CYBER SECURITY - HOW GOOD ARE YOUR DEFENCES?
THE BIG PICTURE
Cyber Security is a hot topic in the business world generally and in the legal profession specifically. For many small and medium sized law firms, they are in catch up mode with regard to their use of technology and the safeguarding of the data they hold in digital format. The expectation with larger law firms is a higher level of sophistication in this area but any law firm must be vigilant in its awareness of cyber threats and robust in the arrangements taken to counter cyber threats.
Some estimates have suggested that the value of online crime in the UK is around £27bn.
From the insurance perspective, there are suggestions that some insurers are losing their appetite for the solicitors’ indemnity insurance market because of the threat of cyber-crime. For example, Elite Insurance recently pulled out of the market altogether saying the level of cyber-attacks on law firms has increased the risk of insuring them. With some insurers considering whether they are willing or even able to take many cyber-crime hits, it is thought in some quarters that they will lobby the SRA to exclude some of these type of claims from the minimum terms and conditions of the indemnity insurance policy.
Cyber threats are real and ongoing and law firms are regarded as potentially easy targets for cyber criminals hacking into their systems to gain inside information. Some security experts say particularly on “big ticket deals”, even large law firms are seen as the weak link on security and if larger more sophisticated firms are seen as a weak link, arguably the small and medium sized law firms must be even softer targets for the cyber criminals.
We may see a more challenging renewal season this year with cybercrime coming to the fore in the minds of the underwriters. QBE, which insures around 10% of the firms in England & Wales, recently announced that it will be looking closely at firms’ anti-cybercrime plans when setting premiums and other insurers are likely to take a similar line. Insurers have already been taking a keen interest in the Disaster Recovery [or Business Continuity] Plans of law firms and there is no doubt that a data breach can be defined as a potential “disaster”.
REGULATION & COMPLIANCE
There are regulatory obligations that must ensure that law firms take all of this seriously and comply with the requirements imposed by the SRA. Principle 8 says that a law firm must “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles” and Principle 10, states that regulated firms have a responsibility to 'protect client money and assets'. The threat of cybercrime activity against a firm and its information assets must be included on the Risk Register together with the arrangements in place to mitigate that threat.
The Compliance Officers [COLP & COFA] and Money Laundering Reporting Officer [MLRO] in all law firms must be fully aware of the threats of cybercrime activity against their firm, have effective arrangements in place to deal with those threats and enforce compliance with those arrangements throughout the firm. Remember, that your defences can only be as good as the weakest link within them.
HOW CAN WE PROTECT OUR DATA FROM CYBER CRIMINALS?
There is a wide variety of guidance materials available on how to protect yourself against cybercrime and we provide further advice on these in the full article which you will find on our website which you can find by following this LINK but another good reference is the Government’s, industry backed, Cyber Essentials Standard together with www.cyberstreetwise.com. But a starting point is the get the basics right and can include:
that you receive automatic software updates and do not ignore them when they
appear. They are usually addressing the latest security issues.
Make sure individuals in the firm do not ignore updates that appear on their
screen, if you want them to respond to them. The author has observed
common practices of ignoring software updates on PC networks.
most common password used in the legal profession is……. ”password”!
Strong passwords contain upper and lower case letters and numbers and are not
easily linked to the person using the password. They should also be changed
regularly and not advertised. Do not write your password on a post-it
note and stick it on the edge of your screen!!
survey has suggested that unwanted or spam emails account for around 75% of all
emails received by organisations [Trustwave – Global security Report 2013]. Not all
suspicious emails are found in the Spam or “Junk E-mail” folder. Everyone
should be vigilant when looking at any incoming email wherever it appears
particularly those from unfamiliar senders and/or with attachments. Be
wary with any emails, even from a familiar sender, that are asking you to take
action e.g. provide information, transfer funds etc. If it is suspicious
– do not open it!
devices come with anti-virus software preloaded. If not, action must be
taken to ensure that protection is in place. Thereafter, the software
must be kept up to date [new virus threats are added all of the time] and
ensure that devices are scanned regularly for viruses.