How law firms can prevent cyber-attacks

Think of your accounts like your home. You can have the best locks and the best alarms but, if burglars want to get in, they can often find a way. However, having the best locks and the best alarms does deter them, and it’s the same with cybersecurity. You have to do everything you can to prevent cyber-attacks, protecting your law firm and making it as secure as possible.

When looking to prevent cyber-attacks at your law firm, there are a number of things you can do. This blog provides advice on ways to safeguard and limit your law firm’s exposure to cybercrime.

Safeguards to prevent cyber-attacks

There are numerous safeguards to prevent cyber-attacks. Some may seem a little obvious, but it’s important that they’re all in place to protect your law firm to the best of your ability. These are the most important safeguards:

1. Two-factor authentication on all logins

Whatever account you log into, you usually do so with a username or email, and a password. Two-factor authentication is an extra layer of security. Once you’ve input your username and password, you’ll then have an additional task to complete. This could be authorising the login via an app on your phone or computer, or a text message with a one-time-only code. It’s only when you complete this additional task that you’re able to access your account.

Make sure you have two-factor authentication set up on all your accounts, so it’s much more difficult for scammers, or baddies, to access them.

2. Regularly monitor sign-in activity on your account

Many logins, especially email logins, notify you when someone has logged into your account. These notifications can provide information such as who has logged in and where they’ve logged in from, for example, if they’re overseas.

Make sure, where possible, that you have these notifications activated. That way, when a baddie accesses your account, you’ll be able to act swiftly.

It’s important to note that the location may not always be genuine. If the baddies are using a VPN, they may be able to hide their location and make it look like they’re in the UK.

3. Anti-virus protection

Although it sounds obvious, anti-virus protection can significantly increase your security. It can often detect when a website looks odd, or when something doesn’t look quite right, and will alert you to potentially suspicious activity. This gives your law firm an extra layer of protection, makes it more difficult for baddies to get into your accounts, and helps you prevent cyber-attacks. Having your IT department test these defences (anti-virus and firewalls alike) is essential to check that they are actually working.

4. Spam filter

The spam filter isn’t always reliable. Although it can detect some fraudulent emails and move them to your spam folder, it often misses them, and genuine emails can often get caught up in spam as well. However, it does add an extra layer of security and makes you think twice about emails that end up in your spam folder.

5. Strong passwords

According to an article by Tech.Co on ‘Securing Accounts in 2023’, it’s quite easy for hackers to guess uncomplicated passwords. If a password is under 10 characters, it will only take 2 weeks to crack, and a simple 10-character password made up of numbers or lowercase letters can be cracked in under 24 hours.

Therefore, making sure your accounts have strong passwords is an extremely important part of safeguarding to help prevent cyber-attacks.

Limiting exposure to cybercrime

In addition to putting safeguarding measures in place to help prevent cyber-attacks, there are various ways in which you can also help limit exposure to cybercrime:

1. Where possible use an app for clients to confirm bank details

There are apps available in which a client enters their bank details together with the name of the person expected to receive the funds, and the app confirms whether the details match. Some banks also now check that the recipient’s name matches the account. It’s important to note that these tools are useful for guidance, but you can’t rely on them to be 100% accurate.

2. Never accept bank details over email

Pick up the phone, or better still, speak to the client in person to get their bank account details, although we appreciate it’s not always practical to do that.

3. Set up daily payment limits and limits on amounts per transaction

Although this isn’t necessarily practical for a conveyancer, given you’re dealing with very large transactions all the time, setting up daily payment limits and limits on amounts per transaction can be very beneficial. If you’re unable to do this with your client account, you might want to consider it for your current account.

If you do this, and a baddie does access your account, they’ll be limited to what they can transfer, which limits your exposure to risk.

4. Dual authorisation on banking

Dual authorisation on banking can be really useful. It’s the modern-day equivalent of having two signatures on a cheque. The advantage is that, if there is a scam, one person failing to recognise it is possible, but two people failing to recognise it is much less likely.

5. Have more than one bank account

The advantage of having more than one bank account is that if baddies manage to get into one account, they are limited to the funds in that account.

Taking a step back from the cybersecurity reasons, there’s also a practical reason for having more than one bank account. Money in most UK banks is under FSCS (Financial Services Compensation Scheme) protection. Your money is protected up to £85,000, but anything over £85,000 is not covered by FSCS protection. It’s unlikely that more than one bank would go under at any one time, so spreading your money across different bank accounts limits your risk.

6. Regular virus checks

Having regular virus checks on all your devices, such as phones, tablets, laptops, and PCs, can significantly reduce risk and prevent cyber-attacks.

7. Have a good IT response

When a cyber-attack takes place, your response time is extremely important. If something were to happen, you need IT support on hand, rather than trying to find someone to help and wasting valuable time. Having someone at the end of the phone who can put your systems on lockdown and limit your exposure is extremely important.

How to prepare for a cyber-attack

It’s important that you prepare for a cyber-attack by ensuring that a firm-wide policy is in place which details what should be done in the event of a cyber-attack.

It’s also important to ensure that everyone has had the relevant training, which includes how to detect a cyber-attack. The SRA has suggested that you should probably have training every four months as people can easily forget what they have to do, so they need a reminder.

Carrying out a root cause analysis after an attack is important to establish why the attack happened and what measures can be put in place to stop it happening again.

Cybersecurity insurance

Many people believe that in the event of a cyber-attack, their business or professional indemnity insurance will cover it. However, these policies don’t actually cover cyber-fraud.

Insurance companies know that cybercrime is a substantial risk, so the cybersecurity insurance they offer usually has a substantial premium and a rather hefty excess. Many law firms, when assessing the risks, believe that the cost of the premium and excess is so large that they’re never going to claim on it, and that having it would therefore effectively waste their money.

Because cybercrime is so high-risk, insurers often put a lot of limitations on the policy as well as expectations on the policyholder. So, if you do have cybersecurity insurance, you need to ensure you’re well aware of all of these points and also of the insurers’ reporting requirements, including the time periods within which an incident must be reported. Otherwise, you may find yourself paying a lot for a policy that isn’t fit for purpose.

What are the SRA regulations in the event of a cyber-attack?

In the event of a cyber-attack, you need to contact the SRA. As a solicitor, you have certain obligations under the Accounts Rules.

If money has been sent to the wrong person from the client’s account, the SRA regulations state that you need to pay that money back into the client’s account immediately. You can’t wait to try and get the money back first.

There was a case where the SRA fined a law firm because it didn’t pay the money back into the client account for four months. This was a breach of the Accounts Rules that resulted in a significant fine.

There’s also a requirement to report the incident to the ICO within 72 hours.

You also need to tell your client. You don’t want your client to find out another way, such as if it ends up on the news, or the regulator contacts them. Be honest and open, even when it’s difficult.

Get in touch

If you need advice or would like to talk to us about one of our products or services, simply get in touch and one of our experts will be happy to help.
