Your Employees are Your Highest Security Threat

by Alexa Drago on January 9, 2018

By Doug Striker,

For those who follow cybercrime (and I do), it seems like the news lately has been filled with dire warnings and events. For good or bad, the Equifax security breach positioned cyber security at the top of everyone’s minds. Many people felt, for the first time ever, “Wow, this is affecting me now!”

In some ways, the same sort of wake-up call is occurring in the law firm industry where we are seeing more and more high-profile, global firms being taken down by cybercriminals. Those of us who have worked in and serve the small- to mid-size firms find ourselves thinking, “Wow. If firms with all those resources are vulnerable, how vulnerable am I?!”

The International Legal Technology Association recently published the 5th annual Study of the Legal Industry’s Information Security Practices report and it reveals just how concerned we really are. The stated goals of the annual survey are to “answer persistent and difficult questions such as:”

  • Is my organization in step with what my peers and others are doing with respect to the use of technology and services to thwart various information security threats?
  • Is my organization adequately staffed and trained to ensure the optimal level of security to defend against a potential security breach?

Here are some of the report highlights that I found revelatory:

  • Careless Employees ranked as the highest information security threat to organizations, with over 60% of respondents identifying this as their primary concern.
  • The threats deemed most concerning encompass 1) Employee Negligence, 2) Phishing/Vishing Attacks, 3) Remote Social Engineering and 4) External Hacker.
  • Organizations are performing services to combat employee negligence, with 65% performing Information Security Training for Employees. (This is down by 23% since last year, a concerning trend given that the root cause of many breaches is attributed to employee actions, such as falling for phishing scams or using weak passwords.)
  • Information security training practices reflect that the majority of firms conduct training infrequently, either once, at the time an employee is hired, or annually.
  • This training frequency is at odds with addressing the highest identified threat: employee negligence.
  • Even with the recognition of the importance of information security within law firms:
      o The majority of respondents (65%) report that they have no staff dedicated exclusively to Information Security.
  • Budget Allocation
      o Information Security (IS) budgets continue to be allocated as a part of the overall Information Technology budget.
      o 72% of respondents allocate 0 – 10% of the overall IT budget towards IS.

Good News: Security Awareness Training is Affordable and Effective

Are you taking the necessary precautions today to protect your firm from the next cyberattack? Criminals are becoming more sophisticated every day, constantly seeking ways to hack your network. No matter how many firewalls you’ve built, your biggest threat will always be that giant open door into your firm called “Email.” You need to teach your employees to recognize suspicious email so that they can be your first line of defense, instead of your weakest link.

For example, the KnowBe4 security awareness program was created by Kevin Mitnick, infamous hacker and now world-renowned security expert. The KnowBe4 platform starts with an education program that teaches your attorneys and staff how to recognize suspicious emails. Then, you can create simulated phishing emails that you send throughout your law firm. From the results, you know the types of emails that your employees need help recognizing as suspicious and the people who need extra training.

Here’s how it works:

  • Upload your users to the KnowBe4 system
  • Launch a baseline phishing test using any number of templates
  • Using the results from that phishing test, launch targeted trainings to help your employees be more discerning clickers
  • Every month or quarter, send out another phishing campaign
  • Track improvements down to individual users over time

This system is updated continuously with new phishing templates that you can use to phish your law firm, learning who is vulnerable to scams and who needs training.
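The tracking step above (a baseline test, periodic campaigns, and per-user follow-up) can be checked against the campaign exports a simulation platform produces. The following is an added example, not KnowBe4's code or anything from this post: it assumes a simple per-recipient record per campaign, constructs a few made-up results for three users, and reports the firm-wide click rate per campaign, the users who repeatedly clicked and therefore need targeted training, and the improvement from baseline to the latest campaign.

```python
from collections import defaultdict
from datetime import date

# Constructed sample results: one baseline campaign and two follow-up
# campaigns, recording per user whether they clicked the simulated link
# or reported the email. Names, dates and outcomes are made up.
RESULTS = [
    # (campaign, sent_on, user, clicked, reported)
    ("baseline", date(2018, 1, 10), "alice", True,  False),
    ("baseline", date(2018, 1, 10), "bob",   True,  False),
    ("baseline", date(2018, 1, 10), "carol", False, True),
    ("q1",       date(2018, 4, 10), "alice", False, True),
    ("q1",       date(2018, 4, 10), "bob",   True,  False),
    ("q1",       date(2018, 4, 10), "carol", False, True),
    ("q2",       date(2018, 7, 10), "alice", False, True),
    ("q2",       date(2018, 7, 10), "bob",   True,  False),
    ("q2",       date(2018, 7, 10), "carol", False, False),
]


def click_rate_by_campaign(results):
    """Return {campaign: fraction of recipients who clicked}, in send order."""
    sent, clicked = defaultdict(int), defaultdict(int)
    order = {}
    for campaign, sent_on, _user, did_click, _reported in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
        order[campaign] = sent_on
    return {c: clicked[c] / sent[c] for c in sorted(order, key=order.get)}


def users_needing_training(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns, i.e. the people
    the targeted-training step should pick up rather than the whole firm."""
    clicks = defaultdict(int)
    for _campaign, _sent_on, user, did_click, _reported in results:
        clicks[user] += int(did_click)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def improvement(results):
    """Percentage-point drop in click rate from baseline to the latest campaign."""
    rates = list(click_rate_by_campaign(results).values())
    return round((rates[0] - rates[-1]) * 100, 1)


if __name__ == "__main__":
    print(click_rate_by_campaign(RESULTS))   # firm-wide trend per campaign
    print(users_needing_training(RESULTS))   # who to enrol in extra training
    print(improvement(RESULTS))              # percentage points gained
```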

Are you worried that you might click on a phishing scam? Do some quick research into “security awareness training,” and you’ll find many resources to help.


Doug Striker is Chief Executive Officer (CEO) of Savvy Training & Consulting, a provider of legal software training solutions. As a former Chief Operating Officer of a prominent law firm, he specializes in helping firms acquire the software platforms they need, training staff for maximum workflow efficiency, and enhancing continuity and bottom-line results. 
