Our friends at KnowBe4 put out an annual report that I just love. It’s called the Phishing by Industry Benchmarking Report and the 2021 version recently came out with big revelations for 19 different industries. Of course, I’m most curious to learn the answer to this question: How vulnerable are law firms to cyberattacks? The answer is: “more vulnerable than they should be.” Since October (just around the corner!) is Cybersecurity Awareness Month, I thought I’d share some of the report’s most important findings for law firms.

Key Takeaway from the Report: Educate Your Humans!

2020 gave cybercriminals renewed motivation to ramp up their nefarious efforts. Phishing incidents nearly doubled in frequency from 2019 to 2020, from 114,702 incidents in 2019, to 241,324 incidents in 2020, according to the U.S. Federal Bureau of Investigation (FBI). 

Now, let’s be clear: Firewalls do not stop phishing.

The idea that technology can prevent all cyber-related incidents has never been further from the truth because cybercriminals know the easiest way in is through your humans. Many organizations fall into the trap of trying to use technology as the only means of defending their networks. They ignore or dismiss the power of human awareness and intervention… at their own peril.

How Vulnerable are Law Firms to Phishing Attacks?

In order to understand this question: “How vulnerable are law firms to cyber attack?” you need to understand something called the “phish-prone percentage” (PPP). To calculate a PPP for each industry, KnowBe4 measured the number of employees who clicked a simulated phishing email link or opened an infected attachment during a testing campaign. Here are the results from the legal industry.

There were three phases of testing:

1. No security awareness training by firm size:
   1. 1-249 employees were 27.8% phish prone
   1. 250-999 were 28.8% phish prone
   1. 1000+ were 23.5% phish prone
2. 90 days of security awareness training by firm size:
   1. 1-249 employees were 15% phish prone
   1. 250-999 were 15% phish prone
   1. 1000+ were 12.2% phish prone
3. One year of security awareness training by firm size:
   1. 1-249 employees were 3.8% phish prone
   1. 250-999 were 5.3% phish prone
   1. 1000+ were 8.6% phish prone

In a nutshell, those firms with zero security awareness training could count on 23% to nearly 30% of their employees clicking on criminal links and attachments, exposing the firm to ransomware and other attacks. The firms with the best odds at fighting cybercrime were the ones that maintained a year of ongoing, consistent security awareness training for law firms.

Free Tool: Find Out How Vulnerable Your Law Firm is to Phishing Attacks

Would you like to find out what percentage of your employees are phish-prone? Savvy and KnowBe4 offer you a free tool that will give you the data you need.

Here’s how it works:

• Follow this link to run the test today or contact Savvy for a demo and more information.
• Immediately start your test for up to 100 users.
• Select from 20+ languages and customize the phishing test template based on your culture.
• Choose the landing page your users see after they click.
• Show users which red flags they missed.
• Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management.
• See how your organization compares to others in your industry

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Would you like to phish your firm and find out how vulnerable you really are? Click this link to run the test today or contact Savvy for a demo and more information.