Cyber security good practices – Tips for working from home or the office
In the first half of 2020, law firms advised the Solicitors Regulation Authority that nearly £2.5m of money held by them had been stolen by cybercriminals – that’s over three times the amount reported in the first half of 2019. The impact of lockdowns means that firms have become even more dependent on technology. The number of threats has grown, leaving many firms vulnerable to cyber attack. In the first two months of national lockdown alone, there was a 337% rise in phishing scams.
Quite frankly, the last thing firms need is a client security breach and with it, the threat of financial penalties, not to mention reputational damage. Without the right protections in place, lawyers – who handle highly sensitive information and significant amounts of money – are sitting ducks for cybercriminals.
We’ve put together a few tips for cyber security good practice that you might like to share with your staff, which are designed to help you prevent fraud and scams whilst enabling you to continue to deliver legal services online as safely and securely as possible.
Manage your credentials
Don’t give them out. The simplest way for a hacker to break into your computer system is with your credentials. Never provide your credentials to a third party. No reputable firm will ask you to disclose your username and password to any service they provide, and they most certainly would not ask you to disclose your username and password to any services they do not provide.
Don’t log into any web sites or portals unless you know and trust them
Phishing scams often involve the victim receiving an email with an attachment. Upon opening the attachment, the victim is asked to enter their username and password to download the contents. Don’t! You should never need to enter your credentials to download an attachment sent to you. If you are at all in doubt, contact the sender to verify the contents of the email. If the attachment is particularly sensitive, we would recommend asking the sender to upload the document to a portal or deal room site and provide you with access to it rather than sending it via email.
Choose a strong password
The most frequently used passwords are 123456 and password. Others often used include QWERTY and abc123. For passwords that require eight characters the most common one is unsurprisingly 12345678.
Most of us appreciate the importance of strong passwords. Make sure your staff use a mixture of numbers and letters, both upper and lower case. Introducing special characters can greatly improve your password strength. Passwords should be a minimum of eight characters long, but making them too complicated can actually be just as dangerous as using simple passwords.
The least secure password, no matter how complex, is the one you can’t remember and so choose to keep on a post-it note by your monitor. Even the most inept hacker will be able to get into your machine if you provide them with your password. Common sense is normally the best way to keep your data safe.
For more information on how to keep your work secure be sure to read our top five tips for password security.
Locking your device and clean screen policy
The same applies to the physical security of your equipment. Introduce a clean screen policy and ensure no machines are left open and susceptible to unauthorised intrusion. A clean screen policy instructs all your firm’s employees to lock their computers when leaving their desk and to log off when leaving for an extended period of time.
This ensures that the contents of the computer screen are protected from prying eyes and the computer is protected from unauthorised use. You can very quickly and easily set up your machine to lock after five minutes of inactivity. Educating your staff on potential threats will also help them consider how they behave and what risks are exposed by their behaviour.
Secure Hosted Services
Restrict physical access to your hardware and backups, and ideally utilise secure Hosted Services for critical data and applications, as the levels of cyber security provided by such suppliers will be far in excess of those available to any one individual firm. This way your data will be safe and secure and will also be replicated and backed up. You should also know where these data centres are located, and your software provider should be more than happy to arrange for you to visit them if you wish to do so.
SRA regulation requires that:
“where you outsource legal activities or any operational functions that are critical to the delivery of any legal activities, you ensure such outsourcing is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;” Clause 7.10 (b).
It is of paramount importance that not only can you trust your software provider but that they also consider your responsibilities and factor this into their product and service.
With the proliferation of emails come new threats to your firm. Again, by following sensible precautions you can mitigate these risks. The first is to ensure that your email provider uses both anti-spam and anti-virus protection. It’s often recommended to use two different anti-spam and anti-virus products to further reduce the risk of rogue emails getting to your mailbox.
Although anti-spam and anti-virus filters will help greatly, they will not be 100% accurate and some unwanted email will still make its way to your computer. It is therefore critical that you do not open emails from unknown senders or emails that appear suspicious. Only open attachments if you trust the sender and are expecting to receive an attachment from them.
