Data security is very much in the news at present – if only because of the focus that has been brought to bear upon it by the General Data Protection Regulation and by recent high-profile malware and ransomware attacks such as WannaCry and Petya.
Inevitably the advice from the cybersecurity sector is to put in place firewalls and software solutions to prevent attacks from taking place. Whilst there can be no doubt that hardware and software solutions must form an important part of any firm’s cybersecurity plan – and not having something of that sort in place is the IT equivalent of leaving your front door open when you go out – they are not the only answer. A substantial number of security incidents are in fact caused by people – either partners and staff who have not been made aware of what to look out for, or who simply do not think about the consequences of their actions, or disenchanted employees and former staff who simply want to cause as much trouble as they can.
It is essential, therefore, that all firms approach cybersecurity from two directions – not just from the technology direction but equally as importantly from the staff training and awareness direction.
Nowhere is this more the case than in relation to phishing attacks.
Phishing attacks have become one of the main methods by which cybercriminals gain access to data about individuals and organisations, and the sensitivity of much of the data held by solicitors has made them a prime target. Just as the number of attacks has grown, so too has the sophistication of the methods used by the attackers, and it is, unfortunately, becoming increasingly easy for those in the workplace to be fooled by ever more convincing attempts to gain information. It is estimated that over 90% of data breaches start with a phishing attack. A phishing attack may take the form of a fraudulent email message designed to impersonate a legitimate person or organisation and trick the recipient into downloading harmful attachments, or of a fraudulent message designed to persuade users to divulge sensitive information, such as passwords, bank account numbers and credit card details. The more reliant we become on electronic communication in all its many forms, the more vulnerable we become to phishing attacks. With email an essential part of everyday communications for most firms, it is likely to be the most common method through which cybercriminals will attempt to gain access to sensitive information.
Simply telling staff not to be fooled by phishing attacks is not going to be enough. Firms need to demonstrate what a phishing email can look like, how to spot those that are phishing attacks, and what to do and not do when one is received. What is more, creating awareness is an ongoing activity rather than a one-off event. New staff need to have it pointed out to them, and existing staff need to be reminded from time to time and brought up to date on the new threats that exist.
Firms also need to make sure that staff think pro-actively about cyber and data security. Everyone within the firm needs to think about sharing in some way the threats that they encounter so that others are not caught by them. This can be either through a message to colleagues in smaller firms (but NOT sending a copy of the suspicious email) or by alerting the IT department or managers in larger firms so that they can update a firm notice board or send round regular official updates. Firms may also want to think about having a section of the firm’s intranet devoted to cyber and data security or possibly using a service such as Slack (https://slack.com/) as a place where staff can post relevant information.
To help firms to raise staff awareness of the issues Infolegal will, over the course of the coming months, be producing a number of guides and brief training courses covering a number of cyber and data issues and will be offering members the opportunity to access and download templates for policies and procedures designed to address the problem.