While a recent study by BitSight finds the legal industry ranked second best in cybersecurity, the key reality is that its rating would earn it a solid “D” in grade school … not a good grade! The industry may be ranked second best, but the competition is not very strong! Additionally, in spite of continued investments in cybersecurity defenses, its score dropped 2 points from the previous study. With legal firms viewed as high-value targets, it is imperative that they improve their cybersecurity rating.
By the nature of their business, legal firms often have critical information about multiple client companies – information dealing with employees, strategic business plans, financial data, mergers and acquisition plans, and pending lawsuits. Misuse of this data could be devastating to the client companies as well as the law firm itself. One recent headline cites a single hacker as successfully hacking two US law firms, while attempting to hit seven, and making $4 million from insider trading based on emails alone.
Some steps that have been recommended to improve cybersecurity in the legal industry have a common theme which we see across other industries as well. Training employees on “safe computing standards” is not enough. Training needs to move to the point of actually changing behavior, not just increasing awareness. Consider these recommendations, and think about your employees and your training methods.
- Keep Up with Regulators. Regulatory bodies across industry segments are not sitting still. They continue to raise the bar on cybersecurity requirements. Your staff needs to be kept informed, and your policies need to be updated. An annual refresher or update of security standards may leave your staff in the dark too long!
- Emergency Response Procedure Tests. Even if you have a plan documented for dealing with a cyber attack, is it regularly tested? It is estimated that only 70% of law firms have such plans, and of them, fewer than half actually execute fire drills. Don’t expect your employees to flawlessly execute a seldom-seen procedure under the high-pressure stress of a cyber attack! Practice!
- Phishing / Whaling Prevention. Studies by AT&T and Verizon both show that Phishing and Whaling (Phishing targeted at the C-Suite and other high-value targets) continue to be a significant problem. Modern training techniques can help here by using qualitative methods to drive behavior changes, not just raising awareness at a point in time like a traditional annual review might accomplish.
- Alert vs. Fatigue. A new reality known as cyber fatigue is beginning to emerge. People have seen so much of the same information over and over, and so much false information via social media, that we sometimes just yawn and ignore a warning. This can be devastating! You need to keep staff engaged and alert to cybersecurity issues without the fatigue by using training techniques that give them new skills, not just awareness.
An engaged and aware staff is the starting point. But it is not enough. We see over and over that an underlying key in the cybersecurity fight is people, and traditional training approaches are leaving gaps. Companies need to explore modern training techniques designed to provide measurable results and produce long-term behavior changes in employees. Your company either has been, or will be, targeted for attack. If you are fortunate enough to be in the “will be” column, take the necessary steps now to keep your data and your reputation safe.