Cyber security risks are a hot topic in the area of law firm compliance right now, and rightly so. A quarter of law firms have reported being the victim of a cyber attack, of which nearly one in ten result in money being stolen.
With cybercrime risks continually evolving as criminals devise new ways of beating security software and tricking people into handing over their personal or business details, it makes sense to be aware of what the newest cyber risks are – and the steps you need to take to ensure your firm stays secure and compliant.
The threat of malware – software that seeks to disrupt, damage or gain unauthorised access to computer systems – has been around for a while now, and one of the fastest growing forms of malware today is called ransomware.
As its name suggests, ransomware blackmails its victims by locking down access to systems and data, and promising only to return access in exchange for a sum of money – usually one or two bitcoins (at today’s rate that is around £900 - £1800). However, many law firms would pay such sums if it ensured that their data was recovered in full – if not, the financial impacts could be much more significant.
The problem with ransomware is that, even if the sum is paid, research from TrendMicro suggests that a fifth of organisations do not actually receive their data back. Even if they do, the costs to law firms are still significant, with consequences including lost files, reputational damage, a breakdown in client relationships, and a significant loss of time to put the issue right.
If your Disaster Recovery Plan is not optimised for such attacks, you should ensure that you can get your backups live in minutes, rather than hours or days, so that significant time is not lost rectifying the problem.
After all, every 6 minutes of a solicitor's time is worth around £200-400 for a practitioner in London.
2. Online activism to cause downtime – DDoS attacks
Deloitte has predicted that in 2017, Distributed Denial of Service (DDoS) attacks “will become large in scale, harder to mitigate (increasing the severity of impact) and more frequent”. This form of cyber attack involves deliberately overloading a business’s servers in order to cause downtime, whether carried out by activist groups or by systems that have been hijacked with malware. Such attacks can leave computer systems unavailable for long periods, causing major business disruption.
The first and best defence against DDoS is to recognise an attack and respond early. You should ensure that you invest in the right technology to help identify such attacks, such as anti-DDoS software, and have a team on hand that proactively monitors your servers for spikes in network traffic or a slowdown in performance. Your team – whether internal or external – should also have up-to-date experience and knowledge of the latest attacks and prevention methods, along with access to back-up ISPs to reroute traffic in the event of an attack.
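One way to implement the monitoring step described above, as an added example in Python (not code from the original article): it derives a per-minute request baseline from constructed access-log lines, flags any minute whose volume jumps well above that baseline, and notes whether the spike comes from many distinct sources. The log lines, the five-minute window and the multiplier are assumptions to be tuned for your own servers.

```python
# Added example (not from the article): flag request-rate spikes in a web
# access log against a rolling baseline. Log lines are constructed; window
# and multiplier are assumptions to tune for your own servers.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_sample_log():
    """Constructed log: ten quiet minutes, then a flood from many hosts."""
    start = datetime(2017, 3, 3, 16, 0)
    lines = []
    for m in range(10):  # normal traffic: 4 requests/minute from 4 clients
        for r in range(4):
            t = start + timedelta(minutes=m, seconds=r * 12)
            lines.append(f"{t.isoformat()} 203.0.113.{r + 1} /matters")
    flood = start + timedelta(minutes=10)  # 60 requests from 60 sources
    for r in range(60):
        t = flood + timedelta(seconds=r)
        lines.append(f"{t.isoformat()} 198.51.100.{r + 1} /login")
    return "\n".join(lines)

def per_minute_stats(log_text):
    """Parse 'timestamp ip path' lines into sorted (minute, requests, sources)."""
    reqs, sources = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, _path = line.split(" ", 2)
        minute = datetime.fromisoformat(ts).replace(second=0)
        reqs[minute] += 1
        sources[minute].add(ip)
    return [(m, reqs[m], len(sources[m])) for m in sorted(reqs)]

def find_spikes(stats, window=5, factor=3.0):
    """Alert when a minute's request count exceeds both mean + factor*stdev
    and factor*mean of the preceding `window` minutes. Many distinct
    sources in the spike is the signature a DDoS leaves, versus one host."""
    alerts = []
    for i in range(window, len(stats)):
        base = [c for _, c, _ in stats[i - window:i]]
        mu, sigma = mean(base), pstdev(base)
        threshold = max(mu + factor * sigma, factor * mu)
        minute, count, distinct = stats[i]
        if count > threshold:
            kind = "distributed" if distinct >= count / 2 else "single-source"
            alerts.append({"minute": minute.isoformat(), "count": count,
                           "sources": distinct, "threshold": threshold, "kind": kind})
    return alerts

if __name__ == "__main__":
    for alert in find_spikes(per_minute_stats(build_sample_log())):
        print(alert)
```

In practice the same logic would run over a live log feed or metrics export rather than a single string, and an alert would be routed to the team responsible for engaging the anti-DDoS provider or back-up ISP.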
3. Friday afternoon fraud
Whilst not a new cyber threat as such, Friday afternoon fraud is the most prevalent legal cybercrime risk and is only likely to rise further as criminals find new ways of tricking law firms. The SRA’s figures show that 75% of cybercrimes reported to them involve Friday afternoon fraud, and the Financial Times reported last year that QBE Insurance had received 150 claims over an 18-month period, amounting to £85 million. The money stolen typically ranges from £65,000 to £1.9 million.
Friday afternoon fraud takes its name from the time at which conveyancing deals often complete. Criminals traditionally posed as a lender or client over the phone, but are now just as likely to hack into your law firm’s systems to steal client monies awaiting completion, by accessing and altering email correspondence between the client and their solicitor so that funds are redirected.
It is imperative that your computer systems are kept up to date and installed with the latest anti-virus and anti-malware software, to help protect against the hacking and malware scams through which client monies can be lost.
Lawyers should still be mindful of fraud arising from non-cyber activities, such as telephone calls or instructions that are unusual or change at the last minute, and should ensure that policies are in place, such as never acting on bank details given over the phone without making an outbound call to the bank to verify the request.
All of these cyber risks can result in some law firms shying away from adopting innovative cloud solutions. However, the choice need not be between innovative delivery of client services and maintaining data and client confidentiality. Find out more about the benefits that cloud technology can bring and how to ensure you minimise cyber risks with our eBook: A guide to cloud for legal professionals.