BreachExchange mailing list archives

Cyber criminals stalking legal profession


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Jul 2015 19:17:03 -0600

http://www.legalfutures.co.uk/latest-news/sra-cyber-criminals-stalking-legal-profession

The legal profession is one of the sectors of the economy most frequently
the subject of data breaches and increasingly the target of scams and
attacks by cyber criminals, according to the Solicitors Regulation
Authority (SRA).

Meanwhile, the authority has revealed that it took regulatory action on 300
occasions last year in relation to the misuse of client money, and received
an average of 118 reports on the subject each month.

In its 2015/16 risk outlook, the regulator highlighted research published
by the Information Commissioner’s Office at the end of June, which placed
solicitors and barristers fifth out of more than 40 sectors for data
breaches, ahead of general business, lenders, and central government.

The SRA said cybercrime attacks included those using ‘ransomware’, through
which hackers encrypt data and demand payment for it to be released back to
the firm.

Another scam is to use details gained from hacking the firm to impersonate
a bank or client, often targeting conveyancing firms on a Friday afternoon
when they “are likely to be holding significant amounts of money”.

A further scam connects cybercrime and bogus firms, for example when
criminals use modified bank details to steal money. The SRA’s spring risk
outlook revealed that more than 700 reports of bogus law firms were made in
2014, an annual increase of more than 25%.

Cybercrime was “an increasingly prevalent threat to modern business
practices”, said the latest risk assessment, quoting the City of London
Police Commissioner, who said in April 2015 that cybercrime could be
“bigger than the drug trade”.

Solutions to data breaches need not be expensive, the SRA stressed:
“Government Communications Headquarters (GCHQ) estimate that 80% of
cyber-attacks could be prevented if businesses follow simple guidance. They
point to basic guidance, such as educating employees to avoid guessable
passwords, not opening attachments in unsolicited e-mails and not using
personal e-mail to send and receive work-related documents.”

The SRA identified eight areas of priority risk altogether. In addition to
IT security and bogus firms, these were money laundering; improper, abusive
litigation; lack of independence; lack of diversity; misuse of client
money; and poor service, particularly for vulnerable people.

The regulator said reports of potential money laundering and breach of
anti-money laundering regulations, due to inadequate systems and control
over the transfer of money, affected a wide range of law firms and
“continue to rise”. It said that in the last year it had received 184
reports.

In relation to the misuse of client money, the SRA said it took some sort
of regulatory action on almost 300 matters, ranging from monitoring to
referring individuals to the Solicitors Disciplinary Tribunal. In 2014, the
Compensation Fund paid out some £24m, including to clients whose money was
misused.

The regulator warned that the misuse of client money could result from even
a brief lapse in supervision, with serious consequences: “We have also seen
cases where a firm’s lack of appropriate supervision of just one individual
has caused harm both to clients and the ongoing viability of the firm when
client money was misused.”

Accompanying its explanation of why a lack of a diverse and representative
profession was a priority risk – including that diversity improves the
administration of justice – the SRA added a case study to illustrate how an
inclusive approach can also deliver a commercial advantage. It involved a
firm which, after recruiting a disabled solicitor, started to offer
services aimed at disabled clients, leading to business benefits.

The section on abusive litigation – the misuse of legal proceedings to gain
an unfair advantage or benefit for a client, or the solicitor – covered
ground dealt with by an SRA report on the subject earlier this year.

Risk associated with a lack of independence included reference to research
on the pressures facing in-house counsel, published in April by Professor
Richard Moorhead at University College, London.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
