The use of technology to deliver legal services has increased over recent years and with that comes the need for better cybersecurity. Heather Anson outlines how a cyber resolution for the New Year can help.
It used to be that if you had enough precautions in place, you would probably be safe from a cyber-attack, but that is no longer the case. The new reality is that we all need to think about what to do ‘when’ an attack happens and not ‘if’. This changes the focus slightly from prevention (still important) to mitigation (which is given little thought in some cases).
Implementing a no-blame culture
Although there are many things a legal business can do to help mitigate the damage of a cyber-attack, there is one very important measure that is strongly recommended by the Solicitors Regulation Authority (SRA) to meet compliance requirements – implementing and maintaining a ‘no-blame culture’. For a variety of reasons, this should be your primary ‘cyber resolution’ for the New Year.
Acknowledging human error
A no-blame culture is not only a great way to both prevent and mitigate cyber-attacks, it also reduces stress for staff, trainees and solicitors who shouldn’t feel that they might lose their job for accidentally clicking on the wrong link. Human error is one of the primary causes of cyber-attacks in the UK. According to a government survey, 83% of all reported attacks in 2021 were caused by phishing, and these breaches are not successful unless a human being clicks on a link. If human error is inevitable then we need to stop acting like it is worthy of blame, shame or censure.
There is also a widespread misconception that phishing emails can be easily avoided if people just use common sense. In training sessions and cyber audits when I ask, “How can you spot a phishing email?”, I am given very wide-ranging answers and nearly everyone believes they would be able to spot a phishing email. In one telling case a personal assistant for a partner in a large law firm said she only knew that an email sent to her from what appeared to be the partner was a scam because the partner said “please”, something he had never said to her in over a decade of working for him. The point being that, but for that very tiny detail, the email looked exactly like an email from the partner with the correct email address and footer included.
Reporting mistakes
Another reason the SRA wants firms to adopt a no-blame culture when it comes to cybersecurity is that it actually helps reduce both the occurrence and impact of cyber-attacks. If a staff member clicks on a link they suspect is from a phishing email, they should report it immediately – so that whatever harm the hacker intended can be minimised if not stopped completely. If you make it clear to all staff that reporting is strongly encouraged and won’t lead to blame or disciplinary action, you will avoid negative consequences such as the attack going unnoticed until it causes the intended damage.
Some phishing attacks can go completely unnoticed on systems without more sophisticated detection software, because the attacker's goal is to operate quietly on a system, using the time to gather data that can be sold and/or to spread to other systems until the attack reaches its ultimate destination. The sooner reporting happens, the less damage will be done.
Psychology of hacking
Another reason culture is important is psychology. Hackers are high-level experts in manipulating people to miss cyber-threats and the more stressed or vulnerable people are, the easier they are to trap. A recent example of this is the introduction of various government initiatives to help the public with the energy and cost of living crisis. Accessing various programmes or services was not straightforward for many people and provided an opportunity for fraudsters to take advantage by offering help. One tactic was to tell vulnerable people they were eligible for a particular benefit if they followed a particular link to verify their information. This may seem like an obvious con but when you are concerned about having to choose between heating your home or eating, you are at risk.
Similarly, the high-stress environment of many young legal professionals makes them a perfect target for phishing emails. In fast-paced work situations many don’t have time to analyse every email or text they receive that looks like it is from a legitimate source. The no-blame culture acknowledges this reality and removes a bit of the stress from an already stressful workplace.
Making this a cyber resolution for the New Year can help protect your firm from the inevitable ‘when’ of a cyber-attack. It will also make your workplaces a bit healthier, happier and more productive.