Cybersecurity: Safeguarding law firm data with cyber security training
By Carl Mazzanti
Cyber-criminals love law firms because they represent a treasure trove of information. That really hit home last year when an NLJ500 law firm agreed to a nearly $2 million payout to settle a class action suit stemming from a ransomware attack against the firm, which exposed sensitive health system patient information of more than 420,000 individuals.
The threat is growing, as ransomware attacks increased 13% last year and are expected to increase in 2023, according to the most recent Verizon Data Breach Investigation Report. Firms of any size, however, can take steps to protect their systems and their data. There is a natural desire to rush out to get the “next best thing” in hardware or software as a cybersecurity measure, but it is important to remember that safety initiatives start with employees, since 82% of breaches — including ones involving stolen credentials, phishing, misuse, or errors — involve the human element.
A firm’s employees may account for the biggest security liability, but they can also be a critical line of defense. Recognizing this, many cyber security services companies suggest security awareness training. Such a comprehensive approach starts with a deep analysis of a law firm’s operations, identifying people vulnerable to attacks and mapping the training they need. Next, a targeted and timely training program will be developed to improve their skills to defend against threats. As part of this program, users will find out how to respond safely to social engineering and other attacks to mitigate an organization’s risk.
A common threat
Social engineering is a favorite threat vector for hackers, who trick users into surrendering such sensitive information as usernames, passwords or financial data. This is often done through “phishing,” or sending emails or other messages that appear to be from reputable companies asking for personal information, including passwords and credit card numbers. For example, a phishing email may appear to come from a trusted financial institution and request account information to resolve an alleged problem. The email may use realistic-looking logos and names that make it appear legitimate, but if the unsuspecting user supplies the requested information, their sensitive accounts will be compromised.
An experienced managed IT services provider will instruct users to resist the temptation to click an attached file or a hyperlink unless they are expecting it. Even if an email appears to come from a trusted source, they will be advised to verify it with the source before opening the attachment.
Phishing awareness training also teaches attorneys and staff to recognize common signs of a phishing attempt, which can include spoofed hyperlinks or a suspicious sender address. Subsequent phishing simulations will reinforce the training.
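The two warning signs named above, a spoofed hyperlink and a suspicious sender address, can also be checked mechanically before a message ever reaches an attorney's inbox. The following Python script is an added illustration, not code from the article or from eMazzanti Technologies: it parses a raw e-mail, compares the sender's display name against an assumed list of trusted brand domains, checks whether Reply-To diverges from From, and flags any link whose visible URL text points at a different site than its actual href. Both sample messages and every domain in them are constructed for the example; the `TRUSTED_BRANDS` table is an assumption a real deployment would maintain itself.

```python
"""Flag common phishing indicators in a raw e-mail message (defender-side check).

Added illustration; not code from the article or from eMazzanti Technologies.
All domain names and messages below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping: brand words a display name might claim -> the domain that
# brand legitimately sends from. A real deployment maintains this list itself.
TRUSTED_BRANDS = {"first trust": "firsttrust.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation (no public-suffix list); enough here."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message, trusted_brands=TRUSTED_BRANDS):
    """Return a list of (code, detail) indicators; an empty list means none found."""
    msg = message_from_string(raw_message)
    found = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender)

    # 1. Display name claims a known brand, but the address is not that brand's domain.
    for brand, domain in trusted_brands.items():
        if brand in display.lower() and registrable_domain(sender_domain) != domain:
            found.append(("display-name-mismatch",
                          f"'{display}' sent from {sender_domain}, expected {domain}"))

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != sender_domain:
        found.append(("reply-to-mismatch", f"Reply-To {reply_to} vs From {sender}"))

    # 3. Spoofed hyperlink: the visible text shows one site, the href points to another.
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = URL_RE.search(text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            found.append(("link-mismatch", f"text shows {shown_host}, href goes to {href_host}"))
    return found


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: "First Trust Bank Security" <alerts@firsttrust-verify.example>
Reply-To: recovery@mail-helpdesk.example
To: partner@lawfirm.example
Subject: Action required: confirm your account
Content-Type: text/html

<html><body><p>We detected a problem with your account. Please confirm your details at
<a href="http://login.firsttrust-verify.example/confirm">https://www.firsttrust.example/secure</a>
within 24 hours.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "First Trust Bank" <notices@firsttrust.example>
To: partner@lawfirm.example
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available at
<a href="https://www.firsttrust.example/statements">https://www.firsttrust.example/statements</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

Run stand-alone, the script reports three indicators for the constructed phishing message and none for the legitimate one. The registrable-domain helper is deliberately simple; a production filter would use a public-suffix list and feed these indicators into a mail gateway rather than treat any one of them as proof of phishing.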
Experienced cyber security organizations make it their business to stay up to date on security trends, threats, tools, and best practices. With 24-by-7 monitoring and improved security controls, a cyber security consultant can recognize and address potential threats before they become a problem. Security experts will periodically assess a firm’s cyber environment to identify vulnerabilities, using measures such as security audits and penetration testing. They will also help a firm to adjust security strategies as necessary to address identified weaknesses.
Cyber security and privacy laws, as well as government and other regulations, include requirements for best security practices. With an in-depth understanding of regulatory requirements, security partners can make it easier to achieve regulatory compliance, while filling a critical role in recovering systems and data in the event of a successful intrusion. And as a firm’s cyber security needs change over time, a professional provider will offer the flexibility to scale services up or down to match the need.
Carl Mazzanti is president of eMazzanti Technologies, a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].