet was also reused for the Windows “Domain Administrator” account password. A domain administrator is the equivalent of God in Windows centric networks and devices. My team struck gold. So here are two tips. First invest in a password manager, it will help you generate unique and strong passwords for all your online accounts and services. It will help you to never reuse the same password more than once. It will help you share passwords with others securely and make password management easy. Secondly, please use a phrase when generating passwords. For example; “My car is gold!” or “I really love Star Trek!” The spaces between each word make your password super strong, super hard to guess and more importantly super easy for you to remember. But did you notice that these passwords are long, at least 14 characters?

The next item on our list is the front door to your network, your primary business firewall. It's a critical device because all traffic coming from the public internet passes through your firewall before it reaches your computer and vice-versa. But how do you know if your firewall is any good? We know, and so do the hackers. They love it when your firewall has more holes than swiss cheese. But that is a conversation for the next issue.         

 

     

Tom is an experienced cybersecurity professional, penetration tester, and instructor with a proven track record of working with organizations across diverse sectors in Canada and the United States. His client portfolio spans law enforcement, municipal governments, public utilities, manufacturing firms, and legal services, showcasing his ability to meet the unique security needs of various industries.
IA-Actionstep-FinanceSIG-Nov7
IA-CNTower-HolidayLunch-Nov28
iCompli - Golden Ticket -Emerging Roles October 21 - 30 - leaderboard ad Leaderboard
November, 2024 | Article

Group Benefit Risk Management & Specialty Pharma

Jeff-Stinchcombe_1960x830
Stinchcombe, Jeffrey
Author Jeffrey Stinchcombe

In conversations with our TLOMA members (and others) about employee benefits, the concept of risk avoidance is always top three.  It’s true that rising drug costs are a major factor driving up benefit plan costs for employers. They can impact the overall financial sustainability of the plan, even affecting coverage for plan members. In 2023, specialty drugs accounted for 31.2% of drug cost and the number of claimants continues to increase (Telus Health 2024 Drug Data Trends & National Benchmarks report).

Traditional group benefit risk management techniques can leave firms exposed to high-cost drug claims. In fact, for the most part, Canadian firms have always been relegated to ‘1st payor’ when it comes to their employees’ drug costs.   How did that happen?   Is there an alternative to being 1st payor, without leaving employees stranded in their time of need?  What strategies should your firm consider to mitigate risk, lower your costs, continue to cover your employees and ensure cost stability over time?

Most TLOMA firms offer unlimited prescription medication coverage. Some will cover 80% of the claim, while most cover claims at 100%.   Best practice is also for the employer to cover the premium/claims (rather than have employees contribute to health and dental premiums on a monthly basis).  Typically -  built into your extended health care premiums is a risk insurance product that helps reduce exposure, called stop loss insurance; or high claims pooling. It is most often set at a per individual level and the threshold is usually $10,000 per person. This means the first $10,000 of a high-cost drug will have a direct impact on your claims renewal calculations and is the firms’ financial responsibility. The rest of the claim will move to large amount pool (LAP) and is covered by your insurer, whether you’re fully insured or ASO with Stop Loss. And the smaller the firm, the more impactful just one claim can have on renewal rates. it would be challenging to market the plan knowing insurers would be wary to take on that LAP burden.

To better understand this, consider auto insurance. If a claim is submitted, the deductible is first paid, then the insurance company covers the balance. At renewal time, it is likely rates will increase due to the cost absorbed by insurer. Similarly, in a benefits environment, rates will increase annually so long as that high-cost drug is claimed until the high claiming plan member resigns, retires, or passes away.

To avoid this undesirable condition, best practice encourages the following strategies.

1. Consider changing from Per Individual to Per Certificate.

Figure 1

       $10,000
per individual
Stop Loss
$10,000
per certificate
Stop Loss 
       $10,000  $10,000
         
    Approximate dependent
conversion per family 
 "Current"  "Certificate"
 Single 30     $300,000  $300,000
 Family  70  3.00  $2,100,000  $700,000
       $2,400,000  $1,000,000
         
    Total Potential
Liability 
 $2,400,000  $1,000,000

Figure 1 shows that when your stop loss or high claims pooling is “Per individual”, this means that every insured family member has their own stop loss limit. So a family of 5 would have a 5x $10,000 limit; or $50,000. By changing your stop loss wording to “Per certificate” every plan member has a maximum employer exposure of $10,000 (for example), thereby reducing total theoretical risk to the firm, while still providing unlimited coverage to your employees.

