Risk: Cybercrime – the hybrid worker prey
In 2020-21, Police Scotland recorded an estimated 14,130 cybercrimes, almost double the figure recorded the previous year. The risk of falling victim remains a constant threat to solicitor firms and their clients. As a panel solicitor for the Law Society of Scotland’s Master Policy insurers, I am still seeing cases of fraud perpetrated against solicitor firms and their clients all too regularly. The fraudsters are as sophisticated as ever, and the impact of these fraud incidents is devastating for the firms and their clients.
The volume of cyberattacks grew as a result of the COVID lockdown and the dramatic increase in the number of people working from home. As we come out of the pandemic, the shift to hybrid working continues to provide opportunities for criminals to exploit some of the vulnerabilities that flexible working brings.
Location, location, location
Hybrid working tends to mean more employees are working part of the week at home and part in the office, possibly using different devices for work, and working from different locations, not just one or two physical office locations. There are many benefits to hybrid working, but it means that there is more reliance on technology and so a higher risk of cybercrime. Businesses have to manage the risks hybrid working brings.
As soon as IT equipment leaves the office, data are at risk. Whether that is by accessing data on unsecure public wi-fi, viewing client data on public transport, or even having devices lost or stolen, the movement of employees between different locations means businesses are relying on their employees having a good awareness of cybersecurity issues and how their actions can expose them and the business to risk. Businesses are having to trust that employees’ home wi-fi networks are secure, their passwords are strong and changed regularly, their mobile devices are secure and that they have appropriate antivirus software, among many other security measures. There is more need now than ever for everyone working in a business to think about their own cybersecurity.
The human element
Human error is still the main cause of cybersecurity breaches. It is not enough for just the IT department or the firm’s IT consultants to think about cybersecurity. Everyone in a business needs to be thinking about it.
Phishing emails are still one of the most common tactics used by cybercriminals to gain access to a business’s systems. Working from home may mean an employee is more susceptible to falling victim to a phishing email, perhaps for one of the reasons already mentioned, such as poor wi-fi passwords or outdated hardware. If an employee’s computer contains malware as a result of a successful phishing attack, the malware could be transmitted to the company, resulting in system disruption.
Payment instruction fraud, or email modification fraud, is still, in my experience, the most common form of fraud I am seeing perpetrated against solicitor firms and their clients. It is not, of course, the only form. This fraud can often be perpetrated after a successful phishing attack in which the fraudsters place malware into the computer system; the malware can lie dormant until the right transaction comes along, usually a property or private client transaction involving payment of funds from one party to another. The email correspondence between the solicitor and the client is intercepted and altered, often with bank details changed to direct payment of funds to the fraudster’s account rather than to the genuine bank account of the firm or the client.
Absent appropriate measures, employees working from home can easily fall victim to these cyberattacks, giving the criminals access to the firm’s systems, and their clients’ data. While to err is human, it is not of itself an adequate line of defence to a claim from a client for a breach of GDPR or for loss from fraud.
Managing the risks: knowledge is everything
Hybrid working is here to stay, and training and educating all employees on cybersecurity issues is vital not only to prevent fraud but also in defending claims against firms for failing to protect clients’ interests.
Only when employees know what to look for will they be able to avoid the traps set by the cybercriminals. As a first step, employees need the training to understand which aspects of cybersecurity are their responsibility and what steps they need to take to manage that responsibility. Appropriate cybersecurity is essential, regardless of the employee’s location or the device they are using. The training and education of employees need to be regular and up to date. Cyberattacks continue to evolve, and our awareness must evolve with them.
Today, everyone in a business needs to understand the cybersecurity risks they may come across in their day-to-day work, and they need to know and understand how to act if they think their system or device has become compromised. Firms need to ensure they, or their IT specialists, provide regular training to their employees on all aspects of cybersecurity. In addition, firms will need to ensure they have robust policies in place to enable secure working from home, and critically also on fraud response to ensure employees have a good awareness of what to do if they do fall victim to a cyberattack. As with so many things in life, timing is everything and reacting quickly is essential in the worst-case scenario where there’s a successful attack.
Everyone wants to enjoy the many benefits of hybrid working, but homeworking needs to be safe and secure to minimise the risk of a cyberattack.