No one can deny that cyberattacks are the new norm. Such risks will increasingly challenge our ability to operate our businesses. In the world of cybercrime, everyone — from individuals to nation-states — is a target. However, some targets are more alluring than others.
Legal, accounting and other professional firms are increasingly targeted by cybercriminals and hackers who are intent on accessing the vast stores of data with which they are entrusted. Indeed, hackers focus a greater percentage of their attacks on the financial services and health care industries than other areas because of the large amounts of data they hold. But attacks are not limited to such firms. According to an Osterman Research Survey Report from August 2016, nearly 80% of businesses were attacked in some way in the past year; 39% with ransomware.
As an industry, legal professionals are the trusted advisers to large and small companies and often have access to closely held secrets, intellectual property, personally identifiable information (PII) and other data relating to the private lives of others. This savory (and sometimes unsavory) information is attractive to cybercriminals. Information is a valuable asset and may be sold for astonishing financial sums (and, sometimes, astonishingly small sums — the average ransom is below $1,000 according to the same Osterman study).
Theft of information is a very significant concern for law firms of any size. They are held to strict standards and have a duty to protect the confidentiality of clients and client information. If a business has employees, technology containing sensitive information and connections to the Internet, it needs to protect the business, its clients, its employees and — one of its most valuable assets — its electronically stored information.
A law firm can have the best network engineers and technology support and the best and most securely configured security devices, but an unaware, unsuspecting and unwitting employee can provide access to a cybercriminal that allows that interloper to subvert all established security controls. Training and awareness are essential.
Law firms must be diligent about their information security — not just via protection through technology, but by training staff on what to look for and how to react to cybersecurity threats. Most security breaches arise out of human error or negligence. Educating users is one of the best defenses.
Sophisticated Attacks Vs. Educated Employees
The scenario of someone clicking on an infected link is all too common. Most people may think, “I’m too smart to click on a link that looks fake,” or “I would never fall for that email trick.” That may be true; you might not click on the link. But ask yourself whether the same can be said for every single person in your firm or company.
Will every single employee have your common sense when faced with the decision of whether to believe an email? Are they armed with the understanding that they are a target? Do they know what to do after receiving a phishing email? Are they prepared to handle a phone call from somebody asking for information? Cybercriminals are getting increasingly sophisticated in their attacks, designing fake emails so they appear to be from Facebook, LinkedIn, the U.S. Postal Service and other reputable organizations. Cybercriminals use phone calls to impersonate technical support, the Internal Revenue Service (IRS), Microsoft employees and other trusted outsiders. For instance, one must beware when “Internal Revenue Service” pops up on caller ID: hackers now spoof the caller ID shown on mobile phones so that they can more effectively impersonate IRS agents when attempting to obtain PII.
Because of all the pressures we have in both our personal and professional lives — looming deadlines and countless distractions — employees only give themselves a split second to decide whether to click on a link or an attachment in the email, and can find it difficult to be on constant alert. But they are the key to a security-aware culture. They have to be empowered and educated to take a moment and look at emails through an “information security lens.”
Sending the Message from Senior Management
An effective cybersecurity training and awareness program begins with management involvement. If employees don’t see the top partners in the room, they won’t take managing information seriously. If the training doesn’t come from senior management with all employees from all levels involved, employees most likely won’t change behaviors. Furthermore, enlisting the help of information security experts, engaging the technical folks as part of the training and gathering all employees at all levels go far to ensure a security-aware culture.
Social Engineering and Phishing
One of the easiest and quickest protections a business can put in place is to provide companywide awareness education to all employees.
Humans are the weakest link. It takes only a single click by one employee to download malware. Phishing emails, messages designed and crafted to trick unaware employees, are the number one way cybercriminals gain access to information. Most of these breaches and attacks are preventable with an ongoing, robust training and awareness program.
Developing a Cybersecurity Training Program
A good security program should convey management’s understanding that information has value to cybercriminals — just as it does for the firm. Employees must understand that businesses are under attack, what the consequences are, and that everyone’s commitment is imperative.
We’ve found that real-life stories, evidence and supporting facts are the most effective way to get employees to understand the threats and to “feel it in their gut” when identifying cybersecurity threats. When employees put themselves in the stories during training and realize “this can actually happen to me and our [company],” the impact is profound.
The IT department can provide information to employees about the number of “hits” they see regularly on a firewall, for example. Seeing a real phishing email targeted at a specific employee or colleague makes an impact. All of this evidence shows employees that the firm is actively under attack.
The most important takeaway for employees is that it is everybody’s responsibility to protect information, not just that of the IT department. All employees should adopt good security habits and behaviors.
Law firms should engage information security experts who regularly take the pulse on cybercrime and the latest trends. And employees must be empowered to ask questions and verify information, phone calls and emails, and to “not click on the link.”
Michael Kemps is the founder and president of Innovative Computing Systems, Inc. Kimberly Pease, CISSP, is co-founder and vice president of Citadel Information Group, Inc.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.