The risk to all businesses from cybercrime continues to grow, year on year, and yet despite this there still appears to be – even in the legal sector – a frightening level of complacency towards that cybercrime threat which could at best cause a loss of property or reputation and at worst regulatory and criminal sanctions.
In their Risk Outlook 2018-2019 (https://bit.ly/2NPRcKi) the Solicitors Regulation Authority (SRA) reported that they were continuing to receive an ever increasing number of cybercrime reports – 157 reports in 2017, up 52% compared to 103 in 2016 – and that the amount of client money reported to be lost to cybercrime was up from £9.4m in 2016 to £10.7m in 2017. Bear in mind that this is only that which is reported – the SRA have indicated that they suspect there is a degree of under-reporting, particularly where money is replaced promptly by the firm or their insurer – a view which is borne out by the fact that they are seeing fewer reports than would have been expected given media reporting of the frequency of such attacks.
Moreover, it is not just the SRA that is raising the increased danger from cyber-attack. IT security company Carbon Black stated at the beginning of September in their report “Hacking, Escalating Attacks and The Role of Threat Hunting” (https://bit.ly/2DqwmRG) that 92% of UK companies surveyed had been breached in the last 12 months and almost half of those (44%) had been breached between three and five times. Even more worrying is the fact that the report reveals that the attacks are becoming ever more sophisticated. This is, it is suggested, hardly surprising since the report also reveals that cybercriminals are thought to be spending somewhere in the region of $1 trillion per annum on developing cyberattack weapons whereas those trying to prevent attack are spending only around $96 billion. In other words, the attackers are outspending the defenders by a ratio of more than 10 to 1.
Despite these figures, and despite the obvious vulnerability faced by many law firms, there is still a huge level of complacency amongst all businesses – including law firms – about the dangers of cybercrime and a general feeling of “it won’t happen to me” that is really not borne out by the statistics.
In their research report “Protect and Survive: Risk and Cybersecurity in the Property Sector”, online solutions provider the TMGroup (https://bit.ly/2OSKBQx) reported that, despite more than half of the businesses surveyed (57%) agreeing that cybercrime was a concern at their law firm, only 13% ‘strongly agreed’ that they had spent a lot of time and money securing their communications, and an amazing 58% of law firms stated that they felt ‘not that threatened’ (47%) or ‘not threatened at all’ (11%) by the prospect of cyber-attacks.
Complacency about cybercrime is not only a problem among business managers. One of the weakest links in any business’s IT security strategy is the workforce – the people who interact with data and security issues on a daily basis. A report in the Financial Times last year (www.ft.com/content/e75d9c96-eec9-11e6-ba01-119a44939bb6) stated that “Staff either do not understand their role in the complex challenge of security systems or cannot yet be persuaded to care. British workers in particular fail to protect their data and devices.” This may not be surprising if we are to believe the statistics that Barclays have produced in their “UK Digital Development Index” report last year (https://bit.ly/2Du3kQZ). In it, they state that there exists a “digital deficit” with almost half of all workers not possessing the computer skills required to function in an increasingly digitised economy with the so-called “Generation X” (i.e. those in the 35 to 54 age band) increasingly being left behind by technology and becoming far less confident in their computer skills.
What Are the Risks Law Firms Face?
In their 2018-2019 Risk Outlook, the SRA stated that, in the first quarter of 2018, “email modification fraud accounted for more than 70% of all cybercrime reports with most other cybercrime reports also involving some form of forgery to deceive targets into responding, rather than explicit hacking of the firm’s systems.” They go on to say that the cybercrimes and scams from which law firms are most at risk “include:
- email modification fraud – the most common type of cybercrime against solicitors, where criminals intercept and falsify emails between a client and the firm, leading to bank details being changed and money being lost
- phishing and vishing – where criminals email or phone to obtain confidential information, such as a password, through gaining the trust of a solicitor or other member of staff
- malware – harmful software that includes viruses and ransomware programs, which encrypt files and demand a ransom in return for decrypting the files
- CEO fraud – where criminals impersonate a senior figure at a firm through hacking, or having a very similar email address, to impose authority and order money transfers
- identity theft – where bogus firms copy the identity and brand of a firm.”
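Two of the patterns in the SRA list above, a sender address that is merely similar to the firm’s own (CEO fraud, identity theft) and a message asking for payment bank details to be changed (email modification fraud), can be triaged mechanically before a fee-earner ever acts on them. The following is an added illustration, not code from the article or the SRA; the firm domain, the keyword lists and the sample messages are all constructed.

```python
# Added example: defender-side triage of inbound email for the SRA fraud patterns
# named above. All names, keyword lists and sample messages are constructed.
from dataclasses import dataclass

FIRM_DOMAIN = "example-solicitors.co.uk"   # assumed firm domain (constructed)

BANK_TERMS = ("bank details", "account number", "sort code", "iban")
CHANGE_TERMS = ("changed", "updated", "new account", "use the following")
URGENCY_TERMS = ("urgent", "immediately", "today", "before completion")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain a couple of edits from ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    lookalike_domain: bool   # sender domain close to, but not equal to, FIRM_DOMAIN
    payment_change: bool     # message asks for payment bank details to be changed
    urgency: bool            # time pressure wording, which the article links to rushed decisions

    @property
    def suspicious(self) -> bool:
        # Urgency alone is normal in conveyancing; it only strengthens the other two.
        return self.lookalike_domain or self.payment_change


def triage(sender: str, subject: str, body: str) -> Verdict:
    """Flag an email for manual verification (e.g. a call-back on known numbers)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    lookalike = domain != FIRM_DOMAIN and edit_distance(domain, FIRM_DOMAIN) <= 2
    text = f"{subject}\n{body}".lower()
    bank_change = any(t in text for t in BANK_TERMS) and any(t in text for t in CHANGE_TERMS)
    urgent = any(t in text for t in URGENCY_TERMS)
    return Verdict(lookalike, bank_change, urgent)


if __name__ == "__main__":
    # Constructed sample: 'exarnple' (r+n) imitates 'example' and asks for new bank details.
    v = triage("partner@exarnple-solicitors.co.uk", "Urgent: completion funds",
               "Please use the following new account: sort code 00-00-00.")
    print(v, v.suspicious)
```

In practice the flagged message is routed to a verification step rather than blocked outright, since a genuine client can also write about bank details.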
What Should Firms Be Doing?
Cyber-attack complacency is becoming one of the main threats to the security of businesses around the world and is increasingly being identified as a key danger.
Part of the problem, as was expressed by David Higgins, an Australian data security specialist with WatchGuard Technologies for an article in PACE Today (https://bit.ly/2Q1CkcU), is that “lackadaisical attitudes are a problem” with people preferring convenience over security. He said that “consumers generally are looking for convenience rather than security. If it’s a trade-off between security and convenience I think convenience is going to win out every time with the consumer.”
So what should firms be doing to ensure that they do not become a victim?
The obvious answer, one would think, would be to tackle complacency at management level and for firms to put in place hardware and software defences – virus protection, firewalls and Unified Threat Management devices – to help make sure that hackers and criminals find it as difficult as possible to access systems and information.
Important as these no doubt are, the problem may be somewhat more basic than that. It is possible that a far greater benefit could be derived from first of all tackling complacency at workforce level – and especially ensuring that everyone within the firm is aware of the dangers, persuaded that the dangers are real and then given information and strategies to help ensure that they, the individual, are not the cause of the problem.
It is generally acknowledged that people are usually the weakest link in the IT security chain. You can have as many sophisticated technology-based solutions in place as you can get, but if one of your workforce discloses their password or gives out confidential information then it is all rendered useless. IBM’s 2015 Cyber Security Intelligence Index (https://bit.ly/2KSIX3q) stated that 95% of cybersecurity breaches were down to human error and that more than half of all security attacks are caused by individuals who had insider access to organisations’ IT systems.
Often the problem is as simple as awareness. If firms do not make their staff aware of the potential problems that can arise, if they do not train the workforce in what to look out for in a phishing attack, then they can only blame themselves when that staff member gives away information.
That training and awareness needs to be offered across the board – partners, fee-earners, support staff – to anyone, in fact, who has access to data and who could be a threat to the security of the firm. It needs to cover all of those areas where sensitive information – be it bank accounts, passwords or client/employee data – could be disclosed inadvertently, whether through cyber-attack, mistake, negligence, fraud or simply bad luck.
In providing training and awareness, managers of firms need also to understand that part of the solution lies in understanding why people become victims of these sorts of attacks and to understand the psychology of the workforce’s online behaviour.
One factor seems to be the pressure of the workplace itself – the need to act rather than think because of the time constraints under which staff at all levels are placed. This is part of a phenomenon known as “cognitive efficiency” – the maximum information for the least brain effort – which results in workers making mental shortcuts that can be triggered by familiar logos, names or even phrases such as “Sent from my iPhone”. These seem to give them a sense of security and therefore make them more likely to believe in the validity of the message. Thus, when a computer user sees a bank logo they immediately assume that the request which accompanies it is more likely to be legitimate than one without the bank logo. Alternatively, if they were to receive an email purporting to come from the SRA, their inbuilt need to comply with authority might make them more likely to give out sensitive information than if it came from an unknown source.
This is something which can only be addressed by, in addition to training, ensuring that staff have the time to think about what they are doing and that they are not panicked into making spur-of-the-moment decisions that might save them time but could end up costing the firm a considerable amount in lost money, resources, time or client confidence.
Another factor that needs to be taken into account is that of perceived safety. It lies at the heart of the complacency problem – the belief that the person in question is somehow inherently safe and therefore a low risk in cybersecurity terms. This might be for one of many reasons, including low self-worth, a belief that the work they do is not important, a feeling of security from practising in what is perceived to be a safe place geographically, the view that cybersecurity is something made up to benefit security firms, or a belief in the strength of the system through which they carry out their work. Whatever the reason, the result is the same, namely that the person in question puts little effort into remaining secure and taking even the most basic of steps to protect their data and assets. It is a problem akin to that of people in the countryside not locking their doors because they do not perceive a threat.
A further factor is the extent to which people use technology, which makes them blasé about the potential problems that use can create. Workers who use email all of the time will inevitably come to do so without thinking. When the use of technology becomes routine, those using it become less aware of what they are doing on a day-to-day basis and it becomes a habit rather than a conscious act. When that happens, the individual is less likely to check the validity of messages received, less likely to be suspicious of a request that seems to be an everyday request (but which may be from a cybercriminal) and more likely to undertake cyber activity whilst doing something else which may, at that time, be more important or more enjoyable – for example reading and responding to emails over lunch. It is this lack of awareness of the potential problems and lack of concentration that can lead to problems such as opening phishing emails or clicking on malicious hyperlinks without thinking.
The training that staff need may not simply involve being told what to look out for or what to do and not do. It may actually have to involve staff being put in the situation of receiving and responding to tests, so that they become used to dealing with phishing emails or malicious software attachments. In their report “The Icarus Effect: Tackling Cybercrime Complacency” (https://bit.ly/2NGXn8d), cybersecurity company RSM stated that when more than 230 spoof emails requesting validation of a staff login were sent to the employees of one organisation, 81 of those staff members had clicked on the link by the end of the first working day. Had that email been one containing genuine malware, the organisation would have had a serious problem on its hands.
Other steps to take may include:
- Ensuring that staff do not neglect software updates – either at work or on devices at home that they may use in connection with their work. It is not uncommon for IT users to switch off update functionality or to ignore update warnings when received. Keeping software up-to-date is one of the main ways of avoiding cybercriminals exploiting weaknesses in software to gain access to systems.
- Develop a sense of urgency about cybersecurity. Do not put off until tomorrow issues of cybersecurity on the basis that no one is pressing you to do it by a deadline or because it is an expense that is not immediate in the same way as rent, business rates and salaries. Also, make sure that cybersecurity is an ongoing, rather than a one-off process.
- Plan ahead. Put in place processes designed to prevent a security breach from happening, and not just processes for what to do in the event that a security breach occurs – although the latter has to be allowed for too.
- Spend wisely. It may be far more cost-effective to ensure that staff are properly trained rather than putting in place expensive hardware solutions. Whilst both might be desirable in an ideal world, if resources are limited concentrate them on where they will have the most effect.
Cyber complacency is a large and growing problem and one which needs to be addressed by all firms of all sizes.
Tackling it has to come from the top down. Staff are not going to believe in the danger unless partners take a similar view. Sending staff on cybersecurity training courses will not be effective unless managers and partners attend too.
Yes, it can be time-consuming to have to train staff on something that may or may not happen. However, it is even more time-consuming to have to deal with the fall-out from a successful phishing or malware attack, and training is certainly far better than having the firm closed down because it can no longer function or because the partners have been deemed to be in breach of the professional regulations.