Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Cybersecurity Training: An Imperative for Your Law Firm

March 30, 2021

It doesn’t matter what size your law firm is – you need to take cybersecurity training seriously. Since the pandemic struck and work-from-home became routine, the bad guys have been chalking up all kinds of victories in their attacks. Ransomware, in particular, has become a nemesis.

So it is very timely that SANS has published its 2021 Security Awareness Report: Managing Human Cyber Risk. The report analyzes data from more than 1,500 security awareness professionals around the globe.

While not limited to law firms, the report should speak loud and clear to them.

Over 75% of security awareness professionals spend less than half their time on security awareness, which usually means that it is only part of their job. The majority of people leading security awareness programs come from technical backgrounds (often IT/cybersecurity personnel) and frequently have trouble engaging their audience and explaining technical subjects in plain English. Fewer than 20% of respondents had a non-technical background.

The majority of security awareness professionals report to an Information Technology Director/Manager or a Chief Information Security Officer (CISO) or a Chief Security Officer (CSO). The average annual salary reported was $103,000.

Most respondents reported that they have moved away from a compliance focus and now are focused on promoting awareness and changing behavior. That’s a good step, but the SANS report suggests we need to move on toward long-term sustainment and culture change as part of a more mature program.

Who is most supportive of cybersecurity awareness programs? Usually departments such as Security, Information Technology, Human Resources, Audit and senior leadership.

Those most likely to be an impediment or, as the report calls them, “blockers” are the Operations and Finance departments. Finance holds the purse strings, so it is imperative that they understand the costs of data breaches, compliance failures and failure to meet client or vendor security requirements. Then they might loosen the purse strings!

Operations is sensitive to lost work hours, the politics surrounding mandatory training and the complexity of program operations. Getting them involved in planning cybersecurity awareness training may lessen their resistance. Having support from the law firm leadership is key – and also helps to build support among other departments.

The best line in the report is this one: “Never let a breach go to waste.” Amen to that. Data breaches are strong motivators and they provide real-life teaching tools. It’s also helpful to have your firm document all incidents that have happened in the last six months and how much they cost the firm. Use real-life examples from other law firms if you need to – no worries, there are plenty of those!

We are often hired to do cybersecurity training, partly as the “pros from Dover” and partly because we are professional speakers who can engage an audience and reduce complex subject matter to something that non-technical employees can understand. Bringing in outsiders has a couple of good side effects – the training seems more important when outsiders are brought in and it underscores the seriousness of the risks employees can present to their firms.

As we expect that we will continue to live in a partially work-from-home world, cybersecurity training becomes even more essential as the home environment needs to be secured – and the humans need to be aware of security dangers when working from home. Law firms should do cybersecurity training at least annually, but more often is better. Over time, it’s simply human nature that people forget some measure of what they were taught – refreshing and updating the content of training will keep the training “fresh” and the lessons will be “top of mind” for law firm employees.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson