Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/624538


We need to create an environment where all employees are conscious of their role in protecting firm and client data and of what they can do to be more secure. Here is a five-phase process to inspire that behavioral change.

PHASE ONE: SEEING THE POTENTIAL FOR CHANGE

Most users and organizations are under the dangerous illusion that "someone else" handles security, that their actions have no real impact, or that the challenge of cybersecurity is intractable. To change this, establish two key messages:

- Security can be meaningfully improved with the right behaviors.
- Users are the most critical security resource within the firm.

A simple and engaging way to do this is to create a weekly message populated with links to news reports covering security breaches, particularly where law firms are involved. Lead with a clear description of the event, including what went wrong. These stories will often revolve around a phishing attack, Web-delivered malware or an unsuspecting user being tricked into revealing his or her password. It will soon become evident to readers that even the most sophisticated breach usually begins with something simple and avoidable.

PHASE TWO: PROJECTING THE OUTCOME OF CHANGE

Attorneys and staff often resist the move to more secure practices because security is perceived as constraining or complicated. This causes new security technologies to go unused and user education to be forgotten as quickly as it is delivered. Paint a memorable picture of positive outcomes by showing the firm what success will look like. Start by talking about likely new measures and expected reductions in costs and hassle, and work with the firm to surface concerns or objections. Leverage your phase one process for security communications and include mock-ups of future reporting, projected trends and expected improvements. Phase two is all about illustrating meaningful outcomes before you detail new policies, technologies or requirements.
PHASE THREE: PREPARING THE FIRM FOR CHANGE

By now your audience should want to be better, either to avoid the types of stories they saw in phase one or to realize the benefits you touted in phase two. Now it is time to educate them on the specific tools and practices that will help them be more secure. Begin by positively reinforcing their new actions instead of hammering on what they cannot or should not do. For example, create a process through which employees can submit suspicious email messages or requests. This includes them in the security team and helps reduce the time it takes to identify a breach.

About the Author

Jack Danahy is the co-founder and CTO of Barkly Protects, which delivers protection against modern sophisticated attacks with unheard-of simplicity. He is a 25-year veteran of the security industry and has been the founder and CEO of two other successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009. He is a frequent speaker and writer on security issues and has received multiple patents for a variety of security technologies. Prior to founding Barkly, Jack was the director of advanced security for IBM and led the delivery of security services for IBM in North America. Contact him at jack@barkly.com.

Top 5 Misconceptions About Better Security

1. Better security takes too much time. Good security has been shown to be a net time-saver, as users do not experience accidental data losses or system cleanup delays. Breach response is an unexpected drain on time and resources.

2. Our firm is too small to be targeted. Hacking is a crime of both intent and opportunity. Automated tools, including scanners and attack kits, are often used to identify vulnerable systems selected at random by network address range.

3. Our IT department is on top of this. Even the best IT department will only be able to identify a breach after at least one machine has been compromised. Across all industries, the median time to discover a breach is 205 days, according to Mandiant's 2015 "M-Trends" report. IT's response does not mitigate a lack of attention by the rest of the firm.

4. Breaches are inevitable, so why bother? There is a difference between understanding that no security can be 100 percent bulletproof and deciding to passively accept the resulting chaos. Given the very mixed levels of security among organizations, attackers will move on to another victim if they find a target too tough to crack.

5. We do not know enough to move the needle. The most effective controls that firms can adopt are fairly simple. The sophisticated part of an attack usually comes in the second stage, after the initial compromise. Reducing the exploitability of the end user and the user's machine is a logical and effective process that any firm can adopt.
