Over the past 25 years our company has seen cyber threats evolve in a nasty way.
Last year a startling 4,000 ransomware attacks occurred every day. One out of every 131 emails sent was malicious. Businesses with fewer than 1,000 employees now have a 90% likelihood of a breach costing them over $216,000.
Needless to say, firms are more concerned than ever, and are constantly on the lookout for ways to best protect their sensitive client data from being compromised. One of the key ways to do this is to implement a Security Awareness Training for your attorneys and staff.
In fact, this is becoming the norm in the legal space: according to the 2016 ILTA survey, 62% of firms have a formal security education program in place.
Why do Security Awareness Training programs matter, and how can you implement a successful one? We’ll walk you through it below.
Why do Security Awareness Training programs matter?
In today’s cybersecurity climate, the unfortunate fact is that technical controls are not enough to keep you protected.
Centralized anti-virus, and up-to-date firewall, proper patching, robust spam filtering, and other such preventative measures are critical when it comes to protecting your network, but they won’t keep your well-intentioned Firm Administrator from, say, emailing all of your W-2 forms to a criminal who is pretending to be your Managing Partner.
As we’ve said many times before, your people are your weakest link when it comes to security. It follows that, in order to properly bolster your defenses, you need to factor firm-wide education into your efforts. In fact, proper training can reduce your risk of cyberattack by 45% to 70%.
This training can be accomplished by way of a Security Awareness Training program.
How to craft a successful Security Awareness Training program for your firm
There are three core elements to a successful program:
- All-Hands Training (Yearly). Gather your team together for an hour-long session that walks them through the kinds of threats that are out there, how these threats present themselves, how to avoid them, and what to do in the event of a successful attack.
- Security Tips (Monthly). To make sure you stay up-to-date with the latest trends, and to make sure security information stays top-of-mind for your attorneys and staff, send out 1 or 2 helpful tips to your whole firm each month.
- Threat Simulations (Intermittently). To reinforce this information and to track how well the training is working, use a tool like KnowBe4’s phishing simulator to send fake scams to your team, see how they respond, and enroll them in additional training activities if they fall for it.
On top of this, make sure your leadership is on board and willing to push the initiative forward – your firm will need to embrace and encourage this program at all levels if you want it to work.
What other security measures should you take?
Even if you implement the best training program on the planet, it’s important to keep in mind that this is only one piece of your firm’s overall cybersecurity governance. Other key elements are:
- Risk Assessment. The only way to uncover your vulnerabilities is to perform regular risk assessments. The frequency of these assessments should be commensurate with your risk profile. (So, if you are subject to compliance regulations or are otherwise “high risk,” you’ll need to perform these assessments more often.)
- Risk Prioritization and Remediation. Once you’ve identified where you are weak, you need to fortify those areas. Determine which risks you are comfortable assuming, which you need to address, and when you need to address them. Then, get to work!
- Policy Creation. To make sure your entire firm is on the same page, create policy documents that spell out your stance on things like mobile device usage, employee separation, and how to respond to a security incident.
Final thought
If this all feels like too much to handle on your own, don’t worry – there are lots of companies out there who can help get your attorneys and staff up to speed and keep your training program on track.
Check with your IT team to see what elements they can handle (if any), and who they recommend you engage with for whatever is left over.
Happy training!