If you are unsure, err on the side of caution and telephone the sender to confirm the email and the attachment are legitimate. Never send emails that contain personal information, passwords or usernames. Any organisation that may require this kind of information will have policies in place to request it and will not simply ask for it via email. Again, if in doubt, err on the side of caution.
In the new world of agile and home working there are even more opportunities for cyber fraud, as criminals move to capitalise on changes to ‘usual’ security arrangements due to remote working. By turning these next tips into habits for everyone at your practice, you should be able to eliminate the chance of cyber fraud.
Switch off visual/voice activated devices
Voice activated devices, such as Amazon’s Echo and Google’s Nest, are designed to record and store audio only after they detect a word to wake them up – but testing by Northeastern University and Imperial College London found that the devices can be inadvertently activated between 1.5 and 19 times a day.
It would be wise to err on the side of caution and advise your fee earners to switch off any kind of visual or voice enabled device, to be certain that sensitive client information isn’t picked up.
Share information with clients and colleagues using encrypted methods
You’ll likely be communicating with clients in many different ways, so it’s vital to ensure that all channels you’re using are encrypted and secure, such as Osprey’s client portal.
What is encryption?
In simple terms, encryption takes readable data and alters it so that it appears random. Although encrypted data appears random, the encryption process takes a ‘key’ and logically randomises the data, meaning that it can be decrypted using the same key when it needs to be accessed again.
It goes without saying that, as a legal professional, it’s your duty to keep client information confidential, which isn’t easy without encrypted channels.
For video calls with clients and colleagues, we’d suggest using Microsoft Teams.
It works exceptionally well for intra-company communication, and also allows for easy-to-use video calls and screen-sharing with clients and third parties.
When it comes to document sharing, ensure that your emails, as well as your client portal, are encrypted. Support for encrypted emails is patchy right now, so we’d recommend using a cloud-based client portal like Osprey’s, which allows you to share, and receive, files in a safe way. In addition to your encrypted connection, it virus-scans all files as they are uploaded to ensure all parties remain safe.
Other points to consider
- Simplify your calls with a system such as Microsoft’s 365 Phone System. Being a cloud-based telephony service for your home-working law firm, it offers greater security and advanced functionality over traditional phone systems. We’d be happy to get you up and running;
- Use a password manager to create and safely store complex and secure passwords;
- Enable two-factor authentication wherever possible, which adds a further layer of protection;
- Be aware of what data is important and be extra vigilant when storing or sending anything remotely; and,
- Encourage your team to communicate and be open. If they suspect they’ve spotted a potential security risk, ask that they inform you as soon as possible.
Tips to help prevent cybercrime:
- Within the engagement letter sent to any new clients, you should clearly set out that, as part of cyber safety measures, clients will never be directly contacted by email or telephone regarding bank accounts, change of bank accounts, or any other financial information. Also provide a senior contact name that your client should speak to if they have any concerns or questions about fraud.
- Ensure that procedures are in place that certify the entire firm complies with the above.
- If cyber safety is taken seriously, consider asking your client to break any large transfer into two amounts, sending an initial £1; once that is confirmed, the remaining amount can be transferred shortly after.
- All communications with your client that request or contain any sensitive or financial information should be sent via a) a secure client portal, b) a password-protected document such as a PDF, or c) a printed and franked letter, never by email or telephone.
- Use a third-party service such as GB Group’s Bank verification service or lawyerchecker.co.uk to validate bank accounts before making a transfer. Never accept changes of banking details at face value and always verify with the relevant parties directly before accepting any changes.
- Consider having an employee fraud training and awareness program within the firm, giving regular updates on fraud trends and areas of risk. The program should focus on compliance, fraud prevention and where responsibilities are held. The responsibilities should include what to do in the event of suspected fraud. Adopt security measures from the ground up and ensure all members of staff are part of this process.
- Consider having a set of fraud mitigation warning flags, and where a transaction falls into the following categories you should undertake additional checks:
  - No estate agent is involved in the sale of the property.
  - The transaction involves a relative.
  - The transaction is under a Power of Attorney.
  - The property has recently changed hands.
  - The property is funded through other parties.
  - The purchase contract involves payments to other parties.
By arming your fee earners with the right, secure tools and encouraging them to think about being cyber security aware, there’s no reason why your firm can’t continue to provide high levels of client service from anywhere.