Not a day goes by without another cyber breach or phishing attack hitting the news. Recently we’ve seen breaches impact corporations, individuals and UK law firms:
- £11 million of client money was stolen due to cyber crime in 2016-17
- The amount stolen from law firms through phishing in the first quarter of 2017 was 300% higher than the previous year
- The Solicitors Regulation Authority publicised 110 phishing scams against law firms in 2018, while noting that “there are likely to be many more that go unreported”
As the number of cyber-attacks within the legal sector increases, so does the potential negative impact on every one of us.
If we are to reduce the frequency and volume of cyber breaches and the impact they have, then we’re going to need to do more to tackle the human aspect of cyber security.
The causes of these incidents may all be different; however, analysis shows that human actions are overwhelmingly at the heart of the vulnerabilities, and that attackers are actively seeking to exploit our human weaknesses to compromise target systems. Often this is through an employee being tricked using social engineering. For example, up to 91% of cyber-attacks begin with a phishing or spear phishing email. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.
The act of phishing is to try and elicit a response from a person or group of people via mediums such as:
- Text (also known as ‘smishing’)
- Phone calls / voicemails (also known as ‘vishing’)
- Social media, or
- A combination of some or all of the above.
The reason why this form of attack is so successful is because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try and influence others either consciously or unconsciously.
Some examples of the techniques include:
- An urgent request for client information or significant funds
- Instruction from someone in authority, such as a Partner
- Appealing to your compassion
If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request.
Susceptible as we may be to our emotional responses, all is not lost. We are adept at assessing and understanding potential threats or risks. However, how people perceive threats can be subjective based on their personal circumstances and the relevancy of a threat to them. If we don’t appreciate the likelihood of a threat happening, then we’re less likely to tailor our behaviour.
This is one of the challenges for tackling threats such as phishing: we don’t see a simple everyday task such as opening and responding to emails as being a threat.
To address this, there needs to be a greater understanding of what the threat is, how it could affect us or the firm, how we can help to stop it, and most importantly, to feel like we have an active part to play. It’s this feeling of responsibility, i.e. an emotional response, that is the key to staff being an active part of your cyber defences rather than a part of the vulnerability.
Once you have that basic principle instilled, how do you ensure you have the right awareness programme in place to effect real changes to your staff’s behaviours? There are some basic principles that can be used to help in this regard.
- Whatever learning you provide needs to be measurable so you can identify what works and what doesn’t. Be willing to take on feedback from your staff and change your approach accordingly.
- This is also where ethical phishing campaigns, if tailored to suit your firm and carried out correctly, can have a huge benefit.
- By sending staff an initial ethical phishing email to attain a baseline at the outset, you can then follow up regularly with both ‘all staff’ campaigns and campaigns aimed at specific teams (spear phishing) or individuals (whaling) based on the risks you face. This will provide you with insights into how well your training is performing.
Regular and concise
- Delivering a 1 hour session once a year won’t have a positive impact or change behaviours for the better. The awareness learning content should be delivered in short modules of ideally 1-2 minutes but less than 10 minutes.
- Small nuggets of information that people can consume frequently without it affecting their productivity, while still allowing them to retain the key messages.
Adaptive, personalised and appropriate
- The content should use understandable language and be relevant to the audience. Staff won’t engage in the learning if they don’t understand the concept or the scenarios it’s portraying and if it isn’t relevant to them or their role.
- The learning should be tailored based on staff role, knowledge and skill levels. Consider short quizzes prior to assigning learning content for staff to complete. This will enable you and the staff to see if they already have the requisite knowledge in one area and allow them to focus their learning on areas in which they are less proficient.
Utilise different learning formats
- Different people learn in different ways and at different speeds. This needs to be allowed for with different content types and delivery methods to provide accelerated learning.
- Consider content such as videos, animations, games, simulations blended with traditional e-learning.
- Blend electronic learning with physical delivery mediums and communications such as lunch and learns, posters and other rich graphical content identifying the highest risks and threats. Specific breakout sessions with guest speakers work well too. The subject areas here can cover non-corporate areas of focus such as securing your Facebook profile or guidance around online shopping. By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.
Try to make it engaging, competitive and enjoyable
- This is where the real behaviour changes can happen because if people enjoy something, they’re much more likely to remember it.
- Consider using incentives and rewards. This can be anything from utilising point systems and leader boards to encourage competition, to providing a sense of achievement or status. Recognition via benefits can be used too, such as small pay awards for those with the budget, although non-financial incentives such as additional annual leave or specific mentions on their annual appraisals can work just as well.
A good approach is to start out in a single risk area such as phishing, which is currently the most significant threat to law firms, and grow it over time to include other areas such as password security, social media, information handling and other relevant subjects.
Ultimately, your staff can be one of your strongest defences against cyber-attacks; however, for you to make the most of this potential, your staff will need to:
- Feel it’s their responsibility to understand the threats and protect the firm
- Feel confident they’ve had the necessary training to know what to look for in a potential attack
- Be vigilant in spotting attempted attacks
- Be diligent in reporting anything suspicious.
Technology and perimeter controls will always be the first line of defence and are incredibly valuable in protecting your organisation but there will be times when the attackers get through. Then your staff are your last line of defence. Only once you have a cyber aware workforce with security culture embedded within your organisation, can you be confident in your ability to be resilient to the cyber threats you face.
BLOCKPHISH provides law firms with the ability to improve their resilience against phishing attacks. We deliver simulated phishing emails and awareness learning to your staff, specifically tailored to emulate real-world cyber threats. BLOCKPHISH aims to improve recognition and understanding of these threats, and reduce the possibility that a phishing email will compromise your security or lead to a sophisticated cyber-attack.
We provide a vast and broad cyber consulting capability to ensure your firm receives the guidance and expertise it requires to strengthen its defences against cyber-attacks.
- Support the creation and realisation of an appropriate cyber strategy, from managed Security Operations Centres (SOCs) to the delivery of managed ethical phishing campaigns.
- We will help you to understand the cyber risks your firm faces and identify, establish and operate a robust and pragmatic governance and management system to address those risks.
- Assess your people, process and technology solutions and deliver a remediation and improvement plan to mitigate any vulnerabilities.
- Provide first responder capability in the event of a cyber incident to stem the impact of an attack, restore services or data quickly and prevent repeat occurrences.
- Embed cyber aware behaviours within your firm’s culture to reduce your vulnerability to cyber-attacks.
- Deliver cyber simulations and incident and crisis simulations for key staff to ensure your firm is best prepared to respond effectively in the event of a cyber breach.
- Provide training and professional development for your security professionals.
- Assess and support you in your journey to comply with the EU’s General Data Protection Regulation (GDPR) and ensure you avoid the high penalties (4% of global revenues) for non-compliance.
- Our certified consultants deliver assessment services including Cyber Security Risk Assessment, Cyber Security Strategy & Architecture, Cyber Essentials, PCI DSS, ISO27001, UK DPA and other internationally recognised standards.