Given the large-scale cyber-attack on NHS systems a few weeks back and the ongoing impact of the ransomware which has since spread globally, firm leaders are now beginning to understand that it only takes one click to take down a whole business. Here Matt Rhodes, Quiss Commercial Services Manager, points out for Lawyer Monthly what individuals should be looking out for and how to best safeguard against attacks/infections.
The recent mass ransomware attacks attracted a huge amount of publicity and brought chaos to a large number of organisations across the world, with some choosing to pay to regain control of their data.
It is believed the WannaCry virus spread without any personal interaction, rather than via the typical toxic email attachment, by attacking vulnerabilities in publicly exposed systems which, once compromised, were used to infect other systems.
However, it could just as easily have followed a phishing attack and serves as a warning for organisations to take cyber threats seriously in the future; 1 in 10 individuals are likely to fall victim and cause untold damage to the organisations for which they work.
More than 90% of hacking attacks follow a phishing or spear-phishing email that unwittingly delivers access to protected systems. Cyber-criminals recognise the weakest points in any organisation’s security are the employees, who can easily be targeted with sophisticated email attacks.
And the criminals only need to be lucky once.
Get phishing and find the weak spots
Cyber-criminals prey on complacency. Every law firm ensures its fee-earners and support staff have undertaken the cyber-security training and know what to look out for. They may even get refreshers and regular security updates.
But despite the warnings, people quickly forget and the business has no way of knowing how each employee will react to a real phishing attack, which may target different people at different times, with different approaches. Until now.
There are now services that subject employees to regular phishing attacks, designed to look like the real thing and test an individual’s reactions.
The regularly updated service replicates the favourite attack methods of the real criminals, although these ‘spoof’ phishing attacks will only result in a word of warning from managers and highlight the need for more training.
Working closely with the client, the service provider will create credible emails tailored to the organisation, which appear to come from likely contacts, using similar email addresses and subject matters – the attack reflects the emails used by real criminals.
Just like the real thing, specific groups or individuals within a law firm can be targeted at different times, with different emails, some with fake toxic attachments.
Phishing tackled this way does not test physical security, a firewall, or system security. It tests a firm’s security culture and helps highlight those employees who don’t realise the important role they play in keeping the firm and its clients safe.
Simple reporting helps target weak defences
The results of the tests give an instant snapshot of who responded to the simulated attack and what action they took.
The comprehensive reports identify areas for improvement, which can help address issues in the cyber-security training offered at induction. Reports help highlight which individuals need some additional support to help them be better prepared for the growing cyber threat.
It is likely that the first tests undertaken without the knowledge of employees will deliver a failure rate around 33%, which is really quite worrying. After subsequent staff reminders, ongoing training, and the spreading knowledge that employees are being deliberately phished as part of the firm’s security response, the failure rate will be closer to 5%.
A failure rate of 0% is rarely, if ever, achieved. We are dealing with humans; even the best trained can be distracted, tired or bored and make a mistake.
Defeating criminals requires more education
The service to target employees will highlight the need for further education and training, most of which is likely to be available from the same service provider, as part of a proactive offering to tackle phishing.
It’s only when employees are faced with a ‘real’ phishing attack that the firm will find out who reacts and what they do – at every level throughout the firm, from boardroom to post room.
When those that are caught by the phishing are shown the potential impact of their actions, they better understand the importance of increased vigilance; not just at work, but when working remotely or at home, which all helps reinforce the security message.
Training helps defend against cyber-criminals, with regular sessions on security best practice, covering topics like creating strong passwords and how to protect data on the move.
Phishing employees is a modern solution for a modern security threat. It will help identify employees who are more susceptible to phishing attacks or who do not care and continually fail tests. Either way, a firm can concentrate its training budget on the individuals that need support or take steps to ensure those that do not care are unable to jeopardise the firm’s future.
Phishing employees needs to be part of every firm’s security culture. If it is not, there should be no surprise when the criminals find the weak spots and wreak havoc, from which a firm might not recover, with irreparable reputational damage.