A cybercriminal doesn’t look at businesses by industry or the size of your business; they are looking for vulnerabilities. But, as a law firm, you will regularly process large financial payments and handle sensitive customer data, which can make you more of an appealing target.
The Solicitors Regulation Authority (SRA) published the following report in 2020, Cyber Security – A thematic review. One of the focus areas in the report was cyber security training and how having a basic knowledge of cyber security and mitigation against cyber-attacks are linked.
Cyber security is not just a responsibility of your IT department; everyone within a law firm must have a general level of knowledge about the topic. With the scams in cyber and technology evolving daily, training staff regularly is one-way law firms can mitigate the risk of cyber-attacks.
The Solicitors Regulation Authority; Cyber Security - A Thematic Review
20% of firms had never provided specific cybersecurity training to their staff, with the majority never keeping records of who had received training
Whilst 93% of firms had a firewall in place, more than half of firms allowed external data sticks to be freely used and plugged into their machines
Despite 73% of firms reporting any recent incidents to the SRA, seven reports were not made, despite clear and significant breaches
"Cyber security is an issue for any process which is wholly or partially reliant on technology, including those facilitated online, via email or through the use of any computer or device. However, ultimately it is a broader risk than the use and maintenance of technology alone. Firms need to have suitable knowledge and oversight to ensure they maintain a strategic approach to technology and security across the whole firm." Quoted from the SRA Thematic Review 2020
Different employee roles present different risks
Different employee roles present different risks; the SRA report asked senior figures and fee earners for their understanding of some common cybersecurity terms. Of the senior figures, over 50% of those asked said they understood the following terms Phishing, Ransomware and Malware. However, of the fee earners, 55% said they didn’t understand the term ransomware or virus.
Uneducated employees can be a bigger risk for legal firms; one firm revealed that around £150,000 of billable time was lost due to a ransomware attack initiated accidentally by a fee earner, which is unsurprising when the understanding of ransomware is so low.
Despite this, the report’s findings on when specific cyber training was last provided, revealed that just 26 firms had provided training in 2019, and 20% of firms had never provided specific cyber security training for staff.
With 27 cyber-attacks resulting in firms losing office or client money, all but one firm introduced mitigation that they believed would prevent a similar event. With 62% of the cyber-attacks, the cost of the mitigation was less than the initial loss incurred by the firm highlighting the need for cyber security to be a regulatory requirement.
Suppose your firm has yet to implement a Cyber Incident Plan. In that case, we recommend you download our pack containing documents to help support your business plan and response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.
Enquire about Security Awareness Training today
Here at the North West Cyber Resilience Centre, we offer Security Awareness Training that introduces cyber security, why it’s difficult, the latest threats and who it can affect. Our security experts can deliver the training virtually or at your offices. Each module is delivered to suit the knowledge levels of those attending the training, with the content broken down for all knowledge levels.
The training is designed to transfer the behaviours to personal and business activities. Suppose a cyber-attack has happened to your business previously. In that case, we can help further educate your team to understand better how to protect your organisation and minimise the risk of this happening again.
Security Awareness Training features prevention techniques and includes managing the situation if you do suffer an attack. Training can also be bundled with a Simulated Phishing Exercise, which helps raise your staff's awareness of phishing emails and guards your business against the growing trend of social-engineering threats. Training your employees about what a phishing attack looks like makes them more likely to identify and report scams.
If you feel our Security Awareness Training or Simulated Phishing Exercise could benefit your legal firm or a business within your supply chain, get in touch, and we can discuss how we can support you today.
