Unfortunately, a further instance of fraud perpetrated against an unsuspecting client of a law firm has recently been reported.
Although the subject of national press coverage, this is not an isolated incident – most firms will have a story about a very close shave with the cyber criminals. Unfortunately, an increasing number will have salutary tales of how they have been the victim of a fraud. The SRA reports regularly on an increasingly worrying number of targeted attacks by cyber criminals (as reported in the article). Of the nearly one in ten attacks resulting in money being stolen, the largest sum stolen in one attack is said to be over £2m. Quite frankly, neither the SRA nor the law enforcement agencies have a real handle on what well-organised criminal gangs, motivated by easy access to huge sums of money, are up to, and that is not intended as a criticism. Often it is simply a case of trying to educate the regulated community about the latest methodologies when the criminals have already moved on to a new way of attacking the firm. Sadly, all they can do is monitor the orderly closure of a firm after a successful attack.
So these are worrying times for many firms. It is no longer sensible to sit with your head in the sand hoping that you will not become a victim. You should of course invest in the most appropriate IT security infrastructure that you can – this doesn’t mean spending whatever it takes, but taking advice from a specialist (rather than your usual IT adviser) may help to close off some of the gaps and weaknesses the criminals seek to exploit.
GCHQ has commented that most cyber attacks and frauds can be prevented by adopting some simple measures. Arm yourself with as much information as you can about the methodologies in use by the criminals and then ensure that your staff are trained and clients are educated about how they play their part in protecting money and other assets.
Providing fraud warnings to clients in your client care material and in your email signatures is another step that can be taken to warn clients to treat email communication carefully and not to assume that it is anything more than an electronic postcard that can be easily intercepted and changed. Many firms have already adopted this approach.
Your own staff also play a major role in combating the criminals and can be the weakest point in your defences. A firm may have reasonably sophisticated IT security systems in operation, yet a fraud attempt succeeds because a member of staff is caught unaware or unprepared and fails to notice, or does not refer or escalate, warning signs.
Finally, the article references a comment from an SRA spokesman suggesting that the firm’s professional indemnity insurer will cover the loss. This is often not the case, and insurers will often dispute the claim, particularly if they believe their insured has been culpable. Even if the claim is paid, a claim for partial reimbursement may still be made against the insured firm, particularly if the cyber security measures have been misrepresented on the PII proposal form, says Risk & Compliance specialist Andrew McLauchlan.
Thank you to Andrew of SSB Compliance www.ssbcompliance.co.uk for this guest post. For more information please feel free to contact [email protected] or 07484 065 102