A Q&A with Sarah Sargent and Zach Willenbrink of Godfrey & Kahn
Involving a Breach Coach law firm is imperative for comprehensive cyber incident response preparation. However, contracting with a national firm is not the answer for every company.
In this interview, Sarah Sargent and Zach Willenbrink of Godfrey & Kahn describe their 2023 cybersecurity trends and predictions, as well as how their local proximity helps them to better serve regional clients in the Midwest. Godfrey & Kahn is a NetDiligence-authorized Breach Coach law firm.
From your perspective, what are the current cybersecurity trends or threats that organizations should look out for or be aware of?
The biggest 2023 cybersecurity trends involve attackers exploiting employee complacency. Or, perhaps the better word is “exhaustion.” As individuals continue to be inundated with phishing attacks, as attack methods continue to evolve, and as businesses keep increasing the number of directives about what to avoid, employees may be reaching a saturation point. The mind can take in only so much information before reverting to instinct.
For example, we have seen a number of incidents where employees have approved MFA sign-ins for threat actors. MFA is great, but all it takes is one wrong click on “approve” to reduce its efficacy to zero. It’s important to remember this type of thing when designing your IT cybersecurity controls. What will actually work for your employees?
Tell us a little bit about your practice. What is Godfrey & Kahn known for?
Godfrey & Kahn is a full-service business law firm based in Wisconsin. Traditionally, we’ve been a corporate-heavy firm—lots of M&A work and corporate counseling. Of course, you can’t do that work now without a strong privacy and security team. So, over the last several years, G&K has focused on building out that practice area.
Our client base tends to range from midsize to large businesses, with a strong presence in the Midwest. It includes publicly traded and global companies. We assist clients in all industries, including manufacturing, financial services, technology and software providers, and insurers.
Given our Midwest location, we offer very competitive rates, a client-first approach, and a better understanding of business dynamics in the Midwest. We, as a cybersecurity team, lean into this structure, which really benefits our breach work. The incident response environment is, of course, rate conscious. Our relatively low overhead means that we’re able to offer attractive rates. But that doesn’t come at the expense of service or expertise.
Before we ever started taking on breach-response matters from insurers, we were cutting our teeth developing security and IR programs with our sophisticated client base and serving as Breach Coach for many of them. Offering Breach Coach services to clients without an existing relationship to the firm, either through insurers or by direct engagement, came after that when our practice was already fully in swing. Since then, we are proud to be a go-to for clients who are based nearby and need a firm that’s going to understand their business and support them through a breach—some of the most difficult days their business will ever experience.
What are some of the benefits of hiring a regionally experienced law firm like yours when handling a data breach or cybersecurity matter?
There are a couple of very practical benefits that immediately come to mind. One is that when we work with our Midwestern clients, we’re in their time zone and just a drive away.
The time zone thing seems small, but it makes a difference. It means there’s one less variable to coordinate when frantically scheduling meetings in the first few days of an incident response. We’re generally better synced with our clients’ schedules, not having to account for the lunch hour happening an hour “early” (on the East Coast) or the day starting two hours “late” (out West).
Our physical proximity to clients can, if nothing else, give them a better sense of security. Suffering a cyber attack is often the worst day our clients experience in their business. It’s remarkably stressful, with minute-by-minute developments. Meanwhile, as a Breach Coach, we’re introducing them to whole teams of new people. It’s overwhelming and can feel like at any moment the wheels are about to come off. We’ve noticed that just knowing that we can jump in a car and be onsite in a few hours tends to calm our clients’ jangled nerves—even if they never have to ask us to do it. We’re like a security blanket.
Aside from that, there is often a sense of regionalism in the Midwest. We understand the culture of Midwest companies, including their concerns, risk tolerances, and pain points. Many Midwest-based businesses whose leaders and employees live here just feel more comfortable working with lawyers who live here, too. In the end, we’re probably handling incidents in practically the same way as attorneys located on the coasts. But, because we share a geography with the businesses we work with, there’s less of a sense of “this is just a big-city lawyer the insurer told me to work with.” It’s often subliminal, but I think we carry a bit more inherent credibility for businesses in our region.
What advice do you have for business owners and senior managers who want to update their cybersecurity strategy for cyber threats in 2023?
Don’t forget your supply chain—your vendors, contractors, and any other third parties you work with, plus anybody they’re working with.
More frequent outsourcing of tech and data functions means there are more vectors for a breach. Your data doesn’t need to be safe just with you. It needs to be safe with all the contracting partners who have a copy, too, and anyone they may be relying on.
As you’re contracting with your backup host or the manufacturer that’s using your trade-secret CAD drawings, remember to build in terms that require them to meet minimum security thresholds, tell you when a breach occurs, and perhaps let you audit their security on occasion.