Cybercrime: managing the risk


1 Cybercrime: managing the risk
Robert Loughlin and Debra Malpass, SRA
Michelle Rosen, Brightstone Law
Sian John, Chief Security Advisor, Microsoft

2 Today’s session
Cybercrime and the impact on people and law firms
Four common types of cybercrime
What we are doing to help
Panel discussion: Keeping your firm safe: Debra Malpass, Head of Research and Analysis, SRA; Michelle Rosen, COLP at Brightstone Law; Sian John, Chief Security Advisor, Microsoft
Your views, observations and shared experiences

ROBERT: Here is a quick run through of today’s session. We have lots to pack in, and there will be opportunity for questions and contributions at the end. First I will talk a little about the impact cybercrime is having on firms and the wider public. After that, Debra will discuss the four types of cybercrime we see. Then back to me to let you know about the steps we are taking. And then it is over to our panel. We invited questions before the session and we will use these to flesh out some top tips and best practice. We will then invite you to share thoughts, best practice and top tips. You can also ask the panel questions.

3 The solicitors and law firm market
£30.1bn Collective turnover
10,300 Firms
140,000 Individuals

ROBERT: The legal market is quite a significant one. We regulate over 140,000 practising individuals and over 10,000 individual law firms in a legal services market worth more than £30bn annually. And this market – your market – is a success story. Legal services are a major export, with our laws being a routine choice for international business deals and with our courts enjoying a worldwide reputation for integrity and fairness. And the work you do helps people access justice at critical times, helps businesses flourish, and helps underpin the success and indeed survival of our economy. The market, however, also faces challenges. One of the challenges is how it modernises for the digital age, how it reacts to changing consumer behaviour and how it adapts to increasing use of technology. We all feel the benefit of business internet use. We can access information, communicate instantly, order goods from anywhere, while costs are lower. Going forward, increasing automation raises the prospect of more innovative, more affordable, more effective services. Yet those very benefits can also make law firms and their clients vulnerable to cybercrime. As I said, the information and money you hold for clients is an attractive target. So you need to make sure your firm has robust processes to protect yourselves, and your clients.

4 Cybercrime - Impact on the public
1 in 10 people falling victim
Online crime is now the most common crime in the country
2 out of 3 Large businesses detected a Cyber attack In
2 million Computer misuse offences in a year

ROBERT: Cybercrime is increasing, nationally. It is now the most common crime in the country – with 2 million computer misuse offences and 3.6m cases of fraud last year – this is contrasted with around 1.2m criminal damage offences. A couple of these key statistics jump out at me. One in ten people have been the victim of cybercrime and two out of three businesses too.

5 Cybercrime - Impact on law firms
132 Reports of cybercrime in the last 12 months
1 in 4 Law firms say they have been targeted
1 in 2 Cybercrimes reported to us involve modification fraud
£12m Client money reported lost to modification fraud in 2016

ROBERT: Looking at the legal market, we also see this increase reflected. Around 2500 firms affected. But 132 reports to us last year, with around half involving modification fraud. This shows you are preventing successful attacks and doing a good job. But does it show under-reporting too? 12m reported lost to these frauds. But we do suspect some under-reporting in this area, and information from insurers indicates the losses could be higher. So now Debra is going to cover four of the most common cybercrimes we see reports of.

6 Cybercrimes and frauds
Hacking
Modification
CEO Fraud
Ransomware

DEBRA: Hacking means the exploitation of vulnerabilities in an IT system to gain unauthorized access. The Panama papers leak was the result of hackers exploiting flaws in a law firm's system. Hacking can be as simple as guessing a weak password. Repeated use of a password across different websites can help hackers. But more technical hacking relies on finding faults in programs that make it possible for hackers to gain access that they should not have. We know hackers try and gain administrator accounts on systems so they can access and alter everything. We also know they target older unsupported systems, which means systems that are no longer updated by their provider, such as Windows XP.

Ransomware is a type of malware… a harmful computer program often referred to as a 'computer virus'. Again they will target system vulnerabilities such as unsupported older software. In these cases the ransomware scrambles files and will not release them until a ransom is paid – often in bitcoin. The NHS had an issue with this in the summer and major law firms have been attacked too. Keeping your software up to date and keeping back up files is the best way to protect against this.

Modification fraud, as Robert said, is the most common type of cybercrime we see. It is also commonly known as Friday afternoon fraud. This fraud involves criminals accessing and altering the client's emails to the solicitor or vice versa. The aim is to alter bank details, in order to redirect completion funds to the criminal rather than the client. It does not occur only on Fridays, but that is a time when many completions take place. It also potentially buys the fraudster time over the weekend before the crime is detected. Banks or insurance will not necessarily reimburse the losses in these cases; remedies are offered on a case by case basis, specific to the facts. In these cases, it is hard to know whether the solicitor or the client was hacked, or to establish how the criminals identified their targets. It is worth specifically considering how to address this. Conveyancers and others who hold and transfer large sums of client money are at the most risk. And this accounts for the majority of the 12m reported lost last year.

