Dora

Someone typing on laptop with a credit card in hand

Latest cybercrime risks to the legal sector and how to manage them

A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers Law Firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014.  The report also cites SRA reports that over £11 million of client money was stolen due to cyber related crime in 2016.

The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.

The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms who are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms who may have a small number of staff but may still be processing large volumes of data or handling significant client funds.

While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The 4 key current risks identified in the report are:

  • Phishing attacks where attackers influence users into disclosing information or clicking a bad link which compromises the payment of invoices and money transfers;

  • Accidental and deliberate data breaches as a result of insiders such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;

  • Ransomware – a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters.

  • Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.

The report also raises concerns that future increased use of online delivery methods; outsourcing of services; blockchain and Artificial Intelligence will increase the risks going forward. As Christina Blacklaws, President, The Law Society states;

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”

As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:

  • Implementing processes to verify (via independent means) invoices and account details for money transfers;

  • Using ‘cooling off’ periods for changing account details for high value transactions;

  • Encouraging a culture where suspicious transactions are queried;

  • Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;

  • Monitoring user access of systems;

  • Keeping software, and especially operating system (OS), up to date;

  • Control what software and applications you choose to allow into your firm; and

  • Verify that third party suppliers, particularly those that hold their sensitive data, have basic cyber security controls in place.

All of the above controls are relatively cost effective for any firm but other controls may be disproportionate for smaller firms. To this end the NCSC’s ‘Small Business Guide’ offers simple practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security which can provide a competitive advantage.

UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here. The NCSC or the Law Society can sponsor your organisation, as appropriate.

The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.

As with most frauds these losses occur not because of the absence of controls but rather that the controls in place are not applied consistently.  According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.

A firm’s assessment should therefore also consider at a high level how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that these remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid and in particular after:

  • Restructuring

  • Downsizing

  • Changes in business processes

  • When major new policies are being developed, changed or implemented differently

  • Following identification of weaknesses

  • The introduction of new computer systems

  • After an incident of fraud

Get in touch

Firms wishing to obtain further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of their existing controls, please feel free to get in touch.

Latest cybercrime risks to the legal sector and how to manage them Read More »

digital lock with the CFA logo

Cyber Essentials – Affordable Security

Guest blog from Centre for Assessment Ltd

The Cyber Essentials Scheme has been around for a number of years now, and more and more businesses are finding the demand for this is increasing when it comes to working with particular clients and qualifying for tenders/contracts. The core values of Cyber Essentials offers both clients and supply chains peace of mind, knowing that basic cyber hygiene measures are being adhered to, and the essential elements of the IT infrastructure are running effectively.

The core values of Cyber Essentials are built around 5 main controls: firewalls, secure configuration, access control, malware protection and patch management. The combination of these controls ensure that the risk of cyber-attacks is kept to a minimum, and that companies are showing a commitment to both staff and clients, ensuring data is handled and stored safely and securely.

There are two different levels of cover available through the scheme which are ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.

Cyber Essentials is a self-assessment driven audit, which allows businesses interested in the scheme to be able to evidence their basic conformance to the scheme rules within an application document. Once completed this is then reviewed by a registered certification body for assessment. Decisions on conformance can be made within as little as 48 hours.

Cyber Essentials Plus includes all of the self-assessment elements of the basic Cyber Essentials.  Additionally, it entails a vulnerability scan, on-site testing and a much more comprehensive assessment process verified by independent experts to help further ensure that the IT infrastructure is as secure as possible. This level of assessment represents a much larger commitment to the overall IT welfare of any business and helps in leading the war against cyber-crime within the UK.

These types of assessments are a step in the right direction for any business looking to bolster their IT security within any industry. Cyber Crime is forever evolving and adapting to try and appeal to victims via a range of different means. This can be something as simple as a link in an email or sending updates with ‘URGENT’ in the subject, to try and instil fear and panic usually leading to a knee jerk reaction, which can cost victims dearly.

The legal sector is no stranger to cyber-crime and its devastation, with 62% of law firms estimated to be the victim of a cyber-attack in the last year. Law firms are considered to be 7th most vulnerable industry for malware according to Cisco, with 4.5% of all UK data breaches occurring within the legal sector. Practices are starting to take note of the devastation this causes and are beginning to take steps towards a scheme like Cyber Essentials, to help in the fight against cyber-crime and to re-assure clients.

We are even starting to see schemes like Cyber Essentials incorporated into other standards within the legal sector. In July 2018, a new version of Lexcel, The Law Society’s Legal Practice Quality Mark, was announced, and within some of the policies and procedures there is a direct reference to the scheme stating, “Practices must have an information management and security policy and should be accredited against Cyber Essentials.” This is helping to further enforce the importance of the scheme and general cyber awareness within the legal sector.

Get in touch

Cyber Essentials is available through the Centre for Assessment.  To find out more, visit their website, or telephone them on  0161 237 4080

If you’d like to know more about Teal’s data protection services can help you, get in touch with one of our experts today.

Cyber Essentials – Affordable Security Read More »

Someone writing a report

Revised Lexcel Standard: Be prepared!

The Lexcel Legal Practice Quality Mark has been revised and expanded.  Lexcel accredited practices will be assessed against the revised standard from 1st November which means there is plenty for you to be working on. The Law Society Lexcel website gives you more information.

Broadly, these changes align the standard with recent new and revised legislative requirements in relation to data protection and financial crime.

