Tom Lambotte April 22, 2024 7 min read

Your Employees Are The #1 Internal Cybersecurity Risk to Your Firm


Hosting legal tech webinars and consulting with lawyers has opened my eyes to attorneys’ greatest cybersecurity misconceptions: their firms are too small to be targeted, and simple firewalls keep bad guys at bay.

The truth is, not only are businesses of all sizes at risk, but many data breaches originate inside your office. 43% of small businesses face cyber attacks, and only 14% are prepared to fight them. Internal cybersecurity risks often go ignored completely.

While several high-profile breaches have grabbed headlines and rocked American corporate giants, hackers primarily prey on much smaller outfits. Specifically, 29% of law firms experienced data breaches in 2020. Many came from internal cybersecurity risks.

The most common tool of these internal cybersecurity risks? It isn’t brute force hacking. It’s employees.

Up to 90% of data breaches are attributable to human factors, including deception, carelessness, and malice. Read on for valuable measures to help your employees avoid critical mistakes and keep simple errors from ruining your reputation.

Deception: The Subtle Art of Social Engineering


Most of your employees are great workers and great people who would never intentionally put your firm at risk. Still, they can be overmatched by increasingly sophisticated hoaxes designed to elicit info and access.

“Social engineering” is the catchall description for manipulative methods that win a user’s confidence and subtly coerce them into divulging sensitive information or making security mistakes. They began as clumsy Nigerian Prince scams but have evolved into phishing efforts able to hook Google and Facebook.

What Are Some Examples of Social Engineering?

  • “baiting” (requesting info to collect a prize or offer)
  • “scare tactics” (declaring your system infected and offering a downloadable cure)
  • “pretexting” (posing as a trusted figure who needs you to prove your identity)
  • “phishing” (fake emails seemingly from reputable senders that trick recipients into clicking dangerous links)

It’s easy to think, “I’d never fall for those traps!” But the methods grow ever more complex and convincing. Even good employees can make mistakes, and it only takes one slip to render your system vulnerable.

You can’t personally screen every message and response, but you can give your team the skills to spot social engineering via security awareness training. Of course, the problem is that security training programs usually SUCK, meaning that employees will skip them, forget them, or find ways to complete them with minimal effort (and minimal learning and retention). How do they suck? Here are two significant ways:

  • Far too long – 45 minutes is the average length of cybersecurity training
  • Boring – yes, I swear they go out of their way to find the most monotonous and dull speakers to record these trainings

Thankfully, training has come a long way from PowerPoint snoozefests of the past.

How Social Engineering Awareness Training Helps Mitigate Internal Cybersecurity Risks

Relying on multimedia presentations and behavioral science techniques, the best providers employ an engaging approach that entertains while educating (and tracks employee progress and participation). The best cybersecurity solutions include just such a program, covering all aspects of social engineering and other cybersecurity issues like mobile security, Wi-Fi integrity, best browser practices, privacy safeguards, malware defense, etc. They use short videos and engaging cartoon characters that make it fun (and more interesting, hence memorable and effective).

Some social engineering tactics are so tricky that training alone isn’t enough — specifically, phishing. It’s a treacherous challenge that accounts for 1/3 of all data breaches, so I recommend regular phishing simulations that assess employees’ perceptions and keep everyone on their toes.

These simulations send convincingly crafted (but harmless) emails to your team, gauging how they’re handled and diagnosing additional measures necessary to protect your data. Phishing simulations should also include a multi-layered cybersecurity plan, including immediate remediation training. If someone clicks on a link in a simulated phishing email or enters their credentials, they would directly be routed to training to learn what they missed and how to protect the firm the next time, making them better prepared.

Training and testing will equip your team to handle social engineering’s deceptive practices, but there’s more work required to turn your staff from a weak link to an anti-hacking squad. That’s especially true when it comes to managing credentials.

Carelessness: The Perils of Bad Password Hygiene

Passwords are our first line of digital defense and, used correctly, provide solid protection…but when improper practices put keys in the wrong hands, those codes suddenly become a weapon.

Unfortunately, far too many employees are careless when it comes to credentials.

Google discovered that 2/3 of employees use the same password for several (or all) of their logins. The average password is reused four times, meaning one lost key corrupts several accounts.

Creating, tracking, and typing complex unique passwords for every site is a lot tougher than remembering your pet’s name. Laziness is understandable…but also unforgivable once data breaches harm your firm or your clients.

Fortunately, there is another easy solution – password vaults.

Why Use Password Vaults?

These team-based credential managers generate and store complex, unique strings for every site in a safe central location that your staff shares and that anyone on the team can update. No more messy Post-Its or production lost to conflicting credentials – your whole team is up-to-date, secure, and able to enter passwords automatically with the accompanying browser/mobile apps.
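To make concrete what a vault does for you, here is an added example (not code from the article or from BobaGuard) that generates the kind of unique, high-entropy passwords a vault issues, audits a stored credential list for reuse, and shows the “blast radius” of one leaked password, i.e. every account that the same key opens. The vault contents are constructed sample data; the function names are my own.

```python
import secrets
import string
from collections import defaultdict

# Character set a vault draws from; punctuation is included for entropy.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password containing lower, upper, digit and symbol characters."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        # secrets (not random) is the right source for credentials.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def find_reused(credentials):
    """Group site names by shared password; return {password: [sites]} for reused ones."""
    by_password = defaultdict(list)
    for site, password in credentials:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def blast_radius(credentials, leaked_site):
    """All sites (including leaked_site) opened by the password used at leaked_site."""
    leaked = dict(credentials)[leaked_site]
    return sorted(site for site, pw in credentials if pw == leaked)


def rotate_to_unique(credentials):
    """Replace every reused password with a freshly generated one; return a new list."""
    reused = find_reused(credentials)
    return [(site, generate_password() if pw in reused else pw)
            for site, pw in credentials]


# Constructed sample vault contents for illustration only; not real credentials.
SAMPLE_VAULT = [
    ("email", "Fluffy2019!"),
    ("practice-management", "Fluffy2019!"),
    ("bank", "Fluffy2019!"),
    ("e-filing", "Fluffy2019!"),
    ("research-db", "x7!Qm2#pL9vB@tR4e$Wz"),
]

if __name__ == "__main__":
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"password shared by {len(sites)} accounts: {', '.join(sites)}")
    print("accounts exposed if 'email' leaks:", blast_radius(SAMPLE_VAULT, "email"))
    print("after rotation, reused passwords:", find_reused(rotate_to_unique(SAMPLE_VAULT)))
```

Run as-is, the audit reports one password shared by four accounts, so a leak of the email credential also exposes the bank, e-filing, and practice-management logins; after rotation the reuse map is empty. A real vault does exactly this grouping internally when it flags “reused passwords” in its security dashboard.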

In addition to a vault, you should make sure employees activate two-factor authentication (2FA) for all accounts. 2FA employs an alternate confirmation (text, email, security question) to verify suspicious logins. It’s another simple step that’s often overlooked (or permanently procrastinated), but it takes just a few minutes and can save real trouble down the road.

One other essential tool in the fight against password breaches is Dark Web Monitoring. This measure won’t stop employee carelessness but detects when mistakes have imperiled your firm’s credentials. Proactively scanning digital black markets provides alerts when company information is being traded by hackers, letting you change the locks before they strike.

Proper password hygiene requires a certain level of vigilance that not all employees will practice…and if just one worker slacks off, all your data can be exposed. Enlisting services that automate best practices while making life easier for your team is a great way to implement critical protocols.

Interlocking layers are the “key.” Password managers ensure unique codes, 2FA adds a layer of safety, and Dark Web monitors patrol for stolen credentials…all working together to secure your data and keep your online access “oops-proof.” 

Malice: The Danger of Disgruntled Workers

The last category of employee misconduct is the one we least like to consider, yet one that poses a genuine danger: malicious acts.

A recent security assessment revealed that 22% of data breaches were intentional deeds committed by internal actors. Such attacks can be particularly damaging: fired workers know passwords, are familiar with your network, and may retain direct access to your cloud apps and records.

Disgruntled employees often prove particularly dangerous to smaller firms that are run more like a family and lack the corporate HR experience to deal with the threat.

In such instances, established security protocols can prove invaluable.

Security protocols specify the protective and remedial measures necessary after certain foreseeable challenges. In addition to emergencies like natural disasters, external hacks, or facility damage, these plans cover the steps to eliminate employee access and prevent disgruntled revenge. In the emotional aftermath of a tense termination, protocols provide checklists to avoid fatal oversights.

Regular system scans are also essential in case a departing worker has left malware or ransomware behind. These programs can lie dormant and undetected in a network until future activation; it’s imperative to identify and remove them before that can happen.

Backing up data can also be vital to overcoming malicious deletion or corruption. Employees with access can erase countless files, so having an offsite copy of critical data (like email) is an insurance policy against the unthinkable.

Every employer hates to consider that they might be at risk from their workers; we screen all our hires, grow close to our team, and shudder to think of a breach that’s also a betrayal. But it happens.

You can’t catch every bad apple, deflect every temptation, or be a perfect psychologist for your staff…but with a multi-layered cybersecurity program built on security protocols, system scanning, and email data backup, you can limit the damage suffered should things go south.


The cybersecurity landscape is daunting enough without worrying about threats from within. Unfortunately, the deception of social engineering practices, the carelessness of credential mismanagement, and the malice of soured workplace relationships all make employees a danger to data…whether intentional or not.

By training (and testing) your team, giving them tools that simplify compliance, and taking precautions against someone going rogue, you can instill confidence and implement safeguards to protect your data better.  

Don’t let your greatest assets become an existential liability – make your good employees better and your bad ones less risky. You can learn more about this threat and others in our guide on the top cyber threats for law firms.


Tom Lambotte


Tom Lambotte is a cybersecurity expert who has been in the legal tech industry for close to two decades. He founded BobaGuard, an affordable suite of turnkey cybersecurity solutions to help protect small and midsize law firms from getting hacked. Tom’s passion is helping legal entrepreneurs grow by leveraging technology.
