
GPSolo eReport, August 2024

Cyber Threat Awareness for Your Law Firm: Boring Training Modules Aren’t Enough

Mark Lanterman

Summary

  • A boring, five-minute module on standard phishing attacks is no longer enough to ward off sophisticated cyber threats involving artificial intelligence and deepfakes.
  • Not only does utilizing AI improve a cybercriminal’s ability to create more sophisticated and more numerous attacks, but it can also allow for their inexpensive production.
  • Deepfake technologies can add yet another layer of believability to advanced spear phishing attacks.
  • Hands-on tabletop security exercises and real-life drills can effectively prepare an organization for dynamic attacks.

When we think of “cyber threat awareness,” visions of seemingly endless modules, slides, and short quizzes may come to mind: “How can you spot a phishing email? Does the address look familiar? Does the language seem unusual or urgent? We will never ask for this type of information over email. . . .” The topics may seem like old news to some. Although mandatory training and education on cybersecurity are important, reverting to a “check-the-box” mentality is easy to do when completing familiar programs.

Artificial Intelligence, Deepfakes, and the Evolving Cyber-threat Landscape

However, in a constantly evolving cyber-threat landscape, staying apprised is imperative. The threats themselves may remain relatively constant, but the modes through which cybercriminals execute their attacks may improve and adapt. For example, the proliferation of artificial intelligence (AI) applications has the potential both to bolster cybersecurity postures and to help tear them down. An article published by the Harvard Business Review states, “our new research demonstrates that the entire phishing process can be automated using LLMs [large language models], which reduces the costs of phishing attacks by more than 95 percent while achieving equal or greater success rates.” Not only does utilizing AI improve a cybercriminal’s ability to create more sophisticated and more numerous attacks, but it can also allow for their inexpensive production.

Deepfake technologies can be used nefariously as well, adding yet another layer of believability to advanced spear phishing attacks. In fact, multiple organizations have reported fake videos of their CEOs that contribute to successful attacks, resulting in financial losses. In one extreme example, “a Hong Kong finance worker was duped into transferring more than $25 million to fraudsters using deepfake technology who disguised themselves as colleagues on a video call.” In this day and age, even a video call (with multiple, seemingly recognizable people!) is not necessarily enough to ensure the legitimacy of a communication. Compare this type of attack to a “standard” phishing email—riddled with grammatical errors, sent from an unknown source, requesting a secret wire transfer to be made within the next hour (or else!). Most employees would likely be well-equipped to handle the latter, ignoring it or reporting it to IT (in the event it gets to their inbox at all without being filtered out by various tools). But in an age of deepfake-fueled trickery, it can seem that being a top-notch detective rivaling the likes of Sherlock Holmes is a prerequisite for facing the challenge.

The Need for Dynamic Training and Education

Given the possibilities, it is easy to see how a five-minute module on standard phishing attacks may not be enough to ward off a carefully tailored campaign. Outdated training modules, paired with the lack of enthusiasm that can accompany retaking the same course multiple times, are not optimal conditions for maintaining a thriving cybersecurity culture founded on top-down management support. As with anything, actions can speak louder than words. Dynamic training and education programs take multiple types of learning into account, moving beyond the bare minimum imposed by compliance and regulations. Modules and written materials reinforced with hands-on tabletop security exercises and real-life drills prepare an organization more effectively for dynamic attacks.

Managing cyber threats and their associated risks is not a “one-size-fits-all” endeavor. Organizations will have varying approaches based on their own risk tolerances and requirements. From robust cyber insurance policies to security assessment schedules, organizations can employ a number of different methods to counteract the risks they may face. Whatever the methodology, however, all organizations should strive for a strong cybersecurity culture built on leadership engagement with, and support for, security practices. The most complete policies, practices, procedures, and programs are worth very little when confined to the paper on which they are written. Avoiding gaps between ideal written policies and implementation often depends on leadership involvement.

Thinking back to training and education, organizations should ask themselves the tough questions. Is this program outdated? Is this program boring? Realistically, what type and degree of attack does this program best prepare an employee to identify and manage? How does it support our overarching cybersecurity culture, and how does it measure up to our risk mitigation goals? Well-developed training and education programs typically reflect well-developed cybersecurity postures. Managing risk starts with prioritizing resilience and supporting strong security cultures.
