55% of workers cannot recall ever receiving specific cybersecurity training that their company provided them with, according to research from Accenture reported in Computer Business Review.
This surprising statistic is set against a backdrop of a 19% annual rise in crime, taking the cost of cybercrime to UK plc up to £6.4m.
The same survey found that 70% of people who have received training felt that “it improved their ability to recognise and react to threats”.
Many business leaders believe that cybersecurity is about technology, firewalls, and encryption. They’re right, but you most certainly also need to make the same investment in your human defences. We’ve helped many solicitors’ practices and barristers’ chambers to become cybersecure in the past few years, and here’s why we pay just as much attention to your people as to our technical recommendations.
Staff see things that computers and artificial intelligence can’t see (yet)
Your firm is at the centre of a network of people – you, your staff, your clients, your suppliers, and more. Everybody in your network who’s not your employee will have a connection to one or more people in your firm.
Your staff will be used to the way that clients, suppliers, and colleagues at other firms address them. Everyone puts their own personal imprint into the way they communicate by email or by phone. And as human beings, we’re configured to sense when something is not right.
Take email, for example. In Mimecast’s Email Security Risk Assessment, 11 million out of 45 million emails were wrongly “passed” by company email security systems. It’s great that 34 million of them were stopped but 11 million is still a very high number. The fraudsters only need to be right once for you to suffer a significant data loss – you need to be right all the time.
And it’s your staff who are the key to this. Orlando Scott-Cowley, technology marketing director of Mimecast, in an op-ed piece for SC Magazine, correctly stated that “there's no single technology solution that will address today's most urgent security woes. Instead, companies must ensure that they're not just investing in technology, but also nurturing a security-conscious workplace culture – a ‘human firewall’.
“...A human firewall seeks to stop humans from being the weak point in organizational security, by upgrading users to think securely.”
Help your staff see things that they don’t see now
If you don’t “upgrade your human firewall”, you risk severely denting the effectiveness of any cybersecurity policy you implement, greatly reducing any return on the investment you make and additional value you derive.
CompTIA’s International Trends in Cybersecurity demonstrated that human error was behind 52% of data breaches in 2015. No-one ever thinks that they will personally be targeted, despite the rise of spear phishing and other scams using social engineering based upon the information we freely give away to the world on our LinkedIn and Facebook pages.
Cybercriminals see people as the weakest link in a business. “Most tend not to think bad things of other people, resulting in a ‘nothing will happen to me’ mindset”, says Stephen Burke, founder & CEO of Cyber Risk Aware, writing for InfoSecurity Magazine.
Three-step approach
To build yourself the most efficient, most vigilant human firewall possible, take these three steps.
1. Train them on what the threat is, the consequences of a successful attack, and how to spot an issue before it becomes a problem
Most of your staff would not willingly do anything to put their job or the future of the firm at risk. Most incidents will occur out of curiosity married to a lack of understanding, and, to paraphrase Stephen Burke, a feeling that this happens to other people.
Train staff about the different ways the firm and its clients can be injured by a cybersecurity breach. Show them the signs to look out for and what to do when something does not seem right. Give them examples of what happened at other legal firms which did not take the threat seriously enough to engage their staff to help.
2. Continuous training and engagement
Keep in touch regularly with staff about issues related to cybersecurity. You may wish to quiz staff from time to time on their knowledge, searching for any gaps individually or collectively that you can provide extra training on. If there has been news of a cybersecurity breach at another legal firm, be sure to let them know to demonstrate that the threat is real and ongoing.
3. Reward your staff
Everyone likes to be appreciated, so if a user stops an attack by identifying a phishing email or another scam, praise them and show them how much their vigilance is appreciated.
The legal sector IT specialists
We work with solicitors’ practices and barristers’ chambers to provide bespoke, high-quality IT support, cloud, and consultancy services for the legal industry. Send us an email here and we’ll be sure to get back to you.
Learn more about our cyber security course and other services we provide in our cyber resilience solution.