We recently had the pleasure of hosting a fraud and cybercrime webinar with expert barrister Adam Richardson of 1 Essex Court.
The session was very interesting, enlightening and practical. And to be honest, quite scary in parts – although Adam was at pains to stress he wasn’t trying to scaremonger.
Context – fraud and cybercrime at an industrial scale
Law Firms are constantly under attack. Two weeks ago Premier Property Lawyers, and other conveyancing firms in the Simplify Group, had their systems compromised.
This hack alone has caused chaos to thousands of property transactions, putting many completions in jeopardy.
And it’s just the latest in a string of cyber attacks on law firms.
These incidents give rise to technical and regulatory issues with the SRA, ICO and law enforcement. Not to mention the huge issue of dealing with all of the clients. Quite a horrific situation for all involved.
What follows is an overview of the rest of Adam’s talk. COLP Insider newsletter subscribers get access to the recording.
Background to Adam’s talk
Cybercrime is up and the number of instances detected is just the tip of the iceberg.
The biggest vulnerability is smaller devices, like tablets and mobile phones. People forget to put security in place or use VPNs. Default passwords on routers and printers are often left in place, which allows easy access to hackers.
It is estimated that by 2025 cyber crime will cost the global economy $34 trillion.
There are an estimated 6.4 billion fake emails in the world per day.
For law firms, hacks are not just about targeting client money; the attackers also want the confidential data. This may lead to a financial attack later down the line, but may not. Around 80% of attacks on law firms are after data.
Adam says the current legislation is simply not up to the job. It is out of date and has not kept pace with technology and modern methods of attack.
The Computer Misuse Act 1990 was brought in when Prince Philip was hacked, as there was no existing legislation to prosecute under. It is still in use today and is very broadly drafted.
Ironically, prosecutions under the Act are mostly of police officers, e.g. when an officer accesses the police database for personal reasons.
Wider enforcement under the Act is difficult for several reasons, including:
- detection (where in the world is the criminal?)
- age of the hacker (the average age is 15)
- cyber criminals’ knowledge of the law
- hackers have the most advanced equipment, and they don’t have to respect the same privacy and data protection rules as law enforcement
The audience was reminded that GDPR Principle 7 requires firms to put in place appropriate technical and organisational measures to meet the requirements of accountability. In other words, protecting your firm against cybercrime is not a choice.
Trending types of cyber attack
The ‘Man in the Middle’ attack is the classic tactic, and we see it a lot in attacks on conveyancing firms.
The attacker gets into the system (usually through some form of email attack) and sits in wait. During the course of the transaction the hacker has access to all the back and forth between the client and their lawyer.
They strike when the money is being transferred. This might be by sending the client false banking details in a doctored invoice. By the time the client has paid the fraudster and everyone has realised what has happened, it is too late. The money has gone, outside of the jurisdiction.
Other types of hacks on law firms include:
- Broken Access Control – where software needs a patch or the plugin is insecure.
- Cryptographic Failure – where the encryption for the data is not working as it should.
- Injection – entering a line of code into a web form, tricking a website to cough up access to the main database.
- Insecure Design – such as lack of 2 factor authentication.
- Security Configuration – not changing default passwords.
- Vulnerable and Outdated Components – these vulnerabilities very quickly become known in hacker communities.
- Identification and Authentication Failure – login hacking.
- Software and Data Integration Failures – integrations (when two systems ‘talk’ to each other) can introduce new vulnerabilities.
- Security Logging and Monitoring Failures – when an attack in progress is halted but not logged, the target does not know how to fix the issue.
- Server-side Request Forgery – similar to a Man in the Middle attack, but here the hacker offers ‘free wifi access’ in a public space, giving them free rein over the target’s data.
For more information, see the OWASP Top Ten.
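The ‘Injection’ entry above is the one most easily shown in code. The following is an added example, not part of the webinar or this post: a constructed in-memory client table, a lookup that pastes a web-form value straight into the SQL text, and the same lookup written with a bound parameter. The table, names and function names are all assumptions made for the demo.

```python
import sqlite3

# Constructed demo data (assumption for this example): a tiny client table
# standing in for a law firm's case-management database.
CLIENTS = [
    ("Alice Example", "alice@example.invalid"),
    ("Bob Example", "bob@example.invalid"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed client rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO clients (name, email) VALUES (?, ?)", CLIENTS)
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    """The web-form value is spliced into the SQL string.

    The database engine cannot tell the user's data apart from the query's
    code, so a crafted value changes the WHERE clause and the query returns
    rows the caller was never meant to see. This is the flaw the OWASP entry
    describes.
    """
    sql = f"SELECT name FROM clients WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql).fetchall()]

def lookup_parameterised(conn, name):
    """The same lookup with a bound parameter (the fix).

    The value travels to the engine separately from the statement text, so it
    is only ever compared as a literal string and cannot alter the query's
    logic, whatever characters it contains.
    """
    sql = "SELECT name FROM clients WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]

def compare(name):
    """Run both lookups on the same input and return their results side by side."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterised(conn, name)
    finally:
        conn.close()

if __name__ == "__main__":
    # A legitimate search behaves identically in both versions.
    print(compare("Alice Example"))
    # The textbook crafted value turns the WHERE clause into "name = '' OR '1'='1'",
    # so the vulnerable version returns every client; the parameterised one
    # returns nothing because no client is literally called that.
    print(compare("' OR '1'='1"))
```

The point for a firm reviewing its own web forms or client portals is that the fix is not input filtering on the form but the query style on the server: any code path that builds SQL by string formatting is the one to look for.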
What to do if you are hacked
- Identify the data or assets lost/compromised/accessed. Establish whether compromised data is sensitive.
- Call a specialist lawyer (Adam or others in his field) straight away.
- Apply for a freezing injunction, if necessary – this can be done within an hour with the help of the specialist. It needs to be done quickly if the stolen assets are to be safeguarded.
- Determine if you need to report to the ICO and SRA.
- Begin the process of technical recovery.
- Consider client and reputation management issues.
- Review how the attack happened and what lessons can be learned.
Most importantly, time is of the essence. You must act fast.
Prevention is infinitely better than cure
- Have in place robust systems and policies, such as an IT policy that requires all patches to be applied immediately and for all data to be backed up frequently.
- Review your vulnerabilities – you may need an expert to help. Almost all of the hackers’ strategies capitalise on human error. Risk can be corrected through training.
- Change your default passwords. Chillingly, websites like this show live feeds from unsecured CCTV cameras.
- Improve the complexity of your passwords. Although this makes remembering your login details more challenging, a password manager can help.
- Ensure your firewalls are effective. This can stop a Denial of Service Attack, where a website is simply bombarded with access requests until it falls over.
- Regular backups are essential. In the event of a ransomware attack, backups help you get back your data with minimal loss without paying the ransom.
- Get an expert in to test your systems every year or two to find any vulnerabilities.
- Make cyber security part of compliance, because it is a requirement of both the SRA and ICO.