The SRA’s latest Cybercrime Thematic Review reports a “greater than ever” need for law firms to remain cybersecure. To find out how we can best support firms during these times, we spoke to Lawyer Checker’s Tom Lyes. Tom’s understanding of the challenges faced by Conveyancers enables him to provide expert advice and guidance from a fraud and cyber perspective in this area.
Have you noticed a shift in attitude towards Cyber Security in law firms in recent years?
There has been a shift in approach: previously there was an “it won’t happen to us” attitude, whereas now we are seeing more firms take a proactive approach rather than waiting for the inevitable. This has been driven by a combination of things such as regulator education and insurers. There is still, of course, more room for improvement in this area. One of the major barriers to a shift in attitude is a lack of understanding from leaders and external IT support companies. The recent SRA Thematic review highlights this and says that: “13 external IT support companies either had a poor approach to cyber security or it was poor in parts” and with “some senior managers unable to answer simple cyber questions”. The report also comments on the fact that “an influential and visible leader will help set the tone, support decision making and outline expectations.” I see this a lot with clients that I work with, where strong leadership is essential in driving the shift in attitude.
In your opinion, which do you think is the bigger driver behind firms who are more proactive around cyber security: tighter regulatory requirements or fear of an attack?
Although regulatory requirements have helped raise awareness, I don’t believe they are a bigger driver than the fear of an actual attack and the knock-on impact this has. The regulatory requirements are still only optional such as CQS and Lexcel, both of which currently “recommend” Cyber Essentials. Going back to my point about strong leadership, I would like to see both made mandatory requirements.
Financial loss around client money is most people’s first thought, but the fear of what’s involved in an actual attack runs deeper than this in terms of the wider cost of cyber-attacks, for example, higher insurance premiums, lost time and damage to client relationships. These are every Managing Partner’s worst nightmare so it’s crucial that leaders drive this as they will be making the call to the insurer or else working out how they are going to replace stolen money. It’s no longer acceptable to rely on an IT provider or rest the issue on the shoulders of one employee.
The last SRA thematic review of Cyber Security states that only 73% of firms had reported incidents, and that seven significant incidents were not reported despite clear and significant breaches. From your conversations with law firms, do you have any insight into this reticence?
Once a breach has been diagnosed, the firm should have a protocol and documented procedure in place as to how they deal with the breach and whom they need to notify. What is happening in reality is that many firms are dealing with these on the fly and therefore key things such as reporting to the SRA are being missed. A good example of this is a firm who do not hold much in the way of cyber security knowledge internally but have an outsourced commercial IT provider. It’s unlikely that the commercial IT provider is going to prompt them to remember to report this to the SRA. I also wonder if the expectation on the firm in terms of what to report is clear enough from the SRA? Some firms I speak to don’t even know that the SRA Scam Alerts even exist, for instance. Building this into processes and having documented procedures is the way forward in terms of reporting. The more the SRA learns, the more they can do to help, so it’s in the sector’s favour to make sure reporting is up to scratch.
Do you think cybercrime is getting worse, or generally being more strongly reported?
Cybercrime doesn’t discriminate. No businesses are safe, with criminals targeting firms and transactions across all areas of the legal sector although naturally conveyancing remains the most targeted area. The National Crime Agency state: “Cybercrime continues to rise in scale and complexity, affecting essential services, businesses and private individuals alike. Cybercrime costs the UK billions of pounds, causes untold damage, and threatens national security.”
The world we currently work in now brings new risks to the table, and it will take some time to understand whether remote working has an impact on this but, from a Conveyancing perspective, a busy market is a fraudster’s paradise so now is the time to take this seriously, if you’re not already.
What would be your first port of call for strengthening a firm’s cyber security?
Most firms spoken to in the thematic review commented that staff was their greatest cyber risk. A confused, junior, or dissatisfied member of staff can enable and allow substantial, business-threatening cyber-security breaches, therefore strengthening and educating people should be a firm’s first port of call. This works two ways: if you get this right, staff can also be your greatest assets in terms of protecting you from cybercrime.
Firms should also look at making sure they are certified against Cyber Essentials or preferably Cyber Essentials Plus. These are accreditations designed by the National Cyber Security Centre to help firms build robust technical and procedural defences. The review from the SRA said, “We found that firms with Cyber Essentials Plus accreditation were more likely to have good policies and procedures in place and have taken effective steps to protect themselves from future cyber security incidents.”
At Lawyer Checker, one of the ways we view Cyber Essentials Plus from a law firm perspective is that you would audit your accounts, you would audit your files, why would you not audit your IT infrastructure? As an approved assessment centre for law firms we understand the infrastructure and should be a good fit for firms looking to achieve the accreditation.
After 6 years working for a top 20 Conveyancing business, Tom joined Lawyer Checker in early 2018. Tom currently works closely with law firms across the country with regards to their cyber security, funds transfers prevention and ID processes in order to help mitigate the risk of fraud.