Sarah makes a valid point. Sure, during the COVID pandemic it’s nice that you can go into a restaurant and scan a QR code to view the menu instead of handling physical menus. I worked in a restaurant kitchen in college; I know how nasty some menus can get. On the other hand, are we teaching people to trust something they shouldn’t trust?
Law firms are an attractive target because of the data, but also because it might be easier to breach a firm than it would be to hack the clients they represent. As the rest of the article goes on to describe, there are still too many firms without cybersecurity training, proper policies, or incident response plans. That is not going to keep things secure.
On top of that, as I’ve written before, the whole culture in firms is a problem. Anytime you have a large group of people in charge (partners) who are often not to be questioned, social engineering gets a whole lot easier, and the likelihood that even a policy that does exist gets ignored is pretty high.
They had some interesting findings on gender (it doesn’t matter) and age (both younger and older employees seemed more likely to click), but this is the one that I think impacts a lot of what we do when it comes to protecting against phishing:
“An interesting finding in the ETH study is that employees who are continuously exposed to phishing eventually fall for it, as 32.1% of the study participants clicked on at least one dangerous link or attachment.”