
The Solicitors Regulation Authority’s official guidance on cyber security

Our law firm customers often ask us what actions and responses are appropriate when dealing with cyber security. That is because UK law firms regard cyber security as their second greatest challenge, behind only COVID-19.

Why law firms?

Cyber criminals exploit human or technical weaknesses to steal passwords and data, or to go straight for the cash. Law firms, particularly those that specialise in conveyancing, are the gatekeepers of the significant sums of money used to purchase property. In addition, most UK firms offering that service are smaller businesses with small teams (fewer checkpoints and layers of oversight) and limited resources with which to defend themselves. Fraudsters target them with the full playbook of attack methods: ransomware, phishing emails, denial of service attacks, and sophisticated human persuasion and manipulation. Given the data that law firms hold across a range of client matters and the client money they hold, cyber criminals have a lot to gain and several possible entry points.

SRA Stats

According to the Solicitors Regulation Authority (SRA), theft of law firm funds (including client funds) increased “3 fold from 2019 to 2020 alone”. That is not surprising when, in the SRA’s words, “phishing threats have increased 337% in 2020 too”. The most significant risk factors are: (i) firms hold large sums of client money and confidential information, and (ii) staff have received no, or inadequate, cybercrime training. Around 90% of breaches are attributed to “human error”, which is why staff are most often targeted through phishing emails.

Home Working

Employees working from home are also at increased risk of cyber attack and confidentiality breaches, because of:

  • Home Wi-Fi devices and networks being less secure than office networks

  • Shared workspaces making it difficult to keep confidential information contained

  • Mobile IT equipment being used for a mix of personal and office work

  • Staff being unsure who they are messaging, and whether colleagues are actually online

Bottom Line

As we push ever more of our dependency into the IT, online and cloud environment, we have more work to do to make sure we are transacting securely. I will leave you with the SRA’s own conclusion from its most recent ‘Thematic Review’ [/sra/how-we-work/reports/cyber-security/]: “the cost of mitigating cyber threats is usually much lower than the losses of a successful attack. Protecting your firm, customer's data and money, therefore, makes business sense.”


Best Practices

Our advice to all:

  • Make cyber security a key item on the business agenda - establish cyber committees that report to those responsible for governance, which sets the ‘tone from the top’ in this critical area.

  • Speak to and work with qualified cyber security professionals - your IT department needs specialist support that can discuss security strategy with management, rather than simply buying a piece of software to plug a gap.

  • Promote security skills and awareness - identify the skills and training needed by every employee, so they can spot irregularities at the front door and become a strong line of defence.

  • Consider certifications - ISO certifications are internationally recognised, and Cyber Essentials Plus is quickly becoming a prerequisite in the UK. They provide guidance, recognition and a well-known quality standard that says you are well equipped.

  • "Prove your security" - if you have put the work into securing your firm and reached a good level, be proud of your badges and accreditations and show them on your website. Your clients should know that you take security seriously. At OCiSO we firmly believe that proving your security earns the trust of your customers and enhances your business profile. The other 5.99m SMEs in the UK will be doing the same.

  • Buy a strong cyber insurance policy (take advice before choosing) that will actually cover your company when you need it.

We at OCiSO understand that this is tough work on top of your everyday workload, given the stretched resources SMEs have today. That is why we created OCiSO: to provide qualified and experienced information security specialists who advise owners, boards, management and other stakeholders as members of the team. OCiSO's Virtual Chief Information Security Officers:

  • Raise awareness within organisations and take responsibility for setting the Cyber Security agenda.

  • Respond to Cyber and Data Security incidents and breaches.

  • Manage cyber and data compliance.

  • Ensure ISO certification and audit readiness - ISO 27001, ISO 22301, ISO 9001 and Cyber Essentials Plus.

Our V-CISOs are supported by our legal, compliance and governance experts to ensure we meet all of our clients’ IT and data security requirements.


Click through to our website to find out more: www.OCiSO.co.uk
