Unlearning What We Know In Cybersecurity
Alvin Toffler once said,
"The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn."
His statement couldn’t be truer and as I chaired the European Security Forum 2021 in London this week, I was amazed at how the theme of unlearning what we know glued together (figuratively speaking) all the other speakers’ presentations. I’d only come up with it at short notice, too, having been asked to present in addition to chairing. Now it’s this theme I want to explore with you, but before then, I’m going to tell you a little bit about the event.
Over the course of a day, we explored how the IT and security landscape has shifted exponentially over the past 24 months, and why cybersecurity vigilance is a fundamental priority and necessity for all businesses. We debated a journey from resilience to recovery in the legal profession, and our speakers delved into the rise of malicious actors due to the hybrid workforce, how firms need to increase vigilance in their supply chain, the growing risk that the cyber skills gap presents, and coping with expanding IT services, technologies, and national and cross-jurisdictional policies and controls, whilst considering external and insider cybersecurity threat detection.
It was necessary. The legal sector is an important one. It offers a unique environment and is increasingly becoming a logical target for all manner of threat actors, from criminal syndicates to sophisticated state-sponsored attackers and hacktivists, simply because law firms hold sensitive client information, handle significant funds, and act as intermediaries in commercial and business transactions. And it’s this storage and trade of information that can make law firms vulnerable to attacks, particularly when it comes to the suppliers they work with.
Now the payoffs from an attacker’s perspective can be huge. For example, a group known as Cosmic Lynx, who’ve been operating since April 2019, meticulously research their M&A targets, craft their email campaigns and set up a secondary email chain that appears to be from a major law firm who is brokering the deal. According to sources, the average transfer request made in one of these attacks is USD 1.27 million, with the highest being nearly USD 3 million. But we’ve seen higher in the legal sector when it comes to ransomware attacks.
In May of 2020, Sodinokibi (REvil) ransomware group listed Grubman, Shire, Meiselas, & Sacks on their data leak site “Happy Blog”. They initially demanded a ransom of USD 21 million, which they doubled to USD 42 million after the law firm refused to pay the initial amount.
In the last 12 months, we’ve seen some particularly high-profile ransomware attacks on law firms. For example, 4 New Square was hit in June 2021, and an intriguing aspect of this attack was that the firm obtained a UK High Court injunction that ordered the perpetrators not to “use, publish or communicate or disclose to any other person any of the (unspecified) data they stole.”
Then, there was Campbell Conroy & O'Neil, a large law firm that works with A-list clients, which was hit by ransomware in February 2021 and had a range of sensitive data about its clients leaked online. To minimise the reputational damage from this attack, the firm offered two years of complimentary access to credit monitoring, fraud consultation, and identity theft restoration services for affected individuals.
The same month, Jones Day fell victim through a supply chain attack which exploited a zero-day vulnerability in the Accellion file transfer service. This previously undiscovered vulnerability provided an entry point to steal sensitive data belonging to Jones Day. And when Jones Day failed to respond to the attacker’s ransom demands, stolen information began appearing on the dark web.
Now it’s crystal clear from just these few stories that the cyber threat to the legal sector is significant and growing. Whilst ransomware and supply chain attacks are on the increase, phishing attacks remain a concern among many firms, as do hacks that target the firms themselves. Deepfakes are growing and the prices to procure them are falling. That will continue, as will their innovation.
Small and medium-sized firms often struggle to allocate enough resources – time, budgets, people and tools – so they can be productive and adequately protect their clients’ data and communications. The cost of client audits comes up time and time again. And then firms have their own data, operations, and intellectual property to protect.
The culture is tough too, for many of the partners are keen to understand more but are playing catch-up. Or they want to innovate but don’t know how to without an increase in risk. Then, there’s tension between the fee earners who want speed and agility, and cybersecurity leaders who demand safety. Legal professionals also have an ethical and legal duty to ensure technology competency. The list goes on, and the problems need solving. And that’s what the event was all about.
Even though the last 24 months have been dire, we’ve seen executives place much more trust in their own tech capabilities and the skills of their workforce because they’ve seen them deliver results. We’ve also seen tech teams get more out of the tools they’ve procured and implement them to a fuller potential. Thanks to the pandemic, previous barriers to implementation have been removed, and those who took a measured risk by moving first have done well.
Cybersecurity has always been a pressurised environment, but in the last 24 months with so much change and threat evolution (especially deepfakes), it’s become even more so. And that’s why to advance it’s essential we adopt a beginner’s mind – a growth mindset – and stay open to unlearning what we know.
Just think about this for one moment.
When a technology or process becomes outdated, we have to unlearn it in order to stay relevant. That doesn’t mean we have to forget, but it does mean we have to challenge ourselves to do something different. Maybe it’s just about us asking better questions, staying curious, playing devil's advocate. Maybe it’s just about us taking better care of ourselves so we don’t overload our adrenals and self-medicate on too much caffeine, alcohol and/or drugs to compensate. It happens, and when it does our thinking becomes slower and weaker.
As an industry, with so much at stake, we have to lead more. We have to consciously slow down so we can pay better attention to what’s going on and the decisions we’re making.
Growth is messy, and it’s not linear despite what the learning curve tells us. To really understand that point, watch this video by Destin Sandlin, an American engineer and science communicator who produces the YouTube series Smarter Every Day.
