A discussion of the threat that social engineering (aka the "human side of hacking") poses to law firms, and some tips and practical guidelines to reduce its effectiveness. What follows is an excerpt:
The great news is that law firms have readily available steps to dramatically reduce the effectiveness of social engineering ploys, and they do not require Mission Impossible technology. Social engineering is all about exploiting gaps in humans’ knowledge and awareness.
Law firms investing in cyber social engineering awareness training and regular training of the firm’s employees, contractors and even clients will create a powerful first line of defense against this method of attack and remove the bad guys’ most effective weapon.
The four top methods of social engineering include phishing (email), vishing (phone), smishing (texting) and impersonation (face-to-face). Each method utilizes unique tactics to create trust and authenticity in the ultimate communication used to defraud the recipient.
The more repetition there is of personalized, detailed or highly focused communications, the higher the rate of success there will be in convincing the recipient to let down her defenses and click on, open or run malignant communications. Combining these different methods, sometimes even acknowledging the individual’s security training within the communication itself, can produce great results for the hacker.
Training and Testing
Training needs to provide tools to help employees validate the bona fides of the sender of an electronic communication regardless of the method of communication used. Providing varied examples of how social engineering attacks may occur will also get employees thinking outside the standard security box.
Often, attackers play on an individual’s weakness, susceptibility and curiosity. An email impersonating someone from human resources or finance, carrying a malicious attachment and a single sentence such as “Bill, do you really think these expenses should be approved?”, will get hits almost every time.
The same applies to wire fraud. After monitoring news accounts and press releases and performing other “due diligence” on an unsuspecting employee, such as a company bookkeeper, the attacker sends him feigned wire instructions just as a transaction is about to close, indicating that payment must be made by a certain time for the deal to go through. This often works like a charm and results in payment being made to the bad guy. Role playing or gaming in employee training will make individuals more aware of their susceptibility to such ruses.
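The sender-validation problem described above can be partly automated as a triage step that runs before a message ever reaches the bookkeeper. The following is an added example, not code from the original article or its authors: it parses a raw email and flags the indicators that the impersonation and wire-instruction scenarios share (a display name that does not match the staff directory, a lookalike sender domain, a Reply-To pointing elsewhere, an executable attachment, and urgency language). The firm domain `examplefirm.com`, the `KNOWN_STAFF` directory and both sample messages are constructed assumptions for the example.

```python
"""Added example (not from the original article): flag the sender-authenticity
problems the article describes, applied to constructed sample messages."""
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the firm's own mail domain and who legitimately
# sends finance/HR mail. A real deployment would load these from a directory.
FIRM_DOMAIN = "examplefirm.com"
KNOWN_STAFF = {"Jane Doe": "jane.doe@examplefirm.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".vbs", ".iso", ".lnk")
URGENCY_PHRASES = ("immediately", "urgent", "before close", "today", "wire")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted: str = FIRM_DOMAIN) -> bool:
    """True when domain is not the trusted one but is a near-spelling of it:
    examplefirm-llp.com, examplefirm.co and examplefirn.com all count."""
    if not domain or domain == trusted:
        return False
    label, base = domain.split(".")[0], trusted.split(".")[0]
    return label.startswith(base) or _edit_distance(label, base) <= 1


def _plain_text(msg) -> str:
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    # 1. Display name claims to be a known colleague but the address differs.
    if name in KNOWN_STAFF and KNOWN_STAFF[name].lower() != addr.lower():
        findings.append(f"display name '{name}' does not match directory address {KNOWN_STAFF[name]}")
    # 2. Sender domain imitates the firm's domain.
    if lookalike_domain(sender_domain):
        findings.append(f"sender domain '{sender_domain}' looks like {FIRM_DOMAIN}")
    # 3. Replies would go somewhere other than where the mail claims to come from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != sender_domain:
        findings.append(f"Reply-To domain '{_domain(reply)}' differs from From domain")
    # 4. Attachment with an executable extension (double extensions included).
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment '{filename}'")
    # 5. Pressure to act quickly, the hallmark of the wire-instruction ruse.
    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"urgency language: {', '.join(hits)}")
    return findings


# Constructed sample: the HR/finance impersonation with a disguised attachment.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@examplefirm-llp.com>
Reply-To: accounts@mail-relay.example.net
To: bill@examplefirm.com
Subject: Expenses
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bill, do you really think these expenses should be approved? Needs sign-off today.
--b1
Content-Type: application/octet-stream; name="expenses.pdf.exe"
Content-Disposition: attachment; filename="expenses.pdf.exe"

AAAA
--b1--
"""

# Constructed sample: an ordinary internal message that should pass cleanly.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@examplefirm.com>
To: bill@examplefirm.com
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(label, triage(raw) or "no indicators")
```

None of these checks is proof of fraud on its own; the value is that a message hitting several of them at once is routed to a person for out-of-band confirmation (a phone call to the colleague or client on a number already on file) before any attachment is opened or any payment is released.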
In addition to social engineering training, which is your last line of defense, do not forget to do regular real-world testing. Bring in security professionals who understand up-to-date social engineering artifices to challenge your investment in “behavior modification” training of your employees, and hopefully to validate it and improve your security system.
Empowering your law firm’s employees with such cyber fighting skills also can be a huge morale boost transforming them from victims to warriors in the battle to protect confidential client and law firm information. Building a training and awareness environment which seeks to keep this knowledge and awareness fresh, relevant, frequent and varied in its means of delivery will make it effective.
Contact us at 561.969.1616 so we can assist you and your staff stay protected against social engineering threats.