Cyber security has been identified as one of the top ten business issues in the Risk Outlook 2018/19 Report published by the Solicitors Regulation Authority (SRA). The annual SRA risk report is an accurate ‘barometer’ of the commercial and legal challenges faced by small and large law firms in the UK. Responsible for the regulation of 180,000 solicitors, the SRA aims to protect the public by ensuring solicitors meet high standards by adhering to strict professional principles and a code of conduct.
Paul Philip, Chief Executive, SRA, confirmed, ‘Cyber security has always featured in the Risk Outlook as a consideration when protecting people’s information and money. But we recognise that this is of increasing concern to the profession, so we have set it out as a separate risk. We have also worked with the National Cyber Security Centre to provide the profession with top tips on keeping cyber-safe.’
How big is the cyber security risk?
The Report confirms a significant increase in the number of incidents of cybercrime. There were 157 reports in 2017, which is an increase of 52% when compared to 103 in the previous year. For 2016, £9.4m of client money was reported as stolen, with an increase to £10.7m in 2017.
Given that the UK government estimates that over half of all UK businesses may have experienced a cyber attack in 2016, these numbers seem relatively low. The SRA suspects that cybercrime is under-reported, particularly where stolen money is promptly replaced by the firm or its insurer.
Email modification fraud
The most common type of cyber attack against solicitors is one in which criminals intercept and falsify email communication between a client and the firm. This often involves the payment of funds into false bank accounts or the theft of confidential information from either party. In the first quarter of 2018, email modification fraud accounted for more than 70% of all cybercrime reports.
The SRA provide an example of an attack commonly used to steal conveyancing money. Known as ‘Friday afternoon fraud’, criminals contact the solicitor from the client’s stolen email address to inform them that bank account details have changed. Often requested at short notice and with the pressure of an exchange deadline, solicitors arrange to transfer the funds which are then quickly removed by the criminal.
With almost all of the other cyber reports involving some form of electronic forgery, the key take-home message is that email fraud is a greater risk to a law firm than a direct attack on its IT systems by a hacker.
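As an added illustration of the out-of-band verification control that counters this fraud (my example, not code from the SRA report or from Wizard Cyber), the screening function below holds any inbound email that asks for payment details to be changed and reports the risk indicators that accompany the request. The sample messages, the Reply-To comparison and the phone-back policy are assumptions of the example rather than recommendations quoted from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages (invented addresses and text, not taken from the report).
LEGIT = """From: client@example.com
To: conveyancer@lawfirm.example
Subject: Completion on Friday
Date: Fri, 2 Mar 2018 14:05:00 +0000

Hi, just confirming the completion statement figures look right. Thanks."""

FRAUD = """From: client@example.com
Reply-To: client.example@freemail.example
To: conveyancer@lawfirm.example
Subject: URGENT - updated bank details for completion
Date: Fri, 2 Mar 2018 16:40:00 +0000

Our bank account details have changed. Please send the completion funds to the new account below today, before close of business."""

# A request to redirect money: a bank/account term near "changed", "updated" or "new".
CHANGE_RE = re.compile(
    r"\b(bank|account|sort code|iban|payment)\b.{0,80}?\b(changed|updated|new)\b"
    r"|\b(changed|updated|new)\b.{0,80}?\b(bank|account|sort code|iban)\b", re.I | re.S)
# Deadline pressure of the kind the SRA describes as "Friday afternoon fraud".
URGENT_RE = re.compile(r"\b(urgent|today|immediately|before (close|exchange|completion))\b", re.I)

def _domain(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def screen_email(raw):
    """Return (hold, reasons): hold is True whenever the message asks for payment
    details to be changed. Assumed policy: such a change is confirmed by phoning
    the client on a number already held on file, never one quoted in the email.
    """
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    hold = bool(CHANGE_RE.search(msg.get("Subject", "") + "\n" + body))
    reply_dom, from_dom = _domain(msg.get("Reply-To")), _domain(msg.get("From"))
    sent = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    checks = [
        (hold, "requests change of bank/payment details"),
        (URGENT_RE.search(body), "deadline pressure"),
        (reply_dom and reply_dom != from_dom, "Reply-To domain differs from From domain"),
        (sent and sent.weekday() == 4 and sent.hour >= 12, "sent on a Friday afternoon"),
    ]
    return hold, [text for cond, text in checks if cond]
```

Timing alone never triggers a hold (the legitimate Friday message is only annotated); any change of payment details does, regardless of how ordinary the rest of the message looks.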
2017 was the year of self-propagating ransomware and, while the Report does not mention the impact of WannaCry by name, it does highlight yet again the role played by email infection and social engineering tactics. It also confirms that law firms can prevent ransomware attacks by implementing security best practices such as patching vulnerabilities, network segmentation and effective incident response plans.
Phishing describes a type of social engineering in which cyber attackers trick individuals into disclosing confidential information or paying money into a fraudulent scheme. Although phishing can also be conducted by text message, social media message or phone, most people use the term to describe attacks that arrive by email.
A CEO cyber attack is a specialised type of phishing that targets high net worth individuals or decision makers working at MD, CEO and CFO level in an organisation. Prior to the attack, the perpetrator acquires detailed information about staff, suppliers, customers and trusted partners such as accountants and professional advisors. Spoof messages purporting to come from these partners are then sent to managers with financial authority, asking for payment of an outstanding invoice or an order for new services.
Bring Your Own Security Risk
In a trend matched by other professional services companies, partners and staff in legal firms are increasingly using their own mobile computers and phones for business purposes. Combined with the use of low-cost cloud-based applications, these BYOD devices allow users to work from any convenient location. These machines are, however, often poorly managed and can present cyber criminals with many opportunities for exploitation.
Internet of Things (IoT)
IoT refers to internet-connected devices used in industrial automation, business and the home. While an intelligent washing machine may not be a cyber risk to a legal practice, the SRA make the point that the status of a smart alarm or heating system could easily be used to indicate whether a building is unoccupied. Or, much closer to home, a compromised video conferencing system or network printer could be used to steal sensitive data.
SRA recommendations to mitigate cyber risks
- Keep IT systems and software up to date with software patching
- Use antivirus software on desktops and laptops
- Backup important information frequently and test its restore functionality
- Encrypt mobile devices and install a system to track and delete data if they are lost
- Train all staff to create and use secure passwords
- Carefully manage the use of administrator accounts with privileged access to IT systems
- Ensure staff are aware of email modification fraud and common phishing scams
- Create and practise a cyber incident response plan
About Wizard Cyber
Wizard Cyber is dedicated to helping law firms mitigate the risks associated with malicious or accidental cyber attack. We are a trusted supplier to many UK law firms and deliver 24/7 outsourced cyber security via our flagship range of CYBERSHIELD-MDR services.