
Why Failing to Provide Mandatory Security Awareness Training is a Huge Misstep

I will admit that, at times and with topics such as cyber security, I can come across as overbearing to some and as a fearmonger to others. Speaking honestly, however, I never try to come across that way. Cybersecurity is simply a topic I am passionate about. Whenever I speak or write on this topic, my purpose is to do all that I can to help others avoid becoming yet another victim of cybercrime.

I share this because I really do get it. When I think about my own efforts to keep our home network secure and our personal information private, all I can say is that it seems like an exercise in futility. There really are days when I just want to say the heck with it and stop even trying. I don’t know if it’s a blessing or a curse, but when those days hit, for whatever reason, I get angry. You see, I take it personally. The fact that all sorts of bad actors out there want to steal my identity, my money, my passwords, and so on really ticks me off. The reality is that I’m not okay with that, and this is where my motivation to fight back in whatever way I can comes from. It’s what keeps me going. Hopefully keeping all this in mind will allow you to hear my message.

In recent years, I have come to realize the true value of mandatory ongoing security awareness training in every business regardless of size, even solo practices. Truth be told, my wife and I often talk about cyber security. I share breach stories, explain how specific types of malware work, and show her real-world examples of phishing emails and smishing texts. While it’s one of the ways she is able to enter my work world, as a victim of a cybercrime herself, she is also well aware of the true purpose behind and value of these conversations. So, you see, even in my personal life, I walk the talk, because this is one of the ways I learn as well.

Now, to the topic of this post, the purpose of which is to explain one of the many reasons why I believe that failing to provide mandatory ongoing security awareness training to every lawyer and staff member who works at a firm is a huge misstep. I’m going to ask you to trust me when I say that we humans are the weak link when it comes to cyber security, and it’s all about the art of social engineering. One of my favorite cyber security lines is “amateurs hack systems, professionals hack humans,” because it speaks to the truth. And since humans can’t be patched and upgraded the way computers can, all we can do is educate them. Unfortunately, such efforts are often perfunctory, short-lived, or never even make it off the “to do” list.

Here’s the problem with not following through on training. If it hasn’t already happened, at some point someone, maybe even you, will be tricked into doing something that allows malware to be installed on your firm’s network. It might be clicking on a malicious link, opening an infected attachment, or logging on to a spoofed website, just for starters. Very sophisticated social engineering attacks have been, and will remain for the foreseeable future, the preferred attack vector because they are so darn effective at getting people to lower their shields when it comes to the actions they take while online.

The interesting question for me is this: what risks do we all face if our own online actions come up short? Allow me to share a few, and I truly mean a few, examples of common types of malware that attackers are trying to trick you into installing on your network and/or any device that touches your network.

  • Malicious Bots – A bot is a software application that is typically used to perform simple repetitive tasks much faster than any human ever could. Malicious bots give an attacker control of your computer, often for the purpose of incorporating your computer into a botnet, which is a much larger network of computers infected with bots. Botnets are often used to launch massive attacks on other computer networks or to send out vast amounts of spam email. Malicious bots can also be updated remotely, giving the attacker the ability to change the bot’s functionality at any time.
  • Ransomware – A type of malware that uses encryption to permanently block access to the victim’s data and/or enables the attacker to steal the victim’s data and then threaten to publish it unless a ransom is paid.
  • Wiperware – A malicious program whose sole purpose is to destroy all computer files by wiping (digitally erasing) the hard drive of every computer it infects. Wipers typically have three targets: files, the boot section of the operating system, and backups. In short, these programs are highly destructive.
  • Keylogger – A program that records every keystroke made by a computer user and then sends that information to the attacker. Its purpose is to allow the attacker to obtain as much confidential information as possible, including passwords.
  • Remote Access Trojan (RAT) – A program attackers use to take complete control of a victim’s computer for the purpose of performing any number of malicious activities, including potentially activating a webcam without turning on the active camera light. RATs can reside on systems for extended periods of time before being detected and can be extremely difficult to remove successfully. They operate in a stealth mode and are quite difficult for antivirus programs to identify.
  • Banking Trojan – Disguised as a legitimate application so that victims will willingly download and install it on their computers or mobile devices, a banking trojan is actually a malicious program that seeks to capture information that will allow the attacker to gain access to a victim’s banking and investment accounts.

Perhaps now you have a sense of why I get angry and want to do all I can to fight back. More importantly, however, I hope you can begin to understand why I believe that failing to provide mandatory ongoing security awareness training to everyone who works at a firm, regardless of firm size, is a huge misstep. It’s because being hit with any of the above malware examples will prove to be more than a minor inconvenience. For some, such an attack may sound the death knell for the firm. With so much at stake, why risk it? If security awareness training isn’t currently in play, it’s time to make it a high-priority item, because the pros are out to hack your human assets and, like it or not, education is the only way to counter that.


Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.
