Cyber crime is a significant threat to the legal sector and is on the increase. Unless we develop a culture to up our cyber knowledge, it’ll be a threat that’ll only continue to grow.
In the Cyber Security Breaches Survey 2019, conducted by the Department for Digital, Culture, Media and Sport (DCMS), 32% of UK businesses had reported a cyber security breach in the last 12 months. Over a third admitted this breach led to a loss of data or assets.
Poor cyber hygiene is to blame, of which staff training is a contributing factor. It seems silly that something that could cause such catastrophic damage, both reputationally and financially, has so little resource attributed to it.
Cyber criminals use sophisticated social engineering techniques to conduct their cyber crime; however, these do have red flags which people can be trained to spot. Some of these have been highlighted by the Solicitors Regulation Authority’s (SRA) scam alerts.
The SRA issued 217 alerts in 2018, informing people about criminals replicating reputable and genuine law firm websites and spoofing emails in a bid to steal client/firm money. The DCMS report found that 80% of UK businesses had experienced sustained phishing attacks last year.
In the past 3 months, Linklaters have reported several attempts on their domain name. Each time, a subtle change was made to look like the original, e.g. @linklaters.co or @linkiakers.com. Impersonation fraud, the act of using fake domain websites and email addresses extremely close to the originals, cost the UK £92.7 million in 2018.
The ‘Fraud the Facts 2019’ report highlighted that email (malicious redirection) fraud has become a lucrative business. Fraudsters use emails to convince a home seller or law firm to change their bank details before a payment is made, resulting in £123 million lost in 2018.
According to the Financial Commissioner’s Office, the UK has amassed a total of 10,600 notified breaches since 24th May 2018. This equates to over 1,000 notified breaches per month and over 42 per day.
When breaches are so frequent and attempted attacks are even more persistent, how can law firms ensure they are able to defend themselves?
Lexcel and CQS urge members to adopt Cyber Essentials, a Government-backed accreditation which encourages business owners to consider the ways they protect their businesses from cyber crime. It adds extra kudos if you’re dealing with a firm that has Cyber Essentials, as you can be confident they’re doing all they can to combat the cyber criminals.
Changes to the SRA standards and regulations, which come into force on 25th November, look at expanding the role of the Compliance Officer for Legal Practice (COLP), focusing on staff training and breaches. This covers the base of employees receiving regular training and, as a result, increased accountability in the future.
Similarly, firms should have protocols, procedures and responses securely in place, so staff are aware of the next steps if and when a serious breach occurs. Ensuring that your law firm is cyber aware is not only a definitive way of protecting the firm’s reputation and data, it is also a regulatory imperative.
As the threat of email impersonation and spoofing increases, using email encryption to ensure the message you send is received by the intended recipient, or DMARC email services that ensure the law firm’s domain is spoof-proof, can also offer increased protection.
The Cashroom Ltd