Latest cybercrime risks to the legal sector and how to manage them

Someone typing on laptop with a credit card in hand

Date

A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers Law Firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014.  The report also cites SRA reports that over £11 million of client money was stolen due to cyber related crime in 2016.

The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.

The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms who are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms who may have a small number of staff but may still be processing large volumes of data or handling significant client funds.

While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The 4 key current risks identified in the report are:

  • Phishing attacks where attackers influence users into disclosing information or clicking a bad link which compromises the payment of invoices and money transfers;

  • Accidental and deliberate data breaches as a result of insiders such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;

  • Ransomware – a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters.

  • Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.

The report also raises concerns that future increased use of online delivery methods; outsourcing of services; blockchain and Artificial Intelligence will increase the risks going forward. As Christina Blacklaws, President, The Law Society states;

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”

As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:

  • Implementing processes to verify (via independent means) invoices and account details for money transfers;

  • Using ‘cooling off’ periods for changing account details for high value transactions;

  • Encouraging a culture where suspicious transactions are queried;

  • Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;

  • Monitoring user access of systems;

  • Keeping software, and especially operating system (OS), up to date;

  • Control what software and applications you choose to allow into your firm; and

  • Verify that third party suppliers, particularly those that hold their sensitive data, have basic cyber security controls in place.

All of the above controls are relatively cost effective for any firm but other controls may be disproportionate for smaller firms. To this end the NCSC’s ‘Small Business Guide’ offers simple practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security which can provide a competitive advantage.

UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here. The NCSC or the Law Society can sponsor your organisation, as appropriate.

The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.

As with most frauds these losses occur not because of the absence of controls but rather that the controls in place are not applied consistently.  According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.

A firm’s assessment should therefore also consider at a high level how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that these remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid and in particular after:

  • Restructuring

  • Downsizing

  • Changes in business processes

  • When major new policies are being developed, changed or implemented differently

  • Following identification of weaknesses

  • The introduction of new computer systems

  • After an incident of fraud

Get in touch

Firms wishing to obtain further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of their existing controls, please feel free to get in touch.

More
articles

Testimonial from Right Legal
"We have been using Teal to support our compliance frameworks, and every aspect of our experience with them has been fantastic. From the training to the audits, and especially the ‘Ask Teal’ helpline, nothing is too much trouble, and you get quick support from some of the industry’s best compliance experts. Just having them there to support our continued growth takes a huge weight off my mind. Highly recommend to firms of all size and structure!"
Get in touch
Testimonial from Constantine Law
"We rely on Teal Compliance to provide responsive, practical compliance services to Constantine Law (we do not have an in-house compliance officer/function). I would encourage all solicitor firms without their own resource to engage with Teal: they know what they are doing and they provide peace of mind regarding day-to-day compliance matters as well as responses to unforeseen (tricky) compliance matters. They have become an indispensable partner to Constantine Law in our growth journey."
Get in touch
Testimonial from Streathers Solicitors
"We have worked with Teal for several years. They have provided us with AML training and also helped us put together our firm-wide AML risk assessment and our updated AML policy, along with assisting us with various issues as and when they arose. We have always found them to be very helpful, friendly, responsive and knowledgeable, and are happy to recommend them."
Get in touch
Testimonial from Streathers Solicitors
"We have had a relationship with Teal for a number of years and they have provided a valuable resource to our compliance team. Teal combine the delivery of a personal and friendly service with city level expertise."
Get in touch