This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Sign Up for our Free Newsletter
Solictors Journal logoSolictors Journal logo
Susanna Heley

Partner, RadcliffesLeBrasseur

The SRA's fraud focus

Feature
Share:
The SRA's fraud focus

By

In view of the risks posed to firms by online fraud, cyber security is an area in which we all need to be a little more tech-savvy, warns Susanna Heley

The Solicitors Regulation Authority’s (SRA) recent reminder to firms to be vigilant against fraud focuses attention on how fraudsters use social engineering techniques to obtain information from firms. This is not the first indication that the SRA is concerned about cyber security.

The increase in cloned websites and identity fraud affecting both firms and individual employees was a feature of last autumn’s risk update. The SRA also published information about the risk associated with cloud computing in November
2013 and online crime in February 2014.

Cybercrime is a common and persistent theme in the SRA’s risk resources and it is not just a local issue. Bar associations across Europe and worldwide are putting cyber security at the top of their agendas, not only in the fight against fraud and money laundering, but also because of concerns about ‘back door’ access to confidential client information stored in the cloud by state authorities and intelligence agencies.

Many firms in England and Wales, particularly smaller ones, will probably view the likelihood of the state being desperately interested in the local conveyancing market, clients’ wills, or civil and family disputes as fairly remote when weighed against the rather more immediate risk of fraudsters and money launderers cleaning out their client accounts. That view notwithstanding, firms must keep an eye on cyber security
in all its forms as there is a persistent risk to both client confidentiality and client assets within the firm’s control.

Easy targets

The clear message from the SRA’s most recent warning is that it is often individuals (rather than systems) that are the easiest targets for fraudsters. This generalisation holds true not only in circumstances where fraudsters are experienced at reading common clues which may be used to obtain answers to security questions and passwords, but also where individuals fall victim to the desire to have simple and easily memorable passwords shared between different online accounts.

It is undeniably true that
there has to be a balance struck between convenience and security. It is simply not possible to perform as our clients demand unless we make use
of mobile technology and online resources. It is very tempting to have our computers remember all of our passwords and so take away the need for us to do it. What happens, though, if a computer is stolen? Is the data encrypted? What if firms allow home working and staff have work product on personal computers?

We have to trust our staff to take sensible precautions, as we must trust in the security of online banking facilities. However, we must take any suggestion of fraud or breach
of confidentiality extremely seriously, and fraudsters can use our worries about such reports to manipulate us.

Cyber security policy

As fraudsters and money launderers make increasing use of sophisticated technology, we need to be increasingly wary of our reliance on technological confirmation of what we are being told. It is, for example, reasonably simple for fraudsters to fool caller ID into displaying
a familiar phone number. Telephone scams involving keeping lines open and hijacking calls have also been around for a while.

Firms dealing with controversial clients may find that they are the direct target
of hackers or denial of service attacks, and every firm’s cyber security policy will need to be tailored to meet the firm’s own online risk profile, just as every firm’s premises needs to be secured for that firm’s needs.

How, then, does a firm
go about setting a sensible cyber security policy? Is it just
about the latest technology
or must we ensure that staff are
updated regularly on the latest techniques used by fraudsters? Even the most sophisticated security can be undone by an individual inadvertently revealing access codes.

Firms should look to ingrain into staff the need to treat all unsolicited calls with scepticism, to use different passwords, to avoid simple or easy to guess passwords, and
to avoid using mobile devices when they can be overheard
or the screen can be viewed
by others.

Cyber security is an area
in which we all need to be a
little more tech-savvy. It is
an area of interest for the
SRA and a developing risk
area which is likely to impact
on professional indemnity insurance premiums. SJ

Susanna Heley is a solicitor at RadcliffesLeBrasseur