One Law Firm’s Results After Security Training

by Alexa Drago on September 7, 2017

By Doug Striker

I’m writing this story about a law firm that recently launched security awareness training. I’m changing the names of the people and the firm to protect them from cyberattacks.

Benjamin Stevenson, Director of Information Technology with Joseph & Joseph, has noticed a trend: current and prospective clients are increasingly asking for proof of law firms’ security training and other prevention measures.

“One prospective client’s RFP recently asked about participation rates among our attorneys and staff in our security training program,” says Stevenson. “They wanted to know how many people – what percentage – were actively taking our security awareness courses.”

These client inquiries please Stevenson, who is constantly working to keep the firm safe from phishing scams, malware and ransomware.

“Client demands will drive a culture shift at the firm and they give me ammo when I go chasing people who don’t complete the courses by the deadline,” says Stevenson. “Our firm’s success in recruiting and keeping clients hinges on our ability to assure them that their sensitive materials are safe with us.”

Luckily, Joseph & Joseph was ahead of this client-driven curve. Nearly two years ago, Stevenson began seeking a partner who could provide effective, ongoing security awareness training. Ultimately, he chose KnowBe4.

KnowBe4 operates a popular integrated Security Awareness Training and Simulated Phishing platform. The system includes a series of trainings which are randomly followed by simulated phishing emails. The phishing templates are updated every day based on trends that KnowBe4 sees occurring in the real world. Clients use these templates to phish their own firm, learning who is vulnerable to scams and who needs training.

In August 2016, Stevenson launched KnowBe4 firm-wide by taking the following steps:

  • Introductory meetings: Stevenson visited all of the firm’s offices and held required meetings (people could attend in person or view a recording later) in which he explained the program and why it was critical to firm success. He gave examples of security breaches at other firms and even some internal issues that they had already faced. He also explained the cost of security failures to the firm’s bottom line. Then he explained how KnowBe4 would work.
  • Training modules: Then, Stevenson launched the KnowBe4 training modules. Each participant was required to watch the 45-minute training, and then had a timeframe within which they had to watch several additional 15- to 20-minute videos.
  • Phishing campaign: After the deadline had passed, Stevenson launched the phishing simulation campaign using templates provided by KnowBe4.

“I received lots of positive feedback on the training and the program itself,” says Stevenson. “It’s about as painless as online training can be.”

He also says it’s been effective at raising awareness around the firm.

“A lot of people were surprised; they didn’t know what they didn’t know!” he says. “The simulations opened a lot of eyes. I was pleased at the number of people who reported suspected phishing. We had a 20% fail rate and now I know how to re-focus my training efforts for the next campaign.”

(Update: Benjamin recently ran another campaign and achieved a 4% fail rate. Vast improvement. I will continue to update this story as the firm continues its trainings.)

Benjamin also said that people are reporting more suspicious emails to him, helping to avoid potentially harmful and expensive security breaches.

“Just last week, I had someone report a phishing attempt to me,” he recalls. “It looked like a Dropbox email from a client but, because he knew what to look for in the email itself, he thought it looked suspicious. He forwarded it to me and then called the client. Turns out the client’s account had been compromised and he didn’t send that email to us. We averted a security crisis.”

The KnowBe4 program also includes marketing collateral, such as posters, for firms to use internally to keep security awareness at the top of people’s minds.

Stevenson says the security trainings will be offered on an ongoing basis and he plans to launch simulated phishing campaigns twice a year.

Do you think everyone in your firm knows how to recognize malicious emails? If not, then you have a security issue. Consider security awareness training to strengthen your firm’s front line of defense: your employees.

 

Doug Striker is Chief Executive Officer (CEO) of Savvy Training & Consulting, a provider of legal software training solutions. As a former Chief Operating Officer of a prominent law firm, he specializes in helping firms acquire the software platforms they need, training staff for maximum workflow efficiency, and enhancing continuity and bottom-line results. 

 
