Working from home is the order of the day and there is every reason to believe remote working will become a permanent fixture in the UK business world. But a key issue for law firms and for every individual lawyer and staff member who is remote working is the associated cyber risk – particularly for the more traditional law firm.
The reality is, since the lockdown measures were implemented, all businesses including law firms have had to make huge changes to facilitate the smooth transition from running operations from physical premises to enabling lawyers and staff to work effectively from home. This has involved a significant sea change in approach, both in forms of communication and in understanding among employees from the top down.
At the same time, clients have had to be brought with them. They will still need (or want) their legal issues to be dealt with. But client expectations are not always easy to manage – and the need for social isolation and the current lockdown means some clients’ expectations will be heightened while others will be less demanding as, for instance, their house move is stalled or their court hearing is postponed.
Firms undergoing such changes must ensure they carry out due diligence as normal. If you fail to do so, you risk breaching your regulatory duties and you also risk a cyber attack. As Law Society president Simon Davis said recently, cyber criminals and fraudsters are “circling like vultures”.
Firms have been warned in recent weeks of a very clear and present danger of cyber attack because of the pandemic and the vast increase in remote working. In late April, the Solicitors Regulation Authority (SRA) warned firms to be extra vigilant around cyber security amid growing reports that cyber criminals are capitalising on homeworking lawyers (among other targets). In response to the pandemic, the SRA updated its information for firms on the heightened cyber risks on 9 April 2020.
Recent figures illustrate the dangers. In April, Google reported that it was blocking more than 18m coronavirus-themed scam emails every single day. Meanwhile, the UK’s National Cyber Security Centre (NCSC) reported a staggering 400 per cent increase in cyber-attacks across all businesses here in the UK during the first two weeks of lockdown.
Specialists are also warning that cyber criminals are becoming increasingly sophisticated and targeted. In one case involving a law firm target, criminals attempted to create a standing order for £4,000 a month from the firm’s client account.
Criminals are taking advantage of remote workers using their home wifi and of their increased exposure from using personal devices for large volumes of legal and other work that they would not normally do. There is also the risk of being overlooked, of webcams and cameras being hacked, and of interlopers joining Zoom meetings during the lockdown.
There’s also the added risk of being exploited through your email inbox: there are many reports of phishing emails purporting to request login details and other confidential information on the pretext of covid-19 disruption and of fraudulent ‘special offers’ that are too good to be true. The NCSC gives useful guidance on how to identify phishing emails, for instance, those addressed to ‘valued customer’ or ‘colleague’, or those that contain what the NCSC calls a “veiled threat” to act urgently or to click immediately.
So if you receive an email asking for information, take a cynical approach and be slow to respond. Avoid clicking on any attachments or links in the body of the email unless you are absolutely certain you know what it is, who the email is from and you are sure it is legitimate.
As SRA chief executive Paul Philip says: “Cybercrime is a priority risk for the legal sector and it’s not going away during the Covid-19 pandemic. Criminals are always looking to take advantage and they know that security arrangements are likely to have changed as people move to homeworking.”
The Law Society has also launched a new cyber security campaign which includes providing firms with revised guidance on preventing frauds and scams, offering online training and advice on how to safely deliver legal services online and how to utilise effective legal technology during the crisis. Davis said the Society will continue to raise awareness of the dangers of online fraud during the crisis and how to prevent it.
It is for data controllers to take the necessary steps to make sure personal data continues to be held securely – undoubtedly a particular challenge in the context of mobile devices being used for work purposes at home. Notwithstanding the urgency of the lockdown and its strategic and logistical challenges, there remain regulatory expectations that systems are secure and that appropriate processes and procedures are in place.
The SRA has made it clear that firms are still expected to comply with their regulatory obligations during the pandemic, even if it will take a “pragmatic and proportionate approach” to compliance in the event of a breach – whatever such a vague proposition means.
Regular compliance checks should be undertaken. Firm leaders should also consider engaging with the NCSC’s Exercise in a Box. This could be considered as the cyber equivalent of Exercise Cygnus (the pandemic simulation exercise carried out by NHS England in 2016).