Cybercrime – do not think it will not happen to your business.

Cybercrime is the use of a computer network to commit crime. It takes many forms and like any other crime may have many motives; just as someone may kill for money and another may kill through hatred; cybercriminals have acted for financial gain, for example when, in 2015, Russian hackers stole over £600 million from about 100 financial institutions Worldwide. Other cybercriminals work to expose perceived & actual wrongs and just for thrills, the leaking of details of users of the Ashley Maddison site is a prime example.

The size, like most crime is unknown – so much is undetected and unreported. The dark figure of crime.

It is critical that businesses protect themselves, even more so in regulated industries where failure to have protections in place can have disastrous consequences.

Whilst there are laws in place to make such activity a crime, catching hackers is no easy task. The Computer Misuse Act 1990 creates various offences of gaining unauthorised access to a computer system, using or copying data, using a system without authority with intent to commit a crime and unauthorised acts with intent to impair a computer. Additionally, there are offences of theft, fraud, blackmail or harassment which may also be committed, depending on the actions of the hackers and their intentions.

Nevertheless hackers are usually very adept at concealing their identities and can be very hard to trace. Watergate today, would not have involved a break in. It could have been done from anywhere in the World. Hackers may operate from jurisdictions which have little interest in cooperating with UK law enforcement, or use hijacked computers accessed through Trojan horse programs, bots, proxy servers or a range of other, ever evolving methods.

Irrespective of the offences which they may commit, cybercriminals will continue. In the cases of the more sophisticated ones, they are often far more adept than law enforcement agencies, or simply out of reach. Thus it is the targets who need to do what they can to protect themselves.

It never feels good to tell potential victims that they are to blame if they do not take precautions – If someone wants to leave their window open, the crime is the fault of the burglar and not the homeowner, however the harsh reality is that there are burglars and they will look for easy targets – it is exactly the same with cybercriminals. Moreover, where you are responsible for data of third parties, then you should make damn sure that your windows and doors are locked and bolted.

This is particularly true for regulated businesses; financial institutions, solicitors’ practices and accountancy practices are examples of organisations which routinely hold very sensitive data and clients’ money. This is a serious responsibility and regulators have very little sympathy with regulated businesses who do not take seriously their duties to protect client data and money.

Using solicitors’ practices as a example, the SRA has issued repeated warnings about the prevailing of cybercrime in the industry and the repeated targeting of law firms. They have been numerous reports of  Firms receiving calls pretending to be banks to obtain sensitive information, such as account passwords and of emails between firms and clients being intercepted, leading to client funds being paid into the criminals’ accounts.
Scammers have also been reported as sending emails accounts staff purporting to be from a senior member of staff such as a managing partner, requesting payment of funds to an account. Unwary account staff may consider they are simply following orders for transferring money straight into the hands of criminals.

Where law firms fall victim to a scam, the Law Society has published a practice note (http://www.lawsociety.org.uk/support-services/advice/practice-notes/protecting-your-firm-if-you-fall-victim-to-a-scam/ ) on what must immediately be done:

• Inform your bank
• Inform the police at the National Fraud and Cyber Crime Reporting Centre
• Inform your professional indemnity insurer.
• Inform the Solicitors’ Regulation Authority

It would also be appropriate to notify the Information Commissioner’s Office of the data breaches.

Additionally, where client funds have been targeted you will need to inform your client that your systems failed and their money has been stolen. The Partners will need to repay that money immediately.

If, for example, the cybercriminals used fake emails and were able to work their way into a conveyancing transaction, the loss of client money which would have to be immediately repaid could be several hundred thousand pounds or more. Hopefully the firm’s insurance will cover cybercrime (increasingly they do). Partners will not be able to wait until an insurer has determined whether they will cover the loss, repayment must be without delay.

If it transpires that the law firm had no systems in place or very weak systems to protect client data and money and the law firm fell victim to a scam, the SRA and perhaps the insurers may take a far harder line. We can all fall victim but making it harder for scammers will greatly reduce risk for the business and for its clients.

Scammers increasingly target law firms which concentrate on transactional work such as conveyancing and corporate transactions. Using methods such as phishing to steal information, criminals also take tremendous advantage of the very faceless way in which business is now conducted. Many law firms will handle a conveyancing transaction electronically, without ever speaking to the solicitors on the other side of the transaction. This creates vulnerability and presents real opportunities for cyber criminals. Simple actions such as checking that the law firm on the other side of the deal is not a bogus law firm and telephoning the law firm to check that the bank details which have been provided for completion monies are correct, will greatly reduce risk.

Above all else, training of staff is the most important protection regulated business can put in place.

Vigilant accounts staff will check the veracity of unusual payment requests. Trained conveyancing staff will make absolutely sure that monies go where they should. Diligent corporate lawyers will insist on meeting clients face-to-face. It is easy to be distracted with the very important day-to-day business of any regulated company however if you do not take the time to ensure that you and your clients are protected, it may only be a matter of time until you face disastrous consequences.