How should you invest within information security?
We provide a summary of another key risk factor within the SRA Risk Outlook 2016 and what this means for your firm.
Implementing and maintaining a secure database within the legal sector is probably the most significant risk within a firm, as the sensitive data you have access to is of great value to any fraudster or criminal. Just one simple hack can lead to the transfer of bank details, addresses, contact details, as well as age and capacity of individuals – meaning that your most vulnerable clients can become prime targets.
According to the Solicitors Regulation Authority (SRA) within the latest Risk Outlook, a quarter of all law firms have been victims of cyber attacks, with 10% of those experiencing money losses as a result. Focussing specifically on the impact on conveyancing, a recent Experian report states that mortgage and property fraud accounts for 6% of all fraud cases and has increased by a massive 50% within the last year. So with the wide coverage of these issues, even in national news, why is the sector not taking charge?
Human error seems to be the key catalyst for information security issues across the board, with unauthorised file transfers being a concern for nearly a third of IT professionals worldwide. The 2016 report from information security company Trustwave claims nearly all security breaches can be traced back to human error and that cross-departmental security should be prioritised in order to combat this.
Information security – overview
There are great debates as to the correct and most effective ways to store data. Whether you have a paper-based or a digital system, each comes with associated benefits as well as risks. The SRA say that paper systems leave firms vulnerable, as physical files can be lost and require complex systems to manage – making human error a more significant issue. In contrast, during the Society of Licensed Conveyancers (SLC) Spring Roadshow in London, which heavily focussed on cybercrime, Tom Horrocks of compliance consultants CPM21 advised that paper is safer than digital for storing information, due to the nature of how each system can be hacked. In order for criminals to access paper files, they would need to infiltrate the office or storage facility where they are kept, whereas cyber hacks can be achieved remotely.
Another threat to your firm is the rise of bogus law firms. This means that information about your firm itself is also vulnerable to fraudsters. In just 4 years, the number of reports regarding bogus firms has doubled, with the SRA saying they now receive over 700 per year. Identity is not only taken from individuals: an entire business can be recreated, from email signatures to unsolicited phone calls to websites that mirror yours almost perfectly and lead users to click harmful links and obtain false contact details.
Paul Tucker, Business Development Manager at Lawyer Checker, said:
“A robust risk management process must underpin your due diligence. It is no longer enough to simply perform the due diligence out of necessity and not follow up on any red flags that may arise. The courts will not find this acceptable and neither will your professional indemnity insurers.
“Social engineering involving the manipulation of targeted individuals, taking into account invoice fraud, phishing and vishing, can all be used as a way to exploit that all-important data being held within databases.
“Lawyer Checker’s award-winning Account & Entity Screen is a service that firms can make use of in the fight against bogus firms and fraudsters. We provide due diligence on all results that appear as Infrequent or Unknown; we also offer appendix literature to be used within risk policies to ensure clarity for how staff should react to these results.”
Information security – actions
Invest. It makes sense that heavy investment, money as well as time, is pumped into the area of your practice that can potentially cause the greatest losses. Monetary value should certainly be a factor within the strategy, but losses can also include the loss of a positive reputation and loss of client retention. If your clients are put at risk, the associated value is more than just profit.
Train and implement. Although your members of staff in most cases should and can be trusted with any valuable information, both new and existing employees must on some level be considered a threat. This doesn’t mean everyone internally is necessarily a potential criminal, but figures show people are at high risk of being the cause of data loss or breaches.
Track your business. Marketing and gaining brand advocates are fantastic ways to boost awareness of your service provision and reputation. However, inbound marketing isn’t enough and you should be aware of any mentions on social media, various websites and within other collateral as your business name (or even employees’ names) may be used fraudulently.