Nearly all successful cyber breaches have one thing in common – people taking an action that jeopardizes the security of the organization. The most successful exploit in a cybercriminal’s toolkit is manipulating untrained and unaware people into giving them sensitive information or access that is then used to carry out harmful attacks such as ransomware or data theft.
Cybercriminals are continuously testing a variety of scams every day to trick people into taking harmful actions. These scams are sophisticated and not always easy to spot, especially for someone who doesn’t know what to be on the lookout for.
Long gone are the days that a generous Nigerian prince is the biggest scam risk. The threat landscape has evolved and members of your firm need continuing cybersecurity education to play an active role in your firm’s security stance.
A security awareness training program helps protect your firm and its members by helping them avoid falling victim to current phishing campaigns, social engineering techniques and tactics, and other threats.
Technology Cannot Protect Everything – Your Employees Are A Line of Defense
Even the most sophisticated cybersecurity software can’t prevent every threat. Lawyers and staff members at a law firm handle sensitive information and communications daily – a security tool won’t stop them from willingly handing over that information if they choose. Cybercriminals know this, and they know that it is much easier to exploit a person to get that information or access than it is to exploit a machine.
Attempts to manipulate people into taking a potentially harmful action or handing over confidential information are considered social engineering. We’re exposed to these frequently, often unknowingly, in our personal and professional lives.
Not Everyone is a Nigerian Prince – These Scams are Designed
No doubt you have encountered social engineering attempts in the past. Some are so obvious that they elicit the thought “well, this is clearly a scam.” Hopefully you have a similar thought when presented with a lucrative foreign money exchange offer – as long as you act quickly!
What many people don’t realize is that those scams are designed to be obvious to most people. If you and I really thought we had the potential to receive free money, we’d vet that opportunity thoroughly before handing over bank information. This design filters us out because we’re too time-consuming and won’t follow through, leaving only the most vulnerable population to fall victim.
The scams that we encounter are designed to target us. They’re well thought out, tested and refined, and target our weaknesses as professionals within an organization.
If I believe the managing partner is demanding I do something, I’ll probably do it. If I believe opposing counsel emailed me a file, I’ll probably open it. If I believe my colleague sent me a link, I’ll probably click on it. If I don’t have proper training to be able to distinguish truthful sources from imposters, I’m a risk to my law firm.
Social Engineering: Phishing and Other Tactics
The best way to protect your law firm against social engineering and other attacks is to educate your members on cybersecurity best practices, how to recognize the signs that someone is attempting to manipulate them, and show them what it looks like through continuous training.
The most common tactic cybercriminals use to steal information and breach an organization is phishing. Phishing targets a person or group through emails, phone calls, or text messages that lure them into handing over sensitive information. The cybercriminal poses as a representative of a trusted or reputable organization and requests personally identifiable information, bank details, login credentials, or that you take some action.
Sometimes the scam is designed to directly collect sensitive information. Other times it is designed to get the victim to click on a link, download a file, or open an attachment that includes malicious code that infects the victim’s device. The scams usually involve a sense of urgency with the scammer impersonating someone of authority or relation.
There are many types of phishing attempts to be on the lookout for, and each type is rapidly evolving with the cybersecurity landscape.
- Email Phishing. The email has been spoofed to appear to come from a reputable source and includes malicious links or attachments.
- Spear Phishing. This is a more targeted approach of email phishing, where the email includes information unique to the recipient to make it appear more trustworthy.
- CEO Fraud. These phishing attempts impersonate a CEO or a leader within the organization through email and make a request or demand to the recipient to take an action.
- Vishing. Vishing, or “voice phishing”, comes in the form of a phone call. These typically create a false sense of urgency to get the victim to act without much consideration.
- Smishing. Smishing, or “SMS phishing,” arrives by text message with the goal of getting the victim to click on a malicious link.
- Other, more specific variants of phishing.
Security Awareness Training is Essential
Members of your law firm play an active role in your cybersecurity posture – as a defender or as a risk. They are the ones being exposed to threats, and they have the capability to bypass many cybersecurity technologies through their actions. Security Awareness Training helps mold the people in your firm into a strong line of defense against inevitable and continuous threats.
Cybersecurity training is not a one-time event that is taught during onboarding. Even if a person could retain the amount of knowledge needed to defend themselves, social engineering and other types of threats are constantly evolving. People learn best during real-life scenarios, not during a passive lesson.
An effective cybersecurity training program includes the following:
- Simulated attempts at social engineering through email and other methods that mimic an actual attempt. Results are compiled to track the readiness of the firm as a whole.
- A policy on what a person should do in the event of a cybersecurity incident.
- Continuous education of firm members on the signs and red flags to be aware of.
- Examples of current cybercriminal tactics so members will know what to look for and how to identify them.
- Testing to determine what users have learned from the training and ways that it can be improved.
As a cloud hosting platform for law firms, we are entrusted to create a productive and safe environment for law firms and every one of their members. We strongly advocate for the implementation of cybersecurity training and awareness programs because of their high impact on the security posture of law firms. Reach out today to learn more about how to educate and train your firm to defend against the current cybersecurity threat landscape.