Lawcovernotes July 2019

Top five tips to reduce cyber risk

Simple measures to reduce risk could save you in the long term

A legal practice is vulnerable to both ransomware attack and business email compromise (BEC). The majority of claims on Lawcover’s group cyber risk policy have involved BEC, with email used to trick a legal practice into paying funds into a fraudster’s bank account. The policy’s incident response team at Colin Biggers and Paisley, in consultation with cyber security experts Zirilio, has developed the following top five tips to help a law practice minimise the risk and impact of cyber-attacks.

1. Ensure regular software updates and patching occur

Every legal practice, regardless of size, should have business security and anti-virus protection software installed on each device within its computer network. In ageing systems, security flaws can leave the network and systems exposed to malware or other forms of attack. Regular software updates and patching are critical to remove security flaws.

2. Conduct an annual security audit

Annual security audits are recommended to identify potential weaknesses in existing IT security systems. Testing includes:

- Penetration testing, which simulates attacks by hackers
- Awareness testing, which simulates scams to ensure staff are following protocols
- Security review, to assess adequacy of existing security software
- Ensuring that back-up systems and protocols are functioning effectively

3. Ensure multi-factor authentication (MFA) is enabled

Multi-factor authentication (MFA) is a multi-layered defence system that requires more than one form of authentication to verify a user’s identity before allowing them to log in or perform certain types of transactions. MFA can be incorporated into most essential business programs and is an existing feature on systems like Office 365. MFA is a simple but effective measure that can boost your security significantly. See the MFA article on page 2.

4. Confirm account details over the phone before processing funds transfers

The most perpetrated form of cyber-attack against legal practices is BEC fraud. These are online scams where a cybercriminal impersonates a client, vendor or employee of the law practice and issues fraudulent transfer instructions to induce the transfer of funds or sensitive information. This issue is particularly prevalent in conveyancing matters or other instances where the legal practice does not regularly transfer funds with the third party. BEC frauds rely on an individual within the legal practice to execute the funds transfer. A simple measure to limit the risk of a BEC fraud is to ensure that the transfer details have been confirmed over the phone with the issuer. It is important not to use contact details contained in the suspicious email, but rather to use existing contact details taken directly from the relevant party. In most instances a simple call to confirm the requested payment and that the account details are correct will suffice.
