If you’ve ever received an email from a foreign prince asking for your help to park his money in the United States in return for making you rich, then you’ve been the target of a social engineering attack. In the many years since this entrepreneurial prince started sending emails, these attacks have become much more sophisticated. Law firms are major targets of these schemes.
Why are hackers interested in law firms? They’re targeting the money that law firms administer, manipulating individuals into divulging confidential or personal information. They’re also good at it.
Social engineering attacks occur in several ways: via email, in person, by phone and, more recently, via text messaging. In each instance, hackers try to supply enough detail or personal information to convince the recipient that it is safe to share the information or take the action requested. Most often, at least via email and text, the hacker impersonates someone the recipient knows or would otherwise trust. By phone and in person, they often pose as authority figures or as parties to a transaction, and again present enough information to make the situation appear legitimate.
Start with Training
Your best defense against the myriad social engineering schemes is to train your staff on what to look for and how to handle these schemes when they are discovered. Conducting this training under the guidance of a skilled cyber security firm or a well-trained information technology professional can drastically reduce a law firm’s susceptibility to a social engineering attack. From examining full email addresses (not just the display name) and looking for spelling and grammar errors, to following firm-prescribed verification procedures, an ounce of training can save the firm thousands of dollars.
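As an added illustration of the “examine the full email address” training point (this is example code written for this article, not something the page or any firm supplies), the Python function below takes the raw value of a From: header and flags three things staff are trained to notice: a display name that shows a different address than the real sender, a look-alike of the firm’s own domain, and the firm’s domain name buried inside a longer, unrelated domain. The firm domain, the confusable-character table and the sample headers are constructed assumptions for the example.

```python
import re

# Hypothetical firm domain (constructed for this example, not a real firm).
TRUSTED_DOMAINS = {"example-law-firm.test"}

# Substitutions that make one domain look like another at a glance
# (constructed list; deliberately not exhaustive).
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# "Display Name <local@domain>" form; anything else is treated as a bare address.
_ANGLE_FORM = re.compile(r"^\s*(.*?)\s*<\s*([^<>\s]+)\s*>\s*$")


def split_from_header(header: str):
    """Split a From: header value into (display name, real address)."""
    m = _ANGLE_FORM.match(header)
    if m:
        return m.group(1).strip('"'), m.group(2)
    return "", header.strip()


def normalize_domain(domain: str) -> str:
    """Collapse common look-alike substitutions so visually similar domains compare equal."""
    d = domain.lower().translate(_CONFUSABLE_CHARS)
    for pair, single in _CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d


def check_from_header(header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return warning codes for a From: header; an empty list means none of
    these checks fired, which is not proof the message is genuine."""
    display, addr = split_from_header(header)
    if "@" not in addr:
        return ["unparsable-address"]
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    findings = []

    # 1. The display name carries an address whose domain differs from the
    #    real sender's; many mail clients show only the display name.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != domain:
        findings.append("display-address-mismatch")

    if domain in trusted:
        return findings

    for t in trusted:
        # 2. Look-alike domain: identical once confusable characters are normalized.
        if normalize_domain(domain) == normalize_domain(t):
            findings.append(f"lookalike-domain:{t}")
        # 3. The trusted name is embedded in a longer, unrelated domain.
        elif t in domain:
            findings.append(f"embedded-trusted-domain:{t}")
    return findings


# Constructed sample headers of the kind used in awareness training.
SAMPLE_HEADERS = [
    "Jane Partner <jane.partner@example-law-firm.test>",
    "Jane Partner <jane.partner@examp1e-law-firm.test>",
    "jane.partner@example-law-firm.test <billing-update@mail.example>",
    "IT Help Desk <help@example-law-firm.test.secure-login.example>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r}: {check_from_header(h) or 'no warnings'}")
```

Checks like these belong in training as examples of what to look at, not as a substitute for the firm’s verification procedure: a header that raises no warning can still come from a compromised but genuine account, so any request to move money or share confidential data is still confirmed through the out-of-band channel the policy prescribes.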
Conduct Your Own Hack-a-Thon
Hiring a reputable cyber security company to test for vulnerabilities is a great way to get buy-in from all firm stakeholders. Many of these companies will conduct a mock attack at the request of management. Once completed, they present their work to appropriate managers and firm leadership. As partners, associates and staff see firsthand how easily hackers might manipulate them into putting the firm at risk, everyone is typically eager to receive training and not end up as “the one” who facilitated a hack.
Create a Cyber Security Policy
Working with your IT team, human resources representative and insurance provider, your firm should have its own cyber security policy. This policy should clearly state the types of cyber risks, including social engineering, that are of concern and spell out what steps members of the firm should take if they suspect an attack. These steps should include response strategies for digital, telephonic and in-person social engineering attacks. Your cyber policy must also document who at the firm is authorized to conduct financial transfers and the procedure for verifying any such transfer request, among other details.
Finally, your cyber policy should include recommendations to reduce employee risk of being a target. This should include cautions about providing contact information online, how much work-related detail they should or shouldn’t share on social media and what work-related information can and cannot be shared outside of the firm’s secure network and devices.
Know Your Risk
Social engineering attacks are frequent and severe. As a result, finding insurance coverage with high limits has become harder than ever. Only firms operating best-in-class controls are able to secure coverage.
Speak with your insurance agent or broker today to find out if you have the appropriate level of cyber risk insurance coverage you need, and what steps you should be taking to secure this coverage if you don’t already have it.