Commercial Conveyancing and Cyber Security: Beyond the Basics
For business leaders in the conveyancing sector, ‘Friday Afternoon Fraud’, whereby cyber criminals intercept emails between a conveyancer and client to steal funds intended for a property purchase, is now a widely understood and recognised risk to law firms and their clients. Indeed, authorities and regulators have made great strides in providing detailed guidance on avoiding cyber fraud in property transactions. The Conveyancing Association, for example, published their ‘Cyberfraud and Fraud Protocol For England and Wales’, which sets out each of the cybersecurity threats with practice guidance to mitigate them. This guidance is particularly useful as it extends beyond just Friday Afternoon Fraud with email interception.
In this article, we will look at a range of best practice security recommendations beyond the more basic measures implemented by law and conveyancing firms. By doing so, it is our aim to assist conveyancing businesses in considering the whole range of interventions needed to protect both themselves and their valued clients.
Make your network watertight
There is no lack of information, technology, and software available to experienced or would-be hackers, and they will use any means to access your systems. However, many businesses believe that because they are dependent on cloud-based business systems or have very little in the way of physical IT infrastructure, cybersecurity is out of their hands. Unfortunately, this is not how the authorities or clients would view a cyber compromise. Ultimately, you need to know of any vulnerabilities within your systems which leave you open to a cyber hack. Central to this should be determining the effectiveness of your network firewall – which acts as a filter allowing only specified inbound and outbound network traffic to pass. This vital element of your firm’s cybersecurity needs to be well administered and up to date with the latest firmware. Any hacker worth their salt will have a list of the standard open-door vulnerabilities (in the form of open ports) that many businesses commonly fail to close. If you lack the necessary in-house skills, it is valuable to consider having your systems ‘penetration tested’ by a third-party IT security specialist.
Encryption is also vital. Not only must you make sure the data on your devices is encrypted (especially for any device leaving your office), but any communication between your office and the outside world should be protected (for example using a secure virtual private network – VPN). And from your clients’ (or potential clients’) perspective, they will expect to see that your website is secure and encrypted, as denoted by a padlock symbol on a web browser and an ‘https’ web address. If your business does not put this in place, it may be seen as a glaring oversight by those seeking to use your services.
System access security is also paramount. While most businesses implement password policies, these often do not go far enough. It is essential that user accounts are actively administered and ‘locked down’ – including only allowing minimum security permissions and implementing a strict standard for password changes and formats. Multi-factor authentication is also an extremely effective deterrent, as it guards against the potential for password theft: an additional second or third authentication mechanism is used to verify the accessing user.
Potentially crippling malware attacks can be avoided by locking down all devices to prevent the use of USB devices or unauthorised software installation. In addition, mobile device management (MDM) can be used to lock down the functionality of smartphones and tablets, which can be easily compromised if used in their factory state.
Ultimately, the task of identifying vulnerabilities, spotting signs of an active or previous cyber-attack, and removing threats requires expert skills that you may not possess in-house. If recruiting a full-time employee in this space is not an option, you could consider seeking external IT security expertise on a fixed monthly fee basis, or upskilling existing staff, for example through the National Cyber Security Centre’s own ‘Cyber Essentials Certificate’ programme.
Taking control through robust policies and training
Looking beyond the technological aspects of cybersecurity risk mitigation, it is essential to consider the biggest risk of all – your people. It cannot be emphasised enough how even the smallest mistake, no matter how innocent and unintended, can cost a legal practice its solid reputation. To this end, it is important to have written standards and policies for every single aspect of your cyber threat prevention methodology, and these must be regularly updated and communicated effectively (on an ongoing basis) to all of your staff without exception. To do this comprehensively, you will need to take a 360-degree view of your organisation, looking at each stakeholder in the conveyancing process, and how their role needs to be fulfilled to eliminate risks. It is also best practice to monitor for compliance with the policies in place: while your staff may know the theory of cybersecurity as it pertains to your organisation, if they aren’t being held to account for putting it into practice, you may remain at risk.
An example of a cybercrime policy is produced by the conveyancing regulator, CLC, which covers aspects including IT systems, a ‘response plan’ to be actioned following a cyber-attack, and prevention steps. While this provides a solid starting point, there is nothing to stop your business expanding on this to cover each stakeholder and providing more depth. By making your policy a centralised, version-controlled document, with assigned owners, you can ensure it becomes integral to the cyber protection of your business.
No room for complacency
According to HSBC UK, cybersecurity is now the highest priority investment for the largest 50 law firms, such is the danger of breaches to their operations. And while not all businesses have the spending clout of the biggest law firms, most conveyancers do not have the operational complexity and scale of those organisations. The danger of not investing in cybersecurity, apart from the dangers already identified in this article, is that if the smaller businesses are not seen to be protecting clients in the same way the big firms are, this will only serve to drive clients away.
By taking an agile approach to ensuring you have the necessary expertise, perhaps by contracting external IT specialists, or employing someone on a part-time basis to focus on all aspects of your cybersecurity strategy, you can reduce the cost overhead while actively controlling the risks of a potentially destructive attack.
At Thames Water Property Searches we call ourselves “the property search experts” for good reason. We are not only a search supplier, but we are also a search producer of the CON29DW and a partner of NLIS. Working closely with leading suppliers such as Lawyer Checker, we ensure that we not only sell the searches but fully understand the detail within them, especially ensuring that your clients are secure where ‘cyber security’ is concerned.
We understand complexity and take the time to support you with issues that may arise, offering that bespoke service which you normally only receive from the smaller companies and at a premium. Here at Thames Water Property Searches you get that service as standard, along with the trusted brand of Thames Water, knowing that we will always be here to support you. For more information please contact us on 0845 070 9148 or email twps@thameswater.co.uk.