New Law Journal article entitled ‘Building a cyber defence strategy for your firm’.
Firms large and small continue to debate how to improve their cyber security awareness. Some, through their GDPR compliance, are making good progress, but few seem able or willing to grapple with the number one cause of cyber crime: human error.
As office technology becomes the driving force behind firms of all sizes, the need to protect it from cyber attack grows. A data loss incident, phishing fraud or ransomware attack is an unwelcome prospect, each with the potential to do untold damage to client relations and to attract heavy fines.
Whilst some say they understand the risks, most find it almost impossible to decide what to do, often because of the impenetrable language used by security software vendors to describe their services, not to mention all the acronyms!
The human factor
The need for strong firewalls, anti-malware software and operating system patching is now understood; the big issue continues to be the human factor. It is estimated that less than 1% of attacks are now targeted at IT system vulnerabilities, with staff curiosity and trusting nature being the cyber criminal’s weapon of choice.
Phishing fraud remains the number one threat to firms, with some of the biggest frauds succeeding with no more than a simple email instruction, without any attachments or embedded links. All you need to do, it seems, is write a convincing email. Add to this the growing volume of content published on social media accounts by private individuals and firms, and it is relatively easy to piece together profiles through which to steal personal data, passwords, identities, cloud system logins and bank details.
Cyber security awareness
Cyber crime is never the result of something that could not be prevented. Whilst firms put the necessary guards in place on their IT systems, software and cloud servers, the desire for effective cyber security awareness training for their employees keeps growing. Many training programmes are off site, infrequent, complicated, difficult to run and generally ineffective. Firms are desperately seeking something different that will actually help stop a cyber attack.
The emergence of online, at-your-desk style training is seen as one credible solution. Many of these training programmes are designed as a series of short sessions of interesting and varied tasks for each employee to learn, with each employee set their own particular level of training according to their risk profile. Those on reception desk duties are likely to be a far lower risk than, say, the accounts department. By applying training that is relevant, varied and interesting, employees remain engaged and keen to learn.
Lessons are deliberately designed to be very short, from 1 to 5 minutes, covering such topics as email, mobile devices, passwords and accounts, PC security, protecting confidential data, social networks and messengers, and web browsing. Drawing on the experiences of some of the biggest brands in cyber security, each training module is designed to adopt repeat-and-reinforce learning techniques, based on the theory that the more often you are exposed to the same information, the more likely you are to remember it.
Cyber defence strategy
Defending firms against these threats requires a smart mix of IT hardware and software, management commitment, staff training, ‘Cyber Essentials’ type system controls, and insurance. It is worth noting that the Law Society has now incorporated Cyber Essentials certification as a requirement for firms signed up to its Lexcel Standard. A cyber defence package like this makes firms a far harder target for cyber criminals.
If, as some commentators are predicting, there is a huge growth in cyber litigation, firms will need to start practising their own good cyber security awareness when pursuing such cases.
For further information about designing a cyber defence strategy
Phone: 01342 301325