Are you a cyber risk?

Previous articles on this page, and risk alerts issued by the Society and by Marsh, have flagged up external frauds experienced by the profession, many of which have been thwarted by the effectiveness of firms’ risk controls. Frauds, attempted and successful, have involved theft of client funds via online banking (Journal, May 2014, 38 and November 2014, 44), interception of email communications (November 2014 again), and identity theft/fraud (Journal, April 2014, 38). 

Most of these frauds have involved a systems breach in combination with some form of con trick. There is a clear relationship between cyber security or information security and the current experience of frauds and scams. Heightened awareness of the risks is a key factor for solicitors in minimising their exposure to these frauds, as is colleagues’ compliance with their firm’s information security and financial compliance procedures and disciplines.  

Cyber attacks – on humans

Cyber attacks can take many forms, examples of which are described below. It’s clear though that the weakest link in all cyber security is people. Cyber attackers and fraudsters take advantage of this by using methods such as social engineering – a non-technical method that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. 

Social engineering techniques need not be sophisticated: often the telephone is the most common tool used, whereby individuals are telephoned under false pretences as a means of obtaining useful information, PIN numbers, contact names etc. By far the highest risk of data loss, though, is from genuine mistakes made by employees, for example if emails are sent to the wrong recipient or a laptop/USB stick/paperwork is lost.

A cyber attack can disrupt business, cost money and cause reputational damage. Although cyber security is often viewed as an IT issue, all colleagues must play their part in defending themselves and their firms from attack, by knowing the issues and adopting best working practices to help minimise the risks.

Minimising the risks

Although cyber security is first and foremost a board-level responsibility, once the risks have been identified and policies and procedures put in place, all staff must adhere to these mechanisms to prevent and report any cyber attack. Relevant risk controls include:

• Always lock your PC when away from your desk
• Never write down passwords and leave them on view
• Do not open any suspicious email link or attachment
• Have adequate anti-virus/firewall protection
• Do not share passwords with colleagues for convenience
• Maintain a clear desk
• Beware of sending unencrypted CDs or USBs.

Email – what to look out for

Email poses its own particular risks, as evidenced by recent frauds and flagged up in risk alerts. 

Always consider the sender’s email address. Is it their usual email address? Do you know this person? 

Consider the subject line. Is the subject meaningful? Are there spelling mistakes? These are often hints that the email could be spam, or fraudulent. If so, do not open the email or attempt to access any link or attachment within it. This may install malware on the system. 

Interception of emails is also a very real fraud risk. This type of fraud/scam has already been used successfully against solicitors in 2015, leading to the loss of significant funds. Further information about this risk can be found in Marsh’s article, “Frauds and scams – raising awareness” (Journal, November 2014, 44). Points to bear in mind are: 

• Whenever a client provides bank account details/instructions for the first time (or changes details/instructions), it is essential that these are verified. 
• If the client has provided new details/instructions by email, when contacting the client for confirmation be sure to do this by a different form of communication, e.g. by telephone or by letter. This minimises the risk that a fraudster who has provided a fraudulent payment instruction is also in a position to provide false validation by intercepting your email request for confirmation.
• If bank account details need to be sent by email, if practicable send them by encrypted message with a password.

Be secure – wherever you work

It is also important to remember that cyber security is relevant whatever the working environment. Information immediately becomes more vulnerable when you are working remotely, especially as there is the risk of loss of equipment, or sensitive information being overseen or overheard. Always be aware of your surroundings and, above all, use common sense. Trains, hotels and coffee shops often provide free wi-fi. Information sent using unsecured wi-fi, though, can be easily compromised.

Best working practices should also be maintained if working from home. Points to bear in mind are:

• Do not discard sensitive documents in the bin. Instead, dispose of them as securely as you would if working in the office. 
• Do not use insecure networks. Avoid using personal email to send confidential information. Web-based email is particularly risky.
• Do not leave documents/files lying around.
• Store equipment safely. Homes can be broken into and laptops etc stolen.
• If using your own equipment, ensure that you have obtained approval from your employer first. Also make sure that the equipment complies with your employer’s security requirements in terms of adequate anti-virus/firewall protection etc.

Remember, cyber security is as much about people and their working practices as it is about IT and software. Always be aware of the risks, including how to mitigate them, and protect sensitive information/equipment/documentation regardless of the working environment. (The Marsh eModule on Information Security is available at www.marsh.co.uk/login/lawscot – login details are available from the risk management contact at each firm. If you need a reminder of these, please email Nada Jardaneh: nada.jardaneh@marsh.com).

Cyber attacks – some common terms

Social media exploitation – information is procured from social media platforms (e.g. LinkedIn, Facebook, Twitter) and used for social engineering purposes.

Hacking – an IT system is attacked remotely. 

Malware – malicious code (e.g. worms or trojans) that can capture data, which is then sent to the attacker or used to create a back door allowing an attacker access to systems.

Phishing/spear phishing – a con utilising email or fake websites whereby a link or attachment is used to obtain confidential information or install malware on the IT system.

Insider threat – colleagues misappropriating information or losing information by genuine mistake, e.g. email sent to the wrong recipient. 

Nada Jardaneh and Marsh

Nada Jardaneh is a former solicitor in private practice, who works in the Finpro (Financial and Professional Risks) National Practice at Marsh, a global leader in insurance broking and risk management.

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority.