Here at Traveling Coaches, when we talk to law firms about information security education for their employees, we tell them: policies are just the beginning. As we kick off National Cyber Security Awareness Month, that statement is a reminder to us all that an effective information security program, one that engages employees and educates and motivates them to change their behavior, has many moving parts and requires planning, resources, and commitment. But where are we focusing those resources? Are we committed to all the necessary pieces of an effective program, or is there work to be done to balance our focus?
I attended ILTA’s LegalSEC event in June and was struck by the message in the terrific keynote delivered by Steve Surdu of Mandiant. In his presentation, Mr. Surdu shared what he views as the five most effective strategies for mitigating an organization’s risk of information security incidents. Three of the five focused on people: educate your employees; shift from a posture that treats education as a compliance measure to one that treats it as a means of behavior change; and focus on your people and the processes they use every day to get their work done. Yet many firms continue to focus their efforts on systems and tools and treat employee education as an annual compliance exercise.
Educating employees about information security, and about the behaviors that protect our data and our clients’ data, isn’t an annual event. To have real impact, information security education must be part of daily life in law firms. The way we talk about our work must bring an information security perspective to bear, and the way we perform tasks must take risk mitigation into account. Information security is one of the most pressing challenges facing law firms today, and it isn’t going away anytime soon.
It’s common for firms to invest in intrusion prevention and detection for their systems to keep their networks safe. But according to ILTA’s 2014 Technology Survey, 90% of law firms do not conduct phishing or social engineering testing with their employees, even though we know phishing attacks have increased and become more sophisticated, and even though a recent study released by Verizon found that lawyers were more likely than other professionals to open phishing messages.
But even for those firms that are testing their employees, is testing alone enough? Testing employees for compliance purposes is still just compliance. What did you do with the results of those tests? Did you share them with your employees? In light of the results, what course corrections do you need to make in your education and communication efforts? Information without action isn’t valuable.
Similarly, deploying policies is important, but it isn’t enough to protect data. Changing your password policy to require a minimum of 12 alphanumeric characters is great, but it’s just the first step. You must then communicate the reasons behind the change and provide practical education for employees: how to create strong passphrases, how to use multi-factor authentication tools, or guidance on using a password manager. Without education, policies and tools fall flat and behaviors go unchanged.
Change management research tells us that a message has to be shared between five and seven times before it takes hold and people begin to understand that we’re asking them to change their behavior. We believe information security is an ongoing dialog. It’s critical to understand how employees use systems on a daily basis so you can spot an anomaly when one occurs; it’s hard to spot the abnormal if you don’t know what normal looks like. Talking to employees about the processes they use to perform their work is a great way to begin that dialog, so that information security stays top of mind for them as they go about their daily work. Employees who understand the issue think about their behavior and ask questions. They work smarter.
We think National Cyber Security Awareness Month is a great time to begin, or renew, your efforts to engage employees on this subject. Each week this month we’ll be sharing a blog post to help spark ideas for engaging the employees who can be the most effective weapon in your arsenal when it comes to information security. Come back and check us out each week this month, and let us hear from you: how are you engaging employees in your firm? What creative ways are you finding to make information security an ongoing dialog in your firm rather than an annual “check the box” compliance exercise? Because policies are just the beginning…