The American Bar Association suggests that your law firm being hacked isn’t a matter of if, it’s a matter of when.  Law firms small and large are prime targets for hackers because they house valuable information and are often less secure than organizations in other industries.

The entry point for most attacks is employees, and the most common technique is a phishing attack.  Anyone can fall for a well-designed phishing attack – even your partners and IT team.  We’ve heard recurring themes in our cybersecurity conversations with law firms, and decided to dispel the most common myths.

  1. Phishing emails are easy to identify

Sometimes they are – bad grammar, bad spelling, outrageous requests – but not always.  Many are well designed, crafted to mimic a legitimate website like Amazon or your bank, or to look like a message from someone in your IT department. Here’s an example – would everyone on your team identify this, or would someone hand over their firm password?

Employees need to know how to identify potential threats and mitigate risk.  

  2. The IT manager has it covered

We work with IT folk daily.  They are phenomenal at information technology and keeping your infrastructure secure.  They are also the first ones to admit that a firm’s non-technical employees don’t really get IT and it’s hard for them to train these employees.

Making employees active participants in cybersecurity is a collaborative effort between IT, HR, and leadership.  The CIO of Penn Highlands wrote on how he’s making employees active participants in information security.

  3. I trust my team

We trust your team too.  They are smart, and they are more than capable.  Unfortunately, so are hackers.  So much so that they can design a spear-phishing campaign that uses personal information about an employee to gain their trust and create an incident.

It’s not about trust, it’s about making people aware so security is front of mind.  Not convinced? Here are 3 reasons to teach your lawyers information security.

  4. Our lawyers are too busy

Being busy puts them at high risk of falling for a phishing attack, because they do not take the time to scrutinize a suspicious email that appears to come from a legitimate client.  What this myth ignores is that it only takes a few seconds to scrutinize most suspicious emails and significantly reduce the risk of an attack.

While lawyers are busy, they aren’t too busy.  

  5. We don’t have time for more training

We do not recommend just training employees on phishing scams once a year.  They’ll forget.  We know that.  

We do recommend running simulated phishing attacks to support your security training program.  If the employee identifies the phishy email, it takes no more than 10 seconds out of their day.  If the employee does not identify the phishy email and clicks a link, they receive a 20-second training at the point of failure.

Free phishing simulation – Put your employees to the test

Simulating a phishing attack helps keep security risks front of mind for all employees all the time.  It also provides you with a full audit trail of testing and training employees, and provides data to identify high risk employees for additional training and support.  

Wuvavi provides an employee cybersecurity platform and access to a free phishing campaign to put your employees to the test.