Please fill out the form below.
Please fill out the form below.
Debate will and should continue about what role individuals and employees should play in the security effort. What is no longer a debate is that an individual’s decision making, when it comes to handling data, transferring information, and protecting devices, can have a major impact on an organization of any size. In today’s hyper-connected world there is an ongoing clash between personal and professional tasks – an individual’s digital life and their attention is often distributed across a number of personal and professional devices. These interconnected variables have created an environment in which a single connection to a rogue network or just one poor decision with a malicious attachment can result in an array of incidents ranging from ransomware to credential theft and many things in between.
Though controls, policies, and system defenses will always play a critical role in minimizing or reducing the impact of these incidents, it’s time for firms to fully embrace the positive influence that encouragement and involvement can play when it comes to the security and privacy decisions that people make.
At its core, technology can accelerate productivity and improve both life and business experiences. In-person meetings and bland voice based teleconferences have been augmented and are often entirely replaced by interactive “virtual” meetings that allow for live collaboration, screen sharing, and live video feeds. Search engines and social networks are turning phone books into historical artifacts, and seeing a person without a mobile device is becoming an anomaly. Hailing a cab in the rain while shivering? All but gone – there’s an app for that. People are willing to rapidly adopt any technology that they perceive will make their life a better or even more enjoyable. These technologies are good; actually, they are great and have positively transformed the way we work and what we are capable of producing.
So why is it such a struggle to get users to adopt basic behaviors and best practices that can virtually eliminate the damage done by the usual suspects: phishing, social engineering, and even lost devices? There’s no single answer. Were it that easy, we’d all be one blog post or software license away from the “cure” (hint: be very suspicious of anyone that claims to have the cure!). Having collaborated on countless security awareness/data privacy programs for the past 4 years, I’d contend that our messaging and approach still needs some work. If our goal is actual behavior modification, it would be nice if we could sit back at a safe distance and steer people towards the light only using tools like phishing simulators, online training, and email based security alerts. While these tools play an important role in raising visibility and increasing competency, they are not a replacement for the life blood of any effort to drive change: personal engagement.
Our colleagues that are not in direct security/risk/compliance roles don’t wake up every morning thinking about data loss or privacy breaches, like us. Our colleagues don’t open email messages at all hours and study the headers and IP details to determine the source of the strange message, like us. Our colleagues also do not head into a job performance review thinking about how their ability to protect company information and trade secrets from outsiders will be evaluated; maybe they should, but they don’t. Hoping that we can change these behaviors “remotely” is running face first into a stiff wind. We need another approach to drive the type of change that makes a meaningful difference. Can we learn from other examples where people commit time, devote energy, and take action on projects that are not associated with their core job function? Yes.
Company based health and wellness programs, community service projects, and fund raisers are excellent examples of activities that occur with frequency and success within organizations of all sizes. Most of these activities share a common quality: they are optional; people can choose to commit or flat out ignore them. A former colleague of mine recently described a pre-work event – dozens of female colleagues met with over a hundred young girls from a variety of local schools at a career discover event. They met, talked, and shared professional career path options with the young stars… unpaid and optional, but very well attended. What was the driver? Engagement. The program was spearheaded by several individuals who relentlessly recruited internal team members to commit and attend, and reached out to the school community. The result – a successful event that had real impact.
So, what do the outcomes of security engagement look like? Last month a colleague in a law firm overheard a counterpart complaining to a peer about the IT Department. The complaint? IT had started renaming his client folders on a shared drive using hexadecimal codes and complex character strings. The colleague commented that it was highly unlikely that IT would rename his folders without prior notification, and asked to see an example. He immediately called the security team who discovered that ransomware file encryption was actively underway. Should there have been an automated alert or preventative control to stop the file encryption? Probably. But when a control falls short or something unusual occurs, an employee that is engaged will act while the employee that is unengaged will tune out the colleague’s conversation about renamed folders.
Security and privacy engagement is a contact sport, not a remote activity. You can’t move behavior and drive change in the absence of shared ownership and a team that is committed to helping drive the message. Sending a fake phishing email to colleagues is a security awareness activity and one that can play a role, but getting involved with influential members of your organization to earn buy-in and gain support and mindshare for your security and privacy program is real security engagement. So are town hall sessions that paint an accurate picture of the threat landscape, the firm’s vulnerabilities, and the drivers behind the “push” for security (esp. the firm’s clients). And speaking at attorney lunches and secretary meetings, or hosting a “Security Awareness Month.” Even better – pushing pinpoint optional micro-learning to your users when a real-world security event, such as the Wannacry ransomware attack, is top of the news. And when a user does the “right thing” and demonstrates engagement with security awareness, celebrate the win to your wider user community. The outcomes of these types of security engagements are the game changers that we seek.
