The emergence of new and disturbingly effective methods of cyber-attack during the last 12 months demonstrates the alarming ingenuity of the criminal gangs responsible, and why the cyber-risk controls your firm may have in place may no longer be secure.

As methods of attack continue to evolve – and they most certainly will – so must our defences and controls.

Warning reminder

Recently, there has been an increase in occurrences where fraudulent transactions have taken place in transferring funds from solicitor and client bank accounts. Funds have been intercepted and transferred into fraudulent accounts via email attacks.

Whatever their area of practice, solicitors should remember the following:

• Do not send bank details by email. It is imperative that the individual setting up the transfer verifies the details received via a telephone call. It is also important that this individual verifies the telephone number being used.
• Do not send sensitive information via email.
• If a scenario does not seem right, be overly cautious. Do not rush financial transfers or divulging passwords: make a telephone call to a known number to confirm details.

Action plan to help prevent and deal with Cyber Security attacks

1. Get organised and develop a plan for when a cyber-attack happens. The plan should include roles and responsibilities. Agree a security response strategy aligned with your business and IT strategies. Have a list of names and numbers available to call when attacked.
2. Be prepared. Have a formal incident management plan that is documented to deal with a cyber-attack. Plans should include all aspects of the business.
3. Decide what you are willing to risk. Establish your risk exposure, monetary wise, which will help establish the level of investment required for prevention. What could a most likely cyber-attack cost your business? How much will it cost to prevent this?
4. Focus on awareness. Most attacks take advantage of human error via phishing emails, phone call and other forms. Establish an awareness programme in your firm for all staff and third parties to detect a potential cyber-attack. This should include policies for email security, online banking procedures, mobile device usage, incident reporting procedure and installing/managing security technologies such as encryption.
5. Implement basic protection. Ensure your IT system is up to date with regards to virus protection/ firewalls/malware protection. Research and implement a technical security standard such as ISO and implement technical protections for antimalware, firewalls, patch management, secure configuration, removable media, remote access and encryption.
6. Be able to detect a Cyber-attack. Establish a security monitoring capability to detect an attack that creates an alert emailed to when the firewall is experiencing suspicious activity.
7. Test regularly to ensure you have the technical ability to respond to sophisticated attacks.
8. Keep refreshing the plan. Repeat the risk assessments on a regular basis and comply with new regulations and standards. Understand that the threats are constantly changing so you need to constantly review and update your risk assessment and your response levels.

Further Law Society information

Practitioners can contact a member of the cybersecurity team or visit the website Cybersecurity section.

The Technology Committee previously published the following articles:

• Cybersecurity mitigating the risks
• Secure email systems and encrypting email attachments

You can also watch the latest Small Practice Information Sessions covering this issue:

• Cyber Security - “Risk to Client Funds”(24 March 2021)
• Cyber Security update and Risk Management tips(10 March 2021)

eNewsletters

This article originally appeared in the 30 March Member eZine. For more information, and to subscribe, visit eNewsletters.