Friday 20 October 2017

SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!
Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality, client money, and to overall compliance with SRA regulatory arrangements.

Whilst the SRA has stated that being hacked, or falling victim to malware, is not in itself a crime or necessarily a failure to meet their regulatory requirements, they do expect firms to take proportionate steps to protect themselves and their clients' money and information from cybercrime attacks while retaining the advantages of advanced IT. If a law firm does lose client money or information to cybercrime the SRA will consider whether there has been a breach of the Code of Conduct. When deciding whether to take action against a firm, the SRA have stated that they will take into account whether the firm had adopted reasonable systems and controls to protect against the risk.

With the SRA already receiving around 40 reports of confidentiality breaches each month, it is important that all solicitors and firms take care to understand the threats and how to avoid them. Today I therefore want to talk about the types of cyber threat that exist and some of the more sophisticated modern ways in which law firms can manage their risk around data breaches and cyber-crime.

In order to mitigate the risks, it is important first to understand the different types of cyber-attack that exist. They broadly fall into two categories: commodity attacks and bespoke attacks.

Commodity Attacks

Commodity attacks are those in which cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems to break into or compromise your systems. These attacks are easy to deploy and require little technical knowledge. Indeed, some of the most destructive types of cyber-attack, such as ransomware, are now sold to would-be cyber criminals as off-the-shelf packages that they can deploy as they wish. This ransomware-as-a-service model means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.

So it is little wonder that this type of threat is becoming more and more prevalent. In fact, a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit by ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.

We now also have a situation where the more sophisticated hackers make a point of reverse engineering the security fixes that vendors such as Microsoft release to patch newly discovered security loopholes, in order to work out what each fix corrects and go after systems that have not yet applied it. This means that unless you apply security fixes to every device on your network very promptly, there is a real danger that you will be compromised.

As the motivation behind these sorts of attack is generally financial, whether through demanding a ransom to return your data or through stealing confidential information to sell on, the cyber-criminal is generally not picky about whom they target, and commodity attacks therefore tend to be widespread.

Bespoke Attacks

While the vast majority of cyber security attacks are commodity attacks, a small number are bespoke attacks. These are very different: cyber criminals target one or more specific companies for a specific reason, e.g. to steal intellectual property or to cause reputational damage.

Again, cyber criminals will start by using commodity attack tools to find out whether there is an easy way to compromise your systems. In many cases this provides a route in. If not, the cyber criminals will take time to research your organisation, your security, individual employees, their social media activity and much more, through a wide range of digital reconnaissance and sometimes physical reconnaissance, and then develop bespoke hacking tools to attempt to breach your defences. These attacks are carried out by much more sophisticated and determined cyber criminals.

So how can Law Firms manage their risk around Cyber Threats?

Well, putting yourself into the mindset of the cyber-criminal is a really good starting place. They are going to be looking for known vulnerabilities in your systems through which they can get in. These vulnerabilities are a constantly moving target, because software updates are being released all the time by application vendors, operating system vendors such as Microsoft and security software vendors, and every update that you have not yet applied is a known weakness that is still open on your network. So the scary reality is that while your data may be fully protected at 9am this morning, by 10am you may be vulnerable.

So the key here is to scan your systems for vulnerabilities constantly and in real time, using the same tools the cyber-criminal uses. That way you see your network through the eyes of the hacker and can pre-empt their next move. Of course, the quantity and skill set of staff required to do this manually would be cost-prohibitive for most small and medium-sized firms. However, we are now working with law firms to implement automated, real-time unified security management systems that carry out just this function. Rather than a vulnerability scan being carried out on the network once a year, say (which provides a useful benchmark but only tells you that your data was secure at that one moment in time), these systems scan your systems for vulnerabilities continuously, all day, every day. Continuous vulnerability scanning allows risks to be highlighted immediately and reported in real time to our Security Operations Centre. Working with our clients, we then ensure that these latest security loopholes are closed immediately, so that your firm is kept one step ahead of the cyber criminals.

I hope this article has given you some useful insight into the approach of cyber criminals and the ways you can minimise your risk of becoming the target of a cyber-attack or data breach. If you would like to find out more about this topic, would like information on our continuous vulnerability scanning solution, or would like to arrange a one-off vulnerability scan of your network to see how your cyber defences currently measure up, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk; it will be my pleasure to speak with you.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday 6 October 2017

Risk Management in Law Firms: Protecting your Firm from Cyber Crime
A recent news release from the SRA revealed that cyber crime is rapidly escalating, with almost double the number of cyber thefts reported in the first quarter of 2017 compared with the same period last year, and triple the amount of money stolen. I therefore wanted to talk today about pragmatic approaches to minimising your firm’s risk of being targeted by cyber criminals.

Cyber crime is now prolific, and law firms are unfortunately a natural target because of the large amounts of confidential information and the high-value financial transactions they handle. Indeed, according to the SRA, in the last year (April 2016 to March 2017) they have seen cases involving around £11m of losses.

Property transactions pose a particularly high risk to client money, but cyber criminals also target inheritance money and law firms’ own money.

In addition to SRA compliance breaches and subsequent action, any such event can also cause massive reputational damage to a law firm.

So how can law firms protect themselves from these cyber threats?

Firstly, I would say that it is vital to take a joined-up approach to cyber security management: in an ever-evolving threat landscape, it is nowhere near enough to rely on one or two technical measures such as anti-virus software and a firewall. Rather, the firm’s cyber security strategy must involve senior partners as well as technical personnel, and be formulated as an integrated suite of risk management measures encompassing business processes, technologies, staff training and procedures.

I would also recommend that, as a starting point, law firms look at the Cyber Essentials scheme, a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Whilst it by no means protects against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
  1. Boundary firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection (including ransomware)
  5. Patch management

We are already working with several of our clients to implement Cyber Essentials, which they see as having a plethora of business benefits, including assisting with regulatory compliance, demonstrating care of personal data for GDPR compliance purposes, demonstrating to clients and potential clients that they are safeguarding their data and their money, and ensuring that their firm’s risk of suffering costly downtime and/or reputational damage is minimised.

Additionally, the government already requires all suppliers bidding for certain contracts involving sensitive and personal information to be certified against the Cyber Essentials scheme, and it is clear to me that these types of accreditation and requirement are only set to continue and grow as they inevitably percolate through the supply chain. Indeed, the SRA Cyber Security roundtable this spring also recommended that firms consider the benefits of this scheme in protecting themselves from cyber-attacks.

Over the coming blogs, I will explore in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, or would like to find out more about the Cyber Essentials scheme, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss how Connexion can help.
