The sensitive personal data that’s collected – addresses, names, financial information or property deeds, and the large sums of money handled make conveyancers a prime target for hackers.
In fact, cybercrime remains one of the biggest threats in the legal industry, and it makes up 75 per cent of the crime reported by UK law firms. Recent high profile cyber attacks have seen a huge impact on law firms and conveyancers – they’re unable to access emails and case management systems and their customers have seen big upheavals and delays to their house moves.
Incidents like this show the threat to all conveyancers is real – no matter your size – and should be actively putting in place measures to avoid and prevent it.
What are the risks?
Cyber threats remain a major risk for law firms in 2024, and the type of threats now include multi-factor faking, QR code phishing, ransomware attacks, surveillance attacks using mobile phones, and even cyber attacks on AI systems.
The development of new technology has given cyber criminals licence to carry out even more sophisticated attacks. The Solicitors Regulation Authority (SRA) highlighted that criminals are likely to carry out voice phishing or impersonate solicitors using voice-modification software. Automated ransomware attacks can also find weak points in your systems, and AI tools like ChatGPT, can make false documents more convincing.
How can it impact you?
It goes without saying that a cyber attack can have serious consequences for any conveyancer or law firm. Property transactions are already stressful and expensive for clients but a hack on top of this is likely to undermine their trust, especially if it means they miss out on buying their property, or they suffer financial loss.
Clients’ property moves may get delayed or cancelled meaning they will miss out on purchasing their next home, with the knock-on implication of paying costly rents or finding alternative accommodation. They could also suffer financial loss if their transaction details are stolen and used for fraud, identity theft and property ownership issues if their records are compromised by hackers.
Conveyancers affected by cyber attacks can also find themselves suspended or restricted by lender panels, disrupting their entire service and operation. The reputational damage, loss of trust from clients, and negative coverage on social media and in the press would be difficult for any law firm to come back from quickly.
Cyber attacks are also expensive. In 2021, conveyancing giant, Simplify, had a cyber-security breach when an unauthorised party gained access to its system and files. It cost the firm £7m and its clients launched a class action suit against them. Luckily, insurers compensated the firm for the damage, but the firm did lose business and was running at a reduced capacity for 10 weeks.
Firms can also be fined by the information commissioner’s office (ICO) if it’s found that they didn’t have adequate security measures in place.
Under the UK General Data Protection Regulation (GDPR), firms can also be fined up to £17.5m or 4% of their global turnover if there is a data breach, and it’s found they infringed the regulation.
The same risks and rules apply to businesses of all sizes. Smaller firms may not have extensive IT teams, but they still need to implement robust security measures because the damage and financial fallout of a cyberattack could bankrupt them.
Strategies and prevention tips
Naturally the first step for firms, given the constant risk of cyber attacks, is to embed security practices into their staff training and work culture to ensure everyone is aware of the risks and equipped to prevent them.
Collaboration and transparency is critical, so if you suspect a malicious email has been sent, a plan needs to be communicated at speed across the team. Given that your team is the first line of defence in preventing a hack, they should be trained on your cybersecurity processes to empower them and build their knowledge.
Before digitalisation, employees were required to shred confidential documents and keep them in locked filing cabinets to ensure sensitive materials were secure. In the digital age, it’s vital that employees don’t overlook basic best practices like weak or shared passwords. The latest advice says a sequence of three unrelated words works best, and letters, numbers and special characters should be included. You could use a password manager, and two-factor authentication is essential.
Office screens should be cleared or minimised if not in use, and employees should only have access to information that is relevant to their work. With remote working, there are extra security measures to consider. All devices used should be secure, installed with antivirus software and firewalls, and employees should be careful not to discuss sensitive information if they aren’t alone. The Wi-Fi network used should also be secure with a strong password and network encryption, or a VPN ensures that information is private and can’t be tracked.
Software updates will also help to prevent vulnerabilities in your system which hackers could exploit. Your internal IT team will normally continuously monitor processes, create and update risk assessments, and check that security best practices are being upheld.
What to do in the event of an attack
Firms are required to notify affected clients, the SRA and the ICO in the event of a cyber attack, and follow their guidance to reduce the impact. You should already have a robust incident response plan to minimise downtime, help you recover, and avoid any further damage.
This plan will outline how you plan to remove the threat, back up your data and how you will communicate the incident to those concerned. A cybersecurity team should be appointed consisting of IT and cybersecurity professionals, as well as communication, HR, and executive leaders. Getting legal advice is essential so that you know where you stand and so you are complying with regulations.
The attack must be contained, and you might have to shut down services, disable accounts and systems, and encrypt data that could be attractive to hackers. You will need to deploy cybersecurity professionals to investigate the attack, how it happened and what you should do next.
After the attack, you should review your strategy and identify any areas which failed, and which worked well. You should update your plan based on what you learnt, and use it to improve your response.
All of these measures are simple things law firms and conveyancers can do to protect themselves and ensure they are prepared in the unfortunate event of a hack. Just taking these small steps could have a huge impact in preventing a cyber attack and protecting your business, your reputation, your clients and their confidential information.