“For additional insight on security awareness engagement, Capensys hosted a webinar titled How to Build & Maintain an Engaging Program (with everything else that you have to do!).”
Fladgate’s principal goal was to ensure that they achieved a consistently high-level of IT competence in areas that were useful to lawyers and support staff. They wanted an innovative, workflow-based learning program that focused on the day-to-day work of lawyers and staff. They also needed a robust long-term solution to ensure that they could build on initial successes.
After researching a variety of options, they were pleased to find that the competencies covered by the LTC4 certification program mirrored those that they had already identified via their initial training needs analysis. They were also impressed by how the modules focused on the workflows that lawyers undertake on a daily basis.
Another advantage was that LTC4 required skills could be taught, and proficiency measured, via Capensys courseware and evaluations tools. The Capensys Goal-Based Approach ties training to business and user goals and delivers training modules that are process-driven rather than application driven. This approach was perceived as very flexible solution, allowing lawyers to learn when and where they wanted to do so, rather than via fixed classroom sessions.
Michael Wells, the senior trainer at Fladgate led the charge, and it’s been 18 months since the program launch. As of this date, they have completed the Working with Legal Documents learning plan. Michael estimates that over 90% of the firm are now certified in Working with Legal Documents.
In just a few weeks, Michael will begin the certification process for the LTC4 Security learning plan using the Capensys Sentinel security awareness modules.
The third learning plan, Working with Documents and Emails, is already planned, developed, and ready to go. It will be launched later in the year - around July or August.
According to feedback from stakeholders and users as well as observing performance in the workplace, some of the significant training gains Fladgate has seen are:
Michael was pleasantly surprised when “Contrary to expectation, tutorials and assessments are undertaken at all times of the day and night. People are really using the flexibility to train when it suits them.”
Fladgate is first and foremost, experts in law. Many of their lawyers are recognized leaders in their field. They serve their clients as partners in business with a focus on implementing practical solutions that deliver results. Fladgate offers advanced legal expertise across all major legal specialties, combined with a detailed understanding of the dynamics and pressures of their clients’ business sectors.
Capensys Ltd. is a full-service training company for law firms. Capensys provide all types of training for the legal industry including classroom trainers, webinars, on-line learning, evaluations and a security awareness program. Capensys training philosophy is to link training to achieving business goals. Capensys were also the founders of the Legal Technology Core Competencies Certification Coalition (LTC4). To learn more about Capensys please visit www.capensys.com.
LTC4 is a non-profit organization, that has established legal technology core competencies and certification that all law firms, law schools and legal departments can use to measure ongoing efficiency improvements.
"...It's critical that your employees or coworkers understand the severity of the risk and their role in preventing compromise. Every employee with access to a computer has the responsibility to undergo training covering the risks associated with that access, and every employer has the responsibility to make sure that communication is timely and relevant and mandatory. Employees need to raise their guard and pick up the phone any time something seems out of the ordinary. ...If you want a good turnkey solution for that in place, check out Capensys' Sentinel, which can map to the LTC4 core competency framework. The cliché that you are only as strong as your weakest link has never been more accurate than it is here...'
Our purpose for implementing a firm-wide training program for attorneys and staff focused on competency based performance standards, evaluation and ongoing training that would have a meaningful impact on firm morale, productivity and profitability. The program offered the opportunity to become LTC4 certified in various workflow based core competencies which were relevant to how users work.
We knew that an attorney up-skilling program based on LTC4 would provide us with an industry standard of legal IT core competencies, a benchmark for them to achieve — a benchmarkExpected Outcomes and Objectives.
There were multiple objectives and expected outcomes for implementing a certification program at pir firm:
The Director of HR spearheaded the initiative. We formed a small committee and presented a package to the managing board which included an executive summary of what we wanted to do, outcomes and objectives, and an efficiency impact table for those areas of improvement we would track. Once the board approved the program, we made sure that everyone knew about the benefits of the program and how it was going to be implemented. We created FAQs for the participants so they would receive the same information as the stakeholders.
