SPOTLIGHT ON
Continued from previous page Specops Software found on average just 29% of business sectors have initiated additional cyber security training. 94% of respondents claimed it was the responsibility of their company to keep them up to date with cyber security training, whilst 79% could not identify if they were hacked! To further complement the survey, Specops Software’s Cyber Security Expert Darren James has provided some expertise: 1. Why is it important for all employees to be trained? The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cyber security training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring to it via training at work, the less likely people in general will fall victim to these crimes.
2. Should companies integrate training on a regular basis and how often? Generally, it’s a good idea to provide basic training to everyone, and to all new employees, so everyone is at least on the same page. Then, it is a good idea to promote awareness through the use of a good password policy, and maybe when IT experience interactions with users e.g. service desk/desktop support etc. provide further reminders where appropriate. Some “high risk” users such as IT admins, HR and finance teams should have regular awareness training. 3. What can companies do to ensure training is kept up to date, especially now everyone is working from home? Working from home represents another challenge when providing training. You can send emails out or put something on an extranet/ intranet page, but let’s be honest not many people are going to willingly go and look. Try arranging a “working from home cyber security awareness" call if possible – whether it is per team, or with team managers who can then pass on key information. Please see the full research here: https://specopssoft.com/ blog/uk-business-sectors-lacking-cyber-security-training/ ■
Greater than ever need for law firms to remain cybersecure ■ Review of 40 reported cyberattacks across which £4 million stolen. ■ One in four firms had inadequate processes and controls ■ E xamples of good and poor practice common throughout With Covid-19 meaning huge numbers are now working remotely and carrying out both personal and business affairs online, a new report has highlighted the need for law firms to remain extra vigilant over the threat posed by cybercriminals. Published today, the Solicitors Regulation Authority’s (SRA’s) Cybercrime Thematic Review takes an in-depth look at 40 incidents of cybercrime reported by law firms to the regulator over a three-year period. While not all resulted in financial loss, the cases reviewed did collectively see more than £4million stolen by criminals. These figures do not include the wider impact and costs the crimes had on both law firms and their clients. The review, which considered incidents that occurred between 2016 and 2019, found that law firms and legal transactions were still a common target for cybercriminals. Two of the larger firms visited reported that they were targeted by hundreds of different cyberattacks every year. Most of the firms visited said they were aware of the dangers posed by cybercrime and felt that the most important factor in defending against it was the knowledge and behaviours of their staff. Despite this, the SRA still found that only around two-thirds of staff in the firms it visited claimed to be ‘knowledgeable’ about cybersecurity and IT issues, with some senior figures even unable to answer basic questions about terminology. Although human error was identified as their biggest risk, more than a quarter of firms visited did not have adequate 12 | The Bill of Middlesex
cybersecurity policies and controls in place, while a fifth did not provide specific training on IT and cybersecurity. Paul Philip, SRA Chief Executive, said: “It will be some time before the implications of the Covid-19 pandemic for the legal sector are fully understood, but we all know that millions more people than ever before are working from home, be they law firm employees or clients. That means the need for everyone to remain cybercrime vigilant has never been higher. Law firms should make sure that they have effective cyber security policies in place, and, crucially, that everyone in the firm understands and follows these day-to-day.” Good practice identified during the visits included the widespread use of anti-virus software, two-factor authentication for many sensitive interactions, regular backing up of data, and nearly a third of firms holding specific cybercrime insurance. However common incidences of worrying practice included: ■ More than half of firms allowed external USB sticks to be plugged into company devices ■ Two firms were using out-of-date Windows operating systems, with a further 16 using systems soon to become unsupported ■ Firms did not necessarily report/know when they had to report incidences of data theft to the Information Commissioner’s Office In April the SRA published dedicated Covid-19-themed cyber security advice and Q&As. The thematic review, published today, can be found here: www.sra.org.uk/sra/how-we-work/ reports/cyber-security/ ■
