What law firms need to know about cyber security
Despite the current wave of cyber attacks targeting businesses, governments, and individuals, there remains an alarming lack of awareness among employees of the risks they face, writes Mark Lukie.
The State of Cyber Resilience in Australia 2022 survey of Australian workers has found the majority do not understand the threats that can exist within emails and could unwittingly cause significant damage and losses to their organisation. The survey results are based on responses from more than 500 staff in Australian organisations of at least 50 employees.
The results are a wake-up call for partners and senior managers and show there is a pressing need for more cyber security awareness training. All staff need to understand the dangers that can be contained within emails and the steps that should be taken to minimise risks.
The need for training has been made even more acute with the shift to hybrid working patterns in the wake of the COVID-19 pandemic. When working from home, staff are no longer protected by corporate firewalls and other measures and are thus more susceptible to attacks.
Concerningly, more than half (51 per cent) of survey respondents admitted they had suffered a cyber security breach during the past 12 months, with a further 16 per cent saying this had occurred within the past year.
What lawyers need to know about phishing
Of the attacks that can be mounted via email, phishing remains the dominant type experienced by Australian legal firms. The increasing sophistication of cyber criminals means phishing emails can be very difficult to distinguish from legitimate messages.
Some entice users to click on links and divulge personal information. Others come with attachments containing malicious code. Once opened, this code can rapidly infect the user’s device and then spread to wider corporate systems.
Of the survey respondents who admitted to having clicked on a malicious link within an email, almost half (48 per cent) said they realised their mistake when they found themselves redirected to a suspicious website or service that requested details from them.
More encouragingly, 41 per cent said the link was flagged as malicious by their organisation’s IT systems, while a further 21 per cent said a red flag was raised by their web browser. Less than a quarter (20 per cent) said they became aware only after their device had become infected by malware or ransomware.
Future-proof your firm with improved user training
The survey highlights the need for law firms, when mapping out their staff training schedules for the coming year, to allocate more time and resources to cyber security awareness.
The survey found 92 per cent of employees believe cyber security is either very or extremely important; however, more than one in three (37 per cent) said they had not received training in any aspect of the topic.
Of those who had received training, 42 per cent said it had been focused on phishing attacks, while email security was nominated by 40 per cent of respondents. This was followed by malware (29 per cent) and ransomware (23 per cent).
Asked to reveal the number of hours they had spent in cyber security awareness training during the past year, 43 per cent admitted it had been either none at all or less than one hour. A further 32 per cent of respondents said they had received between one and three hours, with just 9 per cent receiving between four and five hours.
When it comes to sharing the results of cyber security awareness training with other staff, 43 per cent of those surveyed said this did occur. A further 34 per cent said this didn’t happen, while 23 per cent were unsure.
Experience shows that sharing results can be a good way to reinforce employee awareness and understanding of the scale of the security challenge everyone faces. It also reinforces the message that the organisation is taking the challenge seriously and is taking steps to raise overall security standards.
By increasing the focus on cyber security training, management teams can ensure their organisations are better placed to avoid potentially damaging attacks. The result will be greater awareness among staff and a more secure workplace.
Cyber security — an essential part of practice management for all law firm employees
Interestingly, the survey also revealed that senior managers are more likely to cause security issues than junior members of staff. This is because a higher proportion of managers admitted they circumvent security controls as part of their day-to-day activity.
When asked whether they use unauthorised third-party software or cloud services, more than half (52 per cent) of senior managers confirmed this was the case compared with an average of 44 per cent across all survey respondents.
The gap was even more stark when it came to carrying out computer system updates, where 63 per cent of senior managers admitted they had done this. This compared to 32 per cent of all respondents.
These results are particularly surprising given that the survey found 66 per cent of senior staff considered themselves “extremely” aware of the importance of cyber security, compared with the survey average of 53 per cent. It’s clear that more managers need to lead by example.
Clearly, the risk of legal firms falling victim to a cyber attack is going to remain very significant. Management teams therefore need to put in place all the elements required to achieve comprehensive protection.
Mark Lukie is the director of solution architects in the Asia-Pacific region for Barracuda.