Cyber Security - How Good Are Your Defences?
THE BIG PICTURE
Cyber Security is a hot topic in the business world generally and in the legal profession specifically. Many small and medium sized law firms are in catch-up mode with regard to their use of technology and the safeguarding of the data they hold in digital format. Larger law firms are expected to show a higher level of sophistication in this area, but any law firm must be vigilant in its awareness of cyber threats and robust in the arrangements it takes to counter them.
Some estimates have suggested that the value of online crime in the UK is around £27bn.
From the insurance perspective, there are suggestions that some insurers are losing their appetite for the solicitors’ indemnity insurance market because of the threat of cyber-crime. For example, Elite Insurance recently pulled out of the market altogether, saying the level of cyber-attacks on law firms has increased the risk of insuring them. With some insurers considering whether they are willing or even able to absorb many cyber-crime hits, it is thought in some quarters that they will lobby the SRA to exclude some of these types of claim from the minimum terms and conditions of the indemnity insurance policy.
Cyber threats are real and ongoing, and law firms are regarded as potentially easy targets for cyber criminals hacking into their systems to gain inside information. Some security experts say that, particularly on “big ticket deals”, even large law firms are seen as the weak link on security; if larger, more sophisticated firms are seen as a weak link, arguably small and medium sized law firms must be even softer targets for cyber criminals.
We may see a more challenging renewal season this year with cybercrime coming to the fore in the minds of the underwriters. QBE, which insures around 10% of the firms in England & Wales, recently announced that it will be looking closely at firms’ anti-cybercrime plans when setting premiums and other insurers are likely to take a similar line. Insurers have already been taking a keen interest in the Disaster Recovery [or Business Continuity] Plans of law firms and there is no doubt that a data breach can be defined as a potential “disaster”.
REGULATION & COMPLIANCE
There are regulatory obligations that should ensure law firms take all of this seriously and comply with the requirements imposed by the SRA. Principle 8 says that a law firm must “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”, and Principle 10 states that regulated firms have a responsibility to 'protect client money and assets'. The threat of cybercrime activity against a firm and its information assets must be included on the Risk Register, together with the arrangements in place to mitigate that threat.
The Compliance Officers [COLP & COFA] and Money Laundering Reporting Officer [MLRO] in all law firms must be fully aware of the threats of cybercrime activity against their firm, have effective arrangements in place to deal with those threats, and enforce compliance with those arrangements throughout the firm. Remember that your defences can only be as good as the weakest link within them.
HOW CAN WE PROTECT OUR DATA FROM CYBER CRIMINALS?
There is a wide variety of guidance material available on how to protect yourself against cybercrime. We provide further advice in the full article on our website, which you can find by following this LINK; another good reference is the Government’s industry-backed Cyber Essentials Standard, together with www.cyberstreetwise.com. But the starting point is to get the basics right, which includes:
- Download software updates
Ensure that you receive automatic software updates and do not ignore them when they appear; they usually address the latest security issues. If you want individuals in the firm to respond to the update prompts that appear on their screen, make sure they do not simply dismiss them. The author has observed that ignoring software updates is common practice on PC networks.
- Use strong passwords
The most common password used in the legal profession is... “password”! Strong passwords contain upper and lower case letters and numbers and are not easily linked to the person using the password. They should also be changed regularly and not advertised. Do not write your password on a post-it note and stick it on the edge of your screen!!
- Delete suspicious emails
One survey has suggested that unwanted or spam emails account for around 75% of all emails received by organisations [Trustwave – Global Security Report 2013]. Not all suspicious emails are found in the Spam or “Junk E-mail” folder. Everyone should be vigilant when looking at any incoming email, wherever it appears, particularly those from unfamiliar senders and/or with attachments. Be wary of any email, even from a familiar sender, that asks you to take action, e.g. provide information, transfer funds etc. If it is suspicious – do not open it!
- Use anti-virus software
Many devices come with anti-virus software preloaded. If not, action must be taken to ensure that protection is in place. Thereafter, the software must be kept up to date [new virus threats are added all of the time] and devices must be scanned regularly for viruses.
- Train your staff
Of course there is a human element to cyber security; after all, there are often people at both ends of cybercrime activity. Therefore, staff training must be a critical element of your cybercrime defences. Everyone in the firm must be aware of the threats and realities of cyber security, together with the policies and procedures they are required to follow [and the tools at their disposal] in order to mitigate the threat of becoming a victim of cybercrime. As any defence is only as strong as its weakest link, those responsible for cyber security in their firm must be confident of the effectiveness of any training they have provided to everyone involved in the firm.
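The “Delete suspicious emails” advice above can be turned into a simple triage rule that a mailbox filter or a training exercise can apply: an unfamiliar sender, a risky attachment, and a request for action each add a point, and a message from a familiar sender that asks for a funds transfer is still flagged for review. This is an added illustration, not code from the article or from any product it names; the contact list, attachment types, sample messages and phrase list are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of addresses the firm already corresponds with (hypothetical).
KNOWN_CONTACTS = {"partner@example-law.co.uk", "clerk@chambers.example.org"}

# Attachment types that commonly carry malware or macros (constructed list for the example).
RISKY_ATTACHMENT_EXT = (".exe", ".js", ".scr", ".docm", ".xlsm", ".zip", ".html")

# Phrases that ask the reader to act: the article's "provide information, transfer funds" cases.
ACTION_PATTERNS = [
    r"\btransfer (the )?funds\b", r"\bbank details\b", r"\bwire\b",
    r"\bconfirm your (password|login|details)\b", r"\burgent(ly)?\b",
    r"\bclick (here|the link)\b", r"\breset your password\b",
]

@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def triage(msg: Email) -> dict:
    """Score one message against the three warning signs and return a verdict with reasons."""
    reasons = []
    if msg.sender.lower() not in KNOWN_CONTACTS:
        reasons.append("unfamiliar sender")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            reasons.append(f"risky attachment: {name}")
    text = f"{msg.subject}\n{msg.body}".lower()
    if any(re.search(p, text) for p in ACTION_PATTERNS):
        reasons.append("requests action")
    # Two or more signs: quarantine. One sign (including a familiar sender asking for
    # money or data): hold for human review, ideally a phone call back to the sender.
    verdict = "quarantine" if len(reasons) >= 2 else ("review" if reasons else "ok")
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages, including a look-alike domain ("exarnple") and a macro document.
SAMPLES = [
    Email("partner@example-law.co.uk", "Completion statement", "Draft attached for your review.", ["completion.pdf"]),
    Email("accounts@exarnple-law.co.uk", "URGENT: change of bank details", "Please transfer funds to the new account today.", []),
    Email("hr-dept@mail.example.net", "Updated staff handbook", "See attached.", ["handbook.docm"]),
    Email("partner@example-law.co.uk", "Quick favour", "Can you transfer funds to the client account this afternoon?", []),
]

def run() -> list:
    """Return the verdict for each sample, in order."""
    return [triage(m)["verdict"] for m in SAMPLES]
```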