Fraud and cyber-crime are an increasing problem for businesses and individuals. A crime of this nature is now committed in the UK every four seconds, and for law firms the issue is particularly relevant: given the volume of client data and client funds that law firms hold, they are a prime target for attackers.
The Law Society recently warned firms that professional indemnity insurers may, when setting premiums this year, ask firms what they are doing to prevent criminals from stealing client money or confidential data, and what security and IT systems they have in place.
When it comes to protecting your business, we really see two types of firm: those who live in the hope that they won’t be targeted, and those who plan for a breach. Those that hope react to events as they happen, and are unlikely to take steps unless a negative experience drives them to. Those that plan assess the risks, understand what each risk is and what its consequences would be, and put in place measures to minimise it.
Given the numbers of law firms being targeted by cyber criminals, and the increases that we’re seeing year on year, firms really do need to plan and assess risk appropriately.
Of course, in the event of a breach it is not just productivity and the immediate financial loss that are affected: reputational damage is difficult to quantify, but it is significant and very hard to recover from.
When we look at the reasons why companies don’t have adequate cyber security, they often fall into these distinct categories:
• Education – Not fully understanding how to approach the issue. That’s why it’s really important to engage with other members of the business, with specialists and, if required, with external expertise.
• Management buy-in – As with any project and cultural change, cyber-crime prevention needs management buy-in and to be led by the top of the business. Directors need to know how their firm is assessing risk and how they will respond and recover in the event of a breach.
• Transfer of responsibility – Many firms simply think ‘we have IT to deal with this’ without actually understanding what measures they have in place and what support they need to establish policies and education throughout the business.
• Lack of pressure from clients and contracts – There has, until recently, been a lack of pressure from clients and contracts but that is changing rapidly. As there is more coverage in the media, private and corporate clients are increasingly aware of the risk, panels are asking for evidence of processes in place and insurers are also asking questions specific to protection measures.
• The ‘it’ll never happen to us’ culture
Training staff to be aware of potential threats and having robust policies in place are essential to minimising risk, but education and policies are not foolproof. When a firm is targeted and a company-wide email carrying a malicious attachment or link arrives, there is still a chance that a member of staff will open it.
Although it helps, you can’t rely on staff and policies alone to protect your business from cyber threats. You also need to protect your systems as far as possible using technology.
There isn’t one solution that provides 100% protection against all cyber-crime. You shouldn’t assume that having a firewall provides all the defences you need against cyber threats. Cheap devices similar to those used at home are not adequate for a corporate network; use recognised business-grade products. Any firewall solution also needs to be maintained (kept patched, with its rules reviewed), and regular penetration tests should be performed on the perimeter of your network.
Having an anti-spam solution that also scans for viruses and malware is the minimum firms should have in place to protect email. However, this basic email protection won’t stop all of the new email threats that target firms every day.
Weaponised attachments have been on the rise over the last six months, the most common payload being ransomware. When one is released onto a firm’s network by a member of staff opening an attachment, it encrypts all the data that user has access to, including any network shares they can write to, and the attackers demand payment to decrypt the files. Paying is no guarantee of receiving a working decryption key.
There are additional levels of email protection which we’d advise law firms to put in place: these can stop suspicious attachments and URLs from reaching end users, and mitigate spoofing (emails forged to appear to come from a colleague or a client). For those in conveyancing and other sectors where there is a threat of funds being redirected, secure messaging is a tool that allows you to send all, or only confidential, emails through a secure messaging portal rather than as ordinary email.
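To make the checks above concrete, here is an added example (not code from the original article or from any named product) of the kind of policy a mail gateway or filtering rule applies to each inbound message. It reads the Authentication-Results header that the receiving mail server records (the SPF and DMARC verdicts are how forgery of your own domain is detected), flags a display name that advertises the firm while the address is external, flags a Reply-To pointing at a different domain from the sender (the usual set-up for payment-redirection fraud in conveyancing), and blocks attachment types that should never reach an end user. The firm domain examplelaw.co.uk, the three sample messages and the extension list are all constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Extensions a gateway should never deliver to an end user. Assumed list for
# this example; a real deployment tunes it to what the firm actually exchanges.
DANGEROUS_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse", "wsf",
    "hta", "jar", "lnk", "iso", "img", "docm", "xlsm", "pptm",
}


def is_dangerous_attachment(filename: str) -> bool:
    """Block if any extension in the chain is dangerous, so a double extension
    such as 'invoice.pdf.exe' is caught as well as a plain 'payload.exe'."""
    extensions = filename.lower().split("/")[-1].split(".")[1:]
    return any(ext in DANGEROUS_EXTENSIONS for ext in extensions)


def authentication_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts the receiving MTA wrote into Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = verdict.lower()
    return results


def assess_message(raw: bytes, internal_domain: str) -> dict:
    """Return {'action': 'deliver'|'quarantine', 'findings': [...]} for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = authentication_results(msg)

    # 1. Forged internal sender: the address claims to be ours, SPF/DMARC disagree.
    if from_domain == internal_domain and "fail" in (auth.get("spf"), auth.get("dmarc")):
        findings.append("internal sender failed spf/dmarc (spoofed)")

    # 2. Display-name spoofing: the name advertises the firm, the address is external.
    if from_domain != internal_domain and internal_domain.split(".")[0] in from_name.lower():
        findings.append(f"display name impersonates {internal_domain} from {from_domain}")

    # 3. Reply-To redirected elsewhere: the set-up for payment-diversion fraud.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = parseaddr(str(reply_to))[1].rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender")

    # 4. Attachments of a type end users should never receive.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_dangerous_attachment(name):
            findings.append(f"blocked attachment type: {name}")

    return {"action": "quarantine" if findings else "deliver", "findings": findings}


# Constructed sample messages: no real domains, people or payloads.
SUSPICIOUS_EMAIL = b"""\
Authentication-Results: mx.examplelaw.co.uk; spf=fail smtp.mailfrom=attacker.example; dmarc=fail header.from=examplelaw.co.uk
From: "Jane Partner" <jane.partner@examplelaw.co.uk>
Reply-To: jane.partner@examplelaw-co.uk
To: accounts@examplelaw.co.uk
Subject: Updated completion funds details
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please use the attached updated bank details for today's completion.
--B1
Content-Type: application/octet-stream; name="bank_details.pdf.exe"
Content-Disposition: attachment; filename="bank_details.pdf.exe"

MZ-not-a-real-binary
--B1--
"""

LOOKALIKE_EMAIL = b"""\
Authentication-Results: mx.examplelaw.co.uk; spf=pass smtp.mailfrom=freemail.example; dmarc=none
From: "Jane Partner (examplelaw.co.uk)" <jane.partner.examplelaw@freemail.example>
To: accounts@examplelaw.co.uk
Subject: Urgent: new account for completion monies
Content-Type: text/plain

In a meeting, cannot talk. Send the funds to the new account below.
"""

CLEAN_EMAIL = b"""\
Authentication-Results: mx.examplelaw.co.uk; spf=pass smtp.mailfrom=client.example; dmarc=pass header.from=client.example
From: "Sam Client" <sam@client.example>
To: jane.partner@examplelaw.co.uk
Subject: Signed contract
Content-Type: text/plain

Signed copy to follow by post.
"""

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS_EMAIL), ("lookalike", LOOKALIKE_EMAIL), ("clean", CLEAN_EMAIL)]:
        print(label, assess_message(raw, "examplelaw.co.uk"))
```

Two caveats a practitioner would add: the SPF and DMARC verdicts are only meaningful for your own domain if the firm actually publishes an SPF record and a DMARC policy, which is part of the spoofing mitigation the article refers to; and an extension blocklist is the crudest layer, so commercial gateways also look inside archives, check file contents rather than names, rewrite URLs for click-time checking and detonate attachments in a sandbox.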