SECURING THE LAW FIRM
5th July 2023 • London, UK
Solving cybersecurity’s people problem
From insider error to CISO burnout, most cybersecurity issues are human - not machine. It’s time to prioritize people over process and technology.
A well-known piece of UK ICO research highlights the most common causes of reported data breaches in the legal sector. The categories are not mutually exclusive (the figures below add up to well over 100%), but the pattern is clear:
• 52% occurred from sharing data with the wrong person (via email, post, or verbally)
• 25% occurred from phishing attacks
• 10% occurred from losing data (loss or theft of a device containing personal data, or of paperwork or data left in an insecure location)
• 54% occurred from non-cyber handling errors: verbal disclosure; failure to redact or to use Bcc; alteration of data; hardware misconfiguration; documents emailed or posted to the wrong recipient
These errors by non-technical employees are compounded by three other human factors. First, technical staff are human too and make their own mistakes. Second, malicious staff create deliberate insider risk. And third, CISOs and other cybersecurity staff are burning out and/or changing careers at an alarming rate, at the same time as the extreme talent shortage in the sector makes filling key security positions almost impossible.
One of Gartner’s key strategic assumptions is that by 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors.
None of this is remotely surprising. However, much of the cybersecurity conversation still revolves around complex threats and vulnerabilities, while most of the real risk of data breaches remains with very simple human errors.
The same is true of the other most common and damaging kinds of cyber attack. From business email compromise (BEC) to ransomware, the attacker's way in is usually a person: fat fingers, carelessness, or a genuine inability to tell fake from real.
The cybersecurity debate defaults to technology because that is the easiest part to address; the many human-related issues are either swept into the ‘awareness and training’ bucket or they are tacitly written off as impossible to solve.
So is there a better way to think about cybersecurity, starting with the practical business and human realities? This edition of Securing the Law Firm will try.