We have often been there, casually checking e-mail, sipping on a hot cup of coffee or tea, and suddenly, a Nigerian Prince needs your help to finance his trip to the United States, which can only be achieved with your banking information. Or maybe John Smith, the “new IT guy,” calls and says he really needs your personal passwords to update your workstation. You could get an e-mail version of the same conversation, requesting your passwords or asking you to click the link, or informing you that there’s been a security threat and you need to verify with your information. All seemingly harmless and easy additions to the work day.
This is how viruses, hackers, and malicious programs easily infiltrate and destroy your computers and servers, violate privacy, and make for one big mess. We all know not to do these things. We all know not to click the link, provide our password, and give that helpless prince our personal or company information. We all raise our hands to say that we understand the importance of security and understand how detrimental viruses and system hacks can be. But do we really? Just how dangerous is clicking on that link? How important is best practice security training?
Think of it this way: if your laptop tells you that it is running low on battery, you don’t just sit there, thinking maybe, just maybe, the battery will last. You run as fast as you can to grab the charger. Your credit card bill is due, you pay it to avoid the late charge. If you leave your house, you lock the door so your home isn’t burgled. Why then, is the basic principle of security proactivity, training, so disregarded in the business world by those that have the most to lose?
Law firms, with their constant influx of sensitive material, stand to lose not only days or even weeks of productivity – which can result in thousands of dollars lost in time alone – but they also face the risk of losing their clients. Security auditing has become a popular, if not standard practice of clients before entrusting their sensitive data to the law firm. What happens then, if your firm has not taken proper action to protect itself against cyber-attacks? Loss of business is what happens.
Douglas Brush, the Director of the Information Security & Governance consulting practice at Kraft Kennedy, outlined the threats law firms face when it comes to technological security in a recent article in Peer to Peer magazine entitled “The Data Breaches are Coming”:
“In the past, when people thought about their computers and networks getting attacked, they often pictured characters from TV shows with dark sunglasses, wearing all black and boasting to their friends about their exploits. But in the modern threat landscape, attackers are typically motivated by financial or political concerns rather than by bragging rights. Attacks can come from inside or outside your walls, and you need to know the types of threats you will likely face.”
Brush spoke of the necessity of security training, which he believes is essential for proactive defense against cyber-attacks. The largest asset a firm has is the people it employs. Ironically, the largest threat to a firm, in terms of security, is also often those same people.
“People are going to click on things, and you can’t train a computer to make a judgement call in terms of whether or not it should open the link,” Brush said.
Hackers are now using psychological means that make getting their link clicked even easier. Social media platforms and sites are now almost a necessity in business. The downside is that hackers now have it easy when researching potential vulnerabilities. Social engineering – the practice that encompasses the Nigerian princes, shady email links, and Joe Smith calling for you password –is strengthened by the presence of personal information on the web. Social engineering is the terrifying technique in which hackers utilize information found on social media sites, such as education, friends, where you do your baking, etc., and pretend to be a trusted source. They do this in order to install malware, or malicious software, into your systems and networks. Brush speaks to the importance of understanding fully which personal details are placed on the Internet about a firm and its employees so the firm can understand what might be used against it.
Brush preaches the idea of “thinking before clicking.” If something about a link seems off, it probably is. It might seem futile to spend time instructing employees these simple practices that we all say we already know. While it may seem like a waste of money, Brush emphasizes the utility of proactivity , as opposed to reactivity. The vast majority of end users, in reality, don’t realize that simply clicking a link from what seems like a credible source, could be devastating technologically and economically to our companies. Law firms in particular, where partners charge an hourly rate, face not only the cleanup costs after a virus has taken over or a breach is found in the system, but also the cost of lost billable hours due to that cleanup process.
Security training is important not only because it provides firms with defense systems and instruction on how to handle an attack, but also implements offensive techniques firms can use to educate their employees, so that when a hacker tries to be tricky, that person will think before they click. Brush and the Information & Security Governance team at Kraft Kennedy offer security training, lasting no longer than 45 minutes, that is useful when it comes to teaching and instructing best security practices, rather than reacting when the entire system comes down. In this training, Brush speaks to the importance of defining policy when it comes to use of websites, Cloud software, and e-mail that is permissible while in the office.
“You can’t get mad at someone who didn’t know,” Brush said. “Each person needs to know the different risks. You can’t eliminate risk, you can only reduce it to a manageable level.”
Why are we willing to forgo security for the sake of dollars and cents? Instead of assuming we “know” what best security practices are, why don’t we take the proper initiative and learn how to think before we click, learn what the threats are and what they look like? Law firms, and any other business, better themselves by taking the proper steps to gain knowledge about security and its threats, and lose only when they choose to remain blissfully ignorant.