Lawcovernotes March 2019
The threat from within

People - the first line of defence when it comes to cyber security in legal practice

Solicitors face continued attacks from cyber criminals who target legal practices because of the money and information they hold. While system breaches or other malicious cyber-attacks are a very real threat, more often than not the real danger comes from within a legal practice. People, due to lack of knowledge or awareness, are usually the weakest link in cyber security, which is then exploited by cyber criminals. For this reason, it is critical that staff understand common forms of cyber-attacks, how to recognise them and what to do in the event of an attack.

Inform

Staff should be aware of the different types of cyber-attacks they are likely to face in everyday legal practice. At a minimum staff should be aware of:

• Malware - malicious software such as viruses, worms, Trojan horses, spyware and adware designed to perform a variety of functions including stealing, deleting or encrypting sensitive data
• Ransomware - encrypts or locks valuable data. Cyber criminals demand payment for the encryption key to restore access to data
• Phishing - an attack through legitimate looking emails, which may have links infected with malware or links that attempt to gather personal and financial information from recipients
• Digital identity theft - digital identity is the body of online data information that uniquely describes an individual, organisation or electronic device. It includes unique identifiers, such as an email address, username and password used to prove a person’s identity. Cyber criminals often use phishing emails as a method of stealing personal and financial information.

1. VIGILANCE

• Adopt a less trusting and more critical mindset as requests by email regarding money transfers may be fraudulent
• Develop secure anti-cyber fraud policies for managing emails, especially requests for money transfers or for change of bank account details

2. INFORM

• Your staff of the policies and ensure they understand and follow them
• Your clients that you will never change your account details by email and that they should inform your office in the event they receive an email indicating otherwise

3. VERIFY

• When an email contains instructions to transfer funds into a specific account, verify the identity of the sender, be it a client, another lawyer or perhaps a real estate agent
  - call the sender of the email by telephone, using a credible number such as from the original instructions (ie: NOT contained in the suspect email)
  - confirm the email is from the expected individual and request confirmation of the valid account number and perhaps one other valid piece of information to confirm their identity