Prepare and Beware
Why your law firm employees need security training.
By Sharon D. Nelson and John W. Simek
Sadly, your greatest asset—your employees—is also the greatest threat to your cybersecurity. We know this because we regularly see data breaches and ransomware infections caused by click-happy staffers. You also have rogue employees determined to use their own devices and go where they want on the internet, irrespective of firm policies.
Let’s look at a few statistics. A 2015 Computing Technology Industry Association online survey of 1,200 full-time employees found that 45 percent of the respondents had never had any cybersecurity training from employers, 63 percent used work mobile devices for personal activities, and 94 percent used mobile business devices to connect to public Wi-Fi networks. That same year, an Association of Corporate Counsel survey of over 1,000 general counsels found that only one-in-three tracked attendance at mandatory cybersecurity training, only 19 percent gave a test, and only 17 percent had “simulated security events.” That needs to change.
Who should run the
The best option is a third-party consulting firm that clearly knows what it’s talking about and can answer a fusillade of questions, which generally comes fast and furious during training sessions. If you are an Am Law 200 firm, you are likely going to hire one of the big guns with a hefty price tag. If you are a smaller office, there are likewise plenty of smaller companies that do cybersecurity training. You want one that offers specialized training with sample phishing emails, which is the No. 1 way law firms are breached, and tests to give your employees to demonstrate they are aware of security risks.
It sounds silly, but make training fun. Encourage interactivity—make sure you ask the outside company how it trains. You want to hear about sample phishing emails, post-training testing, and on-the-fly interactive exercises in spotting the telltale signs of phishing emails.
Best time of day? The morning, when folks are most alert. Spring for breakfast and keep the coffee coming. Cybersecurity can be mind-numbing if not done right. Make it mandatory. And make sure employees know that roll will be called. You should train at least annually. Threats, and the defenses against them, change. Both technology and security policies change. You should assess these developments and your security policies on a regular basis to stay ahead of the curve.
Trainers should explain to your employees why your security policies are needed and why they must be enforced. They should talk about the dangers of employees using their own devices, networks, and clouds and explain why such things may be forbidden or tightly managed. A good training session will include the importance of strong and long passwords, encouraging the use of two-factor authentication where available, and will preach the value of encrypted password managers—close to a necessity if you are going to follow the cardinal rule of not reusing passwords everywhere, which often leads to one breach compromising your security.
Trainers should be talking about physical security too—not leaving files in stacks on desks, being aware of strangers in the office, etc.
Every training session should include encryption. Not the math, which employees don’t need to understand, but the critical need to use it for protecting confidential data. They should learn about encryption on all of their devices and emails. There was a time when the process was costly and cumbersome, but those days are long gone. More and more ethicists are stating that lawyers should use encryption “where appropriate,” which is pretty much anywhere data that ethically must be protected exists.
People who are experts at penetrating businesses through social engineering say it generally takes them less than an hour to get into networks. Your employees need to know that Microsoft technical support will never call and ask for access to their machine. They also need to understand that someone who calls and says they are from your information technology support company and need login credentials to fix a problem may not really be from your IT company, even if they know the company name.
Phishing is the easiest way into law firms. The worst threat comes from targeted phishing attacks in which the hackers are specifically focusing on a law firm. You’re at a disadvantage here—so much legal data is public. A hacker may know what cases you are involved with, who the attorneys are, which courts cases are in, etc., and they can spoof the email address of an attorney or a court.
If employees end up with malware, they may not know it. But some possible signs include sudden slowness of devices, strange messages appearing on the screen, the inability to open a file, machine crashes, running out of hard drive space, a high volume of machine activity, suddenly having a new browser home page or toolbar the employee didn’t install, or new programs appearing that start automatically.
Ransomware is an international epidemic—click on a link in the email or an attachment and the malware is downloaded invisibly irrespective of what you see on the screen. Then it encrypts the firm’s data, file by file. If the backup is connected to the network at the time, it will encrypt that too. Employees really need to understand how dangerous ransomware can be, how prevalent it is, how the ransom to get your data back is getting more and more expensive—and that you are out of business until you slog through trying to figure out how to get sufficient funds in bitcoin, the currency hackers generally want as payment. Then there is a delay after receiving the decryption key in restoring the files—assuming you do in fact get one.
Clearly, there is a wealth of threats that employees need training on—more than can be addressed in a single article. But hopefully, you now have a sense of how critical it is that you train your law firm employees on cybersecurity.
SHARON D. NELSON and JOHN W. SIMEK are the president and vice president of Sensei Enterprises Inc., a legal technology, information security, and digital forensics firm based in Fairfax, Virginia.