By now, every law firm in the country is scrambling to figure out how to protect itself from cyberattacks. The scariest part of the recent headlines is that these ransomware attacks and other cyber disasters didn’t start with direct hits on the firms’ firewalls, but through simple email phishing scams. Unwitting law firm employees see an email that looks like it’s from the firm’s managing partner and they click. Wham-o!
The solution to this high-tech problem is stunningly low-tech: awareness training.
In the article below, I outline the steps you can take to arm your firm for victory on the cyber battlefield.
Share a Recent Hacking Attempt
Start by sharing a recent hacking attempt at your firm or one of the recent headlines from another firm. (I have a ton if you need leads.) Ideally, you’d share an attempt on your firm because that brings it very close to home. (Also, it will make your IT department look like war heroes. People are completely mystified by this cyber war and how it works. Turn your geeks into the firm’s bad-asses!)
Explain to everyone that the biggest sieve in every firm is the email in-box. Some of the most epic cyberattacks broke through because some unwitting attorney or staff member clicked on a fake pizza coupon, unleashing disaster. (It sort of reminds me of the trailer from that recent Tom Cruise movie, The Mummy. “You have no idea what you’ve unleashed!”) The goal in sharing these stories is to help everyone in your firm to better understand that this isn’t something that happens to “other firms.” These attempts happen all the time even at your firm!
Create a Team Mentality
Once people understand that their firm is under attack, they are much more likely to take their role in its protection more seriously. You need to create an us-versus-them mentality at the firm and help people to understand that their vigilance is critical. In fact, this entire endeavor is not as much about the firm’s security as it is about client security. Ask everyone to imagine one of their most important clients; then ask them to imagine all of that client’s sensitive documents exposed to the world. You’re much more likely to have their attention and passion in the trenches of this battle.
Train Everyone to Be Vigilant
OK, now that everyone is ready for battle, sleeves rolled up, camo paint smeared on faces, it’s time to train them in tactical warfare. Specifically, they need to know how to recognize phishing attempts in their email boxes. For this, you probably need a security awareness training partner.
Ta Da! I happen to know one… Savvy Training & Consulting!
Savvy offers the KnowBe4 security awareness training protocol. In a nutshell, this training system helps you to take all of the steps I outline in this article plus it provides you with a powerful email simulator tool. The simulator enables you to create compelling, fake emails, push them out to your firm, track the people who are vulnerable, and educate everyone to be more astute when they click!
Here’s how it works:
- Upload your users to the system
- Launch a baseline phishing test using any number of templates
- Using the results from that phishing test, launch targeted trainings to help your employees be more discerning clickers
- Every month, send out another phishing campaign
- Track improvements down to individual users over time
This system is updated continuously with new phishing templates that you can use to phish your law firm, learning who is vulnerable to scams and who needs training.
Open Lines of Instant Communication
Presumably, once you educate people to recognize phishing attacks, they’re going to catch some perps in action. You need to establish direct reporting mechanisms that allow your warriors to share their discoveries quickly with the IT command center. Make sure everyone knows how to immediately alert the proper internal folks to scams that land in their in-box.
Share Success Stories
As people become more invested in this battle, they’ll be much more excited about the successes that you experience. Therefore, share stories of staff and attorneys who recognize cyberattack attempts and resist the temptation to click. It will not only help people to stay alert (you don’t want people to become apathetic), but it will help to maintain the team mentality.
If you’d like to see how one firm rolled out the KnowBe4 protocol, read here.
I can even provide you with a free KnowBe4 tool that will help you to determine how secure your firm is.
If you’re concerned about your click-happy law firm employees, give me a shout! Doug@SavvyTraining.com, 303-800-5408