By Doug Striker, CEO, Savvy Training & Consulting
Sometimes I think about the mind of a cybercriminal and I imagine that they’ve got to be among the most cynical, twisted people on our planet. So many of the techniques that they invent to hack into our computers derive from a sense of disdain and arrogance. Simply put: they think we’re all idiots. I mean, if you invent a fake email that tells people they just won the lottery and they click on it “to find out how much they won,” why wouldn’t you become cynical and arrogant? People behave like idiots!
Of course, most phishing campaigns are way more sophisticated than, “You won the lottery.” Cybercriminals steal our bank’s logo and send us alerts that tell us our account has been hacked. Or they offer pizza coupons from a local delivery spot and we click for the deal. (Hopefully you are no longer clicking the emails from the Nigerian Prince!)
These types of scam emails are called “phishing” scams because the hacker is fishing for access to your sensitive information, such as your Social Security number, bank account passwords and credit card information. When you click the link, either the email downloads malware onto your computer, or it takes you to a criminal web page that looks and acts like a legitimate bank, pizza or lottery website but isn’t.
When you get right down to it, phishing is a scam that targets human nature. Most people are trusting and optimistic by nature! “Oh! I get a free pizza! Yay!” The only way to fight phishing is to educate yourself about the many forms that phishing takes so that you can recognize the scam emails when they hit your inbox, not after you’ve clicked the nasty link.
Every individual I know should better understand phishing scams. But the issue becomes even more critical for law firms, where individuals (who act on human nature) may click on a scam email and unwittingly expose the entire firm (and all of its clients) to an attack.
Law firms have become a plum target for cybercriminals. Why? Because, like banks, law firms store vast amounts of sensitive information on their clients, who range from individuals (sometimes famous, infamous or wealthy) to corporations (also famous, infamous and wealthy). With the key to the law firm’s sensitive client information, cybercriminals can bring an entire firm and all of its clients to their knees.
A year-long Google study recently found that phishing poses the biggest threat to online security. And, according to a recent report from IT security provider LogicForce, hacking attempts were made on over 200 U.S. law firms between 2016 and 2017, 40% of which didn’t even know that they had been breached.
What Can You Do?
Are you taking the necessary precautions today to protect your firm from the next cyberattack? No matter how many firewalls you’ve built, your biggest threat will always be that giant open door into your firm called “Email.” You need to teach your employees to recognize suspicious email so that they can be your first line of defense, instead of your weakest link.
The KnowBe4 security awareness program was created by Kevin Mitnick, infamous hacker and now world-renowned security expert. The KnowBe4 platform starts with an education program that teaches your attorneys and staff how to recognize suspicious emails. Then, you can create simulated phishing emails that you send throughout your law firm. From the results, you know the types of emails that your employees need help recognizing as suspicious and the people who need extra training.
People are less likely to click on a fake email after experiencing one simulation in which they fail. (I.e., if they click on a fake phishing scam and discover that they were suckered, they are 20% less likely to do it again.) And that’s after just one simulation! Imagine if you had an ongoing phishing simulation/training program to help your employees keep their guard up!
Here’s how it works:
- Become a KnowBe4 client
- Upload your users to the system
- Launch a baseline phishing test using any number of templates
- Using the results from that phishing test, launch targeted trainings to help your employees be more discerning clickers
- Every month or quarter, send out another phishing campaign
- Track improvements down to individual users over time
This system is updated continuously with new phishing templates that you can use to phish your law firm, learning who is vulnerable to scams and who needs training.
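As an added example that is not part of the original article or of the KnowBe4 product, here is a small Python script that does the last step of that procedure on constructed simulation results: per-campaign click and report rates, the users who clicked in more than one campaign (the ones who need targeted training), and the change in click rate from the baseline to the latest campaign. The campaign names, users and outcomes are made up, and the “reported” column is an assumed metric the article does not mention.

```python
# Added example: track periodic phishing-simulation results per campaign and
# per user, and flag who needs extra training. Not KnowBe4's code.
from collections import defaultdict

# Constructed sample results, in campaign order: (campaign, user, clicked, reported)
RESULTS = [
    ("2024-01 baseline",   "alice", True,  False),
    ("2024-01 baseline",   "bob",   True,  False),
    ("2024-01 baseline",   "carol", False, True),
    ("2024-01 baseline",   "dave",  False, False),
    ("2024-04 invoice",    "alice", False, True),
    ("2024-04 invoice",    "bob",   True,  False),
    ("2024-04 invoice",    "carol", False, True),
    ("2024-04 invoice",    "dave",  True,  False),
    ("2024-07 file-share", "alice", False, True),
    ("2024-07 file-share", "bob",   True,  False),
    ("2024-07 file-share", "carol", False, True),
    ("2024-07 file-share", "dave",  False, False),
]


def campaign_rates(results):
    """Return {campaign: (click_rate, report_rate)} in first-seen campaign order."""
    totals = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for campaign, _user, clicked, reported in results:
        t = totals[campaign]
        t[0] += 1
        t[1] += int(clicked)
        t[2] += int(reported)
    return {c: (round(n_click / sent, 2), round(n_rep / sent, 2))
            for c, (sent, n_click, n_rep) in totals.items()}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted training."""
    clicks = defaultdict(int)
    for _campaign, user, clicked, _reported in results:
        clicks[user] += int(clicked)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def trend(results):
    """Change in click rate from the first (baseline) to the latest campaign; negative means improving."""
    rates = list(campaign_rates(results).values())
    return round(rates[-1][0] - rates[0][0], 2)


if __name__ == "__main__":
    for campaign, (click, report) in campaign_rates(RESULTS).items():
        print(f"{campaign}: clicked {click:.0%}, reported {report:.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("click-rate change since baseline:", trend(RESULTS))
```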
The KnowBe4 system is simple and yet incredibly effective in helping you to build your first line of defense against cyber attackers who know that the weakest chink in your law firm security system is your employees!
Doug Striker is Chief Executive Officer (CEO) of Savvy Training & Consulting, a provider of legal software training solutions. As a former Chief Operating Officer of a prominent law firm, he specializes in helping firms acquire the software platforms they need, training staff for maximum workflow efficiency, and enhancing continuity and bottom-line results.