Earlier this year, we wrote a substantial blog article on social engineering and how it is, arguably, responsible for the majority of cybersecurity incidents. That’s despite the fact that firms may have invested heavily in the latest computer equipment both at the office and remotely on their own private cloud.
Firms may encrypt every piece of data flowing between devices connected to their internal network and private cloud. They may even have introduced multi-factor authentication, and their practice or chambers may proudly display its Cyber Essentials certification on its website and its stationery.
However, it only takes one stressed, undertrained colleague under pressure, whose knowledge of cybersecurity may be neither deep nor current, to bring the whole house of cards down.
Legal firms should never underestimate the human factor and the vulnerabilities it presents to your organisation's overall cyber resilience. 60% of law firms reported a cyber breach last year, so there is no doubt that the human factor is a very current issue for the sector. But where do you begin to solve the problem?
In this article, the Sprout IT cyber resilience team discusses how your firm can reduce the threat posed to it by employees and contractors. We cover:
- why blame and recrimination are counterproductive
- the importance of devising an organisational cyber resilience training programme
- involving your staff in the creation of security policies
- changing internal communication systems
- rewarding successes
Why blame and recrimination are counterproductive
Social engineering is an ever-evolving threat whose main strength is its ability to use familiar cues to short-circuit our staff's decision-making processes.
The scams themselves are often expertly managed and executed by the criminals. This thoroughness means that millions of Britons, either in our capacities as consumers or representatives of our legal chambers, are caught out every year.
Although, as a leader within your organisation, you may temporarily feel a strong urge for retribution toward the colleague or colleagues whose mistake has put your firm at greater risk, you must resist acting on that urge.
The likelihood is that the person or people involved thought everything seemed right at the time they were hoodwinked into the course of action they took. Indeed, that was the perpetrator’s intention.
The people most likely to make mistakes within your practice or chambers are not cybersecurity experts. They are your solicitors, barristers, paralegals, clerks, conveyancers, and so on, who are trying to get through their workload in the best way they know how. Cybersecurity is not a personal priority for them.
Therefore, cybersecurity within any firm must be an integral part of corporate culture. Successes and failures in protecting your company against cyberattacks must belong to everyone in the business – the person who made the mistake, you as a leader, your IT team, and so on.
While you should certainly continue to invest in your technological defences, you will find that your practice or chambers will benefit from a significant return on your investment by both training your staff in cybersecurity and by instilling a cyber-secure culture.
The importance of devising an organisational cyber resilience training programme
First, it would be helpful to identify any weaknesses within your technology, specifically considering your security, patching levels, servers, hardware, software, internet connection, email, firewalls & network, password policy, backups, Wi-Fi, phones and anti-virus. We offer a full systems audit service which helps you uncover IT improvements, understand risk and improve efficiency.
Second, once your technology is as cyber resilient as possible, you should identify the particular vulnerabilities to which your practice or chambers may be exposed with specific reference to social engineering attacks.
Third, translate these findings into plain English so that your staff have the best possible chance of understanding what they should consider suspicious. In addition to training staff on what phishing emails look like, encourage them to put themselves in the mind of a cyber attacker and come up with their own phishing emails.
For staff more exposed to CEO fraud, invoice fraud, or supply chain disruption, set out a clear set of guidelines about the behaviour you will accept from suppliers and make it easy for staff to find the payment terms and bank details agreed with each individual supplier. Any request to change a supplier's bank details should be confirmed by phoning the supplier on the number already on file, never on a number quoted in the request itself. If a colleague is coming under what they consider to be undue pressure to make a payment, encourage them to report it as soon as possible to a colleague or a leader within the firm.
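One way to make the "agreed terms with each supplier" check routine rather than a matter of memory is to screen every payment request against the supplier register before anyone acts on it. The script below is an added example written for this article; it is not Sprout IT's code or a product they sell. The supplier, the bank details, the email domains and the two incoming requests are all constructed for illustration, and the field names (`Supplier`, `PaymentRequest`, `screen_request`) are the author's own assumptions about how such a register might be laid out. It flags the classic invoice-fraud tells: a sender domain that is almost but not quite the one on file, bank details that differ from the register, an amount or due date outside the agreed terms, and pressure language in the body.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    """What the firm agreed with a supplier at onboarding, held in the register."""
    name: str
    email_domain: str       # domain the supplier's invoices genuinely come from
    sort_code: str          # bank details agreed at onboarding
    account_number: str
    payment_days: int       # agreed payment terms, e.g. 30 days from invoice
    max_invoice_gbp: float  # ceiling agreed in the contract or purchase order


@dataclass(frozen=True)
class PaymentRequest:
    """An incoming invoice or change-of-details email as the accounts team sees it."""
    supplier_name: str
    sender_email: str
    sort_code: str
    account_number: str
    amount_gbp: float
    days_until_due: int
    body: str


# Phrases that typically appear when an attacker is applying time pressure.
PRESSURE_PHRASES = (
    "urgent", "immediately", "today", "final notice",
    "confidential", "do not discuss", "before close of business",
)


def screen_request(req: PaymentRequest, register: dict[str, Supplier]) -> list[str]:
    """Compare a payment request with the supplier's agreed terms.

    Returns the reasons to stop and verify out of band; an empty list means
    the request matches what is on file.
    """
    flags: list[str] = []
    supplier = register.get(req.supplier_name.casefold())
    if supplier is None:
        return ["supplier not in register: verify before any payment"]

    # Lookalike domains (.co instead of .co.uk, extra hyphen) fail this exact match.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].casefold()
    if sender_domain != supplier.email_domain.casefold():
        flags.append(f"sender domain '{sender_domain}' is not the '{supplier.email_domain}' on file")

    if (req.sort_code, req.account_number) != (supplier.sort_code, supplier.account_number):
        flags.append("bank details differ from the register: confirm by phone on the "
                     "number already on file, never one quoted in the email")

    if req.amount_gbp > supplier.max_invoice_gbp:
        flags.append(f"amount £{req.amount_gbp:,.2f} exceeds agreed ceiling "
                     f"£{supplier.max_invoice_gbp:,.2f}")

    if req.days_until_due < supplier.payment_days:
        flags.append(f"payment demanded in {req.days_until_due} days; agreed terms "
                     f"are {supplier.payment_days} days")

    body = req.body.casefold()
    hits = [p for p in PRESSURE_PHRASES if p in body]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    return flags


def build_register() -> dict[str, Supplier]:
    """Constructed sample register; the supplier and every detail are fictional."""
    s = Supplier(
        name="Brightwater Court Reporting Ltd",
        email_domain="brightwater-reporting.co.uk",
        sort_code="20-00-00",
        account_number="12345678",
        payment_days=30,
        max_invoice_gbp=5000.0,
    )
    return {s.name.casefold(): s}


def genuine_request() -> PaymentRequest:
    """Constructed invoice that matches the register on every point."""
    return PaymentRequest(
        supplier_name="Brightwater Court Reporting Ltd",
        sender_email="accounts@brightwater-reporting.co.uk",
        sort_code="20-00-00",
        account_number="12345678",
        amount_gbp=1840.00,
        days_until_due=30,
        body="Please find attached invoice 2231 for the April transcripts.",
    )


def suspicious_request() -> PaymentRequest:
    """Constructed change-of-details email: lookalike domain, new account, pressure."""
    return PaymentRequest(
        supplier_name="Brightwater Court Reporting Ltd",
        sender_email="accounts@brightwater-reporting.co",  # '.co', not '.co.uk'
        sort_code="04-00-04",
        account_number="87654321",
        amount_gbp=7950.00,
        days_until_due=1,
        body="URGENT: we have changed bank. Please settle today and keep this confidential.",
    )


if __name__ == "__main__":
    reg = build_register()
    for req in (genuine_request(), suspicious_request()):
        print(req.sender_email, "->", screen_request(req, reg) or ["ok: matches register"])
```

Run as a script, the genuine invoice produces no flags and the change-of-details email produces five, the first of which is the near-identical domain that a busy clerk would read past. The point of the check is not to replace judgement but to give the person under pressure a concrete, written reason to pause and pick up the phone.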
Involving your staff in the creation of security policies
In classroom training and in ongoing training thereafter, ask your staff to constantly think about the ways in which they might try themselves to circumvent the company’s cybersecurity policy if they were a cybercriminal. Are your colleagues able to identify weak points in any current process which may lead to a breach?
New threats emerge all the time – different ways to manipulate staff when cybercriminals are carrying out an attack which could cause financial and reputational damage to your practice or chambers. Your staff’s additional knowledge will mean that they’re able to spot potential attacks now whereas they weren’t before.
Encourage a culture where suspected cyberattacks should be reported immediately and involve the person who identified the threat in the creation of a new security protocol to handle the newly perceived threat.
Changing internal communication systems
The average office worker receives 121 business emails a day. Of those emails, only around 16% are opened when a colleague is at their desktop, so more than four in every five emails aren't even opened. Even if you personalise the subject line of your email, open rates only increase to around 19%.
There may be an argument for switching to an encrypted team messaging platform such as Slack (encrypted in transit and at rest, though not end to end) for internal communications and file transfers. As well as companies benefiting from an improved productivity rate of 32% when using the service, reliance on internal email reduces by nearly 50% and nearly 80% of team users report an improvement in team culture. Bear in mind that a messaging platform moves rather than removes the social engineering risk: a compromised account can carry the same fraudulent request over chat, so the verification habits described above apply there too.
Ongoing cybersecurity within any firm requires open channels of communication which are actually read by users, and the latest figures suggest that Slack encourages much more interaction and teamwork than using internal email.
A shared recognition of the threats that a cybersecurity breach presents to a firm, better-trained staff, and a stronger team culture will successfully address many of the current flaws within a legal firm's human firewall.
Rewarding successes
For every colleague who identifies a previously unknown threat and for every colleague whose actions prevent a cyberattack, their positive action should be rewarded and recognised. This positive approach to your colleagues' contributions will be far more productive for your firm's overall cyber resilience than any blame culture which may exist at the moment.
The human factor and protecting your firm’s cyber resilience
The damage done to your firm by a successful cyberattack is best measured by one metric: the damage to the perception of your firm in the eyes of your existing and potential clients.
The cost of lost opportunities to do business with clients because they are afraid that their data is not safe with you is hard to quantify. One thing is certain, though: the cost of reputational damage will dwarf any ICO fines you have to pay, any compensation from legal action brought against you, and any reputation management you employ to win back the narrative after the incident has passed.
In the age of GDPR and with the internet’s ability to spread bad news about businesses faster than ever before, please call Sprout IT today on 020 7036 8530 or email us to talk more about cyber security and the human factor for your solicitors’ practice or barristers’ chambers.