Making Your Practice More Cyber Secure
Statistics and reports from the Solicitors Regulation Authority continue to demonstrate that as a profession, lawyers are increasingly at risk of being the target of some form of cybercrime.
The SRA’s Annual Review 2017/2018[i], published a few days ago, reveals that payments from the compensation fund in relation to conveyancing fraud – much of which is occurring through the medium of cybercrime – are up from £700k in 2015/2016 to a staggering £3.7m in 2017/2018. This rise is backed up by figures contained in the Autumn 2018 update to the SRA Risk Outlook[ii], which stated that reports of cybercrime were up 52% between 2016 and 2017 and by a further 10% in the first half of 2018, with email modification fraud accounting for 80% of all cybercrime reports in the second quarter of 2018.
These trends are reflected in other parts of the economy. The National Crime Agency, in its report “The Cyber Threat to UK Business”[iii], states that £32.2m has been lost to UK business solely from compromised emails, whilst a 2018 survey of business cyber breaches undertaken on behalf of the Department for Digital, Culture, Media and Sport[iv] found that 43% of those interviewed had experienced a cybersecurity breach or attack in the previous 12 months, with over half of those having lost assets or data.
In the face of figures such as these, it is surprising therefore that many law firms are still not doing enough to make themselves and their clients secure from cybercrime. The LOGICFORCE 2018 Cybersecurity Scorecard for law firms[v], revealed that only 55% of law firms (up from 43% the previous year) have documented policies and procedures for cybersecurity and that globally, 22% of all law firms experienced some form of cybersecurity attack in 2017 – a 14% increase on the previous year.
Law firms, and solicitors in particular, often hold substantial amounts of client money, have access to confidential and business sensitive information and are involved in many high-value transactions. Despite this, many do not have the resources to invest in what can be expensive cybersecurity processes and procedures. Little wonder, then, that they have become a regular target for cybercriminals.
It is essential that firms be more vigilant than they currently are – if only because it is a requirement of the current SRA Code of Conduct, which states that solicitors must provide services to their clients in “a manner which protects their interests”[vi]. This is a proactive, not reactive, duty: Outcome O (7.3) requires solicitors to “identify, monitor and manage risks to compliance” and “take steps to address issues identified”[vii].
What do we mean by Cyber Security?
The term cyber security is used here to mean a range of scenarios, including:
- the process of protecting computers and networks, mobile devices, electronic systems, and electronically stored data and accounts from malicious attacks;
- the steps required to be taken to prevent a firm from being subject to fraud or data loss whether by electronic methods or not – including ensuring that those working for the firm are not the weakest link – e.g. preventing phishing emails or identity theft leading to a security breach;
- planning ahead to ensure business continuity in the event of an incident occurring by putting in place disaster recovery plans, so that the firm can respond to a worst-case scenario with the least possible impact upon clients and the firm;
- the provision of training and raising the general awareness of all within the firm about what to look out for, what to avoid, how to respond and what to do and not do.
Moreover, it is not only about responding to, and preventing the effects of, criminal or fraudulent activity. It is equally about preventing negligence, lack of understanding, mistake or even plain bad luck from resulting in the loss of property or information by the firm or its clients.
In other words, it encompasses all aspects of the interface between electronic data, information and property with the day-to-day practice of the firm.
The Five Steps to Cyber Security
So, what can a firm do to make itself more resilient – to help it from becoming a victim of cybercrime or incurring a loss as a result of the intentional theft or inadvertent loss of data or assets?
There are a number of basic steps that a firm can take to help create a secure environment. These include:
- Carrying out a cyber risk assessment. Unless there is awareness of the potential risks then it is almost impossible to create a strategy for minimising them.
- Putting in place policies and processes designed to address the different aspects of cybersecurity.
- Ensuring the technical systems used are secure – for example the use of effective firewalls, anti-virus and anti-malware programmes and end-point security.
- Reducing the human security risk – in other words ensuring partners and staff are aware of the dangers and have the resources for dealing with and combatting them.
- Reviewing the adequacy of all steps taken, so that policies, hardware, training and every other aspect of the firm’s cybersecurity remain up to date and continue to be fit for purpose. Without regular review they will soon cease to be.
All five need to be built into the firm’s overall processes, need to be a standing item on the agenda at partners/directors meetings and need to have a budget allocated so that they do not have to fight for every penny of funding.
Cyber risk assessment
In order to understand the risks the firm faces it will need to undertake some form of a cyber risk assessment, the complexity and level of which will be dictated by the complexity of the firm, the nature of the work undertaken, the knowledge and understanding of cyber issues within the firm and the resources available. Thus, a sole practitioner dealing with employment claims or housing benefit cases will have a less complex assessment than a large firm dealing with property and commercial transactions.
As the term suggests, the assessment will be of the cyber risks that face the firm and should allow it to identify and prioritise those risks in order that processes and procedures can be put in place to mitigate the impact and potential consequences of them. In other words, the primary purpose of a cyber risk assessment is to help inform decision-makers and to support proper risk responses. This is best achieved by identifying relevant threats to the security of the firm, the impact that those threats are likely to have and the best way to mitigate the effect that they will have upon the firm in the short and long term.
There are a number of other reasons why the firm might want to undertake a cyber risk assessment. These include:
- Reducing long-term costs – by identifying potential threats and then taking steps to mitigate the impact they are likely to have, the firm will reduce, or even prevent, security incidents which could impact upon management costs. This could include wasted fee-earner/partner/director time in putting right the issues resulting from the incident, replacing losses of client funds and dealing with and reversing any consequent loss of reputation which itself could impact upon the profitability of the firm.
- Providing a starting point for future cyber reviews. Cyber risk assessments should not be viewed as a one-off exercise but something which is undertaken on a regular basis.
- Providing the firm with a deeper understanding of potential defects in the firm’s cyber systems.
- Avoiding breaches and other security incidents which could place client information at risk.
- Reducing the cost of cyber insurance.
- Satisfying regulatory and legal requirements – for example those contained in the SRA Handbook, the GDPR or the Data Protection Act 2018.
Carrying out a cyber risk assessment
Before starting to assess risk, the firm must ascertain what requires protecting – this will include assets such as client money (both held and transmitted by the firm) and what data is held, how it is held, what it is used for, who has access to it and how it is accessed. Thus, the firm will need, if it has not already done so, to undertake a GDPR style data audit.
Having identified that which needs to be protected, the firm needs to establish parameters for the cyber risk assessment. This can be done by answering certain key questions including:
- What does the assessment seek to achieve?
- What is the scope of the assessment?
- Are there any priorities or constraints likely to affect the assessment?
- Who within, or outside, the firm needs to be contacted to gather the information required?
- Is external assistance needed to achieve the assessment?
- Is there a time-scale within which it needs to be achieved?
Having established what needs to be achieved, the first step is to identify the threats to the property and data held.
As referred to above, there are two broad categories of threat to the property and data: external malicious threats of the sort that come from cybercrime, hacking, phishing and so forth, and internal non-malicious threats such as those that come from mistake, negligence and accident. Both need to be assessed, and the two categories should not be treated as exhaustive – a dishonest employee or contractor, for example, is an internal threat that is also malicious and should not be overlooked.
The firm needs to be realistic in forecasting from where threats are likely to come. A High Street practice carrying out residential property work is more likely to be targeted by fraudsters wanting to divert completion funds than by state-sponsored attackers. However, large City firms acting for major multinational businesses or politically exposed persons may wish to include state-level actors in their assessment. Likewise, if the firm rarely undertakes work outside of the office then the chances of data being lost through staff negligence whilst outside the office will be lower than for a firm that regularly works at clients’ premises or attends court.
Having thought about the “who” in terms of a threat, thought needs to be given to the “what” – in other words the types of incident that could give rise to a data breach. These might include:
- Unauthorised access – this can be either as the result of an external attack on the firm by cybercriminals or it could be just employee error – for example allowing the wrong person access to the wrong account.
- Misuse of information by authorised users – this could include the accidental or negligent altering or deletion of data.
- Incorrect data disclosure – this could occur, for example, where the wrong attachment was added to an email or an email sent to the wrong recipient.
- Money or assets being sent to the wrong account or address.
- Funds being transferred being intercepted by fraudsters.
- Client misunderstanding.
- Loss of data. This could include physical loss of data, for example a device or file being stolen from a car or hotel room, or the virtual loss of data where it is deleted or filed in the wrong place.
Finally, consideration will need to be given to the “when” and the “how” – the circumstances in which a property or data loss could occur and what would be the mechanics of that loss. Thus, if it is a ransomware attack that prevents the firm from getting at data, how might the malicious software get on to the system and under what circumstances? If it is money being diverted to a fraudster’s account, what would the fraudster need to do in order to achieve this?
The next matter for consideration is the likelihood of that threat occurring and the impact it would have upon the firm if it did. Consideration needs to be given to the types of event that could give rise to a threat and the likelihood of their being successful. Thus, if client funds were lost, would the firm be able to replace those funds without becoming financially unviable? If client data were lost, what could the firm do to mitigate the impact upon the client? If bank account details were stolen, how easily could the firm block that account and continue to operate from another?
In more complex cases, other factors might also need to be addressed including impact upon staff and staffing levels, deployment of personnel following an attack, the need to consider the use of alternative premises until networks and systems can be made safe and work in rebuilding the firm’s reputation.
Your cybersecurity policy and processes
For any policy or process in the firm to be effective, whether it be cybersecurity or any other type of policy, there must be significant buy in from senior managers and all staff. Policies and processes which are imposed by managers but ignored by everyone else provide little or no benefit and can even be dangerous in that they can lead managers to believe that they are more secure than they are in fact.
Policies and procedures do not need to be long and complex. Often the most effective ones are those which cover only the main problems and provide practical methods for ensuring that risk is avoided. One way to achieve this is to have one main, relatively straightforward policy addressing all of the key issues, supported by a number of additional policies dealing with specific areas of the practice such as emails, internet browsing, social media, password use and working outside the office.
So, what should your firm’s cybersecurity policy cover? Basically, it should set out:
- what the firm is protecting. Make it clear this is not just IT assets such as networks, servers, laptops etc. but also includes intangible things such as client data, money in bank accounts, login details, personal information and information about the firm.
- the threats to those assets and how those threats might occur – for example phishing, ransomware, hacking, loss of confidential files etc., and
- the steps that are, and will be, taken to protect those assets and your business generally.
As with the risk assessment, the actual content of the policy will be driven by a number of factors including:
- the size and complexity of the firm,
- whether staff operate away from the main office (e.g. branches, client’s premises or home),
- the hardware/software the firm uses,
- the kind of work undertaken,
- the extent to which outsourcing and external contractors are used,
- the IT sophistication of staff, and
- the resources available to implement the policy.
Policies and processes should be no more complex than they need to be.
Again, depending upon the complexity of the firm, policies may need to be divided into a number of subsidiary policies to make them more manageable.
Any policy or process should make all partners, staff and other approved users (such as contractors) aware of their responsibilities in protecting all of the assets of the firm. It is vital, also, that it is enforced throughout the firm – from the senior partner/managing director to ALL other staff and contractors – and be seen to be supported by partners/directors as much as by everyone else within the firm.
What should policies and processes address?
Without wishing to state the obvious, policies and procedures need to address all of the key issues that are likely to occur and leave out those issues which are unlikely, fanciful or of low potential impact. Thus, the policy should probably address the following:
- a. The importance of cyber security
- Explain why cyber security is important to the firm and the potential risks of it not being taken seriously. For example, the theft or loss of client data could have serious ramifications for the individuals involved, as well as severely jeopardising the reputation and financial viability of the firm.
- b. Keeping information confidential
- Stress the importance of confidentiality, how sensitive data should be handled, when it can be shared with others, how to properly identify sensitive data, and how to destroy it when it is no longer required.
- c. Threat awareness
- Provide a brief overview of issues that could arise in everyday work and in particular the specific threats that could be especially problematic for the firm and how to avoid them.
- d. Threat response
- Deal with what to do if a threat is detected and how it should be reported and actioned.
- e. Passwords
- Use the policy or process to explain briefly the importance of secure passwords and of not disclosing or re-using them, how to store them and when and how to change them (at a minimum, immediately after any suspected compromise). You might wish to refer to a separate password policy, password guidance and/or include a brief summary of the do’s and don’ts.
- f. Emails
- Address the importance of following proper procedures when using email – possibly by reference to a separate email policy – including issues such as only opening email attachments from trusted sources, blocking junk, spam and scam emails, the importance of deleting and reporting suspicious-looking emails, storing emails, what to say and not to say in an email, and the need to verify any change of bank details notified by email by telephoning the sender on a number already known to the firm, never on a number given in the email itself.
- g. Browsing
- Highlight the dangers of browsing websites that could contain damaging materials and the need for ensuring that browser security is kept up to date. Again, this might go in a separate document or policy.
- h. Physical security and clean desk requirements
- On a more general level you might wish to address wider confidentiality issues such as:
- the importance of not allowing unauthorised people to see potentially confidential information,
- not leaving confidential information on a desk where it can be seen by unauthorised persons,
- the need for a clear desk routine,
- closing down devices when not in use,
- locking screens that are unattended, and
- not allowing clients and the public into rooms where confidential information is visible to others.
- i. Data out of the office and on removable devices
- Cover issues such as taking information out of the office, storage of data on portable devices such as memory sticks, the use of personal devices for work related matters and the dangers of wi-fi hotspots.
- j. Management of technology
- When and where devices such as a business laptop can be used away from the workplace, how and where to store devices when they are not being used, the need to report the theft or loss of a work device and the need to keep software and other devices up to date.
- k. Social media and internet access standards
- When it is appropriate to use social media, which social media channels are appropriate for employees to use at work (and possibly even at home) and what may, and may not, be said on social media. This could also form part of a separate Social Media Policy.
- l. Managing incidents
- How to respond to a cyber incident and the actions, roles and responsibilities when faced with a cyber-attack. A separate cyber-incident procedure or guide may also be of help as may contact details for who to tell if an incident is suspected.
- m. Sanctions for breach
- Last but not least, staff and partners must be made aware that cybersecurity is important and that failure to abide by the policies and procedures will be regarded as a serious matter which could lead to dismissal.
Other issues that could be covered include Bring Your Own Device (BYOD) procedures, the use of email addresses for private emails, browsing for personal use and working from home.
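Email modification fraud, which the SRA figures above show accounting for 80% of reports, and the “how” question posed in the risk assessment section (what would a fraudster need to do to divert completion funds?) both come down to the same few signals in an incoming email: a reply that is routed to a different domain from the apparent sender, a familiar display name attached to an unfamiliar address, and a body that asks for payment to new bank details. The following is an added example, not code from the original article, showing how those three signals can be checked automatically before a message reaches a fee earner. The sample emails, the firm’s address book, the names, domains and bank details are all constructed for the example; the `analyse` and `needs_callback` function names are the author’s own.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed address book: contacts the firm already deals with.
KNOWN_CONTACTS = {
    "jane.smith@example-conveyancing.co.uk": "Jane Smith",
}

# Constructed sample 1: genuine From address, but replies are steered to a
# lookalike domain (.co instead of .co.uk) and the body changes bank details.
SAMPLE_EMAIL = """\
From: Jane Smith <jane.smith@example-conveyancing.co.uk>
Reply-To: Jane Smith <jane.smith@example-conveyancing.co>
To: accounts@example-firm.co.uk
Subject: RE: Completion funds - updated bank details
Content-Type: text/plain; charset=utf-8

Hi,

Please note our bank details have changed. Completion funds should
now be sent to sort code 11-22-33, account number 12345678.

Kind regards,
Jane
"""

# Constructed sample 2: known display name on a lookalike sending address
# (note the "l" for "i" in the domain), again asking for payment to new details.
LOOKALIKE_EMAIL = """\
From: Jane Smith <jane.smith@example-conveyanclng.co.uk>
To: accounts@example-firm.co.uk
Subject: Completion monies
Content-Type: text/plain; charset=utf-8

Our bank details have changed with immediate effect. Please send
completion monies to sort code 44-55-66, account number 87654321.
"""

# Constructed sample 3: ordinary correspondence from the genuine contact.
BENIGN_EMAIL = """\
From: Jane Smith <jane.smith@example-conveyancing.co.uk>
To: accounts@example-firm.co.uk
Subject: Draft contract
Content-Type: text/plain; charset=utf-8

Please find attached the draft contract for your review.
"""

SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")   # UK sort code, e.g. 11-22-33
ACCOUNT_NO_RE = re.compile(r"\b\d{8}\b")              # UK account number
CHANGE_PHRASES = (
    "bank details have changed",
    "new bank details",
    "updated bank details",
    "now be sent to",
)


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return the list of fraud indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()

    # 1. Replies would go to a different domain from the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-domain-mismatch")

    # 2. Display name belongs to a known contact but the address is not theirs.
    known_names = {name.lower() for name in KNOWN_CONTACTS.values()}
    if from_name.lower() in known_names and from_addr not in KNOWN_CONTACTS:
        findings.append("display-name-impersonation")

    # 3. Body quotes bank details together with change-of-details wording.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    has_bank_details = SORT_CODE_RE.search(text) and ACCOUNT_NO_RE.search(text)
    has_change_wording = any(p in text.lower() for p in CHANGE_PHRASES)
    if has_bank_details and has_change_wording:
        findings.append("bank-details-change-request")

    return findings


def needs_callback(findings):
    """A request to pay to new bank details always needs telephone verification."""
    return "bank-details-change-request" in findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL),
                       ("lookalike", LOOKALIKE_EMAIL),
                       ("benign", BENIGN_EMAIL)):
        found = analyse(raw)
        print(f"{label}: {found or 'no indicators'}; "
              f"callback required: {needs_callback(found)}")
```

The first two checks catch the mechanics of the fraud (the criminal must get replies, or the payment, routed to an account they control); the third catches its purpose. None of them is a substitute for the procedural control in item (f) above: a request to change bank details should be held and verified by telephone on a number the firm already holds whether or not the technical checks fire, because a genuinely compromised contact mailbox will pass the first two.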
There isn’t a great deal that can be said here about the need to review and audit the firm’s technical systems, because the processes adopted will be dictated by the complexity of the systems used, how they are maintained, who is responsible for maintaining them, the resources the firm has available to do so and the extent to which they are used.
The types of issue the firm will need to consider include:
- The existence and effectiveness of firewalls and unified threat management devices,
- The use and effectiveness of anti-virus and anti-malware programmes,
- The existence and use of end-point security (i.e. protecting the firm’s network when it is accessed from remote devices such as PCs, laptops or other wireless and mobile devices),
- The use of secure browsers and secure email systems,
- The implementation of Virtual Private Networks (VPNs) or cloud-based security systems, and
- The effectiveness of any third parties used to maintain the firm’s IT systems.
Training and Awareness
None of the policies and procedures put in place by the firm will be of any use unless partners/directors and staff are aware of them, what they require, how they protect the firm, what they are protecting the firm from and the consequences of failing to comply.
Firms must, therefore, ensure that they provide all partners/directors and staff with the necessary information and resources required to enable them to ensure that security is preserved.
This can only really be dealt with effectively by training and information dissemination. If staff have not been trained in cyber risk awareness, then the firm will never be truly secure, no matter how many hardware solutions are put in place. Most phishing cases, for example, depend upon deceiving a person, not upon the failure of an element of the firm’s technical security.
Training should be provided across the board – from partners to reception staff – and should address not just the technical and IT risks but also general requirements as to confidentiality and the safe use of data.
Training should be repeated regularly and should be a key element of all new staff inductions.
Finally comes the issue of review. Putting in place a solution and then forgetting about it is not a sensible option in a sector which is changing at the speed of the IT sector. All of the firm’s systems need to be reviewed on at least an annual basis, including the risk assessment, policies and procedures.
The firm needs to look at what, if any, IT/security related problems have arisen and review these in the light of the provisions in the policies and procedures. Where gaps in the effectiveness of the policies and procedures are found, the firm needs to take steps to plug those gaps and, if they involve personnel, ensure that any additional training required is provided.
- [i] https://www.sra.org.uk/sra/how-we-work/reports/annual-review/annual-review-2017-18.page
- [ii] https://www.sra.org.uk/risk/outlook/priority-risks/cyber-security.page
- [iii] https://nationalcrimeagency.gov.uk/who-we-are/publications/178-the-cyber-threat-to-uk-business-2017-18/file
- [iv] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-_Main_Report.pdf
- [v] https://www.logicforce.com/2018/11/02/cyber-security-scorecard-q4-2018/
- [vi] Outcome O (1.2) – https://www.sra.org.uk/solicitors/handbook/code/part2/rule1/content.page
- [vii] https://www.sra.org.uk/solicitors/handbook/code/part3/rule7/content.page