Law firms must reassess their cyber-security education experience

08 December 2021 By Murray Mills

Most law firm employees are onboarded with their individual role in an organisation’s cyber defences, so why aren’t more being offered regular formal training, asks Murray Mills.

User awareness and vigilance have always been critical to the effectiveness of a cyber-security strategy within law firms.

It is often said that cyber security is everyone’s problem, and the statistics show this is still the case.

The Office of the Australian Information Commissioner (OAIC) recently found that 57 per cent of cyber incidents are caused by either phishing or password compromises, proving the end user is the biggest threat vector that bad actors will seek to take advantage of.


Countering this threat requires education – in the form of cyber-security awareness and training.

This is not just the problem of users but also of the law firms they work for.

A government-run survey last year found one in five Australian small-to-medium businesses – of up to 199 employees – did not know the term “phishing”, and didn’t know where to begin to fix their security knowledge and implementation gaps.

As KPMG noted recently, “there is a requirement for continuous education for all senior business leaders… to understand the extent and nature of the evolving cyber threat faced by their organisation in order to make informed decisions about effective protections and responses”.

In our experience, security awareness training is often haphazard or ineffective.

It may be embedded in a user acceptance policy, unengaging, or conducted at a point in time without regular reinforcement. It may or may not even be mandatory to complete.

Case in point, recent research found only 43 per cent of respondents in A/NZ had received any formal cyber-security awareness training in the past year. The same research, however, found 86 per cent of employees “expressed a personal sense of responsibility to ensure they are not exposing their organisation to cyber threats”.

The training gap here needs to narrow substantially, and meet employees’ elevated thinking and shared sense of responsibility around cyber risks.

High levels of receptiveness to training opportunities present a solid opportunity to refresh education and training programs, and in doing so, to bolster the role that people play in the organisation’s security defences.

This clearly is not the right way to approach cyber security; as the Australian Securities and Investments Commission (ASIC) said, “No business is too small for a cyber security strategy”.

What good looks like

Law firms need to offer the right kind of education to employees at onboarding and then at least quarterly, make completion of it mandatory, and regularly run tests to check that the training sticks.

This may involve running phishing simulations, where any tricked users are directed to a training course refresher.

From our own experience, we have a library of hundreds of cyber-security awareness training courses and we also monitor and report on how people perform and comply with internal security training requirements that we help oversee. 

None of this needs to be overly intensive. Instead, it’s about making people in your firm aware of a concept and its risks, and then confident enough to report anything suspicious that they come across. After all, organisational resilience at all levels is the best investment and defence that a law firm can adopt to keep its business safe.

Murray Mills is the manager of cyber security at Tecala.
