Cyber security is an increasingly widespread issue. Law firms are often an attractive target for criminals because they hold not only large sums of money but also client information.
Cyber-crimes and scams include:
- Malware – harmful software including viruses, programs allowing access to data, and ‘ransomware’ programs that encrypt files and demand a ransom in return for a decryption key;
- Phishing and Vishing – where a criminal uses email or telephone to obtain confidential information such as a password through building a personal relationship with a solicitor or law firm employee;
- Email modification – using details gained from hacking or social engineering to modify emails and redirect money due from a client, bank or supplier; and
- CEO fraud – where a criminal impersonates a senior figure at a law firm through hacking their email address or purchasing a very similar email address, in order to impose authority and order money transfers.
99 cases of cyber-crimes were reported to The Solicitors Regulation Authority (“SRA”) between December 2015 and 2016. Email modification was by far the most reported scam, making up three quarters of the cyber-crimes experienced by firms. Half of the reports were email modification frauds against conveyancing proceeds, with 75% relating to “Friday afternoon fraud.”
The SRA recently held a roundtable bringing together a number of leading agencies and experts from a range of sectors to discuss the risks that cyber-crime presents to law firms and how they can protect themselves and their clients.
One of the themes emerging from the roundtable discussions was that cyber-security is too often considered to be just an IT risk. In fact, it is a business risk that requires engagement and ownership at board level. Additionally, it was agreed that people and processes are as crucial as technology. Staff need to know what to do if, for example, a client emails them with a change of bank account details. Further, the use of unsupported software increases an organisation’s vulnerability to cyber-crime.
What can help to protect client information and money?
Firms can take reasonable, affordable steps against cyber-crime such as:
- Implementing rigorous, unambiguous procedures such as verifying emailed requests to change bank details by telephoning the client on a previously known number;
- Keeping systems up to date, in particular browsers and anti-virus programmes, to mitigate the risk of malware or hacking and only using supported software;
- Training staff to recognise common scams, unsolicited emails and fraudulent attempts to access information;
- Informing the SRA of failed attempts to compromise accounts or information. This enables them to keep track of trends and provide the best advice.
Paul Philip, SRA Chief Executive, said: “We all benefit from information technology, but that means we are all vulnerable to cyber security risks. These risks evolve rapidly. Whether it is money or sensitive client information, law firms are an obvious target. It is the job of firms to take steps to protect themselves and their clients, but we want to help.”
A version of this blog originally appeared on the website of one of our MHA association member firms, Broomfield Alexander.