People empower
What’s the biggest cyber risk for a law firm today? We may be tempted to think it is an advanced persistent threat (APT) from shadowy criminal organisations in far-flung nations, but the answer is likely to be less exotic, and closer to home – maybe sitting at a desk nearby. Ethical hackers will tell you the easiest way to compromise an organisation is probably to get a member of staff to do it, unwittingly, using social engineering.
As firms focus more on software and hardware technology defences, the attackers are increasingly targeting their efforts at the ‘warmware’ – the people. Why spend weeks covertly hacking into a system when someone will let you in?
Email phishing is arguably the main method of attack on any business today. By tricking an email recipient into clicking a link, the attacker can direct them to a website to download malware or harvest their login credentials. Gone are the days when phishing emails were easily spotted due to poor grammar and dodgy images. Now they are sophisticated, copying the branding and language of your bank, PayPal, Netflix, or whoever they are pretending to be.
It’s no wonder they’re hard to spot. But it’s not just how they look that deceives us – phishing emails also bypass our logical thinking by appealing to emotions and traits like fear, greed, curiosity, and even helpfulness. By adding a note of urgency, they trigger an emotional response so we click before we think. Phishing also takes advantage of people being busy, which is why most bank transfer fraud is committed on a Friday afternoon, when the pressure is on (and the error won’t be discovered until Monday morning).
This year there have already been reports of major IT system vulnerabilities, and the need for security patching has become front-page news. However, to exploit most of these vulnerabilities the attacker first needs to get into your organisation and gain access to systems, and the easiest way to do that is phishing.
But rather than see people as the ‘weakest link’, as is often said, we must enable them to be our first line of defence. This is no easy task, as it requires training, raising awareness and changing behaviour, all of which takes time and repetition. We therefore not only need to train our people about security, but also to train our security teams about people, their vulnerabilities, and how to get the best from them.
There is no security patch for people, and telling colleagues what to do (or not do) is of limited effectiveness. But by showing them what could happen, and how to avoid it – through repeated phishing simulations, campaigns and training – we can equip them to become the firm’s strongest possible defence.
This article originates from Briefing June 2018: Near pressure