For several years now, my colleagues and I have been traveling and consulting with Law Firms around this globe of ours to assist them in effectively implementing a Security Awareness Program that targets and addresses the People side of security. It has become a well-documented fact that people are the primary target of those that want to gain access to the information that we in law firms have the privilege to handle. People are our greatest asset and our biggest vector of risk, regardless of their role or station in the firm.
We help strategize from the top down how to immerse the firm in constant dialog around our individual and personal responsibilities to be informed of the risk in a world where law firms are an increasing target. Sometimes those threats come from the outside. Other times the risk is simply in our understanding of the proper way to safeguard that with which we have been entrusted. It takes planning, commitment, and a "village style" approach to keep the message front of mind and part of the regular discourse in our daily activities at law firms.
The Burning Question…
But does it work? Does it really make a difference? Can a heightened awareness of security issues actually change a person's behavior and help protect the firm? I'm here to tell you YES! And it's a story that is close to home for me. Very close. It is about my wife and how she made a difference at her firm.
How the Story began…
First, let me set the stage. My wife is a real gift to me. As I have been researching, studying, consulting, and digging into the topic of security awareness in law firms, my wife has been along for the ride. When she would ask me about my day, she listened (patiently I might add) as I recounted story after story of issues, threats, risks, and the many ways that people have been the target or the cause of serious security issues in firms. My wife's firm does not have a Security Awareness program in place, but she certainly has a heightened security awareness because of all of the conversations we've had. Now, how did that make a difference?
My wife came into her office one afternoon after being out at meetings all morning and found something strange. She noticed peculiar additional files associated with other files in her firm's network share. This was not normal. She immediately called to ask if this is something they should be concerned about. The answer was a resounding YES! Her firm had been hit with a particular type of malware called RANSOMWARE and it was making its way through all of the files on this file server encrypting each one …folder by folder …file by file. Her call alerted the right people who stopped the attack.
More to the story…
The ransomware entered her firm via one person's actions when following a link in an email earlier that day. It had navigated from that one machine to other servers and was doing it's evil work. It would have gotten to the main production servers had my wife not made that call.
The person who introduced the infection in the firm thought something was weird and tried to address it on their own. Finally, they didn't think much of it and left early for the day with the machine still on. IF they knew the risks and what steps to follow, this might have been isolated to only one machine and not placed the firm in harm's way.
Oh there's more! Others in the firm noticed something strange but did and said nothing. Why? Because it did not directly impact what they were doing at the time (so they thought) and they believed it was someone else's responsibility to deal with it.
One person, my wife, with a heightened sense of security awareness, placed a call because she noticed something strange and saved the firm from significant loss and cost. Did she know what it was? No. Did she understand what Ransomware is and what it does? No. But she knew something was off and made a huge difference at this organization.
Moral of the story:
Security is EVERYONE'S job AND Security Awareness can make a difference! One person with an awareness of security concerns made a big impact on her firm's bottom line and client needs. I'm quite proud of her for that. Keeping security topics in front of people so that it is a regular part of the conversation and part of the culture of your firm really can change a person's behavior. Does everyone need to be a security expert? No. Does the program need to be so invasive that it takes away from people's ability to get their work done? No. BUT it does need to be there and it can make a difference.
NOTE: You'll be happy to know that my wife's firm has now received Security Awareness consulting and is making security awareness a part of the norm now.
Let's make National Cyber Security Awareness Month the norm every month. As my colleague, Julia Montgomery, stated in her blog last week about an effective information security program, "(it) has many moving parts and requires planning, resources, and commitment." She also stated quite powerfully in that same blog, "Information without action isn’t valuable." Let us help you get your program started or reinvigorated and effective.
One person can make a difference! You are that one person!