Strategies+: A Blog for Legal Marketers

4 Steps to Build a Security-Minded Culture at Your Firm

Posted by Ethel Crosby on Sep 11, 2019 11:51:01 AM

LMA Strat+ Cybersecurity Culture

By Ethel Crosby, director of technology operations and offerings, One North

Cyber-attacks and data breaches unfortunately aren’t new to the business world. Worse, clean up from these attacks can be extremely costly — both from a monetary and reputational perspective. Take Equifax as an example. On July 22, 2019, the company agreed to pay the largest settlement on record for a data breach, up to $700 million, to investigate claims stemming from its 2017 breach. If you tack on damage to the Equifax brand, it’s easy to see the high price organizations pay when they fail to proactively protect themselves from security incidents.

These days, protection often means ensuring even your least tech-savvy employee can sniff out a hacker before your computer systems are penetrated. After all, hackers aren’t going to target people like themselves who know how to build and dismantle strong networks. Instead, they focus on those they believe will be easier to trick, manipulate and bypass. Law firms, in particular, are ripe for attacks because of their access to sensitive data and high-profile clients and cases.

To avoid such attacks, it’s important to build a culture of security, where every employee and all departments are responsible for protecting the firm and its customers. Security should not be an afterthought, nor should it only fall on the shoulders of the IT department.

The following are four important steps that law firms can take to ensure their firm maintains an army of employees with a security-focused mindset to remain protected.

Click to Tweet icon"Security should not be an afterthought, nor should it only fall on the shoulders of the IT department."

1. Understand the risks you face today.

The best way to strengthen your human firewall is to understand where your vulnerabilities lie. It may be wise to hire a third party to perform an information security risk assessment. This will help uncover risks and prioritize how to address them. Additional ways to determine whether your systems, networks, users and/or facilities are secure and configured properly — and that you have a process in place to manage and maintain this going forward — is to undergo penetration testing, conduct a network architecture security review and develop a patch management program.

2. Train all employees early and often.

The only way you can expect employees to know how to respond to a breach attempt is to educate them on the appropriate actions to take and explain why each action is important. Be proactive and hold frequent security training sessions for the entire business. Give employees concrete examples that are relevant to their specific roles, including signs to look for and the process to report an incident. As new hires join the business, prioritize security training so they’re prepared to react to any threat that may come their way. Finally, recognize that training needs to happen regularly. After all, the controls you implement today won’t necessarily address the risks of tomorrow. Security is about staying one step ahead of the bad actors, which often requires a shift in approach or mindset.

3. Put your people to the test.

According to the Verizon 2018 Data Breach Investigations Report, phishing and pretexting (see definitions below) comprise 98% of social incidents and 93% of breaches. That’s a lot of human error. How do you prevent this in the future? Orchestrate a fake breach attempt and see how your colleagues respond. If they’re able to sniff out the attack, they’re already on the defense. You can use these employees as advocates when educating those who failed to recognize the signs of a breach.

Phishing: An attempt by an attacker to trick people into giving up sensitive information, such as login credentials or credit card info, or take action by clicking on a link or downloading an attachment. This type of attack is typically executed over email by disguising as a trustworthy source to influence a person to “take the bait.”

Pretexting: Using a false story to trick people into sharing sensitive information or influencing people’s behavior for a malicious intent. This type of attack can happen as a phone call or targeted email exchange with a back and forth dialogue. 

4. Make security fun.

As you build a culture around security, engaging presentations and positive reinforcement go a long way to encourage secure behavior. Reward success stories and milestones by publicly acknowledging those who do well.

As Warren Buffet said, “It takes 20 years to build a reputation and five minutes to ruin it.” Law firms especially have so much at stake — their brands, their clients, their partners and their revenue. Foster a culture of security, and you’ll do your part to exclude your firm’s name from the headlines of the next data breach.

Ethel-Crosby_ColorAs director of technology operations and offerings at One North, Ethel Crosby is responsible for the management and execution of digital technology solutions and product management. She is also responsible for the oversight and management of technology operations, IT, enterprise security, risk management, data protection and privacy compliance. Ethel is a Sitecore MVP – a distinction awarded to experts of Sitecore’s digital experience management software. She received her bachelor’s degree from Loyola University Chicago and holds a master’s degree in computer information systems from Northwestern University.

Topics: Client Services, Technology Management, cybersecurity, data breach

Recent Posts

Posts by Topic

see all

Subscribe to Blog RSS

About this Blog


Strategies+ is your online resource to discover exclusive content on the state of the legal marketing profession that goes beyond Strategies magazine, including:

  • Case studies from Your Honor Award winners
  • Weekly trendspotting
  • Guest blogs from legal marketing leaders
  • And much, much more!