Cyber security: reducing human error
26/08/2024 10:39:48
See how building cyber security awareness in your team can reduce the risk of human error and protect your firm.
Cyber security is an issue of growing concern for law firms, with client accounts and confidential information often being prime targets for increasingly sophisticated attacks. Law firms can fend off many threats by implementing a combination of technical measures and organisational practices.
While technical measures involve IT infrastructure, organisational strategies focus on management, business continuity planning, and promoting safe behaviours among staff. Human-centric security measures include mandatory cyber awareness training, simulated phishing exercises, and clear protocols for handling sensitive information. These empower staff to recognise and respond to threats effectively.
The role of human error
Human error remains a significant gateway for attacks. Whether through everyday internet use, emails, or social media, everyone in the firm must be vigilant. Training is essential to equip staff to recognise suspicious emails, attachments, and links. Since many attacks begin with phishing attempts, showing staff real examples of fraudulent emails can be highly effective. Regular testing, where employees distinguish between genuine and fake emails, reinforces their ability to spot potential threats.
As far as possible, the use of USB devices should be avoided. Where USB devices have to be used, there should be strict protocols for their use. Training on the proper use of USB drives and portable devices is also crucial, as these can introduce malware into the firm’s network. By focusing on cyber security awareness, firms can reduce the risk of attacks stemming from human error.
Common threats to highlight
Several cyber threats pose risks to law firms, and it’s worth highlighting these to your team:
- Phishing: whether through email or other channels, phishing refers to attempts to prompt an individual to disclose sensitive information such as banking details. Often, attacks will attempt to create a sense of urgency in the target, encouraging them to share the information without thinking – encouraging your staff to stop and think before clicking on or disclosing anything mitigates the risk.
- Ransomware: blocks access to a firm's systems or threatens to release confidential data unless a ransom is paid. This often results from staff clicking on corrupted email attachments. Regular file backups can mitigate the impact of such attacks.
- Viruses: activated by opening infected files, viruses can delete or alter data, potentially rendering systems unusable.
- Trojans: disguised as legitimate programs, trojans can monitor keystrokes, gather sensitive information, and install additional malware before staff notice the breach.
- Malvertising: uses online ads to spread malware or redirect traffic, often without any user interaction. This method can install spyware that steals financial data or bank details.
- Impersonation: sophisticated attacks can impersonate colleagues or clients through email or social media to extract confidential information. LinkedIn is a popular platform for building fake relationships with staff, leading to phishing attempts. Two methods of impersonation are important for staff to understand.
  - Pretexting: criminals create a fabricated scenario or pretext to manipulate victims into divulging sensitive information. For example, they might pose as IT support staff to gain access to login credentials.
  - AI-powered impersonation: criminals use generative AI tools, such as synthetic voice creation software, to mimic the voices of colleagues or clients. These tools can create convincing voice messages or real-time calls, tricking staff into divulging confidential information or authorising fraudulent transactions.
As AI-powered impersonation becomes more sophisticated, it's crucial to implement verification procedures for voice communications. Encourage staff to independently confirm unusual requests through a separate, known channel, especially those involving sensitive data or financial transactions, even if the voice sounds familiar. This extra step can prevent staff from falling victim to AI-generated voice scams.
Encouraging safer behaviours
Through training and reminders, you and your team can act as an effective defence against attackers. In addition to training, you can reduce the risk by encouraging safer everyday behaviours, including:
- skepticism about unexpected requests, especially financial transfers,
- using secure websites (check for the "https" protocol),
- creating strong, unique passwords,
- abiding by technical measures adopted by your organisation, including multi-factor authentication,
- taking a moment to verify unusual requests, particularly when they might involve transferring money or sharing sensitive information, and
- avoiding public Wi-Fi or public charging stations when accessing firm systems.
By fostering a culture of cyber security awareness, law firms can prevent human errors that often lead to breaches.
Learn more
This is an abbreviated version of ‘Attack Mode’, published in the June 2023 Law Society Gazette.