Running 21st century practice

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1

Cybercrime

cpm21 (21st Century Professional Management) is a trading name of cpm21 Ltd.

Registered office: Ty Menter (Venture House), Navigation Park, Abercynon CF45 4SN

Registered company number 7988356 (England and Wales)

Tom Horrocks

Page 2

Tom Horrocks BA MBA – Associate Consultant

• Solicitor with 30 years PQE

• Partner in High Street Practice

• Senior Lecturer on the Legal Practice Course and accredited CPD provider

• Council Member then CEO of the regulator The Council for Licensed Conveyancers

• Director Compliance & Risk Management at two distance volume conveyancing companies

Mobile: 07825 565353

Email: [email protected]


Page 3


CPM 21 – An Overview

Name: Wayne Williams

Title: Principal Adviser

Address:

cpm21

Ty Menter (Venture House)

Navigation Park, Abercynon

CF45 4SN

Telephone: 07970 994180

Email: [email protected]

Web: www.cpm21.co.uk

Name: Paul Jones

Title: Senior Associate Adviser

Address:

cpm21

Ty Menter (Venture House)

Navigation Park, Abercynon

CF45 4SN

Telephone: 07796 363269

Email: [email protected]

Web: www.cpm21.co.uk

Consultancy & Training

• CPD and Competency based training

• Money Laundering training

• COLP/ COFA compliance support & training

• Professional Skills Course (PSC)

• Conveyancing Process Risk Review

• Compliance Audits

• Performance Management

• Strategic Planning

• LEXCEL 6/ CQS/ WIQS/ SQM

Page 4

Our Firm – a target for cyber criminals – really?

“If there is a common denominator in every data breach, it is the claim by victims that the attack was ‘sophisticated’…. Yet what is alarming is how unsophisticated most attacks are…. the majority of criminals are using basic tools off the shelf. ….While it is easy to think of these attacks as the result of sexy high-tech hacking, the main attack vectors are still phishing e-mails and infected websites distributing malware.”

‘Time to strike back at cyber criminals’ by Nic Fildes, Raconteur – Fighting Fraud, 1 September 2015, page 4

Page 5

Cyber Risk – costs to the Firm

• Loss of income during business interruption

• Cost to restore IT network / recover data

• Ransom payments

• Cost of notification

• Damages claim for negligence, breach of contract, breach of trust

• Compensation for service level complaint

• Reputational costs

Page 6

Cyber Risk – costs to the Firm

• Theft from client account / interception of payments made out of client account

• Regulatory fines and penalties

• Increased insurance premiums

Page 7

Risk assessment for the Firm

Factors to consider – vulnerabilities at:

• User level

• Business level

• IT infrastructure level

Page 8

Your staff – best defence or hackers’ best friend?

The trick is not to be the weakest … 90% of cybercrime is opportunism

Hackers – we’re not exploiting technical weaknesses, we’re exploiting human weaknesses

If you need a record of your password, write it on a piece of paper, it’s more secure than storing it on your computer

Top security questions: mother’s maiden name, first school, first pet, first car – if we can’t find the information on Facebook, then we phone up pretending to do a survey

‘Honestly hackers, my mother’s maiden name was Vegemite’, News Review, Sunday Times, 6 September 2015, page 6

Page 9

Risk assessment for the Firm

User level

• Password protection

• Use of removable media – data sticks

• Suspect emails, email attachments and use of personal email for work related matters

• IT security awareness training

Page 10

Our Firm – a target for cyber criminals – really?

“We’re still in the era of low-hanging fruit where tricking people into watching a video or clicking on a link works…. Staff who take a tablet computer logged into the company network home with them run the risk of inadvertently opening the door to hackers. Dave Palmer, chief technology officer at Darktrace, notes repeated malware attacks on celebrity chef Jamie Oliver’s website. ‘How many people are thinking about cyber security when they look up a recipe for fajitas?’”

‘Time to strike back at cyber criminals’ by Nic Fildes, Raconteur – Fighting Fraud, 1 September 2015, page 4

Page 11

Risk assessment for the Firm

Business level

• Hierarchy of user privileges – restricted data access

• Software still supported by its vendor and patched; anti-virus and anti-malware kept up to date

• Remote working policy, including encryption of data in transit and on devices taken off site

• Blocking access to inappropriate internet sites

Page 12

Risk assessment for the Firm

Business level

• Information security violations - disciplinary policy

• Removing access rights of staff who leave, closing redundant email accounts

• Response plan following cyber attack

Page 13

Risk assessment for the Firm

IT infrastructure level

• Risk register – assessment, monitor & review

• IT security policies & procedures – creation,

implementation and review

• Disaster recovery plan and implementation

• Cyber attack insurance

Page 14

A Tale of Two Attacks

(diagram: Fraudster, Client, Firm)


Page 16

CLC Code of Conduct

Outcome 1.3 Principle (h) You keep Client money safe

Outcome 2.3 Principle (f) You systematically identify and mitigate risks to the business and to Clients

Outcome 2.3 Principle (i) You maintain proper ….. financial and risk management arrangements and controls

Overriding Principle 5 Principle (o) You notify the CLC of any material breach of this Code

Page 17

SRA Code of Conduct

Principle 8 You must run your business …. with sound financial and risk management principles

Principle 10 You must protect client money

Outcome 10.3 COLP and COFA must notify the SRA promptly ….of serious financial difficulty

Page 18

Replacement of client’s money

CLC Accounts Code 12.5 “You replace Without Delay any shortfall to a Client or to a Client Account by payment into Client Account”

Funds stolen from client account are a breach of rules 1 and 7 of the SRA Accounts Rules 2011. The rules impose absolute liability regardless of personal fault.

Page 19

Cyber Attack Response Plan

Notification and raising awareness - steps to be taken simultaneously:

• Action Fraud – National Fraud & Cyber Crime Reporting Unit

• All staff – vigilance

• All customers – vigilance & reputation management

• Domain Registrar – attacking the source

• Professional Indemnity Insurer

Page 20

Response Plan

Notification and raising awareness:

• Regulatory body – COLP & COFA obligations

• Police, banks

• Investigation of cyber attack – what, why, how?

Page 22

For more information on our legal management consultancy services and training courses see:

www.cpm21.co.uk