SC Insights | Four reasons why it’s essential to take a people focused view of cyber risk in today’s legal landscape: part ii

Leaders rated the level of cyber threat against their organisations as an average 7 (1 being ‘negligible’, 10 ‘extremely high’) in the Legal IT Landscapes 2021 poll on information security.

In part two of this series, we focus on law firms’ people and how the human factor influences a firm’s cyber risk level.

LawCare recently released Life in the Law – a new body of research into wellbeing in the profession, conducted from October 2020 – January 2021, reporting major causes for concern relating to cases of burnout and mental ill-health amongst lawyers. So what does this mean as law firms scrabble to adopt digital transformation and proactive measures to protect the information they handle every day?

Human vulnerabilities represent a huge risk factor for any organisation. Poor overall wellbeing only makes the situation worse, and here’s why.

  1. Phishing attacks rely on hard-wired human behaviours to succeed

Research published by Tessian reveals that phishing sites registered by Google from 19 January 2020 to 17 January 2021 increased by 27%, from 1,690,000 to 2,145,013. The phishing threat is also blowing malware sites out of the water – a comparatively low 28,803 sites were registered by Google at the start of this year.

The most damaging and the most widespread threat facing small businesses are phishing attacks, accounting for 90% of all data breaches. [source]

Social engineering tactics used to trick people into acting on malicious emails (not forgetting SMS messages and voice calls) will only continue to succeed in environments where people are, among other things, under significant pressure and just trying to get their job done. Without a moment to think twice, your people are less likely to notice the details that could indicate something’s not right. CEO fraud scams, in which a criminal impersonates a CEO or senior member of the team to manipulate colleagues into disclosing confidential or sensitive (mostly financial) information, are also on the up – who’s going to question a request from the boss, even if it is littered with mistakes?

Lost data, compromise of credentials or accounts, ransomware and malware infections, financial losses. If successful, phishing attacks cause extensive disruption that inevitably comes with a cost. A holistic approach including people, process and technology is essential to achieving maximum protection.

  2. A fatigued workforce is most likely to fall for a scam

LawCare’s report doesn’t only highlight stress levels experienced by lawyers; it also reveals that the stigma surrounding conversations about mental health means many people hide their symptoms of poor health and wellbeing. The global population is experiencing fatigue in every shape and form as we learn to live with the Covid-19 risk and re-emerge from wherever we’ve been confined to live, work and school for nearly two years. Hiding symptoms of work-related burnout is fatiguing in itself, so we’re facing a vicious cycle that must not be ignored when we’re talking about security risk.

Staying alert to the signs of fraud relies not only on effective and frequent cyber security awareness and education; a well workforce represents a much stronger defence against the most common cyber threats than a distracted, anxious one.

“In terms of working demands, 28% agreed or strongly agreed that their work required them to be available to clients 24/7, while 65% said they checked emails outside of work hours to keep up with their workload.” (Life in the Law, September 2021, LawCare)

Needless to say, workplace cultures that encourage unhealthy levels of connectivity are simply inviting threats like phishing that prey on human emotions and behaviours. An urgent request out of hours sent from a mobile device no longer raises the alarm when logging on round the clock has become the norm. People managing high stress levels and multiple priorities will be inclined to make poorer decisions, and be less able to think rationally (and that’s just neuroscience), leaving them much more likely to fall foul of an attempt to steal valuable and sensitive company, client or colleague data. 

  3. A burnt out workforce opens the door to greater risk of a security incident

Societal transitions like those we’re experiencing now are reflected everywhere we turn, including increases in staff turnover regardless of sector or industry. Simply because we’re human, our guard against suspicious or unfamiliar activity is naturally lower as we welcome new colleagues through the door and bid farewell to those moving on.

For example, distinguishing who to trust is more difficult as new names join a firm, and people’s instinct to be helpful and share access to information carries a high risk of being exploited somewhere along the line. Plus, your information assets may well be walking out the door along with any leavers (especially where stress or burnout have contributed to their decision).

  4. Cybercriminals love research, too

News that lawyers represent a particularly vulnerable group won’t have gone unnoticed by cybercriminals looking for their next easy target. 

“The experience of living and working through a global pandemic has had a profound effect on us all and presents an opportunity like no other to reimagine the future and make it happen.” (Elizabeth Rimmer, CEO of LawCare)

Operating on the precipice of new ways of working, new perspectives on what it means to be productive, and long-awaited board-level appetite not just to realise digital adoption, but to prioritise cyber security as a business imperative – today really is the time to seize the shift away from traditional pre-pandemic norms and implement better practices that encompass people, process and technology for a brighter, healthier future.