Don't forget 'people' risks
Michelle Garlick urges firms not to simply focus on technology when assessing their exposure to cyber threats such as email scams and ransomware
The SRA’s announcement in early March that up to 500 law firms had been targeted in a single email scam by fraudsters serves as a reminder that cybercrime remains one of the key risks for the legal sector.
That particular scam – an example of ‘phishing’ – saw firms receive an email purporting to be a request for their services. When they responded, a further email was sent with an attachment or links containing malware, which allowed the scammers to remotely access, infiltrate, and block access to the firms’ IT systems.
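The two-stage pattern described above (an innocuous enquiry first, then a reply carrying the payload) is one a mail gateway or help desk can triage mechanically. The following Python script is an added illustration, not code from the article or from the SRA: it parses a raw email, flags attachments with extensions commonly used as malware carriers, and flags links whose visible text names a different host from the one the href actually points at. The sender, recipient, domains, attachment name and the risky-extension list are all assumptions chosen for the example, and the sample message is constructed.

```python
"""Triage an inbound email for the two-stage scam described above: a reply that
carries a macro-enabled or executable attachment, or a link whose visible text
shows one domain while the href goes to another.  Added illustration (not the
article's code); every address, domain and filename below is made up."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Attachment types commonly used as a malware carrier (assumption: a starting
# list only; tune it to your own gateway's policy).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso",
                    ".docm", ".xlsm", ".pptm", ".zip"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.I | re.S)
DOMAIN_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.I)


def risky_attachments(msg):
    """Return the filenames of attachments whose extension is on the risky list."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(name)
    return found


def mismatched_links(html):
    """Return (shown_domain, real_domain) pairs for anchors whose visible text
    names a different host from the one the link really goes to."""
    pairs = []
    for href, text in ANCHOR_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != real:
            pairs.append((shown.group(1).lower(), real))
    return pairs


def assess(raw_message):
    """Parse a raw RFC 5322 message and return a triage verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    # The payload arrives in a reply to a thread the firm itself started, so
    # "it is a reply to our own email" is not a reason to trust the attachment.
    is_reply = msg["In-Reply-To"] is not None
    for name in risky_attachments(msg):
        reasons.append(f"risky attachment {name!r}"
                       + (" in a reply" if is_reply else ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real in mismatched_links(body.get_content()):
            reasons.append(f"link shows {shown} but goes to {real}")
    return {"quarantine": bool(reasons), "reasons": reasons}


def build_sample():
    """Construct the second-stage email of the scam (test data, not a real
    message): a reply carrying a macro-enabled document and a disguised link."""
    m = EmailMessage()
    m["From"] = "prospect@example.org"          # hypothetical sender
    m["To"] = "newbusiness@lawfirm.example"     # hypothetical recipient
    m["Subject"] = "Re: Request for conveyancing quote"
    m["In-Reply-To"] = "<abc123@lawfirm.example>"
    m.set_content("Details attached. Case file: http://firm-portal.example.com/case")
    m.add_alternative(
        "<p>Details attached. Case file: "
        '<a href="http://login.example.net/case">http://firm-portal.example.com/case</a></p>',
        subtype="html")
    m.add_attachment(b"PK\x03\x04stub", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="instructions.docm")
    return m.as_string()


if __name__ == "__main__":
    print(assess(build_sample()))
```

Run it as-is and the constructed reply is quarantined for both reasons. The point of the `is_reply` flag is the one the article makes: a message that arrives in a thread the firm opened looks legitimate to the person reading it, so the check has to happen before it reaches them.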
The risk and damage posed by cybercrime and the infiltration of IT systems can be huge. For a law firm which holds valuable client data, ‘ransomware’ is a particular threat: scammers encrypt the firm’s data or lock it out of its own IT systems and then demand payment before access is restored.
According to recent research from IT company Timico, more than 25 per cent of law firms that fall victim to ‘ransomware’ end up paying at least £5,000 to retrieve access to their systems, with 88 per cent of systems being down for a week or more.
Then there are the regulatory repercussions to consider. While it is not currently compulsory to notify either the Information Commissioner’s Office (ICO) or affected individuals of data breaches in all circumstances, that is going to change.
The introduction of the EU General Data Protection Regulation (GDPR) in May 2018 is a major consideration for UK firms irrespective of Brexit. The regulation will apply to any data controller or processor established in the EU, and to any controller or processor outside the EU which offers goods or services to, or monitors the behaviour of, data subjects in an EU member state. The GDPR will oblige organisations to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, they must be told as well.
Clearly, a crucial step to defending against cyber-attacks is to ensure that your systems are patched and that your protective software is adequate and up to date. Yet, too often firms put all of their focus on technology and don’t consider the risk associated with their people.
In reality, the weakest link in the chain of any organisation’s data protection policy is likely to be human. As in the recent example cited by the SRA, many cyber-attacks require an element of human error to succeed.
Simple mistakes like failing to lock machines and physical security compromises such as being tailgated in offices are all obvious threats, but so too is the risk of hackers gaining access to company data by more nefarious social-engineering tactics.
This risk will only grow as globalisation and technological advances mean more conversations are happening over digital channels, which creates opportunities for scammers to infiltrate organisations by impersonating clients or colleagues.
Key questions for firms to ask themselves are:
- Have your staff been trained and kept up to date on the latest tricks used by scammers?
- Have you reviewed your policies and procedures to ensure they are clear on what to do should a suspected scam email be received and/or opened?
It is imperative that COLPs (compliance officers for legal practice) and COFAs (compliance officers for finance and administration) in particular are aware of the threat of cybercrime and manage their risks accordingly. Ensuring that training is delivered to all employees, contractors, agency workers, and anyone else deployed on the premises or with access to personal data is important.
A useful step to undertake is to go through a cyber audit, in which your practice’s systems and policies are assessed against the risk of an attack. In addition, firms should also keep abreast of the latest security and scam updates offered by the SRA.
Michelle Garlick is a partner and head of the Compli team at Weightmans