By Legal Futures’ Associate Thames Water Property Searches
For business leaders in the conveyancing sector, ‘Friday Afternoon Fraud’, whereby cyber criminals intercept emails between a conveyancer and client to steal funds intended for a property purchase, is now a widely understood and recognised risk to law firms and their clients. Indeed, authorities and regulators have made great strides in providing detailed guidance on avoiding cyber fraud in property transactions.
The Conveyancing Association, for example, published their ‘Cyberfraud and Fraud Protocol For England and Wales’ which sets out each of the cybersecurity threats with practice guidance to mitigate them. This guidance is particularly useful as it extends beyond just Friday Afternoon Fraud with email interception. In this article, we will look at a range of best practice security recommendations beyond the more basic measures implemented by law and conveyancing firms. By doing so, it is our aim to assist conveyancing businesses in considering the whole range of interventions needed to protect both themselves and their valued clients.
Make your network watertight
There is no lack of information, technology, and software available to experienced or would-be hackers, and they will use any means to access your systems. However, many businesses believe that because they are dependent on cloud-based business systems or have very little in the way of physical IT infrastructure, cyber-security is outside of their hands. Unfortunately, this is not how the authorities or clients would view a cyber compromise. Ultimately you need to know of any vulnerabilities within your systems which leave you open to a cyber hack. Central to this should be determining the effectiveness of your network firewall – which acts as a filter allowing only specified inbound and outbound network traffic to pass. This vital element of your firm’s cybersecurity needs to be well administered and up to date with the latest firmware. Any hacker worth their salt will have a list of the standard open-door vulnerabilities (in the form of open ports) that many businesses commonly fail to close. If you lack the necessary in-house skills, it is valuable to consider having your systems ‘penetration tested’ by a third-party IT security specialist. Encryption is also vital. Not only must you make sure the data on your devices are encrypted (especially for any device leaving your office), but any communication between your office and the outside world should be protected (for example using a secure virtual private network – VPN). And from your clients’ (or potential clients’) perspective, they will expect to see that your website is secure and encrypted – as denoted by a padlock symbol on a web browser and an ‘https’ web address. If your business does not put this in place, it may be seen as a glaring oversight by those seeking to use your services.
System access security is also paramount. While most businesses implement password policies, these often do not go far enough. It is essential that user accounts are actively administered and ‘locked down’ – including only allowing minimum security permissions and implementing a strict standard for password changes and formats. Multi-factor authentication is also an extremely effective deterrent, as this avoids the potential for password theft, as an additional second, or third authentication mechanism is used to verify the accessing user.
Potentially crippling malware attacks can be avoided by locking down all devices to prevent the use of USB devices or unauthorised software installation. In addition, mobile device management (MDM) can be used to lock down the functionality of smartphones and tablets, which can be easily compromised if used in their factory state.
Ultimately, the task of identifying vulnerabilities, spotting signs of an active or previous cyber-attack, and removing threats requires expert skills that you may not possess in-house. If recruiting a full-time employee in this space is not an option, you could consider seeking external IT security expertise on a fixed monthly fee basis, or upskilling existing staff, for example through the National Cyber Security Centre’s own ‘Cyber Essentials Certificate’ programme.
Taking control through robust policies and training
Looking beyond the technological aspects of cybersecurity risk mitigation, it is essential to consider the biggest risk of all – your people. It cannot be emphasised enough how even the smallest mistake, no matter how innocent and unintended, can cost a legal practice their solid reputation. To this end, it is important to have written standards and policies for every single aspect of your cyber threat prevention methodology, and this must be regularly updated and communicated effectively (on an ongoing basis) to all of your staff without exception. To do this comprehensively, you will need to take a 360-degree view of your organisation, looking at each stakeholder in the conveyancing process, and how their role needs to be fulfilled to eliminate risks. It is also best practice to monitor for compliance with the policies in place, as while your staff may know the theory of cybersecurity as it pertains to your organisation, because they aren’t being held to account for doing so, you may remain at risk. An example of a cybercrime policy is produced by the conveyancing regulator, CLC, which covers aspects including IT systems, a ‘response plan’ to be actioned following a cyber-attack, and prevention steps. While this provides a solid starting point, there is nothing to stop your business expanding on this to cover each stakeholder and providing more depth. By making your policy a centralised, version-controlled document, with assigned owners, you can ensure it becomes integral to the cyber protection of your business.
No room for complacency
According to HSBC UK, cybersecurity is now the highest priority investment for the largest 50 law firms, such is the danger of breaches to their operations. And while not all businesses have the spending clout of the biggest law firms, most conveyancers do not have the operational complexity and scale of those organisations. The danger of not investing in cybersecurity, apart from those already identified in this article, is that if the smaller businesses are not seen to be protecting clients in the same way the big firms are, this will only serve to drive clients away.
By taking an agile approach to ensuring you have the necessary expertise, perhaps by contracting external IT specialists, or employing someone on a part-time basis to focus on all aspects of your cybersecurity strategy, you can reduce the cost overhead while actively controlling the risks of a potentially destructive attack.
At Thames Water Property Searches we call ourselves “the property search experts” for good reason. We are not only a search supplier, but we also are a search producer of the CON29DW and a partner of NLIS. Working closely with leading suppliers such as Lawyer Checker we ensure that we not only sell the searches but fully understand the detail within them, especially ensuring that your clients are secure when ‘cyber security’ is concerned.
We understand complexity and take the time to support you with issues that may arise offering that bespoke service which you normally only receive from the smaller companies and at a premium. Here at Thames Water Property Searches you get that service as standard, along with the trusted brand of Thames Water knowing that we will always be here to support you. For more information please contact us on 0845 070 9148 or email twps@thameswater.co.uk.