2. The newest Stop Loss: Formulary guard (FG),

Formulary Guard is a relatively new, but proven specialty drug management program designed to move your firm from 1st Payor by first looking at 3 potential payors.  The goal is to identify alternative funding sources before the company incurs the cost, including:

  • Spousal Plans
  • Drug manufacturer-sponsored programs (Patient Assistance Programs); or
  • Provincial health programs

 

If none of the above 3 options are available, the claim reverts to the firms’ plan (as it does now).

Formulary Guard then extends full plan member support in securing alternative funding for their medication. This approach manages the impact of rising drug costs, starting with a thorough analysis of a company’s drug claim history to assess exposure to high-cost drugs.

People Corporation’s Nadia Lubsey, Operations Manager – Health Solutions, recently provided the following insight about FG.

The process: “After the claims history analysis, we communicate to all stakeholders that educate them about the FG program. Then, plan member engages with specialist to investigate alternative funding sources. Our specialists support members through the entire process, assisting with the completion and submission of required forms, coordinating with the different funders, and managing referrals.”

 Since launching FG in June 2020, we have successfully secured alternative funding for over 200 cases resulting in over $7M in cost savings to our clients.”

The traditional per individual risk insurance is archaic, especially given the rising cost of drugs and its associated risk. By employing the above best practices;  1) moving stop loss to per certificate, coupled with 2) Adding the Formulary Guard – you can protect your firms’ risk and provide effective relief against current and future drug trends. And reducing high cost drug claims means more predictable and stable renewals and an alignment of interests between your finance team, HR and your employees.

Jamil Jamal & Jeffrey Stinchcombe are Partners at People Corporation, Canada’s largest employee benefits consulting firm. 

To find out more about better risk management for your law firm, contact them at TLOMA@Peoplecorporation.com.

Jeffrey Stinchcombe is a Partner at People Corporation serving the strategic benefit needs for TLOMA members.  He can be reached at TLOMA@peoplecorporation.com  or 416-508-5449.  www.peoplecorporation.com 

 
November, 2024 | Article

Danger in your inbox: Preventing phishing attacks in law offices

50d9810c-c6da-4f55-973d-1d31ed41b22e
TLOMA - Show Me The Money HalfPage
Witkowski, Nolan
Author Nolan Witkowski

Phishing is one of the most common and dangerous threats to companies that do business online. Law offices, which handle sensitive information and large financial transactions, are prime targets for these attacks, which involve email or SMS messages impersonating a trusted person or authority. These communications usually ask the user to input or verify important credentials, which are then used to access money and/or data.

The first known phishing email targeted AOL users during the 1990s. This attack, which asked email recipients to verify their account details, tricked victims into handing over credit card numbers, passwords, and other confidential information. Over 20 years later, the Canadian branch of global law firm Dentons fell prey to a sophisticated phishing scam that saw $2.5 million in client funds transferred to a fraudster in Hong Kong.

The Dentons phishing incident serves as a stark reminder of the danger that can lurk within an inbox. In this blog, we’ll reveal the mechanics of phishing attacks, why law firms are particularly at risk, and most importantly, how to prevent these attacks from succeeding.

What Makes Law Firms Attractive Targets?

Phishing attacks typically exploit human weaknesses, and law firms are attractive to hackers for several reasons:

  • Law offices manage confidential client data, including personal information, contracts, and financial details. This makes them a goldmine for hackers looking to sell or exploit this information.
  • Many cases involve high sums of money being transferred, often by email. Cyber criminals then send fraudulent payment instructions to misdirect funds.
  • Lawyers and administrators rely heavily on email to communicate both internally and with clients. This high level of trust in email communication increases the risk of phishing attempts going unnoticed.
  • Law professionals often deal with heavy workloads, making it easy for a phishing email to slip through the cracks, especially if it mimics the tone and urgency of a legitimate request.

