Social Engineering Attacks: Is Your Law Firm Safe?
By Doug Striker, CEO, Savvy Training & Consulting
According to Kevin Mitnick, infamous hacker and now world-renowned cyber security expert: “Your employees are the weak link in your IT Security. Social Engineering is the number one security threat to any organization. The alarming growth in sophisticated cyberattacks underscores the vulnerabilities modern organizations face. Numerous reports and white papers show U.S. organizations are exposed to massive increases in the number of cyberattacks over the past five years, with a current average of 138 successful attacks per week, up from 50 attacks per week five years ago. Your end users are the low hanging fruit for cyber criminals.”
Wait, back up. “Social Engineering is the number one security threat to any organization.”
What, then, is “social engineering?”
Putting it bluntly, social engineering attacks prey on your weakest link: your staff. Here is an example from DarkReading.com that we all know about:
Nigerian princes who send you emails asking for money don't generally turn out to be princes at all. But that doesn't stop people from falling for the scheme.
One of the most embarrassing examples in recent times occurred in 2007. Thomas Katona, the treasurer of Alcona County, Michigan embezzled roughly $1.25 million of the county's $4 million operating budget and paid at least some of it to a scammer. The county had little hope of recovering any of the stolen money.
Nigerian prince and "419" scams are definitely not a thing of the past. In 2013, according to recent research, such scams cost victims $12.7 billion worldwide; $82 million in the US alone. As the researchers explain, some of the worst victims of advance fee fraud scams experience something like an addiction, and some experience something akin to the Stockholm syndrome that kidnap victims suffer, defending their scammers, even though they only know them through e-mail communications.
And here’s another very familiar example from DarkReading.com that should have law firms thinking about their security:
In 2013, attackers lifted an unheard-of 40 million credit and debit cards from retail megachain Target's point-of-sale systems. Investigators suspect the attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning subcontractor Fazio Mechanical Services via a phishing email that included the Citadel Trojan.
Even if a retailer giant makes certain every one of its greeters is as well-trained in social engineering defense as they are in saying "welcome to Target," they aren't entirely safe from phishermen. Target served as a lesson to require better security from third-party contractors and to limit the network access those parties are provided.
If you think of your law firm as a third-party contractor to your clients, would you be able to prove that your systems will keep their classified information safe?
This blog is just the first in a series of articles that I am going to write about law firm security. As a partner with KnowBe4, the world’s most popular integrated Security Awareness Training and Simulated Phishing platform, I can help you prepare for and prevent the attacks that will undoubtedly come your way.
Based on Kevin Mitnick’s (mentioned above) 30+ year unique first-hand hacking experience, KnowBe4 provides the tools to better manage the urgent IT security problems of social engineering, spear phishing and ransomware attacks.
Stay tuned for more as I continue exploring this fascinating – and urgently important – security challenge.
If you’d like to chat further about social engineering attacks and how to protect your firm, don’t hesitate to call me or email me at: 303-800-5408 or Doug@savvytraining.com.
Savvy Training & Consulting works with leading companies and technologies to deliver the most up-to-date training solutions and curricula to law firms. Savvy recently unveiled an award-winning Learning Management System (LMS) for law firms, SavvyAcademyTM, which delivers scalable training capabilities, reportable data down to the individual user and 24/7 support, all for a fraction of the cost of traditional LMS services. For a free demo, click here.