You see, when we go through a process of unlearning, we’ll all clumsily move through the steps – from unconscious incompetence to conscious incompetence to conscious competence to unconscious competence.
So, as assumptions kill possibilities, I want you to consider what you are going to have to unlearn. Is it…
Whatever it is, one thing is clear. What got you here, won’t get you there.
Technology moves in and out of the market and it’s not just technical skills that you’re going to need to update. With the changing times, people develop, and increasingly they need soft skills to adapt with time so they can better engage with new stakeholders and their changing job roles. For example, once someone is promoted to a leader, he or she will have to undergo the process of unlearning. He or she will have to unlearn the behaviour of an individual who was a deliverable (a direct cost or contributor) and learn how to lead a team, maintaining the right balance between the people and organisation. And he or she may have to unlearn primitive management skills and replace them with new ones in order to lead the new generations of digital natives.
He or she will have to work on creating trust and trustworthiness too, which, in a world of fakes, is becoming a more valuable currency. For leaders, trust is essential for attracting, retaining and developing the best talent, and many of them need to unlearn command-and-control, hierarchical leadership styles. They need to learn a new power of competence which is based on themselves, not on their position or company. That way, when leaders create more trust and build psychological safety into their workplaces, their teams get comfortable with not always being “right” and not always having all the answers. They are developed and supported, and as a result are less dependent on their leaders and less resistant to change.
It also means creating diverse teams, because these slow us down, which can be good. They give us time to think, and they challenge our narrow perspectives. With other viewpoints, they help us avoid being blindsided, make better decisions and innovate, which improves our output – a safer, happier and more prosperous world.
So please think about all of these things and know the fact that business models of the future are rooted in abundance. This means unlearning scarcity and learning that there is now enough for all. The more a person or company improves themselves and then contributes that value to the whole, the more WE ALL benefit.
So, get crystal clear on what you want. Think about how you want to lead, what sort of culture you want to build in your team, who you can collaborate or partner with, what you want to be known for, what legacy you want to leave. With this information, you can then compile a list of skills you need to learn and unlearn.
Now I want to hear from you…
And if you want to hear from some industry leaders (me included) on managing burnout and creating safe spaces, Cisco has created this useful ebook.
PS. If you’re a woman or business that supports women and are ready to unlearn, learn and relearn in a way that's fun, inspiring and uplifting, join us at The Source. You can get on our waitlist and then be the first to hear when we open our doors again next year for new members, partners and corporate sponsors.
About Jane Frankland
Jane Frankland is an award-winning leader, best-selling author, speaker and women’s change agent. She works with women and businesses who value them and is solving the problem of making women in cybersecurity standard not exception. She does this through her writings, keynotes, consulting and brand new unifying women in security platform, The Source.
Having spent over 23 years in cybersecurity, Jane has become one of the most celebrated female influencers in the world and been named a UNESCO trailblazing woman in tech. Having cut her teeth in tech by building her own global penetration testing company in the late 90s, she has also worked as an executive for some of the world’s most well-known consultancies whilst contributing to leading industry accreditations, schemes and forums.
Jane is well known as an awards judge, executive advisor, consultant, trainer, mentor, author and mother. She regularly shares her thought leadership in keynotes with some of the world's most forward thinking companies as well as with governments, the UN, EU Commission, India High Commission and World Assessment Council. Jane has been a guest lecturer at Kings College London and Columbia and her media appearances include the BBC, The Guardian, The Times, The Financial Times and Forbes. Her Movement, which follows on from her bestselling book, IN Security, has enabled more than 205 women to receive scholarships so they can up-level, and her code of conduct has been keeping women safer at events worldwide since 2019. To find out how to work with Jane go to https://jane-frankland.com
Thanks for sharing, Jane Frankland! Some great examples of unlearning and relearning. One thing I would add is that it doesn’t all have to start from zero. That is, unlearning and relearning are often facilitated by underlying concepts that remain the same. In cybersecurity, an example is the concept of least privilege. Upon that foundation, we can build, demolish, and rebuild, adapting our approach. And doing so continuously.
Head of Cyber Security | CISSP | CCSP | PCIP
3y · Best blog I've read in a while and spot-on Alvin Toffler quote - he was a true forward thinker IMO and someone whose insights are only just becoming apparent.
CyberSecurity Woman of Arab World 2024 & CyberSecurity Woman Barrier Breaker 2023. Ranked #1 @ CyberSecurity-IFSEC Global Influencers 2019. Cybersecurity Woman of the Arab World 2024 and Cybersecurity Woman of the Year Barrier Breaker 2023.
3y · "learn, unlearn, and relearn." That is exactly why I always believe that learning, covering these different manners, is a life journey and never a specific phase. Many thanks, dear Jane Frankland, for this insightful article. 🌟🌟🌟💞💞
Researcher and Business Consulting
3y · Spot on, Jane. Quite interesting that law firms are targets, easy targets, because they never "learned" to protect client data. Seriously, they need every day to be "Cybersecurity Awareness Day." If they have now learned that a disclaimer means nothing to a criminal, they have "unlearned". I'm curious what the discussion was around the continued use of unencrypted email.
Marketing Leader, Logicalis Asia Pacific and Global
3y · Great article. This bit particularly resonated (how to strike the balance!): "they want to innovate but don’t know how to without an increase in risk. Then, there’s tension between the fee earners who want speed and agility, and cybersecurity leaders who demand safety."