An occasional column on how to handle everyday IT challenges in your legal business
This week: keeping law firm and client funds safe from cybercriminals
Cyber-attacks can take many different forms. The most frequent cybercrimes – phishing scams – are conducted through simple methods and happen all the time. Such scams are designed to convince an end-user to provide a hacker with their username and password, so that the hacker can gain access to their PC, network or email account.
It is more likely that you or a member of your firm will fall foul to one of these phishing scams than a full-scale hacker attack. You must ensure that your firewall, intrusion detection application, and other hardware and software security devices are properly maintained, up to date and appropriate for your firm’s risk profile. But even the most complex security designs can be breached if a user unwittingly gives their credentials to a hacker.
So how can you avoid falling foul to a phishing scam and how can you mitigate the threat of cybercrime?
Here, we look at how your firm can adopt better password protection and avoid staff giving out their credentials unwittingly. We also look at how you can adopt new, or adapt current, business processes to add layers of protection and security when dealing with your clients, without overcomplicating your processes and making them unwieldy.
Managing your credentials
Don’t give them out. The simplest way for a hacker to break into your computer system is with your credentials. Never provide your credentials to a third party.
Don’t log into any websites or portals unless you know and trust them
Phishing scams will often involve the victim receiving an email with an attachment. Upon opening the attachment, the victim is asked to enter their username and password to download the contents. Don’t! You should never need to enter your credentials to download an attachment. If you are at all in doubt, contact the sender to verify the contents of the email. If the attachment is particularly sensitive, we would recommend asking the sender to upload the document to a portal or deal room site and provide you with access to it rather than sending it via email.
Don’t save your passwords
Most web browsers will ask you if you want to save your username and password. Don’t! Saving your credentials to your web browser will mean that anyone who gains access to your machine can gain access to all of the applications you use. You can also see a list of all usernames and passwords saved on the web browser in plain text. We recommend that you turn the save password or remember password setting off on all devices and all browsers.
Don’t write your passwords down
While you may not be giving out your credentials, writing them down and sticking them to your monitor is equally risky. Most corporate networks and email accounts will follow the same pattern, meaning that if someone has your password they can easily guess your username.
Use strong passwords
A great number of computer users still use weak passwords. Just as a hacker with your password can guess your username, a hacker with your username can guess a weak password. Your password should be at least eight characters long and should contains a mixture of upper- and lower-case letters, numbers and special characters. Don’t use initials or date of birth or anything that can be guessed.
Change your password
If you are given a password the first thing to do is to change it. You immediately reduce the number of people who know your password to just one person. You should also frequently change your passwords (every 90 days is a sensible time frame).
Use different passwords
It can be difficult to keep track of different passwords for different applications. However, this shouldn’t prevent you from having a different password for each application. Keeping passwords safe is not enough, however. Educating your staff about the risks throughout a transaction and adopting either all or elements of the following process will also greatly reduce your risk. Taking extra steps at appropriate times throughout a legal transaction can make a major difference to how likely it is you and your firm will be subject to cybercrime.
Tips to help prevent cybercrime:
- Within the engagement letter sent to any new clients, you should clearly set out that, as part of cyber-safety measures, clients will never be directly contacted by email or telephone regarding bank accounts, change of bank accounts, or any other financial information.
- Consider asking your client to break any large transfer into two amounts, sending an initial £1. Once that is confirmed, the remaining amount can be transferred shortly after.
- All communications with your client that request, or contain, any sensitive or financial information should either be via a) secure client portal, b) password-protected document such as a PDF, or c) sent via printed and franked letter. Never send by email or telephone.
- Use a third-party service such as a bank verification service or lawyerchecker.co.uk to validate bank accounts before making a transfer. Never accept changes of banking details at face value and always verify with the relevant parties directly before accepting any changes.
- Have an employee fraud training and awareness programme within the firm, and give regular updates of fraud trends and areas of risk. The programme should focus on compliance, fraud prevention and where responsibilities are held.
Craig Matthews and Adrian Jones are members of the Legal Software Suppliers Association