Fall 2022 Gavel | Page 14

Why Failing to Provide Mandatory Security Awareness Training is a Huge Misstep

Disclaimer: ALPS presents this publication or document as general information only. While ALPS strives to provide accurate information, ALPS expressly disclaims any guarantee or assurance that this publication or document is complete or accurate. Therefore, in providing this publication or document, ALPS expressly disclaims any warranty of any kind, whether express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
Further, by making this publication or document available, ALPS is not rendering legal or other professional advice or services, and this publication or document should not be relied upon as a substitute for such legal or other professional advice or services. ALPS warns that this publication or document should not be used or relied upon as a basis for any decision or action that may affect your professional practice, business or personal affairs. Instead, ALPS highly recommends that you consult an attorney or other professional before making any decisions regarding the subject matter of this publication or document. ALPS Corporation and its subsidiaries, affiliates and related entities shall not be responsible for any loss or damage sustained by any person who uses or relies upon the publication or document presented herein.
By Mark Bassingthwaighte
I will admit that, at times and with topics such as cybersecurity, I can come across as overbearing to some and as a fearmonger to others. Speaking honestly, however, I never try to come across that way. Cybersecurity is simply a topic I am passionate about. Whenever I speak or write on this topic, my purpose is to do all that I can to help others avoid becoming yet another victim of a cybercrime.
I share this because I really do get it. Thinking about my own efforts to keep our home network secure and our personal information private, all I can say is that it seems like an effort in futility. There really are days when I just want to say the heck with it and stop even trying. I don't know if it's a blessing or a curse, but when those days hit, for whatever reason, I get angry. You see, I take it personally. The fact that all sorts of bad actors out there want to steal my identity, my money, my passwords, and the list goes on, really ticks me off. The reality is, I'm not good with that, and this is where my motivation to fight back in whatever way I can comes from. It's what keeps me going. Hopefully keeping all this in mind will allow you to hear my message.
In recent years, I have come to realize the true value of mandatory ongoing security awareness training in every business regardless of size, even solo practices. Truth be told, my wife and I often talk about cybersecurity. I will share breach stories, explain how specific types of malware work, and show her various real-world examples of phishing emails and smishing texts. And while it's one of the ways she is able to enter my work world, as a victim of a cybercrime herself, she's also well aware of the true purpose behind and value of these conversations. So, you see, even in my personal life, I walk the talk, because this is one of the ways I learn as well.
Now, to the topic of this post, the purpose of which is to explain one of the many reasons why I believe a failure to provide mandatory ongoing security awareness training to every lawyer and staff member who works at a firm is a huge misstep. I'm going to ask you to trust me when I say that we humans are the weak link when it comes to cybersecurity, and it's all about the art of social engineering. One of my favorite cybersecurity lines is "Amateurs hack systems, professionals hack humans," because it speaks to the truth. And since humans can't be patched and upgraded the way computers can, all we can do is educate them. Unfortunately, such efforts are often perfunctory, short lived, or never even make it off the "to do" list.
Here's the problem with not following through on training. If it hasn't already happened, at some point someone, maybe even you, will be tricked into doing something that will allow malware to be installed on your firm's network. It might be clicking on a malicious link, opening an infected attachment, or logging on to a spoofed website, just for starters. Very sophisticated social engineering attacks have been, and will remain for the foreseeable future, the preferred attack vector because they are so darn effective at getting people to lower their shields when it comes to the actions they take while online.
The interesting question for me is this: What risks do we all face if our own online actions come up short? Allow me to share a few, and I truly mean a few, examples of common types of malware attackers are trying to trick you into installing on your network and/or any device that touches your network.
ALPS Risk Manager Mark Bassingthwaighte, Esq. Since 1998, he has been a risk manager with ALPS, the nation's largest direct writer of professional liability insurance for lawyers. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1,200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association, where he currently sits on the ABA Center for Professional Responsibility's Conference Planning Committee. He received his JD from Drake University Law School.