The SRA Code of Conduct 2011 mandatory outcome 7.5 applies whether or not you are Lexcel accredited… ‘you comply with legislation applicable to your business, including anti-money laundering and data protection legislation’.

1. Start planning

There is a lot here to risk assess, develop, train, implement and test before your next Lexcel assessment … and of course to communicate to clients, as appropriate, and to your staff.

With regard to data protection, look at all the Lexcel requirements and you will soon realise that data protection touches all areas of the Standard.

2. Risk assess

You will need to look at the wider picture to assess and manage the risk of breaches and other offences.  A thorough review will include your compliance plan, risk register, policies and procedures, record keeping, monitoring and training.  Are you, for example, maintaining appropriate records of data processing activities, information asset registers, money laundering risk assessments and records?  Remember it is important to keep records of your decision making to evidence compliance and to have robust breach reporting procedures.  You need to understand your vulnerabilities and risks and address these accordingly.

3. Develop documentation

For all these new requirements off the shelf template policies or procedures may be helpful but are not always likely to be sufficient as every practice is different. One size does not fit all.  Examine the profile of your own practice, undertake thorough risk assessments and gap analyses.  Bespoke policies and procedures in plain language and applicable to your business are best practice, and likely to be more robust and easily understood by everyone.

4. Train, implement and test

Ensure your policies and procedures are effective. Undertake audits and spot checks.

Be prepared for assessors (and potentially other bodies), to review your central documentation, follow the audit trails, check your matter files and interview staff for evidence that they understand their responsibilities relevant to their role and have received appropriate training.  Importantly too, are your staff able to identify potential breaches or compliance failures and do they know how to go about reporting this?

A wealth of information and guidance is available on the ICO, Law Society and SRA websites.  As always, Teal blogs are a great resource for practical guidance.

Make sure you check out the Cyber Essentials scheme which, for Lexcel accreditation, firms are now encouraged to achieve.

Take a deep breath, consider your risks, raise awareness in your business, and start your reviews and preparation now.

Get in touch

Most of all, don’t lose sleep! To find out more about our risk management services, simply contact one of our experts today to chat about how we can help.

Revised Lexcel Standard: Be prepared! Read More »

British pounds - notes and coins scattered

The human cost of money laundering

It is very easy to silo oneself when immersed in the world of investigating money laundering and to forget that actually it isn’t just about currency, commodities and hidden profits, but it’s about people.

I have investigated a plethora of cases during my career and the focus is usually centred upon the villain and the criminal gains. How often do we actually sit down and examine how many people have been damaged along the road to the conviction? We get the conviction, we take back the proceeds of crime via the machinations of POCA and we send the villain to jail. Do we know what happened to all the others that were affected somewhere along the way to the Courtroom steps?

Just like fraud, I have often heard people say that it is a victimless crime. This couldn’t be further from the truth.

Money laundering is a crime that many people consider irrelevant to them. If it is a problem at all, they consider it is a problem only for banks. That is far from true. Money laundering has massive effects, not only on financial institutions, but also on governments, industries, economies and also individuals.

What are the effects of these widespread crimes that fly under the radar of much of the population? And why are these effects so massive?

To understand the reasons you need to understand the nature of money laundering. It is not an overt crime like robbery or assault; it is secretive and buried under multiple layers so as to avoid detection. It is also not headline news. How often do you see a laundering case at the top of the News at Ten? It’s not a headline grabber and so the consequences of this crime also get buried in the myriad stories about Brexit, Russian Spy Poisoning and Britain’s Got Talent!

Have you ever stopped to consider what might be under your nose when taking a stroll through the main street of your town or through a large, out of town shopping mall? Have you ever considered the rise and proliferation of the nail bar?

That is not to cast aspersions over every nail bar in the land, but have you ever considered how a business, with seemingly very few customers in an area of high business rates, is able to sustain itself?

I have investigated a number of cases involving nail bars. They are often used as a ‘front’ for cannabis farms. These farms are often linked to organised crime, often of Asian or Vietnamese origin.  The profits of the sales of cannabis are often laundered by creating fictitious sales or customers on the books. A simple scheme where no one is really hurt?

Cannabis farms don’t run themselves. The crop needs tending. Organised criminals don’t employ a local firm of horticulturalists. They often turn to human trafficking to find their staff.

When Police conduct search warrants at these cannabis farms they usually find a single male ‘gardener’ on the premises, locked into the building and controlled by others who are higher up the food chain. This male is usually living in fairly squalid conditions, sleeping on a camp bed if he’s lucky, and left only with sufficient food and water to exist. The ‘gardener’s’ sole function is to tend to the lucrative crop. There will be no pay or rewards beyond basic existence.

This is the reality of laundering. A person who has been trafficked. A prisoner in a foreign land with no rights or standing. They may actually have a better standard of living than in their homeland and do not view themselves as victimised, but a victim they are.

Money laundering and financial crime hurts real people.

Money launderers need to engage with professionals to enable their funds to be assimilated into a legal system. As professionals in this arena you will come into contact with launderers. They will want your assistance.

By engaging with launderers, whether knowingly or unwittingly, you become part of the problem.

Perhaps you may now look differently when engaging with some businesses. What lies beneath?  Think……..What can I do about it? What should I do about it?

Get in touch

We assist firms everyday with practical advice on AML and on how to spot the signs of money laundering in real life.  Contact us today for more information.

The human cost of money laundering Read More »