One of the most overlooked aspects of cybersecurity is training for law firm employees.
The post Law Firm Cybersecurity Awareness: Training for Employees Has Never Been More Critical appeared first on Articles, Tips and Tech for Law Firms and Lawyers.

Employees are a factor in more than 80% of successful cyberattacks. That means it’s critical to implement law firm cybersecurity awareness training for your employees.

With the continuing rise in cybersecurity attacks, it is more critical than ever to implement effective risk mitigation strategies to enhance your firm’s security posture and protect confidential data — and that is impossible to do without educating your employees. Employees are a factor in more than 80% of successful cyberattacks. Yet still, one of the most overlooked aspects of law firm cybersecurity is training for employees.

What Is Cybersecurity Awareness Training?

What’s involved in cybersecurity training? A typical one-hour presentation covers several areas. It includes recommendations for safe-computing behavior; education on spam, phishing and targeted malware attacks; and information on what users can do to protect themselves and their law firm as well as abide by their ethical duties. Training should always incorporate good stories along the way to make the lessons stick, too.

Employee training is especially important considering the dangers that lurk in today’s remote and hybrid work environments. It may even be required by your law firm’s cyberinsurance carrier.

Who Should Do the Training?

Certainly not law firm owners, even if they think they know something about cybersecurity. The biggest hammer is a consulting firm that clearly knows the issues and strategies it’s talking about and can easily answer questions. They will bring immediate credibility because of their credentials.

If you are an Am Law 200 firm, you are likely going to hire one of the big guns with a hefty price tag. But if you are a smaller firm, there are plenty of smaller companies that do cybersecurity training. You want a company that has a specialty in training — including samples of current, real-world phishing emails and tests to give your employees to demonstrate they are aware of security risks. (Is an employee who repeatedly fails such tests really an employee you want handling sensitive data?)

Online training has been a choice for law firms since COVID-19. The good news there is that remote cybersecurity awareness training is less expensive. As an example, our training is $500 for a one-hour session. For something so valuable to your law firm, that’s an easy pill to swallow. The clear downside is that those who view the training remotely might not pay full attention. Some firms make it mandatory to be physically present in a firm conference room, which alleviates that problem.

As for how often to conduct training, cyberinsurance companies now ask if you provide annual cybersecurity training for employees.

More on What and When

Make sure your trainers can discuss and demonstrate sample phishing emails and tests. Another essential message of training: If an employee knows that another employee engages in nonsecure computer behavior, they should inform a supervisor. “See something? Say something” is the mantra!

Time of day? Training is best done in the morning when folks are most alert. Spring for breakfast, and keep the coffee coming. Cybersecurity can be mind-numbing if not done right.

And absolutely make the training mandatory. Take attendance.

“Don’t Be Mad at Your Employer!”

Employees dislike many aspects of information security. A good trainer will have your back and explain to employees exactly why your security policies are needed and why they must be enforced. They’ll talk about how the firm may protect its data through application whitelisting, logging of certain events, and installing software or hardware that “reports” when certain files (or a certain number of files) are accessed.

Explaining the importance of strong passwords is also a must. Training, though, needs to convey that what constitutes strong passwords is changing. The National Institute of Standards and Technology has finally recommended that we change our notion of “strong passwords.” (And trust us, you are in for a big change by the start of 2025.) The rules keep changing, don’t they? But that, too, is why you train on a regular basis.

And trainers need to preach the value of encrypted password managers — darn near a necessity if you are going to follow the cardinal rule of not reusing passwords everywhere, which often leads to one breach compromising your security in many places rather than just one.

Social Engineering

People who are experts at penetrating businesses through social engineering say it generally takes them less than an hour to get into your network. As humans, we are so anxious to be helpful. Your employees need to know that Microsoft Tech Support will never call and ask for access to their machine (yes, we’ve seen lawyers duped). They also need to understand that someone who calls and says they are from your IT company and need log-in credentials to fix a problem may not really be from your IT company, even if they know the company name.

Phishing

As we said before, phishing is the easiest way to get into law firms. Even good defensive software doesn’t catch everything — and there are plenty of zero-day exploits (that is, exploits for flaws not yet patched, so there is no known defense) sold on the Dark Web every day.

The worst threat comes from targeted phishing attacks, where the hackers are specifically targeting your law firm. Law firms are at a disadvantage here because so much legal data is public. An attacker may know what cases you are involved with, who the attorneys are, which courts cases are in and more. And they can spoof the email address of an attorney or a court — how many lawyers can resist opening something that appears to come from a court?

Law firms are also at a disadvantage because they are “honeypots” — they hold the data of so many clients. Hackers may do a little research on the firm’s website or on an attorney’s LinkedIn page, where they find personal information that they can insert into a targeted phishing email or text.

Trainers will get them to PAUSE, THINK, INSPECT and REPORT before clicking on any suspicious attachments or links in an email or text.

There are obvious phishing clues to pass on to employees:

You don’t know the sender.
You do know the sender, but if you look closely, the address is one letter off (this one happens a lot).
Nothing in the note seems personal to you.
You weren’t expecting the email.
Reference is made to a bank/product/service you don’t use.
Words are misspelled.
The grammar is poor.
The email/text doesn’t address you by name.
The message asks for personal information.
There is an attachment that seems suspicious in conjunction with other factors or a link to a website (and no, hovering over the link doesn’t necessarily ensure you will go to the address shown — drive-by malware infections from visiting malicious sites are quite common).
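The checklist above can be turned into a small triage script. What follows is an added example, not code from the article or from Sensei Enterprises; it assumes a constructed list of trusted domains (examplefirm.com, examplecourt.gov) and constructed sample messages, and it flags four of the clues listed: a sender domain that is unknown or one letter off a trusted one, no greeting by name, a request for credentials, and a link whose visible text names a different site than its href.

```python
import re

# Constructed for this example: domains the firm knows it corresponds with.
TRUSTED_DOMAINS = {"examplefirm.com", "examplecourt.gov"}
HREF_RE = re.compile(r'<a\s[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"^(?:https?://)?([^/:\s]+)")
CREDENTIAL_RE = re.compile(r"\b(password|ssn|social security|account number|log-?in)\b", re.I)

def one_letter_off(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substituted, inserted or deleted character."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    if len(longer) - len(shorter) != 1:
        return False
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))

def domain_of(addr_or_url: str) -> str:
    """Domain part of an email address, a URL or a bare hostname (lowercased)."""
    s = addr_or_url.strip().lower().rstrip(">")
    if "@" in s:
        return s.rsplit("@", 1)[1]
    m = DOMAIN_RE.match(s)
    return m.group(1) if m else s

def phishing_clues(msg: dict, recipient_name: str) -> list:
    """Return the clues from the checklist above that this message trips."""
    clues, sender, body = [], domain_of(msg["from"]), msg["body"]
    if sender not in TRUSTED_DOMAINS:
        if any(one_letter_off(sender, d) for d in TRUSTED_DOMAINS):
            clues.append(f"sender domain {sender} is one letter off a trusted domain")
        else:
            clues.append(f"unknown sender domain {sender}")
    if recipient_name.lower() not in body.lower():
        clues.append("message does not address you by name")
    if CREDENTIAL_RE.search(body):
        clues.append("message asks for personal information or credentials")
    for m in HREF_RE.finditer(body):  # link text that shows one site but points elsewhere
        shown, actual = domain_of(m.group("text")), domain_of(m.group("href"))
        if "." in shown and shown != actual:
            clues.append(f"link text shows {shown} but points to {actual}")
    return clues

# Constructed sample messages, not real email.
SUSPICIOUS = {"from": "Clerk of Court <notices@examplecourts.gov>",
              "body": 'Review the filing at <a href="http://examplecourt-gov.example.net/x">'
                      'https://examplecourt.gov/filing</a> and confirm your log-in.'}
BENIGN = {"from": "notices@examplecourt.gov",
          "body": 'Dear Sharon, the hearing moved to 10 a.m.; see '
                  '<a href="https://examplecourt.gov/cal">examplecourt.gov/cal</a>.'}
```

Running phishing_clues(SUSPICIOUS, "Sharon") reports all four clues, while the benign court notice reports none; a hit is a prompt to pause and report, not proof of phishing.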

These days, trainers must talk about artificial intelligence and how good it is at making phishing emails that succeed, in part because there are no misspellings or grammar mistakes. As though we needed another challenge!

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.

John W. Simek is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm.

Michael C. Maschke is the chief executive officer at Sensei Enterprises. He is an EnCase Certified Examiner (EnCE), a Certified Computer Examiner (CCE #744), an AccessData Certified Examiner (ACE), and a CISSP as well as a CEH. He is a frequent speaker on IT, cybersecurity and digital forensics and he has co-authored 14 books published by the ABA.
