Compliance officers in law firms certainly have their work cut out for them, which is why the ILFM team supports COFAs in particular through our membership and training. Let’s talk about cybercrime, scams and fraud, and how you and your colleagues can protect yourselves, and therefore your clients’ private data and their money.
We know that COFAs (Compliance Officers for Finance and Administration) have a huge role to play in managing risk within their law firm practices, as well as leading compliance checks, together with responsibility for their firms’ systems.
Fraudsters and cyber criminals have become more aggressive and strategic. At the same time, because there is now a wealth of training and support available to firms on this subject, banks and professional indemnity insurers are taking a firmer stance within the legal sector: they know that you know there are ways to protect yourselves and your clients, and to evidence that you have done so. Throughout Covid-19 there was a huge spike in cybercrime, and although many firms and sole practitioners have become savvier, so have the cyber fraudsters.
"Cybercrime is a priority risk for the legal sector and it’s not going away during the Covid-19 pandemic… and I urge everyone to be particularly vigilant at this time."
Paul Philip, SRA Chief Executive
Let’s go over a list of cyber-attacks:
Types of cyber-attacks targeting law firms
The different types of cybercrime you should get to grips with are listed below:
Phishing attacks
84% of law firms have fallen prey to these attacks, which normally arrive by email: the criminal poses as a trustworthy source and contacts someone they have targeted at your firm, attempting to obtain sensitive information or to gain access to client funds. Sadly, it is a criminal’s bread and butter.
Spear-phishing campaigns
Similar to the above, this is another form of email fraud, and a horrible 41% of law firms have had a security warning triggered by internal staff falling for one. How? The email is crafted for a specific person and appears to come from within the organisation, or from another business well known to the recipient. These emails are trickier to catch because of the trust element, and they usually include a link to click on or an attachment to open, so be aware.
Ransomware
The National Cyber Security Centre (NCSC) describes ransomware as a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer (be that a laptop, Mac, PC, phone or tablet) itself may become locked, or the data on it might be stolen, deleted or encrypted.
Ransomware is typically spread via unsolicited emails and employees clicking on genuine-looking links or attachments. The NCSC’s own article on ransomware is well worth reading.
Website vulnerabilities
A website vulnerability is a weakness or flaw in the law firm’s software, systems or processes that an attacker can exploit. Did you know there are free online tools with which you can check your own website for common vulnerabilities? If you or your team can access those free tools, imagine what criminals with more sophisticated tooling can get to.
“Despite COVID-19 stretching many organisations’ cyber security teams to their limits, cyber security remains a priority for management boards. But it has not necessarily become a higher priority under the pandemic.”
gov.uk October 2021 Cyber Security Breaches Survey
Sage advice from ILFM’s expert tutors and partners in how to protect your legal practice from cybercrime would be:
Top Tips to Protect Law Firms from Cyber Attacks
You, your colleagues and your clients are important to all of us at the ILFM, so here are our top tips to protect yourself, your firm and your clients. For any COFAs out there wanting a chat to see how we can support you, please do get in touch.
Train employees on how to spot phishing scams
The vast majority of breaches arrive via email, so training your staff and colleagues to be vigilant about fraudulent messages and the dangers within them is highly recommended. We take email for granted, but it is worth understanding that an email system is made up of two primary components that sit in your firm’s IT infrastructure:
1) mail clients
2) mail servers
Between those components the message is formatted, processed, transmitted and delivered; the more you learn about each step, the better you understand where the gaps for criminal opportunity lie, and the more proactive you can be in closing them.
Some common scams include: links sent in an email that can compromise a system when clicked; someone posing as the employee’s senior partner and asking, with urgency (think Friday afternoon), for client money to be transferred to a different account; “boss” calls while the partner is on holiday to obtain banking information; or external fraudsters simply guessing weak passwords to gain access to company data.
Classic threats to email systems, through which fraudsters can reach your valuable data, are:
- Malware
- Spam and phishing
- Social engineering
- Entities with malicious intent
- Unintentional acts by authorised users (human error!)
Some quick tells to look out for in a phishing email are:
- The message is sent from a public email domain
- The domain name is misspelt
- The email is poorly written
- It includes infected attachments or suspicious links
- The message creates a sense of urgency
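The tells above can be turned into a first-pass triage check that a cashier or IT lead can run over a suspect message before anyone clicks anything. The script below is an added example written for this article, not ILFM code or an NCSC tool; the firm domain examplelaw.co.uk, the trusted-domain and urgency word lists, and both sample messages are constructed assumptions. It goes slightly beyond the list by also checking whether the Reply-To address points somewhere other than the sender’s domain, a common sign of a spoofed “boss” email.

```python
"""Heuristic phishing triage for a single inbound email.

Added example for this article (not ILFM's code). Assumptions: the firm's
own domain is examplelaw.co.uk; the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplelaw.co.uk"}           # assumption: the firm's domain
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = ("urgent", "immediately", "within the hour", "before close", "asap")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".html", ".zip", ".iso")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1elaw vs examplelaw)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def address_domain(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header, lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_email(raw: str) -> list[str]:
    """Return a list of warning codes for one RFC 822 message (empty = no tells)."""
    msg: Message = message_from_string(raw)
    flags: list[str] = []
    domain = address_domain(msg.get("From", ""))

    # 1. Sent from a public mailbox provider rather than a business domain.
    if domain in PUBLIC_DOMAINS:
        flags.append("public-domain")

    # 2. Misspelt lookalike of a domain we trust (one or two characters off).
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and 0 < levenshtein(domain, trusted) <= 2:
            flags.append(f"lookalike-domain:{domain}")

    # 3. Replies silently redirected to another domain (classic "boss" scam).
    reply_to = address_domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != domain:
        flags.append("reply-to-mismatch")

    # 4. Urgency language in the subject or the plain-text body.
    body = [
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    ]
    text = (msg.get("Subject", "") + "\n" + "\n".join(body)).lower()
    if any(word in text for word in URGENCY):
        flags.append("urgency")

    # 5. Links whose host is not one of the firm's own domains.
    for url in re.findall(r"https?://[^\s<>]+", text):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DOMAINS:
            flags.append(f"external-link:{host}")

    # 6. Attachment types commonly used to deliver malware.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky-attachment:{name}")

    return flags


# Constructed sample: a spoofed "senior partner" completion-funds request.
PHISHING = """\
From: Senior Partner <j.smith@examp1elaw.co.uk>
Reply-To: j.smith.partner@gmail.com
To: cashier@examplelaw.co.uk
Subject: URGENT - client completion funds today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I'm in a meeting and can't take calls. Please transfer the completion
funds before 3pm using the updated details here:
http://examplelaw-payments.com/confirm
--b1
Content-Type: application/zip; name="completion_statement.zip"
Content-Disposition: attachment; filename="completion_statement.zip"

UEsDBAo=
--b1--
"""

# Constructed sample: an ordinary internal message that should raise no flags.
LEGIT = """\
From: Jane Smith <j.smith@examplelaw.co.uk>
To: cashier@examplelaw.co.uk
Subject: Completion statement for Matter 1234
Content-Type: text/plain

Hi, the completion statement is on the matter file in the DMS:
https://examplelaw.co.uk/dms/1234
Thanks, Jane
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING), ("legit", LEGIT)):
        print(label, check_email(sample))
```

Any flag is a prompt to verify by a second channel (a known phone number, never the contact details in the email) before money moves; an empty result is not a clean bill of health, since a well-crafted spear-phish from a genuinely compromised mailbox will pass every one of these checks.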
Of course, there’s a lot more to it than just being aware of the above: it is the extra training that teaches employees and colleagues to look closely at domains and to double-check suspicious messages, ideally by contacting the apparent sender through a known phone number rather than by replying. Legal cashiers, for example, will be busy working on bookkeeping, client and office accounting, adhering to the SRA Accounts Rules, and of course working towards annual audits, so it’s no surprise they can be vulnerable targets for criminals.
Use strong, unique passwords and multi-factor authentication
Who looks after your employees’ passwords?
Using the same password for multiple sites leaves us vulnerable because company sites are breached so frequently and their customers’ data ends up for sale. We can’t reiterate enough how careful you and your colleagues need to be with passwords.
Here are tips from leaders in the area of security:
- Use two-factor (multi-factor) authentication where possible. This requires two different methods to prove identity before you can use a service, for example a password and a unique code sent to a mobile number. A code from an authenticator app or a hardware security key is stronger than one sent by SMS, so prefer those where the service offers them.
- Be wary of public wi-fi, and do not use it to log on to secure sites. A written cybersecurity and data compliance policy that tells every employee, and any external bookkeepers, what to do is paramount.
- Never log onto secure sites through following a link in an email (common phishing fraud).
- Only use remember password facilities on personal computers where you trust any other users.
- Check the address bar before entering credentials. You’re looking for https:// or the small padlock symbol at the start of a website’s URL, which indicates the connection is encrypted. Be aware, though, that a padlock only proves the connection is encrypted, not that the site is genuine: phishing sites use https too, so check the domain name itself as well.
- Don’t enter passwords where someone may be able to see you typing.
- Never send passwords by email.
- Never share passwords, or leave them written down next to your computer or in an easily found place.
- Don’t re-use passwords after giving them a break.
Invest in cyber insurance
It’s a sad thing to say, but if you run a law firm it’s not a case of “if” but “when” you get hit by some form of cybercrime. Your reputation is everything when it comes to trust, and an incident will of course have a knock-on effect on existing clients and new leads. Having cyber insurance from specialist legal insurers is highly recommended, especially as they will have access to world-leading threat intelligence and analytical technology.
We’d suggest creating a map of all your IT systems both inside and outside (home, court, travel) of your business, as well as what data is located within these systems, as this will form an audit for the insurers you choose.
Auditing your firm’s current cyber security policies will highlight where you are exposed and any gaps that require bridging.
Use Encryption
Remember the horror story of the junior solicitor who left a laptop that held client data on a train? She was struck off by the SDT in March 2020 following a hearing in which she represented herself. She had only been at the law firm for four weeks and had been qualified for a year. Before that, the newsworthy nightmare for an Eversheds solicitor hit the data compliance scene when highly sensitive papers on the Iraq war were stolen from an unguarded briefcase.
It may come as a surprise that encryption is one of the least used security controls in a law firm, yet it is one of the simplest and most effective cyber risk tools to implement.
Whether remote working has been driven by Covid-19 or by newer flexible working rules, encrypting every device that stores data (mobile phones, tablets, desktops and laptops), as well as email communications and any data held in the cloud or on local servers, has to be an exercise that is checked and reviewed constantly. A lost laptop with full-disk encryption and a strong passphrase is an inconvenience; one without is a potential data breach that may need reporting.
Check Your Outsourced Suppliers
It is common for law firms to outsource work to third-party vendors, and here at the ILFM we appreciate that bookkeepers and legal cashiers are among the roles most often outsourced. Could these partners be a weak link in your cyber wall?
Most outsourced cashiers, recruiters, IT firms and marketers will have their own security policies in place, but do check whether they have insurance, who the data controller is, where they store data, and so on.
Would you like compliance and risk management support?
For a really affordable membership fee, the ILFM is a body of experts that can truly help you and your colleagues keep on top of implementing and maintaining best-practice accounting systems and procedures, maintaining sound financial and risk management principles, and safeguarding client money. Here’s our membership link if you’d like to know more! My door is always open if you’d like a chat about how the ILFM can help you.