The importance of alert and educated end users - Your ‘Human firewall’
What are you obligated to do?
The SRA information and cybersecurity rules expect firms to have staff trained on cybercrime and information security – especially how to recognise phishing attempts.
Why do this?
In modern-day business, cyber security should be one of your main concerns whatever sector you operate in, but for law practices the concern should be greater still. Your team undoubtedly handle sensitive client data and, at times, vast sums of money, and both place a target on your organisation for cyber criminals.
In the vast majority of organisations, users are badly under-educated on how much cyber security matters. Many do not know how to navigate their technology safely and, in some cases, are simply leaving the door open for cyber criminals to let themselves in.
The financial benefit of good cyber security cannot be overstated. With a good standard of education, your team will develop habits that stop many attacks before they start, which can save your organisation thousands of pounds in incident response, downtime and remediation. Training does not replace technical controls such as backups, patching and multi-factor authentication, but it makes every one of them far more effective. Equipping your team with the tools (both physical and mental) to be prepared for a cyber attack benefits all parties: it is in your best interests, and in theirs too, because by protecting your business they are also protecting their livelihoods.
Where do I start educating my employees?
Education – Step 1
You must highlight what your team are likely to face, potentially daily, because knowing what you need to defend against lets you prepare for it. Below are some of the most common threats, so you can see what they are capable of if your team are not ready to combat them.
- Malware – Malicious software. It is sometimes used purely to cause disruption, but predominantly it is used to steal data or to give the attacker a foothold in your systems. Cyber criminals buy and sell malware (and access to already-compromised networks) on dark web marketplaces, while other groups write their own tools and distribute them themselves.
- Ransomware – Ransomware is one of the most frustrating cyber threats because it uses your own data against you. The criminal gains access to your systems, encrypts your files and locks you out of them. They then demand a ransom to restore access, usually with a deadline, and increasingly they also steal a copy of the data first and threaten to publish it on the dark web if you do not pay. Firms sometimes pay out of desperation. Our advice is not to: payment does not guarantee a working decryptor or that stolen data will be deleted, it marks you as an organisation willing to pay, and in some cases it may breach sanctions rules. Good, regularly tested offline backups are what actually get your data back.
- Phishing – Phishing is the most common cyber threat of all. The criminal uses an email (or, increasingly, a text message or phone call) as a disguised vessel for the attack, going to every effort to make it look important and official and usually implying it needs urgent attention. They are clever: they use emotive language and pressure tactics to rush you into acting before you think. Typically the criminal wants you, in your panic, to open an attachment that installs malware, to click a link that leads to a fake login page that harvests your password, or, in the worst case, to reply and hand over credentials or accept changed bank details so that client money is sent to them.
Education – Step 2
Now that your users are familiar with some of the most common cyber threats, they need to be educated on ways that they can defend your system against them. Let’s take a look at some education you can equip your team with to assist with this.
> Malware – Most know this already, but the less IT-literate must have it instilled into them that nothing online should be trusted by default. Criminals use strange emails and sudden alerts (as well as fake profiles and special offers that are too good to be true) to entice your employees into opening malicious files. As in the real world, if something looks too good to be true or does not seem quite right, there is usually a reason. Users should also understand that antivirus will not catch everything, so their own judgement is part of the defence.
> Ransomware – Your users must be taught to examine email attachments and links before opening them. Attachments remain one of the most common ways ransomware gets in, and once a malicious attachment is opened the infection can spread across shared drives and the wider network very quickly. Advise your teams to be especially cautious with Office documents, particularly Excel and Word files, that ask them to 'enable content' or 'enable macros': a macro is a script embedded in the document, and a malicious one will download and run the attacker's software without the user noticing. Other risky formats include executables, script files, shortcut (.lnk) files and disk images (.iso) sent as attachments. The checks are very similar to those for spotting phishing (more on this next). Because it is so easy to be caught out, your team needs to be vigilant at all times.
Most importantly, as stated above, do not pay the ransom. Anyone with access to funds must be told in advance that your policy is not to pay, and who to call instead. Cyber criminals are clever and deliberately create pressure so that you act impulsively; do not fall for the ruse, as the aim is to stop you thinking about how absurd the demand is. They could take your money, know you are capable of paying, and simply demand payment again and again.
> Phishing – Phishing cannot be blocked entirely by technology, so we teach people how to spot it. If an email rouses even slight suspicion, do not click 'reply' and do not use any phone number or link in the message itself: contact the sender through a channel you already trust, such as a new email to their known address or a phone number you have on file. That gives you confidence that you are talking to the genuine source. Your team should also be taught to pick apart the emails they receive: check that the sender's actual address (not just the display name) matches who they claim to be, hover over links to see where they really lead, and look for spelling and grammar mistakes. Poor grammar is a red flag, but its absence is not proof of legitimacy: well-written phishing is now common, so any unexpected request to click, log in or change bank details deserves a second look.
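The checks described above for phishing emails and for risky attachments (under Ransomware) can be written down as rules, which is useful both for training material and for a mailbox triage script. The following is an added example, not Datek's code or any product's: it parses a raw email with the Python standard library and reports the same red flags a trained user looks for. The sample message, every address and domain in it, and the attachment are constructed placeholders; `registered_domain` is a deliberately crude approximation (last two labels of a host name) and production code should use the public suffix list instead.

```python
"""Heuristic phishing triage of a raw email, using only the Python standard library."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "act now", "will be suspended")
# Attachment types that can run code when opened (Office macros, scripts, disk images, shortcuts).
RISKY_EXTENSIONS = {".xlsm", ".docm", ".xls", ".doc", ".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)

# Constructed sample message: every address, domain and attachment here is a placeholder.
SAMPLE_PHISH = b"""From: "accounts@client-firm.example" <billing@secure-payments-portal.example>
Reply-To: payments@mail-drop.example
To: cashier@law-practice.example
Subject: URGENT: completion funds must be sent within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please confirm the updated bank details immediately or the transaction will fail.</p>
<p>Review them here: <a href="http://client-firm.example.mail-drop.example/confirm">https://client-firm.example/portal</a></p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="Completion_Statement.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQA
--b1--
"""

class _Links(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    """Last two labels of a host name. Enough for this example; production code should
    use the public suffix list so that co.uk-style domains are compared correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url):
    url = url.strip()
    return urlparse(url if "://" in url else "http://" + url).hostname or ""

def phishing_flags(raw):
    """Return the human-readable red flags found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    from_dom = registered_domain(sender.domain) if sender else ""
    # 1. Replies routed to a different domain from the one the mail claims to come from.
    reply = msg["Reply-To"]
    if reply and reply.addresses and registered_domain(reply.addresses[0].domain) != from_dom:
        flags.append(f"Reply-To goes to {reply.addresses[0].domain}, not the From domain {from_dom}")
    # 2. Display name that looks like an address at another domain (what the user sees
    #    in the mail client versus the real sending address).
    if sender and "@" in sender.display_name:
        shown = registered_domain(sender.display_name.rsplit("@", 1)[1])
        if shown != from_dom:
            flags.append(f"Display name shows {shown} but the real address is at {from_dom}")
    # 3. Link text naming one site while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        links = _Links()
        links.feed(text)
        for shown, href in links.links:
            if URL_LIKE.match(shown) and registered_domain(host_of(shown)) != registered_domain(host_of(href)):
                flags.append(f"Link text {shown} actually goes to {host_of(href)}")
    # 4. Pressure wording in the subject or body.
    found = [p for p in URGENCY_PHRASES if p in (str(msg["Subject"] or "") + " " + text).lower()]
    if found:
        flags.append("Urgency wording: " + ", ".join(found))
    # 5. Attachments that can execute code when opened (macro-enabled Office files etc.).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and name[name.rfind("."):].lower() in RISKY_EXTENSIONS:
            flags.append(f"Attachment {name} can run code when opened")
    return flags

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_PHISH):
        print("-", flag)
```

Run against the sample, the script reports all five flags: a Reply-To at a third domain, a display name impersonating a client address, link text for one site hiding a link to another (note the lookalike subdomain trick, which only the registered-domain comparison catches), urgency wording, and a macro-enabled spreadsheet. None of these checks is conclusive on its own, which is exactly why users are taught to treat them as prompts to verify through a trusted channel rather than as proof.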
Education is arguably the most important factor in the cyber security of your organisation. Your workforce is the first and, by some way, the most important cyber defence you have. Teaching your team why cyber security matters, together with the methods they can use to spot attacks and help eradicate them, is integral if you want your technological landscape to be a secure one.
Do you need to assess the threats to your practice?
Are you nervous that the cyber security of your organisation is not up to scratch? Are you actively seeking a way of tackling the threats to your organisation? Perhaps you need to prepare for an SRA ‘Stress Test’, or are considering implementing Cyber Essentials Plus? Whatever the case, we are the strategically aligned IT partner for you. We pride ourselves in being the go-to IT company you need to prepare your defences against whatever cyber criminals have up their sleeve, and, with our extensive knowledge of the legal system and the compliance obligations you as a legal practice must adhere to daily, we are perfectly positioned to be the ideal partner for you.
Please don’t hesitate to get in contact with our team to learn more about us and what we can offer you going forward.
We're Datek Solutions
Since 1998 we have been managing IT support, solutions and strategy for a range of clients. We have won awards for our excellent customer service and pride ourselves on being transparent. What you see is what you get.
What makes us different? We don't use a one-size-fits-all approach. We get to know your business and everyone in it, what it needs and how we can support you to give the best solutions at the best possible prices.
Above all this, we are committed to keeping it simple for you. If there’s a solution that your company needs, or you already have and it’s essential we support it, we make sure we know everything there is to know about it.
Contact us on 01753 540000 or email us at contactus@datek.co.uk.