Unlearning What We Know In Cybersecurity 

 October 1, 2021

By Jane Frankland

Alvin Toffler once said,

“The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.”

His statement couldn’t be truer and as I chaired the European Security Forum 2021 in London this week, I was amazed at how the theme of unlearning what we know glued together (figuratively speaking) all the other speakers’ presentations. I’d only come up with it at short notice, too, having been asked to present in addition to chairing. Now it’s this theme I want to explore with you, but before then, I’ll tell you a little bit about the event.

Over the course of a day, we explored how the IT and security landscape has shifted exponentially over the past 24 months, and why cybersecurity vigilance is a fundamental priority and necessity for all businesses. We debated a journey from resilience to recovery in the legal profession and our speakers delved into the rise of malicious actors due to the hybrid workforce, how firms need to increase vigilance in their supply chain, the growing risk that the cyber skills gap presents, and coping with expanding IT services, technologies, national and cross-jurisdictional policies and controls, whilst considering external and insider cybersecurity threat detection.

It was necessary. The legal sector is an important one. It offers a unique environment and is increasingly becoming a logical target for all manner of threat actors, from criminal syndicates to sophisticated state-sponsored attackers and hacktivists, simply because law firms hold sensitive client information, handle significant funds, and act as intermediaries in commercial and business transactions. And it’s this storage and trade of information that can make law firms vulnerable to attacks, particularly when it comes to the suppliers they work with.

Now the payoffs from an attacker’s perspective can be huge. For example, a group known as Cosmic Lynx, who’ve been operating since April 2019, meticulously research their M&A targets, craft their email campaigns and set up a secondary email chain that appears to be from a major law firm that is brokering the deal. According to sources, the average transfer request made in one of these attacks is USD 1.27 million, with the highest being nearly USD 3 million. But we’ve seen higher in the legal sector when it comes to ransomware attacks.

In May of 2020, Sodinokibi (REvil) ransomware group listed Grubman, Shire, Meiselas, & Sacks on their data leak site “Happy Blog”. They initially demanded a ransom of USD 21 million, which they doubled to USD 42 million after the law firm refused to pay the initial amount.

In the last 12 months, we’ve seen some particularly high profile ransomware attacks on law firms. For example, 4 New Square was hit in June 2021 and an intriguing aspect of this attack was that the firm obtained a UK High Court injunction that ordered the perpetrators not to “use, publish or communicate or disclose to any other person any of the (unspecified) data they stole.”

Then there was Campbell Conroy & O’Neil, a large law firm that works with A-list clients, which was hit by ransomware in February 2021 and had a range of sensitive data about its clients leaked online. To minimize the reputational damage from this attack, the firm offered 2 years of complimentary access to credit monitoring, fraud consultation, and identity theft restoration services for affected individuals.

The same month, Jones Day fell victim through a supply chain attack which exploited a zero-day vulnerability in the Accellion file transfer service. This previously undiscovered vulnerability provided an entry point to steal sensitive data belonging to Jones Day. And when Jones Day failed to respond to the attacker’s ransom demands, stolen information began appearing on the dark web.

Now it’s crystal clear from just these few stories that the cyber threat to the legal sector is significant and growing. Whilst ransomware and supply chain attacks are on the increase, phishing attacks remain a concern among many firms, as do hacks that target the firms themselves. Deepfakes are growing and the prices to procure them are falling. Small and medium-sized firms often struggle with ensuring they allocate enough resource – time, budgets, people and tools – so they can be productive and adequately protect their clients’ data and communications. The cost of client audits comes up time and time again. And then, firms have their own data, operations, and intellectual property to protect.

The culture is tough too, for many of the partners are keen to understand more but are playing catch up. Or they want to innovate but don’t know how to without an increase in risk. Then, there’s tension between the fee earners who want speed and agility, and cybersecurity leaders who demand safety. Legal professionals also have an ethical and legal duty to ensure technology competency. The list goes on, and the problems need solving. And that’s what the event was all about.

Even though the last 24 months have been dire, we’ve seen executives place much more trust in their own tech capabilities and the skills of their workforce because they’ve seen them deliver results. We’ve also seen tech teams get more out of the tools they’ve procured and implement them to a fuller potential. Thanks to the pandemic, previous barriers to implementation have been removed and those who took a measured risk by moving first have done well.

