How to Phish Your Law Department Before the Hackers Do
Basic cybersecurity skills aren't that complicated. A vigilant eye -- and good filtering software -- can protect you from many malicious online tricks, like phishing. Phishing, if you're not familiar, is a form of email fraud where messages appear to be legitimate in order to steal sensitive information. An email purporting to be from your HR department, for example, could ask for your company password and poof: Russian spies are all over your email system.
Phishing attacks can result in millions of dollars of damage and corporate legal departments are some of the most gullible targets. Thankfully, testing your team is pretty easy and a great way to identify weaknesses before hackers exploit them.
Setting up a phishing test is simple. If you, or your IT guy, are skilled at "computer stuff," you can create a temporary web server, put up your own phishing site, and send out your own phishing emails. This takes a fair amount of work and design, though.
If you're less of the DIY-type, there are plenty of easy phishing services out there as well. PhishMe, Wombat Security, and Phish5 all provide simple, quick cybersecurity testing services. PhishMe, an SaaS company, puts employees in "simulated phishing scenarios with targeted security education delivered directly to their inboxes." Phish5 lets you design and send out phishing emails to up to 10,000 people at a time. Consider it like having your own in-house, white hat hacker.
Most importantly, your phishing test should not compromise your colleague's data. You want to test their vulnerability, without actually stealing their data. According to Phish5, no sensitive information will be stored, transmitted, or saved through its program. The program clears all forms before submission. You learn that data was submitted, but nothing more.
Get Ready for Your Department to Fail the Test
Odds are, your legal department won't get an A+ on their phishing test. Legal departments, along with communications and customer service offices, had the highest rates of opening phishing emails, according to Verizon's 2015 Data Brach Investigation Report. Phishing attacks accounted for 20 percent of "significant threat actions" over 2015, Verizon reported.
If your legal department does well, congratulations! You've passed cybersecurity 101. If everyone starts handing their social security numbers, corporate credit cards, and mother's maiden names over, however, don't despair. Some targeted training is usually enough to help fill in your cybersecurity holes.
- Kirkland & Ellis CIO: 'We're Doing Phishing Attacks on Our People' (Bloomberg)
- Legal Depts Are Too Easy to Hack. Here's How to Protect Yourself (FindLaw's In House)
- The Greatest Threat to Your Data Security May Be Yourself (FindLaw's In House)
- Beware of the Dyre Wolf: Sophisticated New Scam Targets US Corps (FindLaw's In House)