With many lawyers currently working from home, and with many firms reviewing whether they can implement more widespread remote working – even after lockdown comes to an end and we can return to “normality” – the issue of cybersecurity has inevitably yet again reared its ugly head. As if those working under these difficult conditions did not have enough to worry about, cybercriminals and fraudsters have decided to add to their woes by using the situation as an opportunity to exploit vulnerabilities and weaknesses that have arisen from the need to move outside the safer confines of the office environment.
Just because we are living through difficult times does not mean that law firms can afford to be relaxed about cybersecurity and the confidentiality of the data that they hold and process. It is essential, therefore, that they take account of new vulnerabilities and take appropriate steps to ensure that these do not impact upon their work.
Action Fraud has reported a 400% increase in coronavirus-related fraud reports since March with malicious email attachments, false government grant phone calls and CEO impersonation scams being key among the scams undermining businesses as a result of the COVID-19 pandemic. Criminals have also been gaining access to businesses devices and networks, and everything stored on them, by:
- including malicious attachments on emails;
- exploiting operating systems vulnerabilities; and
- using links to malicious websites.
There have also been reports of thefts of data and money being stolen by the use of ransomware and tax refund frauds. Many fraudsters have been impersonating genuine businesses so as to enable them to defraud customers and clients, with the resulting reputational damage and potential loss of business. Add to this the emotional and mental impact on the owners and employees of targeted businesses and just how serious an issue cybersecurity is, will be easy to see.
Unfortunately, law firms are particularly vulnerable to this new crime wave. With many having little in the way of resources to invest in complex cybersecurity, and numerous firms handling sensitive data and large sums of client money, it is vitally important that firms and their employees are extra vigilant during lockdown, especially where staff are working remotely. The SRA have reported that:
The large numbers of lawyers working from home, possibly for the first time, are an attractive target for criminals who will not hesitate to exploit vulnerabilities wherever they can.
What Should Firms Be Doing?
So, what should firms be doing to preserve cybersecurity and ensure that they do not become victims of scams, hacking and other attempts at fraud?
The watchword and overall plan must be increased vigilance. There is always a danger that because they are working from the comfort of their home, partners and staff will perceive a greater sense of security than if they were working in an office environment. Indeed, this is something that many fraudsters are specifically exploiting.
It is vital that everyone is conscious of the risks posed by cyberthreats and are aware that there is a danger that they will be targeted by fraudsters who will pretend to be someone else in an attempt to gain access to data or client funds.
In particular they should be wary of:
- Phishing attempts – fraudsters impersonating others or using malware programmes to gain passwords, login details or other sensitive data;
- Government grant/tax refund scams – contact by imposters offering COVID-19 government grants or a tax refund with a view to gaining access to data or being paid fees for making bogus claims. Be aware here of contacts made not just by email and telephone but also through text messages, social media posts and other messaging systems;
- Invoice scams – these arise where someone claims to be a regular supplier and that their bank account details, or payment arrangements have changed. Often this may be accompanied by a claim that an invoice from previous months remains outstanding. In all cases do not hurry to make changes or payments. Instead, use your existing contact details to contact the person or organisation and check that the request is genuine.
- Partner/CEO impersonation scams – this relies on the employee’s willingness to do what they are asked by directors, partners or senior managers. Usually, an employee will receive a phone call or email from someone claiming to be a senior member of staff requesting the urgent supply of information or that an urgent payment is made. Sometime, the fraudster may even have hacked into a staff email account or used spoofing software to appear genuine. In all cases, check with the person, or another manager, before acting on the request.
- Tech support scams – be especially careful of offers to maintain, optimise or repair IT and other technology. This will often be an attempt to gain computer access or get hold of passwords and login details. Always be suspicious of cold callers as genuine companies will never call out of the blue and ask for access to your system or details of logins or financial details.
Make sure that all staff know that if they think they have been the victim of a scam that they must let a director/partner or manager know as soon as possible or, if it is a personal issue should contact their bank immediately and report any suspicious activity to Action Fraud https://www.actionfraud.police.uk or by calling 0300 123 2040.
One of the main ways in which cyber criminals gain access to devices is by exploiting weaknesses in the software and applications that you use. Most IT providers try to keep on top of IT security by releasing regular updates designed to fix any weaknesses. However, this will only ever be of use if firms and individuals take steps to update software and operating systems on a regular basis. This applies as much to your PC or laptop as it does to your phone or tablet.
