Law firms and their clients continue to make national headlines for all the wrong reasons, as both sides are now a prime target for cyber criminals. The increased frequency of attacks like these is truly alarming, not only for clients, but also for the solicitors who can take a huge hit to their reputation in seconds. One solicitor in Guildford, for example, was conned into sending a criminal more than £700,000 of her clients’ money, resulting in her suspension by the Solicitors Regulation Authority.
It is worrying how easy it is for these criminals to breach a firm’s security systems in many cases. The problem is that there are a variety of methods that hackers can use to access just about any file on a computer and ultimately a firm’s network. The Business Email Compromise (BEC) is an especially popular method at the moment. This particular scam focuses on the weakest link of a firm’s security – the human sat at a desk.
Fraudsters essentially use a BEC to deceive lawyers and their clients into transferring a large sum of money into a fraudulent account. These attacks can take place from one of two angles: either the client is targeted or the law firm itself is compromised.
Either way, the criminal will typically email the law firm or the buyer, asking them to make a payment. In reality, they’ll find that the bank details have been changed – either those of the solicitor or of the client – so that the money ends up being transferred into a fraudulent account. Scams like these have increased by 40% in the recent years and according to the accountancy firm Hazlewoods, a shocking 2.3 million was lost due to attacks on law firms between November 2015 and April 2016 alone.
How have the threats changed over the years?
The truth is that the threats facing law firms haven't really changed all that much in the last 20 years. However, the force behind the threats has changed. Experienced hackers now commit these crimes for the money, particularly through extortion, blackmail and corporate espionage.
As a result, the pressures facing the legal industry are now two-pronged. Industry regulators are becoming more and more focussed on Information Security and requiring law firms to take the issue seriously. At the same time, clients are also driving new behaviours by requiring their law firms to prove their robust information security measures – sometimes even at the pitching stage.
It is this client-side pressure that will be the most immediate concern for firms, which not only need to demonstrate tight security to drive business, but must also increasingly be available to deal with clients’ concerns outside of work hours and away from the office. This means working on different devices and away from established office systems, but still maintaining the highest levels of security.
Meanwhile, whilst the threats related to cyber crime continue to increase, regulation and client expectations will also build steadily. For today’s law firms, the challenge of maintaining flexible and convenient working practices whilst keeping data beyond the reach of cyber criminals is therefore likely to be a key concern, both now in the years ahead.
Why are law firms the most targeted?
Other markets have suffered from cyber attacks in recent years, but nowhere near to the same degree as law firms. Because lawyers often have access to large funds in their systems, they are an incredibly attractive target for hackers. The problem is that criminals know that solicitors are the “middle man” in a wide variety of financial transactions, so if they can find a weakness they’ll exploit it.
Moreover, law firms typically rely on email to share bank account and other personal details, which also puts them at risk of a cyber attack. In more extreme cases, an attacker may even visit the firm where the solicitor works in order to gain even greater knowledge of the company’s operations.
It’s important to realise that attacks like these are never carried out at random. They can take months of planning and are usually quite intricate, since the fraudsters have to ensure that everything goes off without a hitch to avoid being caught. As such, the people behind these attacks tend to be incredibly intelligent. After all, hacking is not easy, especially in situations where robust security systems are in place.
How to avoid being hacked?
In most cases, the secret to defending against these attacks is already contained within the firm itself. The first step is to ensure that all staff are trained well enough to recognise a suspicious call or email.
For example, employees should be encouraged to take a close look at the email sender in any messages they receive. In the BEC scam, an element in the email address will often be very slightly different, whether it is a wrongly spelled domain name or suffix, such as .net instead of .com.
Secondly, it is important to check that that the email style is the same as the sender’s usual correspondence. If the email recipient notices the style or grammar is considerably different, that could be a red flag. If in doubt, both employees and clients should contact the sender to determine whether it is genuine, since the IT team can often track who and where the email has come from if it’s not.
Creating a secure, online portal is another way of sharing information between solicitors and their clients,s reducing the risk of being hacked. There are a different variety of portals that firms can create in order to keep clients’ information safe, both off the shelf or bespoke to a specific firm. Each has different levels of security, so it is up to the firm to decide which to implement. Ideally any situation where money is transferred needs at least a two-stage authorisation process.
Solutions like these may sound overwhelming, but following just one or two of these steps will help to ensure that only the right people have access to private or personal information. For the most part, the security systems that are needed to protect firms from attacks like these are probably already in place in most cases. It’s therefore vital that all staff are provided with basic IT security training, covering areas such as data protection on the move, verification procedures, how to report suspect communications, etc.
Using the ISO 27001 standard is an ideal solution to ensure a firm actively manages and reviews how it manages the security of its assets, including financial information, intellectual property, employee details and confidential third-party data. ISO 27001 is a proven method for conducting a comprehensive risk assessment and managing any issues that are identified. The process is not difficult, and certification can normally be achieved for a reasonable price.
What happens next?
The Solicitors Regulation Authority (SRA) believes that firms are responsible for safeguarding client funds, which means that law firms must replace any money that is improperly withheld or withdrawn from a client account. It is therefore imperative that law firms, particularly those dealing with property purchases and other large financial transactions, are extra vigilant.
In the event of a high-profile cyber attack, firms not only risk seeing their reputation in tatters, but could also be banned from practising law altogether. As such, firms no longer have the option of simply ignoring this risk, and must instead take action to protect themselves – and their clients – right now.
Author: Robert Rutherford, CEO of the business and IT consultancy QuoStar.
(Source: QuoStar)