5 tactics for Australian law firms to repel cyber criminals
Law firms are entrusted with extremely sensitive information and often transact large amounts of money on behalf of clients. That makes them a prime target for cyber attack. Stolen data can be used to embarrass clients, create false identities and steal funds, writes Michael McKinnon.

While technology can be helpful for detecting and combating online criminals, a well-trained workforce that is aware of the risks and can recognise threats is a crucial line of defence.
A cyber security-aware workforce can protect you and your clients. Here are five tips to help create a great security awareness program.
1. Support people under pressure
There are moments when staff are under extreme pressure. There may be a looming deadline, court appearance or an urgent client matter.
At those moments, staff can miss the telltale signs of a phishing or ransomware attack, giving criminals an opportunity to pounce. These are the times when extra support and stronger controls around critical data are most important. Having monitoring systems in place to track when confidential data is accessed, copied and shared will help support teams when they are under pressure.
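The monitoring the paragraph above recommends can be as simple as watching a file-access audit trail for bursts of copying or sharing of confidential documents. The following is an added illustration, not code from the article or from Pure Security: it parses constructed audit-log lines (the line format, field names and sample users are assumptions) and raises an alert when one user copies or shares a threshold number of confidential files inside a short window, the pattern a support team would want to see while a deadline is looming.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system).
# The "ts user= action= path= class=" layout is an assumption for this example.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z user=jsmith action=read path=/matters/ACME/brief.docx class=confidential
2024-05-02T09:15:10Z user=jsmith action=copy path=/matters/ACME/contract.docx class=confidential
2024-05-02T09:15:42Z user=jsmith action=copy path=/matters/ACME/annex-a.pdf class=confidential
2024-05-02T09:16:05Z user=jsmith action=share path=/matters/ACME/annex-b.pdf class=confidential
2024-05-02T09:16:30Z user=jsmith action=copy path=/matters/ACME/witness-list.xlsx class=confidential
2024-05-02T09:40:00Z user=akhan action=read path=/matters/BETA/notes.docx class=internal
2024-05-02T10:05:00Z user=akhan action=copy path=/matters/BETA/memo.docx class=confidential
2024-05-02T11:05:00Z user=akhan action=copy path=/matters/BETA/memo-v2.docx class=confidential
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) class=(?P<cls>\S+)$"
)

# Actions that move data out of its normal location; "read" alone is not counted.
EXFIL_ACTIONS = {"copy", "share"}


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bulk_handling(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who copies/shares >= threshold confidential
    files within any sliding window of the given length."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, path) inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["cls"] != "confidential" or ev["action"] not in EXFIL_ACTIONS:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "count": len(q),
                "first": q[0][0],
                "last": ev["ts"],
                "paths": [p for _, p in q],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_handling(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['count']} confidential files copied/shared "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {', '.join(a['paths'])}")
```

Run against the sample, jsmith's four copy/share actions in under two minutes produce a single alert, while akhan's two copies an hour apart stay below the threshold. The threshold and window are the tuning knobs: set them from what a normal matter workflow looks like at your firm so the alert is a prompt to check in with a colleague, not a constant source of noise.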
2. Target training to your risks
Law firms can fall prey to attacks that use email to steal usernames and passwords or infect systems with ransomware.
Some thieves may try to steal files and data from servers or online file shares. Or there may even be attempts to fool people with financial authority to pay fake invoices or transfer funds to fake client accounts.
Your security training should pay attention to the risks most likely to occur, rather than being a general overview that lacks specificity to your unique circumstances.
3. Make doing the right thing easy
Instead of hunting for the staff who “always” click the suspicious link or open the risky attachment, make it easy for everyone to report potential threats and risks.
Create an incentive scheme for employees and make it easy to report potential problems before they escalate. Adding a button to email software can make it easy to send a potentially risky email to your security team for assessment.
If someone reports a potential incident that saves the company from downtime, data loss or embarrassment, make sure they are rewarded.
4. Security training doesn’t have to be boring
With so many people working from home you can make security training a family activity where partners and children can be engaged.
Using social media as your case study, instead of reeling off the usual “passwords are important” speech, show people how to create strong passwords, use password managers and turn on multi-factor authentication to secure their personal information. Then link that to why doing the same things at work matters. Interesting education that makes the lessons personal is more likely to be meaningful.
5. Make security commonplace
Most security teams focus on threat mitigation and management. But the most successful security teams have changed from threat managers telling people how everything they do is a risk, to trusted advisers that help people find safer ways to do their work.
Look for opportunities to answer questions and provide advice. As well as formal processes like training, informal “water-cooler discussions” and “lunch and learn” sessions are important.
Law firms will know whether their security awareness training is successful by checking that users are using strong passwords, that downtime is reduced, and that support teams aren’t responding to as many security incidents.
With the legal profession facing a complex threat landscape, the right training and staff support can ensure your defences are strong and you can mitigate issues before they become costly problems or full-scale attacks that might compromise your clients’ security and your company’s reputation.
Michael McKinnon is chief information officer at Pure Security.