All firms must ensure that they upgrade their own operating systems and software and that they check to make sure that staff working from home (and possibly using their own devices) are also working from the latest versions. In particular, they must ensure that they use up to date anti-virus software on all desktops, laptops, servers and other devices and that if need be, they pay for anti-virus software for staff and ensure that it is installed and kept up to date.
It is difficult to over-emphasise the importance of strong passwords and effective password management to cybersecurity. A password is often the key to so much that is sensitive and confidential and not using a strong password – or worse still, telling someone else what a password is – is the same as either leaving a door unlocked or handing over the key.
It is vital that passwords are strong. Fraudsters regularly use programmes that can run through the most common 10,000 passwords in only a few minutes, trying each of them until they gain access. Trying to protect vital information with the password “password,” or even “password123”, is utterly ineffectual – as would be other common passwords including “HarryPotter” or “Football”.
What is more, having the same password for all of your applications is dangerous as access to one account will become access to them all. You should, therefore, have different and very strong passwords for different accounts. This especially applies to an email account since if that is hacked the fraudster immediately gets access to all of your other passwords simply by resetting them and having a reset link emailed to the account which they can now access.
Ideally, passwords should be made up of a random selection of letters (upper and lower case), numbers and symbols and should be a minimum of 8 characters (more if possible) long. If you cannot remember such passwords then either use a password protection programme such as Lastpass, Dashlane or 1password or alternatively use three random words such as “hammerspiralcostume” possibly separated with a symbol or a dot “collect.attitude/cabbage”.
Finally, in relation to passwords, if a service offers you two-factor authentication, use it, as this will give you an extra level of protection online and will almost completely prevent fraudsters from gaining access to your accounts – even if they have your password. Two-factor authentication works by requiring you to provide a second piece of information which is normally randomly generated, for example a code that is texted to your phone or one that you generate using a dongle (as with bank accounts) or an app such as Google Authenticator.
Maintaining the integrity of the data that you store and use is also an important factor in cybersecurity and to help you achieve this you should make sure that you backup that data.
When you are working from an office environment then it is likely that the data you use is stored on a server which is backed up on a regular basis. Working from home you may lose that facility and so you may need to make sure that you carry out your own backups.
There are a number of reasons why this is a good idea. For example, a common form of cybersecurity risk is that of the “ransomware” attack. Here, the fraudster does not steal data – they simply make it inaccessible by the user until that user has paid a sum of money to the attacker. If you are affected by such an attack you have three options – lose the data, pay the ransom or use an uncompromised version of the data contained in a backup. Ensuring that your data is backed up and stored separately will mean that you can effectively ignore such attacks.
Aside from fraud and hacking, data is always at risk from error on your part or from loss or theft of a device. Keeping a backup makes sense so that data remains secure.
Those working from the confines of an office can often rely on secure firewalls to keep information safe from hacking and fraud. Those who are remote working do not necessarily have that same level of cybersecurity.
It is vital therefore that firms look at the network utilised for communicating with staff, how files and information is accessed and whether the channels used are secure. They should consider, if they have not already done so, implementing virtual private networks (VPNs) as an essential part of any remote working strategy. This will allow users to access securely resources such as email and file servers using an encrypted, authenticated network connection.
Firms should also look at any Cloud-based services used by staff and ensure that these are secure when accessed from home. This includes making sure that passwords are maintained and that logins are not compromised.
Other security factors
Not all issues relating to cybersecurity and confidentiality are so directly linked to IT and cybercrime as those issues detailed above. Many of the vulnerabilities that those working from home face come from far more mundane sources. These include:
- Inadvertent breach of confidentiality from family members or other occupants of a house having access to confidential data;
- Loss or theft of devices from the house or from vehicles;
- Power outages causing data to be lost or corrupted;
- Hardware failure – possibly from the use of old and outdated equipment;
- Negligence or mistake – something easily encountered when children are possibly demanding attention at the same time as work needs to be undertaken. It would be easy to email the wrong information to the wrong person due to the stress of the moment.
These are unusual times and require that everyone be more vigilant and more aware of the problems that might arise. It is easy to assume that we are “all in it together” and that somehow goodness will prevail. The research and the experiences of others indicates that is sadly not the case and that there are those who will do whatever they can to exploit the current situation for their own benefit. Make sure that you are not one of their victims.