As we operate within an ever-changing regulatory sphere, our Regulators require us to be able to demonstrate what adequate security measures we have in place to mitigate risk against cyber-attacks that may be levied against our law firm.
Cyber Crime has been identified as a key risk in the SRA Key Risk Outlook 2015/2016, and Insurers are looking at ways to include cyber security measures in PII proposal forms. The burning question that many are currently asking is: will inadequate risk management processes relating to cybercrime and the mitigation thereof lead to an increase in our PII or get the regulator knocking on the door?
Either way, do you have adequate systems to protect your firm?
What is Cybercrime?
In a nutshell, it is any illegal activity that uses a computer as its primary means of commission.
Cybercrime: The facts
- Somebody’s identity is stolen every 3 seconds as a result of cybercrime
- Without a sophisticated security package, your unprotected PC can become infected within four minutes of connecting to the Internet.
Current trends in cyber space
We have all heard of Friday Fraud, where law firms are specifically targeted with calls from “finance staff” who convince them that they are from the bank that holds the firm’s client account; the aim is to gain access to bank accounts before making fraudulent withdrawals. The other trend that we hear of is bogus companies pretending to be genuine law firms, cloning websites in order to gain confidential information for fraudulent use. There have also been reports of bogus emails being sent to law firms, pretending to be from financial institutions.
Types of attack
There are many different ways that cyber criminals can attack using the internet. Here are some of the key ones to be aware of:
Malicious software (malware)
Malware is the generic term which refers to viruses, Trojan Horses, spyware, adware, and many more. Criminals infect PCs with malicious software (malware), which can sometimes include functionality that copies anything the user types on the keyboard (key logger) and sends it to the criminal. Malware can also result in remote access to a PC by the criminal – the infection created can go beyond an individual’s PC and infect the corporate network.
Key loggers - Key loggers can be installed on hardware devices where a criminal gains access to a PC and inserts a device between the keyboard and the desktop. This can ‘key log’ data and send it to the criminal.
Phishing - Phishing emails sent to employee mailboxes can include an infected attachment (e.g. a pdf) or contain a hyperlink to a website hosting malware.
Distributed Denial of Service - Distributed Denial of Service (DDoS) is where a cyber-criminal uses an extremely high volume of internet traffic to make the site unavailable to clients/customers. This can be linked to financial gain (e.g. holding a company ransom) or ideological beliefs (e.g. terrorism). The criminals use robot networks (botnets) to resend packets of data to the website and make it inoperable.
Ransomware - Files can be encrypted by ransomware (e.g. cryptolocker). This is where the criminal malware encrypts personal and confidential files on a PC, and the user is unable to open the files without the decryption key. They must pay a ransom to obtain the decryption key or the files may be lost forever.
What are the risks?
Remember, it is your firm’s fundamental regulatory obligation to:
- Protect client money and assets (Principle 10)
- Maintain systems and controls for monitoring the financial stability of your firm, risks to money and assets entrusted to you by clients and others (Outcome 7.4)
- Take into account the risks to keeping your client’s affairs confidential (Outcome 4.1)
- Consider business continuity risks including IT failures and abuses (IB 7.3)
A) Internet being used for Cyber Crime Attacks
Cyber criminals use the internet to target law firms by obtaining a client’s/firm’s online credentials through phishing (a rogue email providing a link to a fake website, which then obtains the credentials). Criminals then log in as the firm to the online banking system and create a new payment.
A firm’s PC could be infected with malicious software (malware) which could capture confidential data belonging to the client or another third party, or hijack a live online banking session and automatically inject a fraudulent payment.
What controls can you put in place?
There are a number of controls you can put in place to protect your law firm and your clients from becoming victims to these crimes:
- Download security software which can warn you if attempts are being made to log in to a phishing site. It can also identify and neutralise malware targeting the firm.
- Firms can restrict online access from high risk countries.
- A device cookie on PCs can be used to validate online banking access – this means that attempts to log in via unrecognised devices are challenged.
To protect against Bogus Firms:
– Check your own website – has content / layout changed?
– Vary the content on your website – e.g. regular updates such as news items, or feeds make it harder to clone;
– Web Searches e.g. Google against the name of your firm and any associated firms and individuals to see what comes back;
– Check Find a Solicitor for your entry to ensure the details haven’t been amended and likewise your company pages on Social Media e.g. Facebook, LinkedIn, YouTube & Twitter;
– Check Rating sites – what is being said about your firm;
– Consider acquiring other website domain names similar to your own & derivatives e.g. .co.uk, .org, .com etc.;
– Claim your Google Places listing;
– Establish an alert with Companies House to alert you to changes to your company records;
– Security of letterheads, passwords and key assets;
– Staff don’t work in a manner you don’t control;
– Passwords are changed frequently and strongly constructed e.g. a mix of upper and lower case and numbers or symbols so the hacker will give up and move on;
– Thorough vetting and supervision of new staff members;
– Email encryption techniques for particularly sensitive information;
– Never work from generic email accounts like aol, hotmail, gmail, btinternet, yahoo etc.
B) Unsolicited emails
Be wary of opening unsolicited emails – particularly those with attachments or hyperlinks. They can contain malware which can infect your PC or even the network. If you suspect you’ve received a phishing email at work you should escalate this within the firm in accordance with your Firm’s reporting guidelines.
C) Suspicious emails
If you open a suspicious email and an associated attachment, or click on a hyperlink, you must report the incident to the IT department to check your PC to ensure it hasn’t been infected by malware.
What should you do?
Here are the steps you should take to protect your computer:
- You should protect your PC with an anti-virus
- You should ensure your PC is regularly updated with security patches. These can include those for your Operating System (e.g. Windows 8), your Internet Browser (e.g. IE11) or individual programmes (e.g. Adobe Reader). The patches are released to fix known vulnerabilities in the software and failure to patch software increases the risk of being attacked.
- Your PC firewall should always be turned on – this acts like a gatekeeper and can control.
How can you generally mitigate against the risks imposed by cybercrime?
What can you do?
In order to comply with these obligations, it is important that computer security is assessed as part of your firm’s risk assessment and recorded on your risk register so that it is given a high priority. Policies and procedures should include items such as:
- Password protection and access control
- Encryption – limiting the use of USBs
- Backups/ restoration
- Anti-virus/ firewall software installation/ unknown email recipient checks
- Training your staff- internal staff may be your biggest problem!
- Control mechanisms as to how data enters or leaves every PC
- Scan inbound emails so as to quarantine any mail suspected of containing malware.
- USB ports should be controlled and locked down to prevent employees connecting infected devices to their PCs.
- Macros (which can contain malicious code) are disabled by default in Microsoft Office.
- Restrict staff from being able to install software to their PC.
- Be wary of opening unsolicited emails, particularly those with attachments or hyperlinks. They can contain malware which can infect your PC
- If you’ve opened a suspicious email and an associated attachment, or clicked on a hyperlink, report the incident internally according to your Firm’s IT incident process
- Ensure any documents you download from the internet are from a trusted source.
- Avoid browsing any non-reputable websites.
- Be wary of clicking links which use a URL shortener (such as http://bit.lt/fy6e5t). These are designed to shorten a lengthy website address, therefore you have no way of knowing where they will actually take you.
- Do not upload sensitive information to external websites.
- Don’t use your work email address to join any mailing lists which aren’t business-related.
- Before entering any sensitive data to a website, ensure the address starts with https:// and displays the padlock next to it.
- Be wary of adverts on websites – clicking on these links may take you to a malicious website.
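The email and link checks in the list above (attachments, shortened URLs, addresses that do not start with https://) can be automated as a triage step before a message reaches staff. The sketch below is an added example, not part of the original article; the shortener host list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener hosts; "bit.lt" is the host in the article's example.
SHORTENER_HOSTS = {"bit.lt", "bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def triage(msg):
    """Return {'links': {url: [reasons]}, 'attachments': [filenames]} for one message."""
    report = {"links": {}, "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue                      # container only, no content of its own
        if part.get_filename():
            report["attachments"].append(part.get_filename())
            continue
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;")       # drop trailing sentence punctuation
            try:
                parts = urlsplit(url)
                host = (parts.hostname or "").lower()
            except ValueError:
                report["links"][url] = ["unparseable URL"]
                continue
            reasons = []
            if parts.scheme.lower() != "https":
                reasons.append("not https")
            if host in SHORTENER_HOSTS:
                reasons.append("shortened link, destination hidden")
            if reasons:
                report["links"][url] = reasons
    return report

def sample_message():
    """Constructed sample message (not a real email)."""
    msg = EmailMessage()
    msg["Subject"] = "Urgent: verify your client account"
    msg.set_content("Log in at http://bit.lt/fy6e5t or http://portal.example/login.\n"
                    "Our site: https://www.example.com/\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg

if __name__ == "__main__":
    print(triage(sample_message()))
```

For real mail, parse the raw bytes with `email.message_from_bytes(raw, policy=email.policy.default)` and pass the result to `triage`; a flagged link or an attachment is a prompt for review, not proof of malware.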
Summary
Confidential and private information in our possession can be wrongly obtained in a number of ways by third parties. These include a call from an imposter posing as an IT consultant or from the finance department of your bank, the hacking of phones and devices (personal devices used outside the workplace may be less secure), malware which can capture and send private data, or phishing emails which ask for information such as IDs and passwords, or containing attachments which, if opened, allow data to be captured. To address this range of threats, we need, as legal professionals, to consider issues ranging from IT security at our law firms, through to training of staff, establishment of a firm cybercrime policy to ensure safe online practices by all staff and a procedure to report and deal with breaches. Adequate assessment and implementation of security and cybercrime procedures, together with continuous evaluation and monitoring is fundamental to help your law firm prevent this ever growing threat called cybercrime.
Loschinee Naidoo
Senior Risk and Compliance Specialist
Legal-Eye Limited (subsidiary of ULS Group)
7 March 2016