When it comes to learning about cyber security, the first thing you notice is that there are a lot of threats out there. Sometimes the tools you use will be to blame. Other times (some might even say most times) it is down to human error. In other words, it’s you.
In fact, of the almost 200 law firm IT managers interviewed by the International Legal Technology Association (ILTA) for their annual law firm cyber security report, 61% said that it was human errors, such as clicking on bad links, which pose the greatest risk to firms.
Despite this, many law firms — especially small and medium organizations — don’t have any information security training program. That potentially leaves the door open for a negligent, or ill-informed, employee to do something that enables a cyber attack.
Cyber security training needn’t be complicated or expensive. Here are five quick ways you can educate your colleagues about cyber threats and how to mitigate the risk of them.
#1. Utilize online training resources
Lawyers and other legal professionals need to develop skills to protect their clients and themselves from cyber attack. That likely means spending a little time learning about what cyber threats exist, how to correctly spot them, and what to do if you think you’ve identified one.
This type of training needn’t be expensive. For example, the U.S. Small Business Administration — a government body — has produced a free, 30-minute online training session. Microsoft, too, has created a free training webinar suitable for all employees. Consider asking all of your staff to take a course such as this, as a minimum.
It’s worth designating one member of staff to take some more in-depth training and to be the cyber security lead at your firm. This person should receive more detailed, legal-specific training and generally act as the primary point of contact for cyber security questions. The ABA has a wealth of resources for its members, including an excellent handbook.
#2. Include every single person in your organization
Include everyone in your training requirement, including senior management. Too often firms focus their training only on junior employees. However, executives and managers are often the main targets, especially for spear phishing (highly targeted and specific fraudulent email).
Make no exceptions and publicly promote the participation of everyone in the firm, especially senior employees. Joanna Belbey, a tech advisor to law firms, says “Like anything else, to effect change in the organization, you need buy-in from the senior executives.”
It is recommended that businesses require employees to attend cyber security training and afterward sign a statement agreeing to follow the policies, with understood penalties for failing to adhere to them.
#3. Regularly talk about cyber security threats
It’s important to talk to everyone at your firm about cyber security regularly. Asking everyone to take a one-off training and then never mentioning the issue again won’t be sufficient, because employees will push it to the back of their minds. It isn’t enough to require an annual review and the signing of an “I have read and understood” document.
At regular intervals, e.g. in staff newsletters or at staff meetings, include a section that discusses cyber threats. Explain the potential impact a cyber incident might have on your firm’s operations and its reputation.
Consider discussing a particular type of risk (such as phishing emails, the use of unsecured networks, the downloading of unauthorized software, and so on) at each month’s meeting. The Norton Security Learning Center has details of the 11 most common threats to get you started.
#4. Tell your colleagues they should never rush to send sensitive information
Recently, some big companies and law firms have been targeted by spear phishing attacks — emails that appear to be from a known person asking for sensitive information, but are, in fact, fraudulent. Often, these emails will be sent to junior employees and made to appear as if they’re from the CEO or managing partner.
In addition to raising awareness of this risk, it’s best practice to instill a culture of caution when it comes to sharing sensitive information. Let all employees know that they should never rush into sending such data and should treat such requests with some skepticism. Some companies even ask that employees receiving such requests get a second opinion from a colleague before proceeding.
#5. Teach people to avoid risky behavior
Phishing emails are the most common, and the most effective, form of cyber attack. However, legal professionals who must travel regularly outside the office (to court, to see clients, etc.) are also exposed to other risky behavior. Given the potential abundance of sensitive material on a lawyer’s laptop, the following three risks are especially important to keep in mind.
First, make sure everyone is aware that public wifi networks (e.g. in coffee shops) are inherently insecure. Experts advise avoiding them. If you must use one, definitely don’t access any cloud-based services containing sensitive information or make any financial transactions.
Second, be very wary of plugging in a USB drive that you’re not completely sure is clean (generally, that means only ever using one you bought yourself or that was supplied by your IT department). It’s not uncommon for such drives to covertly install malware that could put you at risk.
Finally, teach people to be careful when browsing the internet. It’s best to have entirely separate devices for work matters and personal matters. If that’s not the case, be very careful what sites you access on your work computer. Avoid file sharing websites, strange looking shopping sites, and the more obviously unsavory websites.