Tips on how to avoid cyber security risks from LLM graduate, writer at Ledger Insights and recent TWW guest, Nicole Pitches.
In January 2020 WFH was discussed little in the legal profession. In fact, no one knew what those letters could stand for. Six months later, work from home (WFH) is a commonly accepted reality even for lawyers. WFH brings freedom: additional family time, no morning traffic and the boardroom swapped for Zoom. But freedom can also bring risks, one being cyber attacks and cyber security issues.
While Security and the Law are distinct topics, Law firms handle sensitive and confidential client data which must be kept secure. Not only is this important for your reputation, it is also a requirement under data protection regulations such as the GDPR.
The Wired Wig spoke to Nicole Pitches about whether there is a Law that governs cyberspace. We also had time for a chat about three ways to protect your firm against attacks. Here is a summary:
1. Secure your networks
An easy way for cybercriminals to gain access to your computer is through dummy networks.
Dummy networks can be common in public spaces such as co-working spaces, cafes, airports and restaurants. Therefore, if your firm has opted to become fully remote, it is important your employees understand the steps they should take to remain on a secure network.
Firstly, ensure your employees are working on a secure network by making it a policy to use a VPN when not in the office. This includes using a VPN on household networks too.
Secondly, to connect to this network your employees should need to use a strong password and two-factor authentication (2FA). Strong passwords and 2FA decrease the risk of exposing your client data.
2. Email awareness
“During the pandemic, cybercriminals have begun to send COVID-19 related information, in an effort to get individuals to click the links. In fact, clicks were up 32-35% in the peak of the pandemic.”
Thought it was odd that Lucy shared a link but hasn’t had a meeting with you for a few days? Train your employees on how to identify phishing emails including malicious attachments, spear phishing, credential phishing and wire transfer fraud.
Phishing attacks take the form of malicious emails that seem as though they have been sent from a legitimate source, like a bank or government agency. Targets of these attacks may very well use and recognise these sources, and then fall victim to the attack by clicking on malicious links or downloading malicious attachments. Often the phishing attack will target private information, such as credit card or social security numbers.
Cybercriminals may attempt to play with your emotions in an effort to get you to click on a link. Examples could include sending something along the lines of ‘Cure found for COVID-19,’ or even luring you with monetary gain such as ‘The government has established new tax refund programme for dealing with the coronavirus outbreak in its action plan. You are eligible to get a tax refund of 128.34 GBP’.
Overall, a telltale sign is that the email conveys a sense of urgency and gives only a limited time to respond. The general rule is that if it seems too good to be true, the likelihood that it is a phishing attack is pretty high.
3. Scams (Office 365)
Something to watch out for in particular is the Office 365 phishing scam. It is one of the most common phishing attacks and is also used in the COVID-19 era.
Cybercriminals send a phishing email, which includes a link, referencing the workplace of the individual. The user will then be redirected to a phishing site that looks like the Office 365 login page, and if they enter their username and password, these will be sent to the cybercriminal, who can then see every email. They often do what is known as a ‘smash and grab’. This is where they will look for any invoices or similar payment documents and then change the wiring instructions so any money will be sent to them.
The solution is rather simple: multi-factor authentication (MFA). MFA adds an extra layer of security by requiring multiple credentials to be entered, such as a PIN sent to your phone, or an extra security question. It is one of the most effective ways to greatly reduce the risk of business email scams.
It may require extra work to ensure all work devices are secure and employees follow a security-conscious culture. However, security will only become more prevalent in the future.
The Wired Wig helps to plug Digital and Technology Law into businesses. It explains technology concepts and informs business leaders and students how the Law could respond to innovation.