Does cyber risk impact the practitioners’ environments?

June 1st, 2016

By the financial forensic unit of the Attorneys Fidelity Fund

With the evolving use of technology, and the evolving need for use of technology, all players in all industries find themselves at one point or another confronted by cyber risk. The Institute of Risk Management (IRM) defines ‘cyber risk’ as ‘any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems’ (www.theirm.org, accessed 5-5-2016).

While in the past some organisations could survive without any kind of information technology (IT), nowadays organisations find it difficult, or even impossible, to exist, let alone thrive, without some engagement with IT. It is for this reason that, in almost all industries, cyber risk sits at or near the top of the list of high risks identified. While businesses have seen and embraced the benefits of using IT, criminals have also seen and embraced the opportunities that the same innovations create, and use them to turn those benefits against legitimate businesses. Practitioners are not immune from such risks and could easily find themselves victims of cybercrime if no measures are taken.

Cybercrime has no colour, no age restriction and no gender; everyone is at risk. Anyone who uses technology, irrespective of the instrument used, be it a desktop, a laptop, a tablet or a smartphone, may be at risk. The first step in dealing with cybercrime is to acknowledge that you are at risk. You may like to believe that you are careful enough, and maybe you are, but is everyone around you, everyone who shares your IT resources and/or equipment, as careful? Some people think cybercrime attacks only happen to people who are tech savvy. The truth is that even the less technologically advanced can fall victim to cybercrime. If you make use of a smart device, laptop, desktop, tablet or any other form of computer equipment that accesses e-mail, the Internet, etcetera, you are a potential victim of cybercrime. It therefore becomes important that, as a business person, you protect yourself and your business from cyber-attacks. These attacks give no notice; once one hits, the damage is done, and you therefore have to be on guard. It becomes crucial that as a practitioner you identify all potential events that can make your business susceptible to cyber risk. Readers are urged to also read the articles ‘Find the problem before it finds you’ (2015 (July) DR 29) and ‘Technology a necessary tool’ (2016 (March) DR 15).

Data storage

Practitioners are in possession of personal, business and financial information by virtue of their business. This information, more often than not, resides on computers. Criminals work tirelessly trying to get into practitioners’ records to obtain information about their clients, be it for a specific purpose or just for the fun of it; yes, some do it for fun, just to prove a point. Irrespective of the motive, the practitioner is expected to protect the information at his or her disposal and keep it confidential. Unauthorised access to client information may result in a breach of confidentiality, which may in turn result in problems for the practitioner and the firm. Some of the information is onsite at the practitioner’s offices and some is offsite as backed-up information; both copies need protection. The Protection of Personal Information Act 4 of 2013 (POPI) specifically deals with the disclosure of personal information to other parties without the consent of the data subject to whom that information relates. Should information or data relating to clients and stored by the practitioner find its way into the wrong hands, the practitioner and the firm may find themselves facing the might of the law.

Here are some of the measures that practitioners may put in place to protect and ensure confidentiality of client information:

Practitioners need to ensure physical security of computer equipment and access controls. Computers are physically secured if they are kept in places to which not anyone and everyone has access, but only authorised persons. Access controls are present where authorised persons can be identified when they log into the computers and into specific software and applications. Computers can identify authorised persons in various ways, ranging from unique passwords, to finger or thumb prints, to lock patterns, etcetera. Should the form of access identification be a unique password, it is important that rules on how authorised persons must create their passwords are built into the applications and enforced there, rather than left to the user. These passwords should be strong enough not to be easily cracked by criminals. An example of a strong-password rule is a minimum number of characters together with at least one capital letter, at least one digit and at least one special character. Having a strong password is not necessarily enough on its own; the password should also be changed periodically. Staff have a tendency to share passwords among themselves. It is in the practitioner’s interest to ensure that staff are trained and made aware of the risks of sharing passwords, and of the impact it could have on the firm and on them individually should information or data pertaining to the firm’s clients leak and it be discovered that their passwords were used.
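The password rule described above, as an added worked example that is not part of the original article: a small policy check an application can run when a user chooses a password, returning every rule the candidate fails so the user can be told what to fix, plus a check for the periodic change the paragraph calls for. The minimum length of 12 characters and the 90-day rotation period are assumptions; the article names the character classes but gives no specific numbers.

```python
"""Password-policy and rotation checks for an application login.

Added example. Assumed policy: at least MIN_LENGTH characters, with at
least one upper-case letter, one digit and one special (punctuation)
character; passwords older than MAX_AGE_DAYS must be changed.
"""
import string
from datetime import date

MIN_LENGTH = 12       # assumed minimum; the article gives no number
MAX_AGE_DAYS = 90     # assumed rotation period; the article says only "periodically"
SPECIALS = set(string.punctuation)


def password_violations(candidate: str) -> list[str]:
    """Return the list of policy rules the candidate fails (empty if it passes)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        violations.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        violations.append("no special character")
    return violations


def is_acceptable(candidate: str) -> bool:
    """True only if the candidate satisfies every rule in the policy."""
    return not password_violations(candidate)


def needs_rotation(last_changed: date, today: date) -> bool:
    """True if the password is older than the assumed maximum age."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for pw in ("password", "Sunshine2024", "Tr0ub4dor&3xample"):
        print(repr(pw), "->", password_violations(pw) or "acceptable")
    print("rotation due:", needs_rotation(date(2016, 1, 1), date(2016, 6, 1)))
```

Because the function returns the failing rules rather than a bare yes/no, the application can show the user exactly which rule was missed without the user having to guess, and the same list can be logged for the firm's own audit of password quality.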

While all staff at a firm may have access rights to systems and/or applications, the extent of those rights should differ according to the employee’s level and the need to have access to the information. Some access may be limited to viewing rights, while some may extend to amending rights; each level carries its own responsibility. Breach of confidentiality should be avoided through cautious assignment of access rights to approved individuals, granting access to information only for the purpose for which it is intended and only for the period during which the information is needed.
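The access principle in the paragraph above (view versus amend rights, granted to a named person, for a stated purpose and for a limited period), as an added worked example that is not part of the original article. The user names, matter identifiers and dates are constructed for illustration; the rule that an amend right implies a view right is an assumption.

```python
"""Least-privilege access check with time-limited grants.

Added example. A Grant gives one user one right ("view" or "amend") on one
client matter until an expiry time. Access is allowed only while a live
grant covers the requested action; "amend" is assumed to imply "view".
"""
from dataclasses import dataclass
from datetime import datetime

RIGHTS = {"view": 1, "amend": 2}   # higher value covers the lower ones


@dataclass(frozen=True)
class Grant:
    user: str
    matter: str
    right: str
    purpose: str        # recorded so the grant can be reviewed later
    expires: datetime


def can_access(grants, user: str, matter: str, action: str, now: datetime) -> bool:
    """True only if a live grant for this user and matter covers the action."""
    if action not in RIGHTS:
        return False                      # unknown actions are denied, never allowed
    needed = RIGHTS[action]
    return any(
        g.user == user
        and g.matter == matter
        and g.expires > now               # expired grants are ignored
        and RIGHTS.get(g.right, 0) >= needed
        for g in grants
    )


def expired_grants(grants, now: datetime):
    """Grants that have lapsed and should be removed from the system."""
    return [g for g in grants if g.expires <= now]


# Constructed sample grants: a secretary may view one matter until the end
# of June; the attorney handling the matter may amend it until year end.
SAMPLE_GRANTS = [
    Grant("secretary", "M-2016-001", "view", "prepare correspondence",
          datetime(2016, 6, 30, 17, 0)),
    Grant("attorney", "M-2016-001", "amend", "conduct of the matter",
          datetime(2016, 12, 31, 17, 0)),
]


if __name__ == "__main__":
    now = datetime(2016, 6, 1, 9, 0)
    print("secretary view:", can_access(SAMPLE_GRANTS, "secretary", "M-2016-001", "view", now))
    print("secretary amend:", can_access(SAMPLE_GRANTS, "secretary", "M-2016-001", "amend", now))
    print("attorney view:", can_access(SAMPLE_GRANTS, "attorney", "M-2016-001", "view", now))
    later = datetime(2016, 7, 1, 9, 0)
    print("secretary view after expiry:", can_access(SAMPLE_GRANTS, "secretary", "M-2016-001", "view", later))
    print("lapsed:", [g.user for g in expired_grants(SAMPLE_GRANTS, later)])
```

The check is deny-by-default: anything not covered by a current grant for that exact matter is refused, and `expired_grants` gives the list a practitioner would review periodically to remove access that has outlived its purpose.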

The practitioner should also implement robust legal mitigating measures against breach of confidentiality. These may include incorporating confidentiality clauses in contracts such as employment contracts or other business contracts. Where practitioners have engaged third parties that interact with the firm’s information systems, the practitioner must get comfort on the following:

  • Are the physical and management controls of the third-party service provider adequate and sufficient?
  • Are third-party staff adequately trained in information and data privacy and protection?
  • Are there vetting and monitoring mechanisms for third-party staff who handle sensitive and confidential data?
  • The practitioner may also request a cyber risk management policy from the third party.

Readers are encouraged to also read the article ‘Outsourcing by legal practitioners’ (2015 (Sept) DR 28).

Communication systems

Communication is an integral part of the function of practitioners. In today’s world there is electronic communication between the practitioner and the clients. Cyber risk may also take the form of misleading or incorrect statements on e-mail, websites or any other Internet-based platform, and may lead to compensation claims and loss of reputation for the practitioner. The practitioner should be alert to the use of social networking sites by staff. Staff may post unwarranted statements on social media about the firm’s business matters. This may require firms to have robust policies in place regarding the use of computer equipment and social networking sites at the firm. Where staff are found to be using computers in contravention of the policies, a strong message should be sent to the rest of the staff through action taken against the perpetrators, in order to serve as a deterrent.

Some practitioners and/or firms also make use of Electronic Fund Transfer (EFT) systems to transact on their accounts, and this method of transacting has proved to be very efficient. During a transaction, systems communicate with other systems, and criminals who intercept that communication can gain access to funds illegally. Banking details received by e-mail should therefore be confirmed through an independent channel, such as a telephone call to a known number, before a payment is released.

The Attorneys Fidelity Fund (the Fund) has recently introduced a portal used by the provincial law societies to issue Fidelity Fund Certificates to practitioners. Practitioners access the system via the Internet from any device, wherever they are. A large amount of information about practitioners and firms is stored on the portal, and the security of the portal is vital. Professional penetration testers have tested the system for flaws that could allow it to be hacked, and it has been secured accordingly. Practitioners should equally ensure security on their side, since they interact directly with the portal.

Online hacking and activism

Some practitioners may have websites or other information technology applications linked to their internal information systems. Practitioners need to be aware of cyber-attacks that may be perpetrated over the interfaces between internal applications and the website. An example would be phishing. ‘Phishing’ is defined as an ‘act of illegally gaining access to a computer, stealing private information and then utilising that information for harmful activities. … popular through various e-mail frauds and Internet related activities’ (www.thelawdictionary.com/phishing, accessed 19-5-2016). In practice the term refers to fraudulent e-mails, messages or websites that impersonate a trusted party in order to trick the recipient into disclosing passwords or other sensitive information, or into opening a malicious attachment or link. There may be financial implications, since credentials or confidential client information obtained through phishing can be used to gain further access to the firm’s systems, and attacks that follow may render the firm’s information systems unavailable.

One of the risks emerging from online hacking and activism is the use of malicious programs, commonly called ransomware, that encrypt client data and information, followed by malicious e-mails or short messages demanding payment for decryption or release of the information. Practitioners may be faced with financial losses as a result of online hacking and activism and need to be aware of the adverse impact these can have on the practitioner’s operations and information systems. In order to curb the occurrence of these incidents, the practice may consider the following:

  • IT security controls that focus on the secure isolation of practice-critical information and data.
  • Intrusion detection on the practitioner’s information systems.
  • Regular, tested backups of client data kept where malicious programs running on the firm’s computers cannot reach them, so that encrypted data can be restored without paying.

IT hardware

Cyber risk also arises from the hardware components in the environment, such as computers, mobile tablets and mobile phones. Practitioners should consider the risk of damage to or loss of these devices. Practitioners must ensure that all devices used in furtherance of the practitioner’s operations are physically and logically controlled. No unauthorised party should have access to devices carrying sensitive and confidential client information.

Practitioners need to maintain a high level of awareness of the areas within the practice that are susceptible to cyber risk. In a rapidly changing IT and communications era, continuous review of emerging cyber risks is critical to preventing attacks on the firm’s information assets.

Conclusion

Practitioners should always ensure that they understand the environment they operate in and have the necessary controls in place to deal with uncertain events that may present themselves. Cyber risk management is not a one-time or once-off event, but a continuous battle of which you have to be aware for as long as you make use of computer devices. It hits when you least expect it and, therefore, requires that at no point should you relax your controls. Cyber risk is a reality, its results can be devastating, and it should never be underestimated.

The financial forensic unit of the Attorneys Fidelity Fund in Centurion.

This article was first published in De Rebus in 2016 (June) DR 24.
