Ethics, integrity and security awareness
A safe and secure computer network is a top priority for the Hutchens Law Firm team. Ben Ruocco is a network and security engineer at Hutchens Law, where he’s tasked with supporting the IT and security needs of the firm’s 275 staff and attorneys. He’s managed the firm’s in-house security and awareness education for several years, first bringing in Infosec IQ in 2017. Since launch his program has consistently produced excellent results — helping deliver on the safety and security commitment the firm’s clients expect and deserve.
Going beyond security awareness basics
For Ben, due diligence in terms of security controls and training has always been an important part of his approach to securing the firm’s client data. Training on physical security, policies and other important security topics have been a long-standing component of the Hutchens Law employee onboarding process.
“We’ve always had a good foundational security awareness program at Hutchens Law, but we wanted to go beyond the basics,” Ben said. “After implementing Infosec IQ’s AwareEd and phishing campaigns, we’ve really seen employees take note of security vulnerabilities and how exposed email can be. There is so much malicious activity out there. Implementing this program showed our employees how seriously we take cybersecurity threats and really reinforced the overall importance of good security habits.”
Empowering employees to play an active role in security
Maturing the firm’s security awareness and training program has led to positive changes in employee security habits, particularly when it comes to email security. Ben reports the help desk is contacted daily for assistance verifying whether a questionable email is legitimate. There’s also been an increase in the number of employees reporting malicious emails so they can be examined and blocked in the future.
Even with staff already tuned in to cybersecurity threats, we did not see this level of care and concern prior to implementation.
Security awareness campaigns run quarterly at Hutchens Law, with Ben sending monthly phishing simulations tailored to the type of malicious email an attorney or partner might actually receive.
“There is no doubt the Infosec IQ tools we put in place have made a measurable difference,” Ben said. “Even with staff already tuned in to cybersecurity threats, we did not see this level of care and concern prior to implementation. The AwareEd campaigns help supplement our existing security awareness program, and the phishing campaigns help us assess how well the training is working.”
Training modules customized to different areas of expertise
Hutchens Law Firm has an onsite trainer who works closely with Ben to manage the program and maximize its effectiveness. She selects modules based on individual departments’ past performance and assigns training campaigns based on observed knowledge gaps. Ben then follows with phishing simulation campaigns to keep the training top of mind. Phishing simulations are also targeted toward different areas of the practice to optimize results.
When asked about the value of frequent security awareness and training, Ben points to the firm’s 2% phishing click rate as evidence of its success.
“One of the highest risk areas for any organization, no matter how much technology you implement, is employee behavior. So training and awareness is an absolute must. We’re satisfied with what the Infosec IQ tools are helping us achieve. It’s a great tool for us because of its flexibility, granularity and overall reporting metrics. But we’re not about to sit back and rest on our laurels. We know as cyber threats evolve, we have to work to stay ahead of them.”
The Hutchens Law Firm was recently recognized for excellence and named a finalist for the Impact Award in the 2020 Infosec Inspire Security Awareness Awards. The Impact Award celebrates the successes of Infosec’s most innovative and inspiring clients and partners. Award-winning success stories detail high-impact security awareness and training initiatives that empower employees and motivate effective security habits.
The award was announced during the Inspire Awards ceremony held during the Infosec Inspire Cyber Skills Virtual Summit. The only event of its kind, Inspire is hyper-focused on the human side of security — equipping cybersecurity leaders with knowledge and insights to develop employee cyber skills, forge their organization’s security culture and make a lasting impact. Learn more about Infosec Inspire here.