The Importance of Raising Awareness of Cyber Risks Within Law Firms
In our latest blog, we explain the importance of raising the profile of cyber threats within legal organisations, and how this can be best achieved through a clear and concise awareness roadmap.
The need for effective team working is nothing new, but in the domain of cyber security, this is now becoming increasingly essential. Why? Because only when staff work closely together will companies, including law firms (which are especially vulnerable) be able to get a grip and take control of the daily threat of serious cyber breaches. This article will focus specifically on the importance of raising the profile of cyber threats within legal organisations, and how this can be best achieved through a clear and concise awareness roadmap.
Cyber-attacks on law firms are on the rise
In May 2019, it was reported that magic circle global law firm, Linklaters, had been targeted by cyber criminals three times in just four months. In these cases, fraudsters, using ‘phishing’ tactics, sent emails to employees using email addresses which looked very similar to @linklaters.com, requesting that bank account details be updated for the transfer of funds. The fraudsters posed as Linklaters’ project managers and used sophisticated social engineering to avoid raising suspicion. In response to the matter, Linklaters states, “We wish to inform the public that Linklaters LLP has no involvement with these emails. Members of the public are advised not to respond to any request to provide personal or confidential information in these scam emails.”
Unfortunately, this method of impersonation of legitimate organisations is all too easy to replicate, and increasingly lucrative, hence it is likely this will continue to be a mainstay method of cybercriminals for many years to come. A corporate example of this would be the British Airways data breach facilitated by poor cyber security. This data breach was the result of traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers and as a consequence British Airways is facing a record breaking £183m GDPR fine. It is for this reason that effective cyber security awareness within firms is so vital.
Step 1: Establish a cyber security task force
Before embarking on a programme of cybercrime awareness, it is essential to create the necessary people structures within your law firm whose role it will be to coordinate all cyber security efforts. Depending on the size of your firm, these don’t necessarily need to be dedicated full-time to cyber security, but they do need to have the time and capacity to fulfil this role fully and effectively. It is recommended that a clear structure be created with role definitions, scope, a dedicated budget, and a clear set of objectives. This role should also be written into the employment contract of the staff involved.
Step 2: Understand your cyber risk landscape
Empower your cyber task force them with the resources and knowledge to understand the threats, weaknesses, vulnerabilities, processes, and procedures which need to be communicated to the whole organisation.
If you don’t have in-house technical cyber security skills, consider contracting external expertise with the capability of auditing your law firm, including undertaking mapping of your vulnerabilities, and recommendation of best practices to ensure your overall cyber security.
Step 3: Consider everyone who needs to be aware of cyber risks
Once you understand how staff can play a role in ensuring the cyber security of your firm, including ensuring ongoing vigilance and response, you will be in a position to create a cyber risk awareness programme. Depending on the scale of your operation, you may need to coordinate efforts across regions, countries and legal departments. It is also important to consider how to include contractors, temporary staff, part-time workers, remote staff, third-party partners, and also clients. A programme which creates a unified culture of cyber risk awareness is essential, and this, therefore, cannot omit anyone whose actions may inadvertently lead to a catastrophic cyber breach.
Step 4: Create a rolling programme of training for all staff
Starting from the staff induction, cyber risk awareness training should be provided and refreshed periodically for all members of staff. The training should be tailored to the role of each person rather than providing a generic set of content. This is highly beneficial as it will help narrow the training needed and, therefore, improve the chances of knowledge retention. Consideration should also be given to how training is provided in different languages, for differing learning styles, and for individuals who may have specific impairments.
Training should be mandatory and, as such, it will be necessary to provide your HR and management teams with the resources and systems needed to monitor the completion and ongoing training needs of all staff.
In our experience, cyber risk training should be provided little and often, as opposed to in large quantities with large gaps between learning opportunities.
Step 5: Other methods of improving cyber risk awareness
While training is essential to raising awareness and reinforcing best practice for cyber security, other methods can be considered to further push home the message of the need for constant vigilance. Make sure that team leaders, partners, and other managers are continuously asking about and reminding their teams about the risks, processes, and procedures involved in cyber security. Place reminder notices around the workplace, including on screensavers. Task your cyber security team with spending time with all members of staff on a rolling basis to gauge their awareness, undertake compliance audits, answer any questions, and handle any issues which arise. By constantly reinforcing best practice and the need for vigilance, cyber risk awareness will become embedded and second nature.
Final words
When setting up the necessary structures within your firm to ensure cyber risk awareness, it is also important to ensure staff are engaged and truly behind the initiative. This requires that line managers and senior management show real enthusiasm and lead by example. Show staff the realities of cyber breaches and the impact this can have on their firm and their clients. And by establishing a robust reputation for being cyber secure, clients will gain confidence that their matters will be in the safest possible hands.
Lineal is a global leader in cyber security. To find out more on how Lineal Cyber can assist you with your Cyber needs, please call us on +44 (0)20 7940 4799 or email info@lineal.com.