 

Gone are the days when phishing attempts were riddled with grammatical errors and suspicious links. Today’s phishing emails are often carefully crafted to look like genuine communications, even mimicking the language and formatting used by clients or colleagues.

Types of Phishing Attacks

While traditional phishing emails are sent to multiple recipients, hoping that a few will take the bait, more sophisticated forms have emerged that target specific individuals or businesses. These include:

  • Spear Phishing: This attack focuses on a specific person or entity, often appearing as a trusted source. For instance, a managing partner might receive an email seemingly from a client, requesting immediate attention on a financial matter.
  • Business Email Compromise (BEC): In a BEC attack, cyber criminals infiltrate an organization’s email system, like in the Dentons case. Once inside, they monitor conversations and strike at critical moments, such as during the closing of a transaction.
  • Whaling: A subset of spear phishing, whaling targets high-level executives or senior lawyer, using the same techniques to impersonate familiar contacts and push for unauthorized actions.

How to Recognize Phishing Emails

Spotting phishing emails requires a keen eye and an understanding of what to look for. Though phishing tactics have improved, there are still common red flags that can alert you to a possible attack:

  • Unfamiliar Sender: If an email comes from a contact you don’t recognize or an email address that seems off by even a single character, be cautious.
  • Urgency: Phishing emails often press the recipient to act quickly, creating a sense of urgency that bypasses critical thinking.
  • Strange Links or Attachments: Hover over any link without clicking to see where it leads. If the URL doesn’t match the supposed sender, it’s likely a phishing attempt.
  • Suspicious Requests: Be wary of unexpected requests for money transfers or confidential information, especially if they come without prior communication or context.

Preventing Phishing Attacks in Your Law Firm

Knowing the risks is only half the battle - taking action to prevent phishing attacks is also critical Here are several steps law offices can implement to protect against these threats.

  • Employee Training: Lawyers and administrative staff alike must be trained to spot phishing emails. Regular cyber security training sessions can keep employees up to date on the latest phishing techniques.
  • Two-Factor Authentication (2FA): Using two-factor authentication (2FA) adds an additional layer of security. Even if a hacker manages to steal an employee’s password, they would still need access to a second form of identification, like a code sent to the user’s phone, to access the account. This makes it harder for cyber criminals to breach email systems.
  • Email Filtering Tools: Email security software that filters out suspicious emails before they reach employee inboxes can be a game changer. These tools can flag communications containing certain keywords or coming from unverified sources, minimizing the chances of a phishing attack landing in your inbox.
  • Verify Requests Through Another Medium: Never rely solely on email for sensitive requests, especially those involving money transfers. If a client or colleague asks for a payment or confidential information via email, confirm the request over the phone or in person. This extra step might seem tedious but could prevent a costly mistake.
  • Regular System Updates: Keeping software up to date is vital. Cyber criminals often exploit vulnerabilities in outdated software. By regularly updating your systems, you close off these vulnerabilities and make it harder for hackers to gain access.

Always Stay One Step Ahead

The Dentons phishing attack was a wake-up call for many law firms across Canada. Although cyber criminals have become more sophisticated over the years, staying vigilant and implementing preventative measures can prevent law offices from falling victim.

Remember - no firm is immune to the threat of phishing, but with proper awareness, training, and security measures, you can reduce the risks and keep your inbox - and your law office - safe from harm.

At Inderly, we provide Ontario law firms with tailored IT services to strengthen their cyber security and help deter phishing attacks through proactive measures like email filtering and staff training. For more information about how our services can transform your practice, head to our website for short informational videos

Nolan is an expert in IT for law firms. In 2024 he became CEO of IT support company Inderly, local to Hamilton and Toronto and serving law firms across Ontario.  

When not leading the Inderly team, Nolan can usually be found writing and shooting independent films, playing D&D, or enjoying Toronto’s best theatre productions and concerts. 

