Cyber crime accounts for nearly 50% of all reported crimes and cost UK businesses an estimated £30bn in 2017. With 43% of businesses reporting a cyber attack or breach last year, the movement of criminal activity from the physical to the cyber world shows no sign of abating.
Against this threat firms have a duty of care to :-
- Protect privileged client information
- Ensure the business can operate
- Protect brand value
- Protect staff welfare
In order to do this most firms have embarked on a program to increase their cyber security (the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorised access).
With the tightening of technology-based security, attackers are moving from “old school” hacking, where they seek to gain access to solutions via a direct connection to your network, to social engineering hacking, where they seek to trick people into providing the access and bypass the security solutions by using intelligent “scams” based on data harvested from various sources.
This change of approach has put staff members at the forefront of cybercrime activity. In a recent survey 91% of IT professionals highlighted “users” as a major vulnerability, with 62% believing this to be the largest threat. This is borne out by the fact that 72% of data breaches are directly attributable to staff receiving fraudulent emails and 67% of targeted attacks are aimed at junior members of staff.
It has to be accepted that human behaviour is the biggest risk to a firm’s security but it should also be recognised that staff members are now under a constant attack from organised cyber criminals and therefore need education and protection from social engineering hacking.
Types of activity
There are four types of activities which cyber criminals are seeking to undertake :-
Steal data
In these attacks, criminals are either looking to find specific information for a specific reason or are collecting information which will be useful for future attacks.
For example, emails and passwords collected from one cyber attack can be used later for “intercept” fraud or used to gain access to other services. Data is often shared on the dark web and used several years after it was first gathered.
In other cases, attackers are looking to find out data for personal interest (such as Gary McKinnon who hacked the US military claiming he was looking for proof of UFO cover-up) or for business reasons.
There have been several cases of Law Firms discovering “unexplained” devices inserted into PCs which have been found to have been collecting information from the network.
Steal Funds
In these attacks, criminals are seeking to extract money from their target. There are two common frauds which most law firms see on a regular basis:
- The “conveyancing intercept” is an example of a fraud where the criminals seek to divert funds during a conveyancing transaction. Often for this fraud the criminal has been silently monitoring emails for years until they pick up key words relating to a property transaction.
- The false “Invoice” scam where false instructions are sent to the finance team from a senior person.
There is also a growing theme of “Money by menaces” style fraud:
- Firms are hit by an “encryption locker” (aka “ransomware”) and have to pay the perpetrator to regain access to the data. There have been several high-profile cases of firms paying the “ransom”.
- Members of staff receive targeted personal threats. Often this relates to information gathered elsewhere or threats of release of embarrassing pictures or information. They are coerced into assisting with the targeted crime.
Disrupt Operations
Often hackers want to gain notoriety or cause disruption to businesses by bringing systems down. Sometimes these are individuals doing it for “fun” but often there are groups of people, known as “Hacktivists” who have a stated aim to cause disruption.
For example, there are teams of anti-capitalist activists trying to disrupt the stock market and banking systems.
These attacks are typically “denial of service”, where the business cannot operate because its systems are not available, or a general disruption to business caused by viruses or ransomware.
Embarrass
Sometimes hackers aim to cause embarrassment to their target. Often this is a tactic used by the hacktivist campaign groups, but equally it can fall into the “Money with Menaces” category.
Types of threat
There are two basic types of threats:
Crimes which target Networks or Devices
In this scenario the attackers are seeking to collect information from network devices, propagate a virus or ransomware or to undertake a denial of service attack.
Crimes which target individuals
In this scenario the attackers are targeting individuals either to gain access via them (as a weakness) to the Network or to undertake a fraudulent action.
Where the attacker is trying to gain access to the network they normally are seeking to get the target to inadvertently run software which will give them the access they need.
How do they do it
1. Email remains the most widely used method of trying to trick members of staff into either running software or undertaking a desired action.
   - Phishing: the use of fake emails that look legitimate in order to induce individuals to reveal personal information, such as passwords and credit card numbers (aka “the Nigerian Prince”).
   - Whaling: a type of phishing attack directed at higher level executives or employees with permission to instruct finance to make payments. It is called Whaling because the big fish is targeted instead of the little fish. It normally comprises an email from a Partner/CEO to someone in finance instructing immediate payment.
   - Email Interception: the use of fake emails to “intercept” a business transaction (“change of bank details”).
   - Malicious Links: normally distributed by email or fake websites.
   - Malware: software written to compromise your network or steal your data. It can be activated by clicking on links in emails or opening email attachments.
   - Ransomware: where a hacker enters your computer and accesses your files, locking you out of them. The hacker then demands a ransom (usually money) before he will give you your files back.
2. There is a growing number of “spoof” websites which look exactly like the real website but contain code to provide the desired access to the accessing PC.
3. USB keys are often used to trick people into running software which is pre-installed on them. The US Government planted USBs in car parks of government buildings. 60% of people who picked them up put them into their computer and 90% of those allowed the “auto run” to install on their computer.
Hackers have been known to leave USBs in coffee shops in financial districts.
4. The “Dark web” is full of databases of email addresses and passwords which have been gathered from previous leaks. This information is then used to find vulnerabilities during other hacking activities. For example, if your username and password were collected during the TalkTalk data breach they could be used by a different hacker to try to access your email or Facebook account.
Hackers can be very patient and it is often years between the original leak and the subsequent attempt to undertake fraud. Equally there are occasions where hackers have been found to have been monitoring email traffic for years before they undertake any action.
Who’s Doing it?
There are seven identified groups of cyber threat sources :-
- Nation states or national governments
- Terrorists
- Organised crime groups
- Hacktivists and hackers
  - Hacking for Fun
  - Hacking to steal
  - Hacking to disrupt
- Industrial spies
- Business competitors
- Disgruntled Employees
In a law firm context some of these may seem to be a little over the top but, as detailed earlier, a litigation firm discovered “unexplained” devices inserted into PCs which are thought to have been planted by a 3rd party via the cleaning staff.
The biggest risk is disgruntled employees, especially those with enhanced permissions on the network. This is particularly prevalent in law firms, with fee earners leaving with precedent banks or client lists.
What can we ask Staff to Do?
There are three areas where staff can help protect themselves and the firm :-
Data Security
- Keep PCs/Macs secure
  - Log off and shut down personal computers (PCs, Macs & Laptops) when not in use or outside office hours.
  - Ensure all PCs, laptops & mobiles are secured with a password protected screen saver with the automatic activation feature set at 30 minutes or less.
- Keep devices secure
  - Secure and store out of sight any portable equipment such as laptops, mobile phones, and tablets such as iPads, in a locked drawer or cabinet when not in use.
  - Secure and store out of sight any data media, such as CDs, when not in use. If they contain highly sensitive or confidential data, they must be locked up or encrypted.
- Keep your PC safe
  - Before accessing media such as data disks, CDs, DVDs and other portable storage devices from unknown or 3rd party sources, scan them for viruses and malicious software on a machine that is not connected to the network.
DO NOT
- Download and run files or open email attachments from unknown, suspicious or untrustworthy sources. These files may contain viruses and malicious software.
- Use USB ports on your desktop computer or laptop for connecting non-IT approved devices, such as USB flash or disk drives, cameras, mobile phones, etc.
- Copy data onto your Personal PC.
Email Security
Always look out for fraudulent email. Viruses, malware and ransomware are often delivered via e-mail which looks to have been sent from an authentic source, but there are often tell-tale signs.
The main points to double check in all e-mail messages are:-
- Is the message from an unknown person/e-mail address or company?
- Is there a suspicious E-mail address e.g. the display name does not match the e-mail address?
- Is there an attachment(s) on unsolicited or unexpected messages even if from apparently internal or official e-mail addresses?
- Does the message have a generic salutation?
- Does the message contain any links?
- Is the message requesting you take urgent action, open attachments or follow links?
If you receive an e-mail with one or more of the above characteristics, it should be viewed with suspicion.
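The checklist above can also be applied mechanically as a first-pass filter, for example by a helpdesk triaging reported messages. The following is an added example, not part of the original article: the staff directory, the known domains, the word lists and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical values): the firm's own directory and known domains.
KNOWN_SENDERS = {"jane partner": "jane.partner@examplefirm.example"}
KNOWN_DOMAINS = {"examplefirm.example", "client.example"}
GENERIC = re.compile(r"^\s*dear (customer|client|user|colleague|sir|madam)\b", re.I | re.M)
URGENT = re.compile(r"\b(urgent(ly)?|immediate(ly)?|asap)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

def triage(raw):
    """Return which of the checklist items a raw e-mail message trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    body, has_attachment = [], False
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload())
    text = "\n".join(body)
    # A display name we know, arriving from an address we do not expect for it.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    checks = {
        "unknown sender": addr.rpartition("@")[2] not in KNOWN_DOMAINS,
        "display name does not match address": expected is not None and expected != addr,
        "attachment": has_attachment,
        "generic salutation": bool(GENERIC.search(text)),
        "contains links": bool(LINK.search(text)),
        "urgent action requested": bool(URGENT.search(text)),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed sample: a "whaling" style payment instruction to finance.
SAMPLE = """\
From: Jane Partner <jane.partner@examplefirm-payments.example>
To: finance@examplefirm.example
Subject: Payment needed
Content-Type: text/plain

Dear colleague,
Please pay the attached invoice immediately using the details at
http://payments.invalid/invoice
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("SUSPICIOUS:", flag)
```

A message that trips none of the checks is not proven genuine; the checks only prioritise which messages to look at first.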
Unsure about an email?
- Do Not open any attachments or click on any links
- Delete the message or contact the Helpdesk for advice
- Never forward the message on to another person
- Think before you click!
Password Security
Passwords are the bane of modern life but remain one of the major weaknesses with an estimated 3% of people still using “password” for their password!
All precautions must be taken by the owner of a password to safeguard its confidentiality. You should treat passwords like your personal bank pin code and good practice suggests you do not:
- Share your passwords with anyone, including colleagues, even when going on holiday.
- Write passwords on a pad / sticky notes in your work environment.
- Reveal your password over the phone to anyone
- Include your password in an email
- Use the same password for work and personal use
- Use the same password for different systems
Given the number of systems we use on a day to day basis it is easy to end up in “password hell”. However, it is also advised not to use a “password database” app as several of those have been hacked or are false harvesting applications.
Instead we would recommend that you have a different password for each major system which holds important data and a more common password for sites with less important information (e.g. BBC iPlayer).
Good Practice
Create a password based on a song title, affirmation, or other phrase and swap letters for special characters or numbers for example :-
- Phrase: This May Be One Way To Remember
- Password: TmB1w2R! or Tmb1W>r~
- Song Title: You’ve (You Have) Lost That Lovin’ Feeling
- Password: Y’h1tlf!
- Phrase: To be, or not to be, that is the question
- Password: T60n2btit?
We would recommend that you DON’T
- Use words found in a dictionary.
- Use common usage words.
- Use names of family, pets, friends, co-workers, fantasy characters (e.g. Superman1), etc.
- Use computer terms and names, commands, sites, companies, hardware, software (e.g. IBM1).
- Use words related to the name of the firm or any derivation.
- Use birthdays and other personal information such as addresses and phone numbers.
- Use word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Use any of the above preceded or followed by a single digit (e.g., secret1, 1secret).
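The list above translates directly into a check that can be run when a password is set. The following is an added example, not part of the original article: the word list and firm name are constructed placeholders, and `personal` is a hypothetical parameter for names and dates known about the user.

```python
import re

# Assumptions (hypothetical values): a tiny word list and firm name stand in
# for a real dictionary and the firm's own naming.
WORDS = {"password", "secret", "superman", "ibm", "welcome"}
FIRM_TERMS = {"examplefirm"}
RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789"]

def _is_pattern(s):
    """Keyboard/alphabet runs (either direction), aaabbb blocks, mirrored digits."""
    run = len(s) >= 4 and any(s in r or s in r[::-1] for r in RUNS)
    blocks = re.fullmatch(r"((.)\2{2,})+", s) is not None
    mirrored = len(s) >= 4 and s.isdigit() and s == s[::-1]
    return run or blocks or mirrored

def weaknesses(password, personal=()):
    """Return, sorted, the DON'T rules from the list that a password breaks."""
    p = password.lower()
    # Rule: "preceded or followed by a single digit" -> also test the bare core.
    cores = {p, re.sub(r"^\d(?=\D)", "", p), re.sub(r"(?<=\D)\d$", "", p)}
    private = {t.lower() for t in personal}
    found = set()
    for core in cores:
        if core in WORDS:
            found.add("dictionary or common word")
        if core in private:
            found.add("personal information")
        if any(term in core for term in FIRM_TERMS):
            found.add("firm name")
        if _is_pattern(core):
            found.add("word or number pattern")
    return sorted(found)

if __name__ == "__main__":
    # Constructed inputs taken from the examples quoted in the list.
    for pw in ["secret1", "1secret", "Superman1", "qwerty", "123321", "TmB1w2R!"]:
        print(pw, "->", weaknesses(pw) or "no listed weakness found")
```

An empty result only means none of the listed rules fired; it is not a strength rating.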
Have you been got?
There is a very useful website, “Have I been pwned” (https://haveibeenpwned.com/), which is a database of email addresses which are known to have been hacked or involved in a data leak.
Ask staff to check their email addresses regularly on this site and to change passwords immediately if their email address appears there.
Regular Updates
Most firms will have appropriate procedures in place but there should be a regular staff briefing to update on the scams which are currently active and the activity you are seeing as a firm.
Staff need to be able to report any cyber threats they experience, especially those which are of the coercion nature. Firms would be advised to set up a notification process for such occurrences and to treat employees as vulnerable to such activities.