Posted by Legal Futures Associate Searchflow
The global coronavirus pandemic, and the rise in people working from home, has unfortunately provoked a growth in cyber-crime. The UK government estimates that the cost of cyber-crime is £27bn per annum.
The legal sector handles sensitive data and large financial transactions, which makes it an attractive target for cyber criminals, who are constantly looking for new ways to exploit any situation they can.
In September 2020, the Solicitors Regulation Authority (SRA) published its review of firms who had suffered cyber-security breaches and found that the results ‘were often catastrophic’. In addition to the money stolen, law firms incurred additional costs in higher insurance premiums, lost time and damaged client relationships.
The SRA publishes recent scam alerts on its website, so that we can all see what to look out for. It also presents a scams round-up as an overview of current scam activity.
Cyber-security steps you can implement now
The repercussions of cyber-attacks can be devastating for both clients and law firms, who may never recover their business reputation. It has never been more important to ensure that protective measures are in place.
A practised and well communicated incident response action plan (IRAP) can help everyone to understand their role in a crisis and minimise the inevitable impact. This plan should include:
- Initial steps to secure the situation;
- A PR/communication plan to stakeholders, clients and third parties;
- Maintaining a contemporaneous document tracking the situation, essential facts as discovered, key decisions and resulting actions; and
- Lessons learned and future protection plans
There are accrediations that can also help, like Cyber Essentials Plus, a government-backed scheme which will demonstrate to your stakeholders that you take cyber-security seriously.
With some planning, training and the right technology in place, law firms can reduce risk and be confident that if a breach happens, they know how to respond to it and have everything they need in place.
Here are some questions that can help provide a snapshot of where your business is now:
- What are the current cyber-crime risks for property professionals and law firms?
- How up-to-date are your current cyber security policies?
- Are there any new or emerging cyber risks to be aware of and consider addressing?
- Do your IT systems have suitable back-up, network and systems protection in place to support diagnostics and remedy in the event of any concern?
- Do you have the expertise in-house to deal with cyber-security, or do you need to outsource to experts and have them pre-prepared should you ever need them?
You could choose to put together a strategy based on these suggestions:
- It doesn’t matter how big or small your company is, plan as if you expect to be attacked. It could happen to anyone.
- Enforce a strong password protocol. For example, insist that passwords are a good length (minimum 12 characters, more is better), follow the latest advice on making up passwords – for instance by adding together three words to make them easier to use, mixing in capitals or numbers.
- Back up your data frequently and in different locations (on and offline) in response to a ransomware attack. Remember to validate the back-ups from time to time.
- Be aware of the latest phishing scams, which can happen via email, phone and text. Remember that some 80% of attacks are via phishing.
- Put a mobile working policy in place: Make sure staff who are not office-based understand company policies and procedures to stop sensitive information being lost, stolen or compromised. Seriously consider making a VPN your standard remote access method.
- Make sure the personal information of all staff and customers is securely protected and you are certain your data protection impact analysis is up-to-date.
- Invest in staff training: Ensure staff know about different types of cyber-attacks and the procedure to report a suspected attack.
- Finally, get expert advice. If you don’t have your own cyber-security staff, it’s essential to use experts and find a suitable technology partner.
You can find out more from the National Cyber Security Centre. It has put together a collection of resources to help companies protect themselves from cyber-crime.
SearchFlow regards cyber-security as a vital part of any business. We’ve put together a handy list of key questions to help you examine the current state of your cyber-security.