How often does your firm train in cybersecurity?
If the answer is "not at all" or "occasionally," don't worry; most law firms we come across are in the same boat. For the sake of this topic, let's pretend your firm has recently gone through training.
In this example, you just finished an annual cybersecurity training course, where your employees were taught how to spot and report phishing attempts along with other cybersecurity best practices. It's a little annoying having to go over the same information every single year. Surely you get it by now. Still, you left the session feeling completely confident that you and your firm were ready for just about anything, the same as always.
That feeling lasted for about six months, until someone inevitably clicked on a phishing link.
To be fair, it was a really convincing email, but despite the cybersecurity training, someone clicked it. Your firm is now dealing with a ransomware infection that has spread through your systems and locked everyone out until you pay, with no guarantee that paying gets your files back.
The worst part? This isn’t even the first time it’s happened.
Usually the trouble isn’t this massive, but you’ve had your fair share of run-ins with threat actors trying to worm their way through your client records. Why does this keep happening? All the online guides said cybersecurity training was supposed to be effective, yet here we are.
Consider this: are you going to remember every single detail of a class for an entire year before it's ever addressed again? Probably not. People are human, and they need to reinforce what they've learned with refresher sessions that come around more often than once a year.
So if annual training isn't enough, how often should your firm hold training sessions to keep your team's cybersecurity awareness sharp? The best available evidence points to roughly every four months.
Why is four months the most effective timeline for cybersecurity training?
A 2020 phishing-awareness study published at a USENIX conference tested users on their ability to detect phishing emails and compared the results against how long it had been since their training. The participants were given phishing-identification tests at the following intervals after training:
- Four months
- Six months
- Eight months
- 10 months
- 12 months
The study showed that users tested about four months after training were still identifying and avoiding phishing attempts reliably, scoring highest of any group. Scores at six months were lower, and beyond six months they fell off sharply, with the decline tracking how long it had been since the last training session.
So there you have it: the evidence suggests that, to stay prepared for phishing schemes, your team needs training and security-awareness refreshers about every four months. One caveat a careful reader should keep in mind: that is a single study of one population, so treat four months as a starting point and let your own simulated-phishing results tell you whether your firm needs a shorter or longer interval.
People need reminders. The research backs it up.
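One way to apply the study's lesson to your own firm is to measure your own retention curve rather than trusting a single published number. The script below is an added example, not part of the original article or the study it cites: it takes simulated-phishing results (the constructed sample rows are hypothetical, one per test email sent to an employee, with the date of that employee's last training), groups them into the same month intervals the study used, computes the click rate for each interval, and reports the longest interval at which the click rate stays under a threshold you choose. The 10% threshold and the bucket labels are assumptions for illustration.

```python
"""Estimate how quickly phishing awareness fades using your own simulated-phishing data.

Added example (not from the original article). Input rows are constructed and hypothetical:
(employee, date_of_last_training, date_of_simulated_phish, clicked_the_link).
"""
from collections import defaultdict
from datetime import date

# Ordered (upper_bound_in_months, label) buckets mirroring the study's 4/6/8/10/12-month tests.
BUCKETS = [
    (4, "0-4 months"),
    (6, "5-6 months"),
    (8, "7-8 months"),
    (10, "9-10 months"),
    (12, "11-12 months"),
]

# Constructed sample results: everyone was trained on 2023-01-10 and phished on various later dates.
SAMPLE_RESULTS = [
    ("a1", date(2023, 1, 10), date(2023, 3, 15), False),
    ("a2", date(2023, 1, 10), date(2023, 4, 15), False),
    ("a3", date(2023, 1, 10), date(2023, 5, 15), False),
    ("a4", date(2023, 1, 10), date(2023, 5, 20), False),
    ("b1", date(2023, 1, 10), date(2023, 6, 15), False),
    ("b2", date(2023, 1, 10), date(2023, 6, 20), False),
    ("b3", date(2023, 1, 10), date(2023, 7, 15), True),
    ("b4", date(2023, 1, 10), date(2023, 7, 18), False),
    ("b5", date(2023, 1, 10), date(2023, 7, 25), False),
    ("c1", date(2023, 1, 10), date(2023, 8, 15), True),
    ("c2", date(2023, 1, 10), date(2023, 9, 15), False),
    ("c3", date(2023, 1, 10), date(2023, 9, 20), True),
    ("c4", date(2023, 1, 10), date(2023, 9, 25), False),
    ("d1", date(2023, 1, 10), date(2023, 10, 15), True),
    ("d2", date(2023, 1, 10), date(2023, 11, 15), True),
    ("d3", date(2023, 1, 10), date(2023, 11, 20), False),
    ("e1", date(2023, 1, 10), date(2023, 12, 15), True),
    ("e2", date(2023, 1, 10), date(2024, 1, 15), True),
    ("e3", date(2023, 1, 10), date(2024, 2, 15), True),
]


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (day of month ignored)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def bucket(months):
    """Map months-since-training onto a study interval; anything past 12 joins the last group."""
    for upper, label in BUCKETS:
        if months <= upper:
            return label
    return BUCKETS[-1][1]


def click_rates(results):
    """Fraction of simulated phishes clicked, per months-since-training bucket."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for _employee, trained, tested, did_click in results:
        label = bucket(months_between(trained, tested))
        sent[label] += 1
        clicked[label] += int(did_click)
    return {label: clicked[label] / sent[label] for label in sent}


def recommended_cadence_months(rates, threshold=0.10):
    """Longest interval (in months) at which the click rate is still at or below `threshold`.

    Walks the buckets in order and stops at the first one with data that exceeds the
    threshold. Returns None if even the shortest interval is over the line, meaning the
    firm should train more often than every four months.
    """
    recommended = None
    for upper, label in BUCKETS:
        if label not in rates:
            continue  # no tests fell in this interval; skip rather than guess
        if rates[label] > threshold:
            break
        recommended = upper
    return recommended


if __name__ == "__main__":
    rates = click_rates(SAMPLE_RESULTS)
    for _upper, label in BUCKETS:
        if label in rates:
            print(f"{label:>12}: {rates[label]:.0%} clicked")
    print("Recommended refresher interval:", recommended_cadence_months(rates), "months")
```

With the constructed sample, nobody clicks in the first four months, one in five clicks at five to six months, and half or more click from seven months on, so the script recommends a four-month interval at the 10% threshold. Feed it your own simulated-phishing exports and the recommendation becomes your firm's number rather than a study's.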
Help your firm develop a cybersecure culture
By discussing cybersecurity openly and honestly instead of dreading it, you’re fostering a cybersecure culture.
Building and maintaining a cybersecure work culture is the gold standard for security awareness training. Everyone, no matter their job title, is aware of their responsibility to protect sensitive data and of the heavy price that comes with failing that responsibility. Organizations with a healthy, cybersecure culture are more likely to avoid phishing scams and to keep their credentials out of attackers' hands.
There is a challenge, however: cybersecure cultures are rare among law firms. According to the 2021 ABA TechReport, 25% of law firms reported having experienced a data breach at some time. The data a law firm holds is highly sensitive, and allowing it to be exposed and monetized by criminals could be devastating for both your firm and your clients.
Effective topics to cover in your cybersecurity training curriculum
You shouldn’t just be trained often but trained well.
Quality training doesn’t necessarily have to mean extremely long, boring sessions. There’s a variety of ways to enrich and mix up your cybersecurity curriculum in a way that’s still informative. Here are a few examples:
- Creating a cybersecurity policy that makes sense to everyone
- Sending out monthly self-paced educational videos
- Conducting team-based roundtable discussions about cybersecurity
- Including a cybersecurity “Tip of the Week” in company newsletters or messaging channels
- Inviting guest IT professionals to speak at a training session
- Sending out simulated phishing tests
- Hanging informational cybersecurity flyers and posters in common areas (the breakroom, the kitchen area, etc.)
- Celebrating Cybersecurity Awareness Month every October
In addition, your training should cover more than just regular email phishing! Remember: phishing is a major cybersecurity topic, but it’s not the only one worth mentioning.
Phishing by email, text & social media
SMS phishing ("smishing") and phishing over social media are at least as threatening as regular email phishing, partly because those channels usually sit outside the email filtering your firm relies on. Your team must learn to recognize phishing in every channel it arrives through to avoid falling for these scams.
Credential & password security
Nowadays, many organizations have moved their data and processes onto cloud-based platforms, which made remote work practical in the wake of COVID-19. Although this is beneficial for many reasons, it also means a stolen username and password is often all an attacker needs to walk straight into a SaaS tool from anywhere, and stolen credentials are consistently ranked among the leading ways breaches begin in annual breach reports.
Because of that impact, your training must address credential strength and security with your team: unique passwords for every account, a password manager so that is practical, multi-factor authentication (ideally phishing-resistant) on email and practice-management systems, and never entering credentials on a page reached from a link in a message.
Mobile device security
Mobile devices such as phones and tablets now carry a large part of the workload in a typical office, no matter the industry. They're handy for many reasons, like replying to emails from anywhere and using mobile authentication apps to log in. In fact, many firms weigh whether a product has a well-functioning mobile app before buying it.
But that doesn’t mean mobile devices are immune to being compromised.
Good, thorough cybersecurity training reviews the security needs of personal and mobile devices: a screen lock with a strong passcode or biometric unlock, installing operating-system and app updates as soon as they are available, avoiding untrusted apps and Wi-Fi for firm business, and knowing how to report a lost or stolen device immediately so it can be remotely wiped.
As a law firm, you are required to be compliant with data privacy regulations, depending on the type of client and case, such as:
Failure to comply can result in costly fines and penalties, but the heaviest price you'll pay is the damage to your firm's reputation. Cybersecurity training programs should ensure everyone is up to date and thoroughly trained in proper data handling and security procedures.
Need help training your team on cybersecurity?
We know… it’s a lot.
Your billable hours are already taken up by actual job duties, how could you possibly fit cybersecurity training in the mix?
Luckily, you don’t have to.
At STS, we can train your firm with our team of cybersecurity professionals. We offer a comprehensive, lawyer-friendly Managed IT Service Program that includes an engaging, continually updated training program that actually produces results.
We take pride in being one of the only SSAE-19 Cybersecurity certified IT partners, and we happily apply that rare expertise in providing Cybersecurity and Managed IT Services to the legal industry nationwide.
Ready to transform your law firm’s cybersecurity standing?