The SRA’s fraud focus
In view of the risks posed to firms by online fraud, cyber security is an area in which we all need to be a little more tech-savvy, warns Susanna Heley.
The Solicitors Regulation Authority’s (SRA) recent reminder to firms to be vigilant against fraud focuses attention on how fraudsters use social engineering techniques to obtain information from firms. This is not the first indication that the SRA is concerned about cyber security.
The increase in cloned websites and identity fraud affecting both firms and individual employees was a feature of last autumn’s risk update. The SRA also published information about the risk associated with cloud computing in November 2013 and online crime in February 2014.
Cybercrime is a common and persistent theme in the SRA’s risk resources and it is not just a local issue. Bar associations across Europe and worldwide are putting cyber security at the top of their agendas, not only in the fight against fraud and money laundering, but also because of concerns about ‘back door’ access to confidential client information stored in the cloud by state authorities and intelligence agencies.
Many firms in England and Wales, particularly smaller ones, will probably view the likelihood of the state being desperately interested in the local conveyancing market, clients’ wills, or civil and family disputes as fairly remote when weighed against the rather more immediate risk of fraudsters and money launderers cleaning out their client accounts. That view notwithstanding, firms must keep an eye on cyber security in all its forms as there is a persistent risk to both client confidentiality and client assets within the firm’s control.
The clear message from the SRA’s most recent warning is that it is often individuals (rather than systems) that are the easiest targets for fraudsters. This generalisation holds true not only in circumstances where fraudsters are experienced at reading common clues which may be used to obtain answers to security questions and passwords, but also where individuals fall victim to the desire to have simple and easily memorable passwords shared between different online accounts.
It is undeniably true that there has to be a balance struck between convenience and security. It is simply not possible to perform as our clients demand unless we make use of mobile technology and online resources. It is very tempting to have our computers remember all of our passwords and so take away the need for us to do it. What happens, though, if a computer is stolen? Is the data encrypted? What if firms allow home working and staff have work product on personal computers?
We have to trust our staff to take sensible precautions, as we must trust in the security of online banking facilities. However, we must take any suggestion of fraud or breach of confidentiality extremely seriously, and fraudsters can use our worries about such reports to manipulate us.
Cyber security policy
As fraudsters and money launderers make increasing use of sophisticated technology, we need to be increasingly wary of our reliance on technological confirmation of what we are being told. It is, for example, reasonably simple for fraudsters to fool caller ID into displaying a familiar phone number. Telephone scams involving keeping lines open and hijacking calls have also been around for a while.
Firms dealing with controversial clients may find that they are the direct target of hackers or denial-of-service attacks, and every firm’s cyber security policy will need to be tailored to meet the firm’s own online risk profile, just as every firm’s premises need to be secured for that firm’s needs.
How, then, does a firm go about setting a sensible cyber security policy? Is it just about the latest technology or must we ensure that staff are updated regularly on the latest techniques used by fraudsters? Even the most sophisticated security can be undone by an individual inadvertently revealing access codes.
Firms should look to ingrain into staff the need to treat all unsolicited calls with scepticism, to use different passwords, to avoid simple or easy-to-guess passwords, and to avoid using mobile devices when they can be overheard or the screen can be viewed by others.
Cyber security is an area in which we all need to be a little more tech-savvy. It is an area of interest for the SRA and a developing risk area which is likely to impact on professional indemnity insurance premiums.
This article was first published by Solicitors Journal and is reproduced by kind permission.
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.