Few things are worse than having your confidential documents and data stolen and held for ransom. Ransomware is a common threat in today’s “arms race” between hackers and the IT security community. And it has penetrated the defenses of some of the largest law firms in the world, some that are not so big, and some that are as small as they come.
In most cases, ransomware is activated through an email attachment or link. Someone at the targeted firm or organization receives an email and is persuaded to open the attached file or follow a link. It’s seemingly a very easy thing to avoid: Don’t open attachments or click links in emails from unknown senders.
But it’s not so simple. The emails delivering malicious software have become very sophisticated. They will often be formatted to include the logo, images and type styles of a familiar company. The sender’s address may be similar to that of someone in your organization. Often the link or attached document is edited to seem authentic. If you or your staff aren’t ready for these tricks, you can be fooled.
There are several types of security defenses you can put in place to guard your network and data against ransomware and other threats. But there is one defense that focuses on the human side of this vulnerability, teaching us all to be harder targets in this battle of wits: security awareness training (SAT).
What Is Security Awareness Training?
SAT is any training program designed to teach people to recognize all manner of security exploits that might be attempted by nefarious agents. This includes email, electronic, phone and in-person types of attacks or cons. The training can be classroom-based, but it is usually delivered via an online seminar.
The goal is to increase awareness of security threats and methods and change behaviors so that each person is an active part of your security plan. Training should provide everyone who takes the classes with the skills needed to spot and avoid the most common and effective types of threats. In addition, training should make your firm’s security practices and policies clear.
What Does SAT Provide?
SAT has been around for a while, but as threats increase — along with rules and regulations dealing with privacy and security — so does the demand for training. Many different SAT providers exist. How they deliver their services will vary, but the essence of the programs should follow this rough outline.
Up-to-date classes. Any good SAT program will have classes that teach about the latest types of attacks, showing you the most recent methods hackers are using and testing you on them. Pay close attention to when courses and materials were last updated. You can also read providers’ news and blog feeds to see how often they are posting about recent developments.
Automation. Many providers will send simulated email attacks after security training has taken place. Your team will receive authentic-looking “threat” emails and the program will record which people were fooled and report back. You can then follow up with additional training and resources to improve security awareness.
Materials. These can come in many forms but are most often going to be well-produced video seminars, slideshows with audio instruction, and interactive learning programs.
Reports. A good SAT provider will produce reports detailing who has been engaging with the training materials and how each user has performed throughout the simulation program.
What Are the Benefits?
Continuity. Preventing one exploit per year could save thousands of dollars in lost productivity, lost business, and legal costs. Most providers recommend monthly training sessions, but at minimum annual training (including training for all new hires).
Insurance cost savings. Commercial liability and cyberinsurance policies often cost less when an active and credible SAT program is in place. In the case of cyberinsurance or privacy breach policies, you may be required to have the training in place to qualify for a plan.
Compliance. Having an ongoing SAT program in place helps organizations stay compliant with standards such as FISMA, PCI, HIPAA and Sarbanes-Oxley.
Team confidence. It’s a more difficult benefit to measure but there is some evidence that an educated, security-savvy team performs better and has more confidence when fulfilling its duties.
How to Get Started with Security Awareness Training
SAT programs are easy to set up and usually require a phone call or email and less than an hour to initiate. We work with KnowBe4, both for our own security awareness needs and when setting up our clients with an SAT program. Starting a program is just a matter of deciding how many people you would like to train and the type of training you’d like to focus on at the outset.
In a recent two-year study of “pentesting,” or penetration testing, Positive Technologies imitated hacker techniques and sent suspicious emails to test subjects, 17 percent of which would have led to the compromise of the individual’s workstation and possibly the entire corporate structure. According to their report, 27 percent of recipients clicked on the questionable links. Make sure you and your team are in the 73 percent who do not click.
Per Casey is President and CEO of Tenrec, Inc., a website management agency. In his role leading the company, he helps law firms and other business entities develop, launch and maintain successful websites and web applications. Per has advised on and overseen hundreds of website and technology projects for law firms of all sizes.
Illustration ©iStockPhoto.com
More Security Tips on Attorney at Work
- Five Cybersecurity Tips by Sharon Nelson and John Simek
- Gotcha: Legal Tech Horror Stories from the Experts
- Ransomware: Backing Up from Trouble by Mark Bassingthwaighte
Subscribe to Attorney at Work
Get really good ideas every day: Subscribe to the Daily Dispatch and Weekly Wrap (it’s free). Follow us on Twitter @attnyatwork.