A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers Law Firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The report also cites SRA reports that over £11 million of client money was stolen due to cyber related crime in 2016.
The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.
The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms who are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms who may have a small number of staff but may still be processing large volumes of data or handling significant client funds.
While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The 4 key current risks identified in the report are:
Phishing attacks where attackers influence users into disclosing information or clicking a bad link which compromises the payment of invoices and money transfers;
Accidental and deliberate data breaches as a result of insiders such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;
Ransomware - a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters.
Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.
The report also raises concerns that future increased use of online delivery methods; outsourcing of services; blockchain and Artificial Intelligence will increase the risks going forward. As Christina Blacklaws, President, The Law Society states;
“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”
As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:
Implementing processes to verify (via independent means) invoices and account details for money transfers;
Using ‘cooling off’ periods for changing account details for high value transactions;
Encouraging a culture where suspicious transactions are queried;
Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;
Monitoring user access of systems;
Keeping software, and especially operating system (OS), up to date;
Control what software and applications you choose to allow into your firm; and
Verify that third party suppliers, particularly those that hold their sensitive data, have basic cyber security controls in place.
All of the above controls are relatively cost effective for any firm but other controls may be disproportionate for smaller firms. To this end the NCSC’s ‘Small Business Guide’ offers simple practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security which can provide a competitive advantage.
UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here: https://www.ncsc.gov.uk/cisp. The NCSC or the Law Society can sponsor your organisation, as appropriate.
The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.
As with most frauds these losses occur not because of the absence of controls but rather that the controls in place are not applied consistently. According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.
A firm’s assessment should therefore also consider at a high level how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that these remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid and in particular after:
changes in business processes,
when major new policies are being developed, changed or implemented differently,
following identification of weaknesses,
the introduction of new computer systems, and
after an incident of fraud.
Firms wishing to obtain further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of their existing controls can contact us at firstname.lastname@example.org to find out more. An initial call is always free.