Spotting Email Compromise in Law Firms: Users Vs Technology.

Author: Pearch, Andy

The legal sector presents the perfect playground for cyber attackers, with sensitive data waiting to be exploited and the reputations of law firms waiting to be destroyed. Diversion fraud, spear phishing, phishing and social engineering are all very real threats currently facing law firms. To combat these threats, law firms need to move away from placing the burden of spotting cyber attacks on employees, and instead use sophisticated detection engines and threat intelligence sources to transform their email security and threat protection.

Repeating past mistakes.

While no business wants to risk damaging their reputation, it is particularly critical for the legal sector. Law firms only have one chance to protect their reputation before clients lose confidence and take their business elsewhere. From intellectual property to personal data, the value of information held by law firms is high, making them a big target for any cyber criminal. In reality, though well-protected FTSE 100 companies are tempting prey, their legal representatives provide equally rich rewards and are, unfortunately, likely to be easier to breach.

Companies are increasingly aware of cyber threats, but many in the legal sector are still focusing their defence efforts on their employees, which isn't a good place to start. Commonly heard phrases such as 'users are the weak link in cyber security' are prompting rigid user training programmes, in the hope they will give employees the skills they need to spot a potential cyber attack, saving the firm from the resulting repercussions.

With other messages highlighting that over 70% of cyber attacks start with email, it's easy to see why companies come to believe that user training is the best approach to take, especially when law firms have been scarred by past incidents of email-based diversion fraud, where clients have transferred payments to criminals rather than to the law firm. That's a situation no law firm wants to be in.

Realistically, companies cannot risk their business reputation by basing their security posture on the assumption that employees will never make a mistake, especially employees who are up against the clock. Fraudulent emails are carefully designed to fool users, so how can a company assume that no user will ever act on a fraudulent email that lands in their inbox?

Risking liability.

Relying on users to spot malicious emails is not a strategic approach. Of course, it's still important for users to be aware...