Client confidentiality is not a new thing – it has always been there – it is a core professional responsibility.
However, in an increasingly IT-focused world, the dangers and potential risks of cybercrime are getting bigger and more commonplace. No surprise then that cybercrime is one of the eight risks cited in the SRA’s Risk Outlook 2015/16.
The Information Commissioner’s Office (ICO) recognises that paper files containing highly sensitive information are a ‘high risk’ when it comes to security and potential data loss (loss of paper, need for archiving, no way to encrypt such data, etc.), and although the sensible use of IT can help to eliminate some of these risks, other risks then become apparent.
The SRA and ICO are keen to promote the use of IT as a means to protect clients, but warn against becoming complacent with such systems and controls for fear that a cybercrime attack could damage a firm’s reputation, as well as put off existing and potential clients.
Good risk management is a necessity. But with 45% of law firms suffering from an information security incident in 2014, and law firms spending less on average than any other sector on internal audits, especially information security audits, it is not difficult to see why this is becoming such a problem in the legal world.
For some firms, the risk of cybercrime is more prevalent, particularly if the firm:
- deals with client money,
- deals with a large amount of client data,
- represents high profile clients,
- is involved in high-value litigation,
- is holding information that could be targeted for reasons of espionage.
As the current trend demonstrates, cybercrime is becoming much more of a threat to modern-day businesses. Worryingly, some law firms think themselves too small to be targeted, but unfortunately this is not the case. The ICO reported that data breaches increased by 9% in the last quarter of 2014, with solicitors and barristers being the fourth most commonly targeted group.
More sophisticated scams are the reasons behind some of the cybercrime we are currently seeing, including:
- details obtained from hacking are being used to impersonate a bank or the client. This is now referred to as the ‘Friday afternoon’ scam, as this is when firms are likely to be holding vast sums of money,
- details obtained from hacking are being used to impersonate the firm to clients to, for example, modify bank account details. This example demonstrates the growing link between cybercrime and the rise of bogus firms,
- some attacks use ‘ransomware’ to encrypt data and demand payments.
The Government Communications Headquarters (GCHQ) suggest that 80% of cybercrime attacks would not happen if some simple, basic guidelines were followed. These include educating employees on the following points:
- avoid guessable passwords,
- do not send email from personal email accounts,
- do not open attachments unless you are sure what they are.
This message is reinforced by the government’s Cyber Streetwise campaign.