This is really the thing. We all know that our devices are with us all the time, and we all know that everyone else knows. So when the notification pops up, there’s an instantaneous thought process that we all go through.
And no, it’s not is this important or can it wait? The actual thought process is “they know I see this and are probably expecting a response”
However the article below also points out that much of the time, that’s isn’t true. Someone was just reaching out and there is no hurry or even an expectation of immediate response but we don’t know that. So, we either drop everything to reply or we apologize for any delay in replying.
Which makes no sense.
I’ve been involved in direct work with clients in half-day training, or multi-hours long workshops and replied to an email afterwards with an “I’m sorry, I was tied up” opening.
Yes, I’m apologizing for doing my job and paying attention to it.
How dumb is that?
Law firms are an attractive target because of the data, but also because it might be easier to breach a firm than it would be to hack the clients they represent. As the rest of the article goes on to describe, there are still too many firms without cybersecurity training, proper policies, or incident response plans. That is not going to keep things secure.
On top of that, as I’ve written before, the whole culture in firms is a problem. Anytime you have a large group of people in charge, (partners), who are often not to be questioned, social engineering gets a whole lot easier, and the likelihood that even some policy that exists might get ignored is pretty high.
They had some interesting findings on gender (doesn’t matter) and age (young and older employees seemed more likely), but this is one that I think impacts a lot of what we do when it comes to protecting against phishing:
“An interesting finding in the ETH study is that employees who are continuously exposed to phishing eventually fall for it, as 32.1% of the study participants clicked on at least one dangerous link or attachment.”