November, 2024 | Movers and Shakers
Iron Mountain - Thank you HalfPage
Movers and Shakers

New Members

Nicole Cristello Hearty

HR Manager

Cozen O'Connor

Tania Gort

Office Manager

MacDonald & Partners LLP

Helen Paciocco

Office Manager

de Vries Litigation LLP

Nour Salman

Office Manager

TM LLP

Careers Icon
Forums Icon
Resources and Education Icon
Sessions & Events Icon

Supporting Firms

  • logo_sokllp
  • logo_chaitons
  • member_torkin_manes
  • Deloitte Tax Law
  • logo_goodmans
  • logo_sotos
  • member_blg
  • logo_guberman
  • Piasetzki
  • dickinsonwright
  • Loopstra Nixon logo 140w greyscale
  • logo_keyser
  • Waddell Phillips
  • Reybroek140x60 resized
  • logo_shibley
  • logo_pmlaw
  • Haber Lawyers 14feb19
  • Levitt LLP Logo
  • Daoust_Vukovich
  • Cumming & Partners
  • Grosman, Gale 2nov17
  • Tupman + Bloom 3mar20
  • logo_oatley
  • logo_gardiner_roberts
  • Dentons
  • Dueck-Sauer-Jutzi-Noll
  • Cavalluzzo LLP_Logo
  • hummingbird
  • logo_Osler_hoskin
  • LLF_LAWYERS
  • fogler-rubinoff
  • logo_bennet_jones
  • Riches McKenzie 11oct17
  • MacDonald & Partners logo
  • logo_zuber
  • logo_smith_valeriote
  • Beard Winter Logo black white - New
  • Davies Howe
  • logo_barriston
  • rogers partners
  • logo_sullivan_festeryga
  • heuristica
  • logo_mcleish_orlando
  • Goldblatt
  • Henien Hutchison LLP
  • CLYDE + Co 2aug17
  • logo_harris-sheaffer
  • Kormans Logo
  • Chappell Partners Logo
  • Minken Employment Lawyers logo 14aug17
  • Mills + Mills
  • logo_macdonald_sager
  • Lenczner Slaght resized
  • logo_wildeboer
  • logo_lerners
  • logo_dale_and_lessmann
  • aviva_lawyers
  • logo_robins
  • MONTEITH RITSMA PHILLIPS PROFESSIONAL CORPORATION - greyscale
  • BakerMcKenzie
  • logo_giesbrecht
  • logo_goodmans
  • Giffen Lawyers
  • RossMcBride
  • logo_torys
  • Marks + Clerk 18may18
  • Rayman Beitchman LLP 2mar18
  • Laxton Glass
  • Matthews Dinsdale 1feb19
  • Stockwoods Logo
  • O'Sullivan
  • Simpson Wigle greyscale 26jul17
  • member_hicks_morley
  • logo_cassels
  • logo_bennet_jones
  • logo_kronis
  • logo_hull_hull
  • Fox Vanounou Porcelli 29aug19
  • logo_bereskin_parr
  • GMA Full Name Logo
  • logo_ridout
  • Blouin Dunn
  • logo_norton
  • logo_benson
  • WARDs Legal - grayscale
  • LeClair Logo
  • logo_willms_shier
  • Green + Spiegel logo 31jul17
  • logo_madorin
  • Nelligan 14aug17
  • balesBeall
  • Reves Richarz LLP
  • O'Connor MacLeod Hanna LLP
  • Koskie Minsky
  • logo_bernardi_llp_5405 (greyscale)
  • logo_dw
  • logo_hsh
  • logo_ricketts_harris
  • Rueters LLP 5mar18
  • member_minden_gross
  • McTague Logo
  • logo_sherrard
  • member_weirfoulds
  • Walker Head Lawyers 27sept19 - greyscale.
  • MillerThomson
  • dutton_brock
  • BlaneyMcMurtry
  • logo_dlapiper
  • logo_wilson_vukelich
  • Gillian Hnatiw 2
  • AUM Law Logo 22nov18
  • GWLG_GRAYSCALE
  • Harris Law Logo
  • logo_chappell_partners
  • Crawford Chondon & Partners LLP 24feb20
  • SparkLaw
  • HRG.logo
  • member_tgf

TLOMA Logo

© 2014 TLOMA. All Rights Reserved. 
Privacy Policy