Cybersecurity has always been a pressurised environment, but in the last 24 months with so much change and threat evolution (especially deepfakes), it’s become even more so. And that’s why, to advance, it’s essential we adopt a beginner’s mind – a growth mindset – and stay open to unlearning what we know.

Just think about this for one moment.

When a technology or process becomes outdated, we have to unlearn it in order to stay relevant. That doesn’t mean we have to forget but it does mean we have to challenge ourselves to do something different. Maybe it’s just about us asking better questions, staying curious, playing devil’s advocate. Maybe it’s just about us taking better care of ourselves so we don’t overload our adrenals and self-medicate on too much caffeine, alcohol and/or drugs to compensate. It happens, and when it does our thinking becomes slower and weaker.

As an industry, with so much at stake, we have to lead more. We have to consciously slow down so we can pay better attention to what’s going on and the decisions we’re making.

Growth is messy, and it’s not linear despite what the learning curve tells us. Just watch this video by Destin Sandlin, an American engineer and science communicator who produces the YouTube series Smarter Every Day. You see, when we go through a process of unlearning, we’ll all clumsily move through the steps – from unconscious incompetence to conscious incompetence to conscious competence to unconscious competence.

So, as assumptions kill possibilities, I want you to consider what you are going to have to unlearn. Is it…

  • The skills you think are sufficient to take you to the next level?
  • How you manage, motivate and lead people remotely or in a hybrid environment?
  • Who your target hires are, what competencies they hold, what they want and value?
  • How to communicate to a whole new set of stakeholders?
  • How to secure a dissolved perimeter, onboard new partners and suppliers, manage passwords, train your employees on security awareness, and deal with a breach or ransomware attack?

Whatever it is, one thing is clear. What got you here, won’t get you there.

Technology moves in and out of the market and it’s not just technical skills that you’re going to need to update. With the changing times, people develop, and increasingly they need soft skills to adapt with time so they can better engage with new stakeholders and their changing job roles. For example, once someone is promoted to a leader, he or she will have to undergo the process of unlearning. He or she will have to unlearn the behaviour of an individual who was a deliverable (a direct cost or contributor) and learn how to lead a team, maintaining the right balance between the people and organisation. And he or she may have to unlearn primitive management skills and replace them with new ones in order to lead the new generations of digital natives.

He or she will have to work on creating trust and trustworthiness too – which in a world of fakeness is becoming a higher currency value. For leaders, trust is essential for attracting, retaining and developing the best talent and for many, they need to unlearn command and control, hierarchical leadership styles. They need to learn a new power of competence which is based on themselves not on their position or company. That way, when leaders create more trust and build psychological safety into their workplaces, their teams get comfortable with not always being “right” and not always having all the answers. They are developed, supported and as a result are less dependent on their leaders and less resistant to change.

It also means creating diverse teams because these slow us down, which can be good. They give us time to think, and they challenge our narrow perspectives. With other viewpoints they help us not to be so blindsided, make better decisions, innovate, which improves our output – a safer, happier and more prosperous world.

So please think about all of these things and know the fact that business models of the future are rooted in abundance. This means unlearning scarcity and learning that there is now enough for all. The more a person or company improves themselves and then contributes that value to the whole, the more WE ALL benefit.

So, get crystal clear on what you want. Think about how you want to lead, what sort of culture you want to build in your team, who you can collaborate or partner with, what you want to be known for, what legacy you want to leave. With this information, you can then compile a list of skills you need to learn and unlearn.

Now I want to hear from you…

  • What else do you need to unlearn?
  • What comes up for you when you think about unlearning? What words and phrases do you hear? What are you resisting? Let me know by sharing in the comments or message me privately.

PS. Photo credit is by Window at Unsplash.com


Jane Frankland

Jane Frankland is a cybersecurity market influencer, award-winning entrepreneur, consultant and speaker. She is the Founder of KnewStart and the IN Security Movement. Having held executive positions within her own companies and several large PLCs, she now provides agile, forward thinking organisations with strategic business solutions. Jane works with leaders of all levels and supports women in male dominated industries like cybersecurity and tech. Her book, 'IN Security: Why a failure to attract and retain women in cybersecurity is making us all less safe' is a best-seller.

