IT Security: Keeping information and money safe

26 December 2017

This report highlights the ever-growing risk of cybercrime. We all need information technology, so we all need to be aware of the threats.


Introduction

We all know that cyber security is an ever-growing risk – and cybercrime is now in fact the most prevalent crime in the UK. We all need information technology, so we all need to be aware of the threats.

Cybercriminals are not just after money but are looking for sensitive information too, so the legal services sector is an obvious target. In the last year we have had reports of around £7m of client money being lost to such crime. And I know from my regular conversations with law firms and insurers that this is an area of serious concern for many of you.

It is the job of firms to take steps to protect themselves and their clients, but we want to help. Cybercrime risks evolve rapidly. That is why we provide regular updates on this area - most recently in our July risk outlook. This report builds on that, offering legal professionals a practical, up-to-date guide on how to manage your online security - from cloud computing to the latest cybercrime trends.

Protecting yourself – and your clients - from threats requires constant vigilance. The most commonly reported attack against law firms is email-modification fraud, which relies not only on weaknesses in systems but also on deception. It shows that while antivirus systems are important, well-trained and well-informed staff are even more so.

We recognise that no defence is perfect, but if you lose client money or information, you need to report these cases to us. We will take a constructive and engaged approach, particularly if you are taking steps to make good any losses to the client, and are looking to learn from the incident. The section in this report on regulatory responsibilities will help you with what you need to do.

After all, there is a bigger picture here. We all need to know what is happening, what the latest cyber attacks are and how we can avoid being caught out. By updating us we can update everyone else. We can all work together to keep the legal sector as safe as possible, protecting firms and protecting your clients.

The facts

  • £1 billion was lost to business from online crime (2015-2016)
  • £2.3 billion was lost by global businesses from email fraud (2013-2015)
  • 75% of cybercrime reports to us are Friday afternoon fraud
  • £1.57 million was paid by businesses in ransoms (2016: Q1)
  • 43% of all cyber attacks are aimed at small businesses
  • 9 security breaches in 2015 featuring more than 10 million personal records being exposed

Sources: Action Fraud, CRN, FBI, Symantec

Paul Philip

Chief Executive

  1. DDoS attacks use a large network of computers to make access requests to a system, overloading it and forcing it offline.
  2. See for example Why move to the cloud?, Salesforce, 2015
  3. What happens when data gets lost from the cloud, Cloud Computing News, 2015
  4. Code of practice for cloud service providers, Cloud Industry Forum, 2016; International standard for information security management systems (ISO/IEC 27001 2013), ISO/IEC, 2013
  5. Improving regulation: proportionate and targeted measures, SRA, 2015
  6. Sending personal data outside the European Economic Area (Principle 8), Information Commissioner’s Office, 2016
  8. EU-US Privacy Shield, European Commission, 2016
  8. Internet security threat report 2016, Symantec, 2016
  9. Gwapo’s professional DDoS service, Daily Motion, 2014
  10. DDoS, the cloud and you, The Register, 2016
  11. Internet security threat report 2016, Symantec, 2016
  12. Business email compromise: the 3.1 billion dollar scam, FBI, 2016
  13. Technically, a virus is one specific type of malware, capable of distributing itself to other systems. Most malware actually in use is of the ‘trojan horse’ type, installed by deception on just one system without the ability to infect others. In practice, these terms are used interchangeably.
  14. Exploit kits as a service: how automation is changing the face of cybercrime, Heimdal Security, 2016
  15. The infection could be intentional or accidental. Leaving an infected memory stick in the carpark of the target business, for staff to pick it up and connect it, has been a repeated and successful tactic used for both cybercrime and espionage purposes.
  16. Ransomware 101: what, how and why, Trend Micro, 2016
  17. Cryptowall ransomware raised $325m, IT Pro, 2015
  18. Posing as ransomware, Windows malware just deletes victims’ files, Ars Technica, 2016
  19. Kansas Heart Hospital hit with ransomware: attackers demand two more ransoms, Network World, 2016
  20. Some sources use ‘cracking’ to refer to the use of hacking for criminal purposes, and reserve ‘hacking’ for benign activities such as penetration testing.
  21. Why cybercriminals are targeting law firms, D Magazine, 2016
  22. Sharing your password, Indiana University, 2016
  23. Over £1bn lost by businesses to online crime in a year, Action Fraud, 2016
  24. Data security incident trends, Information Commissioner’s Office, 2016
  25. Flipping the economics of attacks, Ponemon Institute, 2016
  26. Corporate espionage: the reason law firms are a big hacking target, Lexblog, 2015
  27. State sponsored cybercrime: a growing business threat, Dark Reading, 2015
  28. Benchmarking trends: as cyber concerns broaden, insurance purchases rise, Marsh Risk Management Research, 2015
  29. SRA publishes data ahead of insurance consultation, SRA, 2016
  30. Interpol arrests business email compromise scam mastermind, Trend Micro, 2016
  31. Why cybercriminals are targeting law firms, D Magazine, 2016
  32. Known as ‘SQL injection’: see The security flaws at the heart of the Panama Papers, Wired, 2016
  33. New Hampshire company pleads guilty to hacking into a competitor’s computer system for commercial advantage, FBI, 2015
  34. New Hampshire company pleads guilty to hacking into a competitor’s computer system for commercial advantage, FBI, 2015
  35. Kansas Heart Hospital hit with ransomware: attackers demand two more ransoms, Network World, 2016
  36. Outcome 4(5), SRA Code of Conduct 2011
  37. Outcome 7(4), SRA Code of Conduct 2011
  38. Outcome 7(2), SRA Code of Conduct 2011
  39. Guidance on the use of monetary penalties, Information Commissioner’s Office, 2016
  40. Flipping the economics of attacks, Ponemon Institute, 2016
  41. Basic advice is available from many antivirus vendors, and detailed post-incident response assistance may be available through your insurer or IT services provider in some circumstances.
  42. Internet security threat report 2016, Symantec, 2016