Employee Education is Key to a Law Firm’s Cyber Security Strategy

By Keith S. Crumpton, vCISO/Senior Security Architect
 
Today’s threat landscape, more than ever, is beyond the technical control of the law firm.  Employees, the human element, represent an organization’s greatest weakness in the information security arsenal, yet they are also a law firm’s greatest defense and most important tool against the cybercriminal.
 
Employees need to be aware of what might be used against them, so they don’t unknowingly contribute to a security incident or breach.  Employees’ performance depends on how well they are educated about the threats they may encounter and how to respond to those threats.  If the response does not fully protect the information, it’s imperative that they understand the best way to communicate the threat, without risk of reprisal, to those who can and will help.
 
Security awareness education activities and reinforcement are low-cost methods of empowering employees.  The investment is cheaper than the cost of a potential loss if an employee clicks on the wrong link, visits the wrong website or believes a spoofed e-mail to be genuine and subsequently transfers funds to parts unknown.
 
The days of ignoring or minimizing threats are over.  More and more law firms are being targeted and security vulnerabilities exploited as cybercriminals seek to obtain the information “payload” that many law firms possess.
 
Consider the following example of a typical client engagement.  A client might engage the law firm during the home buying process.  As part of the engagement, the law firm may obtain the client’s tax returns from the last three years, a recent paystub, credit report, social security number, listing of all assets, bank accounts with account numbers and most recent balances, credit card numbers with most recent balances (in some cases the actual statements), current address, telephone numbers and other personal information.  The information represents a “data payload”.  To security professionals, a data payload is an individual’s data elements (personal information) combined in a nice, easy-to-access package.
 
The scenario above is only one example.  The concept of a data payload exists in all organizations.  It just needs to be identified and defined.  Educating your employees to know your business, the data flows and who the responsible individuals are will help employees understand their roles and responsibilities towards security activities in order to protect the law firm’s data and, ultimately, the law firm itself.
 
To ensure the most effective training for your employees, choose the most applicable educational content.  Some security education topics may not be pertinent and could therefore be a waste of the employee’s time.  Knowing your employees, and their roles and responsibilities, provides background for tailoring security awareness education to everyone.

Employee education is key to ensuring your organization’s information is protected.  Provide them the tools they need to protect it: education, processes, procedures and software, to name a few.  However, if you can only focus on one, make it education.  Without that, nothing else matters.
 
Drawing on over three decades of experience, Micro Strategies, Inc. delivers end-to-end technology solutions that drive business results.  From advisory and design to implementation and support, solutions include business process and content services, data and analytics, hybrid IT, security and managed services.  For more information, please contact Beverly A. Geiger, VP of Solutions, at [email protected].  