Posted by Paul Saunders, managing director of Legal Futures Associate Legal Eye
The skills shortage in our businesses is the biggest threat to our industry when looking at cybercrime. Cybercriminals are not just after money but are looking for sensitive information too, so the legal services sector is an obvious target.
In the last year we have had reports of around £7m of client money being lost to such crime. The Global Risk report says that 90% of global businesses are insufficiently prepared to protect themselves against cyber-attacks.
In a threat report published by the National Cyber Security Centre and the National Crime Agency, officials noted that 188 high-level cyber-attacks had been made in the last three months of 2016. It is suggested that online identity theft occurs every two seconds.
This is not an IT issue and it should not be left to the IT teams to sort out. It is a high-level responsibility and a board-level issue that must be taken seriously.
We suspect that we will look back on 2016 and ask why we didn’t respond quicker. None of us wants your business to become one of the statistics. The UK has a huge reliance on the digital economy – last July alone, UK shoppers spent almost £10.7bn online – and increasingly customers demand that our services are available in similar mediums.
Two broad categories of cybercrime are data breaches and sabotage.
Personal data, intellectual property, trade secrets and information relating to bids, mergers and prices are all tempting targets for a data security breach.
Sabotage can take the form of denial of service attacks, which flood web services with bogus messages, as well as more conventional efforts to disable systems and infrastructure.
In addition to commercial losses and public relations problems, disruption of operations and the possibility of extortion, cyber-attacks may also expose an organisation to regulatory action, negligence claims, the inability to meet contractual obligations and a damaging loss of trust among customers and suppliers.
Cyber security is a senior-level responsibility, similar to other compliance issues for which partners can be held responsible if they do not discharge their responsibilities properly.
This is unfortunately now a question of when it will happen, not if. It is not sufficient for you just to have policies in place – you must put them into effect and train your staff on what they should be doing. In your business planning you are going to have to take account of the cost of implementing systems and processes to ensure that you do your best to mitigate the risk.
Hardly a week goes by without yet another report of an attempt by hackers to divert client funds by corresponding by email with a conveyancing client, building up a rapport whilst purporting to be an employee of the client’s solicitors’ firm, and then sending an email which seeks to change the bank details to which the client’s funds, in readiness for exchange, should be sent.
It is suggested that the statistics reported are just the tip of the iceberg and far from a true reflection of the scale of the issue as, whilst encouraged to do so, many firms are not reporting thwarted attempts where no monetary loss occurs, even though considerable time (and thus money) is spent by senior members of staff dealing with the issue.
It is all too easy to fall into the trap of thinking that this won’t happen to you. It could. You may not be able to prevent a cyber-attack but you can ensure that you do everything possible to mitigate the risk of a cyber-attack being successful.
The advice from regulators does not really help as the rules are designed to protect the money held for clients and commercial confidentiality. They also fail to consider the position of the in-house lawyer and how they manage the responsibility.
There is little work done on ‘stress testing’ systems and processes in law firms or by in-house teams. Ultimately a good data breach response is a practised one. But the input to that is a broad and wide-reaching business one, not simply a risk team’s responsibility. Staff training and policy implementation are firm-wide.
You have an obligation to know how your staff would behave in these circumstances. Outsourcing your requirements and having external audits of your cyber processes is one of the strongest ways of ensuring you have an impartial opinion and knowledge. What you do with that knowledge is then, as always, your choice.
The following simple and practical steps are key in the fight against cybercrime:
Educate your client about the risks of cybercrime
- Advise your client at the outset of the matter, in a prominent place in your client care documentation, that you will never send out your bank details by email, you will not change your bank details during the course of their transaction and that if they receive any communication which suggests that you have, they should immediately contact you to discuss and should not, under any circumstances, transfer any funds; and
- Remind your client of this regularly by a prominent notice on your email footer and on any letters sent to the client.
Educate your members of staff about the risks of cybercrime
- Ensure staff only send bank account details by post and not by email;
- Provide regular and appropriate training for all members of staff on how to spot cybercrime, different types of cybercrime and what to do in the event of an attack;
- Ensure strong passwords are used and passwords are changed regularly;
- Don’t assume an email is authentic; and
- Ensure that you have the correct policies (ie email, social media, data protection, internet usage), procedures and plans (including business continuity and cyber-incident response) in place.
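The two controls above that staff can apply mechanically – bank details never go out by email, and no email is assumed authentic – lend themselves to an automated first check before a message reaches a fee earner or a client. The script below is an added illustration, not code from the original article or from Legal Eye: it flags messages whose display name uses the firm's name while the address sits on another domain, whose Reply-To quietly points elsewhere, which carry a UK sort code and account number in the body, or which use payment-redirection wording. The firm name, firm domain and both sample messages are constructed for the example.

```python
"""Hold-for-verification check for conveyancing e-mail.

Added example (not from the article): flags messages that should be
verified by telephone on a known number before anyone acts on them.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the firm's real domain and trading name.
FIRM_DOMAIN = "example-solicitors.co.uk"
FIRM_NAME = "Example Solicitors"

# UK sort code (12-34-56 or 12 34 56) and an 8-digit account number.
SORT_CODE_RE = re.compile(r"\b\d{2}[- ]\d{2}[- ]\d{2}\b")
ACCOUNT_RE = re.compile(r"\b\d{8}\b")
CHANGE_PHRASES = (
    "new bank details", "updated bank details", "change of bank details",
    "changed our bank", "new account details", "please send the funds to",
)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message: str) -> list[str]:
    """Return the reasons a message should be held; [] means nothing found."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. The firm's name in the display name, but not the firm's domain.
    if FIRM_NAME.lower() in display_name.lower() and from_domain != FIRM_DOMAIN:
        findings.append(f"display name uses '{FIRM_NAME}' but sender domain is '{from_domain}'")
    # 2. Replies would go to a different domain than the visible sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from sender domain '{from_domain}'")

    body = msg.get_payload()
    if not isinstance(body, str):  # multipart: gather the plain-text parts
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    lowered = body.lower()
    # 3. Account details in the body: the firm's policy is post only.
    if SORT_CODE_RE.search(body) and ACCOUNT_RE.search(body):
        findings.append("sort code and account number present in e-mail body")
    # 4. Wording that asks the reader to redirect a payment.
    hits = [p for p in CHANGE_PHRASES if p in lowered]
    if hits:
        findings.append("payment-redirection wording: " + ", ".join(hits))
    return findings


def triage(raw_message: str) -> str:
    """One-line verdict for a message queue or mail-filter rule."""
    return "HOLD - verify by telephone on a known number" if analyse(raw_message) else "OK"


# Constructed sample messages (not real correspondence).
LEGITIMATE = """From: Jane Doe <jane.doe@example-solicitors.co.uk>
To: client@example.net
Subject: Exchange of contracts

Dear Client,
We are on track to exchange on Friday. Our bank details were sent to you
by post with the client care letter and will not change.
Kind regards, Jane
"""

SUSPICIOUS = """From: Jane Doe - Example Solicitors <jane.doe@example-solicitors-mail.com>
Reply-To: accounts@free-mail-example.com
To: client@example.net
Subject: Re: Exchange of contracts

Dear Client,
Please note our updated bank details for the deposit: sort code 12-34-56,
account 12345678. Please send the funds to this account today.
Kind regards, Jane
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, "->", triage(raw))
        for reason in analyse(raw):
            print("   ", reason)
```

Run stand-alone it reports the legitimate message as OK and the constructed suspicious one as HOLD with four reasons. The point of the check is not to block mail but to make the "contact us by phone before transferring anything" step from the client care letter happen by default whenever a message looks like a request to move money.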
The SRA reports that email hacks of conveyancing transactions are the most common type of cybercrime in the legal sector; 75% of these cybercrimes were committed by hackers modifying emails directly, often on a Friday afternoon when most completions take place.
Statistics from the Information Commissioner’s Office confirm that, during the first quarter of 2016, the legal and justice sector reported the fourth highest number of data security cases and there is a suggestion that these sectors under-report.
Don’t be complacent about cyber-security. The codes under which lawyers work require firms to have proper risk management procedures in place (including in relation to cybercrime) and to protect client monies and assets.
Legal Eye has a product range specifically designed to help law firms protect themselves against cyber-attack and a cyber audit that will raise the awareness of your business and help you stay safe.