Volver al blogTraining

How to protect your business through your people

90% of incidents in law firms and agencies start with a person, not a technical failure. 10-minute checklist to protect your business.

cydoo team
cydoo teamCybersecurity for everyone
Jun 15, 20265 min
How to protect your business through your people

It is 9:47 in the morning. Someone on your team has just opened an email that appears to be from a regular supplier. Attached is a pending invoice. Click. In less than three seconds, something that shouldn't be on your network is already inside.

Not because your systems are bad. Not because that person is careless. But because no one had taught them to recognize a fraudulent email.

In cybersecurity, that has a name: «the human factor». And in businesses that handle sensitive data such as law firms and agencies, it is the most frequent entry point for recorded incidents in Spain.

The good news is that the best reinforcement you can count on is already on your payroll. You don't need a technical team or an investment in complex technology. No complications. Your first line of defense starts with the people who already work with you.

The three mistakes most teams make without knowing it

The human factor in cybersecurity is any action or inaction by a person that opens the door to a security incident. It doesn't have to be anything serious. It is enough to open an attachment without looking at the sender, use the same password on multiple sites, or share a document via WhatsApp because the email was taking too long.

According to the INCIBE 2025 Cybersecurity Balance, phishing, or fraudulent email, was the most frequent entry method in Spain, with more than 25,000 recorded cases. 4 out of 10 incidents started with someone clicking on something that seemed completely normal to them.

These are mistakes made out of ignorance, not carelessness. And that difference matters because ignorance has an immediate solution.

1. Opening attachments or links without verifying the sender

Phishing is the most widely used technique in SMEs, notary offices, law firms, and agencies because it works. A well-written email, with the bank's or the Tax Agency's logo, arriving at a time of intense work, is difficult to detect if no one has taught you to look at it calmly.

The simplest sign that anyone can learn in two minutes is this: before clicking, hover your cursor over the link without clicking it. The actual address appears at the bottom of the browser. If it doesn't match the sender or looks strange, do not enter and call the person who supposedly sent it directly.

2. Weak or shared passwords

"The Drive password is 1234, so we all remember it." This phrase, said with the best intentions in the world, is one of the most frequent access points that attackers exploit in agencies and law firms.

A strong password is at least 12 characters long, mixes letters, numbers, and symbols, and is not repeated in other services. And there is no need to memorize it: password managers like Bitwarden (free in its basic version) do it for you.

3. Using personal tools for professional work

There is a question worth asking: where do your clients' documents travel when someone works from home or is in a hurry?

If the answer includes WhatsApp, personal email, or a mobile phone without a screen lock, the information is circulating through channels that no one in your office controls or protects. Not because the team has bad intentions, but because no one has established a clear alternative.

An agreed, well-known, and easy-to-use professional channel helps close that door.

The actionable checklist for any SME, law firm, or agency

No courses. No technical department. Open this list with your team, mark what you already have, and turn what is missing into your first step.

1. Reviewed accesses

Review who has active access to email, Drive, and the case manager. If someone no longer works with you and can still log in, that access remains open until someone manually closes it.

2. A clear rule for suspicious emails

Agree on a simple rule within the team. Any email asking for money, data, or passwords is not answered without consulting the person in charge directly. One step, ten seconds, and you avoid the most expensive mistake there is.

3. Two-step verification activated

Do you have it activated? It is the smallest change with the biggest impact. With two-step verification, even if someone gets your password, they can't log in without your mobile phone. It activates in less than 5 minutes in Gmail or Microsoft 365.

4. The team knows what to look at before opening anything

The name that appears on an email does not always correspond to who sends it. Before opening any attachment or clicking on a link, look at the full address. If something doesn't match, delete it without opening and notify the person in charge. It is the easiest habit to incorporate and one of the most effective.

5. Documents travel through professional channels

Your clients' information deserves to travel through channels you control. Agree on which tool you use to share documents and always use it. The office email, the case manager, the platform you have. Whatever is not included in that agreement, should not be used.

Now you know what is missing. Now it's easy.

The human factor is not a weakness of your team. It is an opportunity. Because people, unlike systems, learn. They adapt. And when they understand why something matters, they apply it without anyone having to remind them every week.

In Cydoo we help law firms, agencies, and SMEs protect their data, comply with the GDPR, and build a cybersecurity culture without technicalities or complications, starting from the people outwards.

Do you want to protect your business?

Discover which plan fits your needs and start working with peace of mind.

See plans
Your company has more entry points than you imagine

Your company has more entry points than you imagine

Oct 13, 2025Leer
Your antivirus doesn’t have superpowers (even if it seems like it)

Your antivirus doesn’t have superpowers (even if it seems like it)

Oct 13, 2025Leer
Cybersecurity for Everyone: Cydoo's Commitment

Cybersecurity for Everyone: Cydoo's Commitment

Aug 22, 2025Leer

Managed cybersecurity for companies that can’t afford to improvise.

Partners