15th February 2022
No business, large or small, can ignore the risks and realities of cyber crime – it is a critical issue that affects every industry. As firms increasingly go digital, so too does crime and the attacks have, in turn, become more sophisticated.
From email, SMS or voice phishing, social engineering, email spoofing, invoice hijacking, malware, ransomware, viruses, website hacking and more – cyber attacks can take many shapes and forms.
The legal sector is undeniably vulnerable to cyber attacks, as lawyers frequently hold large volumes of sensitive personal and commercial data and other privileged information. The consequences of a cyber attack on a firm can be far reaching, from financial loss and reputational harm to breach of legal obligation, breach of contract and breach of professional rules and standards.
Because firms are built on trust and integrity, cyber security concerns must be handled sensitively to ensure that potential threats are addressed. A proactive attitude towards cyber security can help lawyers and firms avoid devastating repercussions.
Here we share some best practice advice to help lawyers enhance security at their firm.
Tips for firms:
Home working - Develop a policy for home and mobile working and ensure staff are trained to follow it. Devices need to be securely configured with anti-virus software, an updated operating system and encryption. Connection to the business systems and data should be secured, for example through a Virtual Private Network (VPN) service.
Malware prevention - Install anti-virus solutions on all systems and keep your software and web browsers up to date.
Encrypt sensitive data - Ensure that sensitive data is encrypted when stored or transmitted online so it can only be accessed by authorised users.
Computer network security - Protect your networks, including your wireless networks, against external attacks by using firewalls, proxies, access lists and so on. Maintain an inventory of all IT equipment and software. Identify a secure standard configuration for all existing and future IT equipment used by your business. Change any default passwords.
Removable media - Restrict the use of removable media, such as USB drives, CDs, DVDs and Secure Digital (SD) cards, and protect any data stored on such media to help stop data being lost. Scan all media for malware before importing onto corporate systems.
User awareness and training - Education is at the heart of understanding the scope and breadth of data protection. Ensure that your staff have read this guide and have received appropriate awareness training, so that everyone understands their role in keeping the firm secure. As well as explaining procedures, the training should incorporate advice on the risks the systems are designed to avoid and their potential consequences.
Website testing - Websites can be altered fraudulently, and without a firm’s knowledge, to include the insertion of false email addresses and phone numbers, leading to clients being lured into providing personal details or paying money into the wrong account. Check your own website regularly or get an outside agency to do so.
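One way to make the regular website check above repeatable is to keep an approved list of the firm's published contact details and audit each page against it, including the targets of mailto: and tel: links, which can be altered while the visible text still looks right. The script below is an added example and is not code from the original article; the firm name, the approved details and both sample pages are constructed for illustration.

```python
"""Audit a firm's own web page for contact details that are not on its
approved list.  Added example, not code from the original article; the
firm name, approved details and both sample pages are constructed."""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK-style numbers: +44 or a leading 0, then digit groups split by spaces or hyphens.
PHONE_RE = re.compile(r"(?:\+44\s?\d{2,4}|\b0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}\b")
# A sort code (xx-xx-xx) followed, within 20 non-digit characters, by an 8-digit account number.
BANK_RE = re.compile(r"\b(\d{2}-\d{2}-\d{2})\b\D{0,20}?\b(\d{8})\b")


class _TextAndLinks(HTMLParser):
    """Collect visible text plus mailto:/tel: link targets, because a tampered
    link target can sit behind perfectly genuine-looking visible text."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                for scheme in ("mailto:", "tel:"):
                    if value.lower().startswith(scheme):
                        self.chunks.append(value[len(scheme):])

    def handle_data(self, data):
        self.chunks.append(data)


def _normalise(kind, value):
    """Canonical form so that '0141 000 0000' and '0141-000-0000' compare equal."""
    if kind == "phones":
        return re.sub(r"[\s-]", "", value)
    if kind == "emails":
        return value.lower()
    return value


def extract_contacts(html):
    """Return the emails, phone numbers and bank details present in a page."""
    parser = _TextAndLinks()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return {
        "emails": {_normalise("emails", m) for m in EMAIL_RE.findall(text)},
        "phones": {_normalise("phones", m) for m in PHONE_RE.findall(text)},
        "bank": {f"{sort_code} {account}" for sort_code, account in BANK_RE.findall(text)},
    }


def audit_contacts(html, approved):
    """List every (kind, value) on the page that is not on the approved list.

    An empty list means the page matches the baseline.  Bank details are
    normally not approved at all: a firm's website should not publish them,
    so any that appear are reported.
    """
    found = extract_contacts(html)
    findings = []
    for kind in ("emails", "phones", "bank"):
        expected = {_normalise(kind, v) for v in approved.get(kind, ())}
        for value in sorted(found[kind] - expected):
            findings.append((kind, value))
    return findings


# Constructed baseline and sample pages (not a real firm).
APPROVED = {"emails": ["enquiries@example-law.test"], "phones": ["0141 000 0000"], "bank": []}

GENUINE_PAGE = """<html><body>
<h1>Example Law LLP</h1>
<p>Email: <a href="mailto:enquiries@example-law.test">enquiries@example-law.test</a></p>
<p>Telephone: 0141 000 0000</p>
</body></html>"""

# The visible email text is untouched; the mailto: target, the phone number
# and a newly inserted payment instruction are not.
TAMPERED_PAGE = """<html><body>
<h1>Example Law LLP</h1>
<p>Email: <a href="mailto:accounts@example-1aw.test">enquiries@example-law.test</a></p>
<p>Telephone: 0141 000 0001</p>
<p>Send completion funds to sort code 12-34-56, account 12345678.</p>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, audit_contacts(page, APPROVED) or "no unexpected contact details")
```

In practice the page content would be fetched from the live site on a schedule and the findings raised as an alert; the audit compares against an approved list rather than a stored copy of the page so that routine content edits do not generate noise, while any new email address, phone number or bank detail does.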
Secure configuration - Many security safeguards will be built into your computer systems, including antivirus software, algorithms that check for unusual activity, automatic back-up and so on. Ensure that your IT systems are fit for purpose. Take steps to put security controls in place for your firm. If you use third-party managed IT services, check your contracts and service level agreements, and ensure that whoever handles your systems and data has these security controls in place.
Managing user access and privileges - Restricting access to inappropriate websites will lessen the risk of being exposed to malware. Create a policy governing when and how security updates should be installed. Allow staff and third parties minimal access to IT equipment, systems and information. Access controls should be allocated on the basis of business need. Keep items physically secure to prevent unauthorised access.
Cloud computing and collaboration platforms - Ensure that cloud portal/platform login credentials are secure by following a strong password policy. Enable and configure portal security controls such as two-factor authentication. Make sure that you and your employees recognise when a cloud-based system is being used and when it might not be appropriate to send or store information via a cloud-based system.
Reduce risk of invoice hijacking - Warn your clients never to send funds to a new account without speaking to the relevant person in the office first; remind clients to check the addresses of any emails purportedly sent by your firm, particularly if they relate to payment of funds. Consider adopting a cyber crime disclaimer warning on your terms of engagement letters and as a footer on all correspondence. This could advise that the firm's bank account details will not change during the course of a transaction; the firm will not change bank details via email; and clients should check the account details with the firm if they are in any doubt.
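The advice to check the address of any email that purports to come from the firm can be turned into a simple screening rule on the firm's own mail gateway or in a client-facing checklist: the sender's domain is either exactly the firm's domain, a near copy of it, or something unrelated. The classifier below is an added example, not code from the original article; the firm domain and sample addresses are constructed.

```python
"""Classify the domain of a sender address against the firm's own domains.
Added example, not code from the original article; the firm domain and
the sample addresses are constructed."""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + cost))  # substitution
        previous = current
    return previous[-1]


def _fold_confusables(domain):
    """Map characters the eye confuses onto their usual counterparts, so
    'example-1aw' and 'example-law' fold to the same string."""
    folded = domain.replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans({"1": "l", "0": "o", "|": "l"}))


def classify_sender(address, firm_domains, max_distance=2):
    """Return 'genuine', 'lookalike' or 'other' for the domain part of address.

    'lookalike' covers confusable-character swaps, domains within a few edits
    of the firm's, and domains that merely contain the firm's name.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for firm in (d.lower() for d in firm_domains):
        if domain == firm or domain.endswith("." + firm):
            return "genuine"                     # the firm's domain or a subdomain of it
        if _fold_confusables(domain) == _fold_confusables(firm):
            return "lookalike"
        if levenshtein(domain, firm) <= max_distance:
            return "lookalike"
        firm_name = firm.split(".")[0]
        if firm_name in domain:
            return "lookalike"                   # e.g. example-law-payments.test
    return "other"


if __name__ == "__main__":
    firm = ["example-law.test"]
    for sender in ("accounts@example-law.test", "accounts@example-1aw.test",
                   "accounts@example-law-payments.test", "someone@webmail.test"):
        print(f"{sender:40} {classify_sender(sender, firm)}")
```

A "lookalike" result is the case worth quarantining or flagging to the recipient. Address checks alone do not catch a forged display name over an unrelated address, or a message sent from a genuine mailbox that has been compromised, which is why the advice above to confirm any change of account details by speaking to the firm still applies whatever the address looks like.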
Peter Watson shared these insights with the Royal Faculty of Procurators.