You’ve read the articles, you’ve sat in the seminars, so you know how it goes. We’re talking cyber security and you know what’s coming: the horror stories, the threat landscape and bad actors, the best practice advice, the technical protections and the process mitigations you can put in place. And, then, always, the kicker that for all your preparations, for all your investment, you still can’t legislate for the weakest link: people. And sure, you can try and educate them, make them aware of some of the more obvious risks and scams, but even so, every day people will fall victim.
And I have some sympathy. People will condemn those at fault and say they shouldn’t be so foolish, but you know what? In law firms, staff are busy, pressured, often juggling demands and deadlines. They don’t always make good choices at their keyboard when they’re thus distracted. Plus, some of the more sophisticated social engineering techniques are really clever; they can catch you out even if you have got one eye on the ball. The most important thing is always to learn from this time so there isn’t a next time.
But that’s where my sympathy stops. It does not extend to the person – a barrister who shall remain nameless – who sat next to me on the train last week and, just because he was in an analogue world, seemed to forget everything he had ever been told about security, privacy and confidentiality.
Out onto the table came court papers, with plenty of Personally Identifiable Information (PII) on view; there was case strategy exposed, marked-up files, and then two phone calls in full hearing of a dozen people, with more names and details discussed.
It was a data breach clear and simple – and no laptop in sight. I don’t know how you legislate for that degree of…what was it? This wasn’t a junior person, this was a seasoned professional, so were they just heedless, too in the zone to notice what they were doing? Did they think that because they weren’t on their computer it somehow didn’t count?
I was pretty shocked, I must say. But, when I thought about it, it’s all around us. How many times have you been in a coffee shop and you can hear the exchanges on the adjacent tables, much of it way too explicit with people, places, prices, decisions, descriptions, all being bandied about without a thought?
This whole episode got me thinking about the wartime poster, Careless Talk Costs Lives. Well, thankfully, it doesn’t cost lives so much these days, but your reputation, your bank balance, your livelihood? Cyber security sessions will always call out that people remain the biggest risk factor – but forget phishing and CEO fraud, it’s the train to Leighton Buzzard that you need to watch out for.