And finally CEO fraud. This is a business risk, that will not necessarily impact your clients but could have severe consequences for your business. And it is so simple. Hackers either obtain access to your system or impersonate an email from your CEO. They send an email to the accounts department requesting a money transfer to be done ASAP. The accounts department don’t question the boss, and send the money on to the criminal's account. The in particular shows the role human error can play in being vulnerable to cybercrime.

During the panel session shortly we will discuss some top tips for tackling these issues, but for now I will hand back to Robert, to discuss what we as regulators are doing…

7 Guiding and informing
IT Security: keeping information and money safe

ROBERT: Thanks Debra, and I know that all sounds like quite scary stuff!… but as we will discuss there are some very simple steps that you can take to make it so much harder to become a target. So here is what we are doing… In addition to sessions like today we try to be thought leaders in this area. Last December we launched a must read paper on keeping information and money safe. Through analysing the risk we are able to feed the stories and issues back to you to raise awareness and encourage best practice.

8 Guiding and informing
Information Security
Protecting client money

ROBERT: This summer saw the release of our fifth annual Risk Outlook, which is regularly updated with information and top tips. The two key chapters on information security and protecting client money include a great deal of information about cybercrime and how to protect yourself.

9 Responding through reform
Consulted on more flexible client account rules including permitting use of third party managed accounts
We are talking to Professional Indemnity Insurers about the increasing number of cyber-related claims to inform our review of solicitors' professional indemnity insurance

ROBERT: We also look to respond through reform. We hope that reforms to the accounts rules, including permitting the use of third party managed accounts, can help law firms manage the risks to client money – making changes to how money transfers are executed. We will also be looking again at Professional Indemnity Insurance - we need to make sure that the protections in place are fit for the digital age and address the risks clients and firms face.

10 Enforcement
Solicitors and regulated firms must report loss of client money or information to us
A proportionate approach – looking at the facts
Recent regulatory settlement agreements: formal rebukes and costs

ROBERT: Finally, where there has been serious misconduct we will take action. Solicitors must report losses of information and money to us. Even if it is replaced. But we will be proportionate: we understand that quite often it is the firm themselves that is the victim of crime. However, we expect reasonable steps to have been taken. When we do receive a report about cybercrime, we will aim to take a constructive approach in dealing with the firm. This will particularly be the case if the firm: is proactive and lets us know immediately; has taken steps to inform the client and as a minimum make good any loss; shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again. When this does not happen we will take action. In two cases this year we have fined and rebuked firms for transferring money to criminals. In these cases they did not have systems and controls in place to prevent the fraud, having failed to confirm with the client that an email asking to change payment details was genuine. In one case it was really quite clear that the email was not from the client. In the other case a firm delayed in both reporting the matter to us and in remedying the loss. So now we turn to the panel. We have set out the risks and issues and hopefully they will be able to share with us their insights in how to tackle cybercrime.

11 Cybercrime: managing the risk
Panel discussion
Robert Loughlin and Debra Malpass, SRA
Michelle Rosen, Brightstone Law
Sian John, Chief Security Advisor, Microsoft

ROBERT: Panel discussion. Michelle, please introduce yourself and any brief perspectives on today’s debate.
Microsoft
Other Panel questions:
Starting with modification fraud… what can law firms do to prevent this? Prompts for answers: Not accept changes of bank details by email or on day of transaction; Send £1 to account first and check; Train staff and make them aware of the risk.
How can they increase the awareness of this risk with clients? Warn clients of the risk earlier; Put it on footers etc.
What about more broadly, thinking of ransomware, hacking etc…. What are the top three things a COLP should focus on to stay cyber-safe? Keep software updated and don’t use unsupported software – go online to easily check software status. Know your client procedures and stick to them. Understand where you keep your data, how often it is backed up and how accessible it is. Practice disaster recovery. Train staff – human error such as not updating passwords, giving away information on the phone or social media can leave your front door open. We know that timely reminders can help staff spot scams and protect your firm. They are the first line of defence! Let the managers and owners “own” the issues. It is not an IT issue or even a compliance issue, it is business critical and leaders need awareness raising, training and governance around this.

12 Over to you
Questions?
Comment/observations
Any best practice to share?

ROBERT: Invite questions, top tips and observations….. If slow…some questions: What top tips do you have for protecting against modification fraud? As COLPs, how do you sell the importance of cyber-security to your firms?

13 Find out more
Thank you
Risk Outlook www.sra.org.uk/risk
IT Security Paper /information-security-report.page

ROBERT CHAIR: Closing remarks. Slides and video of today available on the website. Please share with colleagues. Talk to the team about risk outlook and grab a copy. You also have a leaflet in your delegate packs directing you to risk outlook online. Take a look at our paper on IT security and share it widely. Thank panellists and audience.

