Contact Sales
Legal

Cybercrime - your staff are your first line of defence

The scale and impact of cybercrime continues to increase. Our new ‘home working’ environment during the Covid-19 pandemic has shone a bright light on the importance of secure behaviours and the role we all have to protect our oprganisations reputation from cyber-attack or data breach. Systems are more open to attack because of our human error, so it is critical that firms ensure they have the training, policies, controls and procedures in place to mitigate the risks of being targeted.

Cyber Security

Posted 03/02/2021

Our recent cyber panel discussion, held on Thursday 21st January, was a timely reminder of the obligations that firms have in relation to taking appropriate steps to protect client money and assets from the cyber-threats they face on a daily basis; the expert panel also provided a number of key takeaways that firms could use to better protect themselves.

Brian Rogers' Key Takeaways

Brian Rogers, Regulatory Director at the Access Group, discussed the various regulatory obligations firms have under the SRA Codes of Conduct, Data Protection Act, and Money Laundering Regulations to manage and mitigate the risks of being targeted by cyber criminals; he made particular reference to the latest anti-money laundering guidance published by the Legal Sector Affinity Group, which covered the use of technology and the cyber risks that were associated with this. He also made reference to the SRA’s latest report on how firms were dealing with the cyber threat, which showed some significant failings within the firms visited.

Brian’s key takeaways were:

  • Ensure you have appropriate cyber policies in place.
  • Communicate with staff when new cyber risks appear.
  • Keep details notes of how you manage any cyber incidents.

Nick Wilding's Key Takeaways

Nick Wilding, Cyber Awareness and Resilience Lead Consultant at the Access Group, presented the challenges law firms face from ‘human error’ – the mistakes any one of us can make in our busy lives, at home and at work. 90% of all successful cyber-attacks and data breaches occur because of the unwitting mistakes we make. He highlighted that firms of all sizes should regard their employees as their strongest defence against potential reputational loss and that effective training is a highly cost-effective tool to exploit as part of any firm’s business resilience.

Nick’s key takeaways were:   

  • Move beyond annual, tick-box training and adopt short, highly targeted, immersive and relevant training, little and often.
  • Use stories and real-life incidents to bring the risks to life at home and work – encourage your employees to share their own stories to help build their awareness and confidence to do the right thing.

Provide training that can demystify security and enable employees to choose their preferred learning style through multiple training techniques including tests, quizzes, eLearning, games, videos, pdfs and audio stories.

Neil Sinclair's Key Takeaways

Neil Sinclair, National Cyber Lead, Police Digital Security Centre, says “Every business must be putting security at the forefront of developing a digital footprint rather than it being an after-thought. Furthermore, it is a good time, with the workforce remote and/or at home, to make security a cultural “thing”, something that becomes totally relatable to home life and thus transferrable to office life. However, it remains very important that business owners retain control of the business’s data so to that end”. Neil’s key takeaways were:

  • Be rigorous in on-boarding & off-boarding personnel.
  • Make sure your back-up procedure is fit for purpose - on sight/off sight, cloud v server, high security -v- fast recovery.
  • With workforce now more remote, focus on endpoint security. Supply equipment rather than BYOD so you can monitor “who, what, when, where and how?”.

Brett Warburton-Smith's Key Takeaways

Brett Warburton-Smith, Partner, Lockton Companies LLP, gave an insight into the thoughts insurers had in relation to cyber risks and what firms could do to mitigate these; he also provided some background to the cyber insurance policies now available in the market. Brett’s key takeaways were:

  • Consider what a specialist cyber insurance policy could offer either by speaking to your insurance broker or a specialist in the industry
  • Deploy MFA across your network – this should be a minimum security standard for all organisations
  • Senior stakeholder sign off procedures for sending and releasing funds – minimum two pairs of eyes for all amounts over 5k or an agreed nominal amount

Based on the findings of the SRA in its last thematic review, it is likely that further reviews will be undertaken, but what the SRA may be planning to do should not be your only focus; you should also be acting in the best interests of your clients and insurers and protecting your firm’s reputation.

Just ticking compliance boxes will not protect firms from determined and sophisticated criminals!