Protecting My Firm Against Phishing
When it comes to cyber security, everyone in the firm needs to be onboard. It’s not a responsibility that falls to one person or one department.
Prevention is sometimes better than cure, and ensuring that you have taken precautions to deter and prevent cyber criminals from infiltrating your systems, will help to keep you, your employees and clients safe.
Often referred to as the ‘Golden Triangle’, it encompasses people, processes and technology. If all three of these aspects are implemented properly, it makes it extremely difficult for cyber criminals to infiltrate your cyber infrastructure.
How can I implement the ‘Golden Triangle’?
Educating and training everyone in your firm, and embedding a positive cyber culture can take time. But once its embedded and regular training schedules are set up and implemented, everything can start to grow naturally.
Education and training
Offering cyber security training to new starters who join your firm, can be something that is easily added to your induction process. Teaching new employees about the importance of password hygiene, including creating strong complex passwords, and your policies on using portable devices both inside and outside the office will help keep reduce the risk of cyber crime to your firm. However, this training could be refreshed on older staff members and could be revisited every 12 months.
With regards to phishing emails in particular, educating employees both old and new on how to spot the signs of a phishing email, and encouraging them to report anything they deem suspicious to the relevant person in the firm.
Highlighting things such as:
- Spelling mistakes
- Grammatical errors
- Odd financial requests
- Checking the email address of the sender. Cyber criminals can copy the domain of an organisation, but not a 100% likeness. There will be small changes in the email, which at first glance may be difficult to spot, but upon further inspection may highlight a cyber criminal’s attempt
Positive cyber culture
This always takes time to grow. However, it’s imperative for people to feel confident to report cyber security issues to the correct person or department. People are only human, and mistakes can be made, after all working in a busy law firm, can mean emails are fired off fast paced, sometimes with little thought.
There has to be some clear guidelines that everyone is made aware of. Just because there is a positive ‘no blame’ culture, there can be repercussions, dependent on the severity of the cyber attack.
This is where the initial cost may be a barrier for firms. Implementing technology adds an extra layer of protection, which can work hand in hand with the training and education you give to your employees.
What technology can my firm implement?
DMARC is a protocol recommended by the National Cyber Security Centre and prevents cyber criminals from spoofing a firm’s email addresses and imitating a member of staff.
According to the Solicitors Regulation Authority (SRA), email modification fraud was responsible for 72% of all cyber crime reports they received last year.
There are organisations out there which can help law firms implement DMARC services, quickly and cost effectively. The money invested in this piece of technology, can have large savings both in the terms of financial and reputational damage further down the line.
Processes can tie the technology and people aspects of the triangle together.
Creating blanket policies which explain the procedures of reporting a suspected phishing attack or other cyber crime, and what other checks can be made to ensure cyber criminals are kept firmly in the cold.
Having these three aspects entrenched in your firm, will help to build a positive cyber culture. This can then be embraced by the whole organisation, from the most senior to the most junior colleague.
In 2019, businesses faced a cyber attack every 60 seconds. Various companies have submitted Freedom of Information (FoI) requests to various organisations regarding cyber attacks, which have revealed that companies are bombarded with phishing emails on a regular basis.
Often thousands of emails are sent over a period of time. If not acted upon, these emails are essentially harmless. But the one time someone follows the instructions in the email, or clicks on the link the criminals are in.
They often lay dormant, conducting reconnaissance work on your firm, cloning domain names, gathering information, all of which can be used to fraudulently obtain money at some point down the line.
Some of the steps outlined above, cost next to nothing, whereas others have a cost, which on paper it may be hard to justify. Especially if there are competing priorities all jostling for the same pot of money. However, as cyber security starts to garner support within the firm, it’s a priority that soon stands out before the rest.
In the ‘Cyber Security Breaches Survey in 2019 – UK Businesses and Charity Findings’ report, it was revealed that 78% of businesses now rate cyber security as a high priority. Although this statistic doesn’t solely focus on law firms – which we know are slightly further behind with regards to their cyber security – it demonstrates that more and more people are starting to ‘wake up’ and acknowledge the cyber threat.
So as the industrial pioneer, Henry Ford, said: “don’t find fault, find a remedy”, failing to prepare for a cyber attack is preparing to fail.