The audience was attorneys, paralegals and staff. We assembled two learning plans based on the LTC4 core competencies: Legal Documents and Document Management. We phased the program over one year, giving people two months to complete the learning plans and skills evaluations and one month off for review and consolidation. Certificates were given for every phase, which users really appreciated and displayed at their desks with pride.
The following LTC4 Learning Plans have been completed and are getting LTC4 certification:
Legal Professionals: 54 (21 attorneys and 33 paralegals)
Legal Support Specialists: 79
Managing Documents & Emails:
Legal Professionals: 33 (paralegals)
Legal Support Specialists: 95
We are one of the first firms in the world whose users are certifying for LTC4. We are currently working on certification for two more LTC4 Learning plans: Customer Relationship Management and Data, Reports and Exhibits learning plans. We will be submitting our results for LTC4 Certification as soon as we are complete.
Downs Rachlin Martin PLLC (DRM), a New England based law firm, has always counted innovation among their brand’s key characteristics. When, however, IT Director Karen Norman learned that Kia's in-house counsel D. Casey Flaherty was using attorney technology testing to drive down rates, she knew she needed a way to turn that core trait into hard data, and fast.
In order to achieve the highest level of compliance, Ms. Norman knew she’d need the full support of the firm’s management. She engaged the Managing Partner around the concept of being able to demonstrate the firm’s commitment to innovation through the use of technology. Fully aware of the changes in the market place, the management team was quick to engage the Practice Group Chairs in support of this program. The Practice Group Chairs then nominated a representative from their respective groups to form a committee whose purpose was to identify the specific core competencies they believed were of highest value to clients.
The committee had made notable progress defining the core competencies when Norman learned about the Legal Technologies Core Competencies Certification Coalition (LTC4). LTC4 is a non-profit group consisting of 80+ law firms who have developed industry-standard legal technology core competencies. Ms. Norman felt this helped her cause significantly because it gave DRM an industry standard path to follow.
It was around the same time that Ms. Norman met Capensys, a training company for law firms, LTC4 founders, and vendor members. The firm chose to partner with Capensys because they offer a delivery system that supported 130+ staff and attorneys from 5 different offices accessing the Learning Management System. Equally as important are the KnowledgeChecks, which allow the firm to evaluate the skills learned at different stages of the core competency program, with tools to manage and report on the success of the training program.
Once the core competencies were decided upon and the learning materials and tools from Capensys were in place, the firm promoted the program internally. They applied the firm’s brand standards and named the core competency program ”Step It Up." Most importantly, they devised a reward system that encouraged timely participation. Using monthly incentives, the firm saw a very high level of participation with 100% of staff and paralegals and 80% of associates completing Level 1.
The firm delivered 2 levels of the core competency program. Level 1 consisted of core competencies that were common to all users. Level 2 was customized to align with the jobs and specific roles of users.
The training and IT team reported that the program was going really well. After the Level 1, they sent out a survey to ask for feedback. The feedback was overwhelmingly positive with respondents saying that they had learned something. People commented that it was "Very helpful" and "Not repetitious".
The firm is also using the program very successfully for their new hire program, where they are incorporating a lot of the skills from the Step It Up program. For example, IT trainer Marsha Kuhn makes sure everyone completes the FileSite online learning before they come to new hire training. When users are already prepared it allows her to cover more in her face-to-face sessions.
Capensys’ Resource Gateway was rolled out by the firm to provide reference materials that users could utilize after the training. To encourage self-service behaviour, Kuhn wrote an article about the Resource Gateway and how it can be used for just-in-time support and coaching.
DRM is a now member of LTC4 and will continue to use it as the basis of their core competency program. They feel that working towards LTC4 certification will be very helpful to associates.
The firm was also awarded CLE accreditation for the Security online course provided by Capensys, and attorneys will be going through this to get one hour of CLE.
“All of this serves to help us provide even more value to our clients”, says Ms. Norman.
The firm will be moving to Capensys’ new tool “LIA” (Learning in Action) to continue to build on the core competency program and to measure multiple methods of accomplishing tasks. The firm is also working towards including the completion and mastery of the core competency program into the annual appraisals of the staff and paralegals.
The management team at DRM is pleased with the outcome of the program and feels that continual training in technology provides a competitive advantage and improves the firm’s ability to serve their clients.