A Global Pandemic – A Globally vulnerable workforce

Published 7 August 2020

We are in unprecedented times. Countries are emerging from enforced lockdowns across the world, and vast numbers of individuals are working from home. The new norm is likely to be with us for some time. A number of law firms have already indicated that they will reduce office space in favour of extended home working practices. We have seen more and more cybercriminals harness this opportunity to entice individuals into parting with secure logins and exploit organisations’ extensive reliance on remote desktop protocols.

The nature of the pandemic and the risks that it presents are truly global, and for law firms it presents a number of key risks.

Additional distractions

Working from home in this unprecedented period comes with additional distractions. We have seen many videos of parents managing their laptops with one hand and their children with the other. Numerous junior lawyers are swapping their structured office workstations for makeshift desks. With these distractions, and a general hype around the unknowns of COVID-19, has come a new wave of cyber risks.

Without direct supervision or peer review, employees may be responding to emails that appear to come from legitimate sources (such as clients, colleagues and third parties). The desire to keep delivering an efficient standard of service has meant that those emails may not have been scrutinised as they ordinarily would. In some cases this has led to losses at law firms due to failures to verify standard requests for payment which contain fraudulent bank details or fraudulent payment instructions.

Rise in scams and fraud

There have been numerous COVID-19-related scams as fraudsters prey on individuals working from their seemingly safe home environments.

The pandemic has created new opportunities for ‘social engineering fraud’, which relies on the trust of unsuspecting individuals who follow links in emails or texts from ostensibly legitimate organisations. In the UK, fraudsters have taken advantage of law enforcement agencies’ powers to fine individuals for breaching the lockdown and, more recently, of the Government’s track and trace system advising individuals to quarantine. Many have fallen for scams along these lines: “A car matching your registration was seen on Smith Road at 18:04 on 16 April in breach of the government’s lockdown rules. Follow this link to prove your travel was essential or you will be liable for a £50 fine.”

Some messages have been threaded onto previous genuine text messages from the Government, making the phishing text appear legitimate.

It is likely that this will increase with track and trace systems; reports of restaurant visits being followed by spam messages a few days later are already more prevalent. Once users click those links or open an attachment, malware is downloaded and threat actors gain unauthorised access to the employee’s computer system, and possibly their employer’s network.

We regularly assist clients in responding to business email compromise scams, which usually contain an element of invoice fraud where the email account of a member of the accounts team has been compromised. This usually features a last-minute change of bank details. Firms will need to stay alert as we predict that they will see a significant rise in attempts to redirect payments.

Remote access exposes weaknesses

Ideally, firms would conduct business through company-issued devices and a secure VPN. However, a number of firms have faced difficulties in obtaining the requisite number of devices and have requested that employees connect through a less secure vector. From an information security perspective, corporate devices should only be used for work-related matters, and law firms’ IT teams employ a number of safeguards to ensure that this is the case. Personal devices do not permit such a degree of user privilege limitation, allowing individuals to download and install software on their own devices as they choose.

With the introduction of widespread remote working, it is especially important that clear data breach policies are in place and that these are easily accessible. Employees need to be clear about their own firm’s security practices and their obligations to report any security breaches promptly, so that the firm can assess whether the breach is caught by the GDPR. Data protection laws oblige organisations to ensure the confidentiality, integrity and availability of personal data, and this is presenting a particular challenge for all organisations at this time. Whilst some leniency may be shown by regulators, the laws will still apply. Failure to comply could result in both further action by the ICO and potentially a fine.

Summary

Individuals come to law firms as trusted advisors and so there are serious reputational issues associated with any breach. Cybercriminals are exploiting the uncertainty of the pandemic and utilising it to their advantage to defraud individuals and companies alike, in addition to deploying malware across networks. This in turn puts confidential client data at risk, and may result in significant costs for law firms as they deal with a fraudulent transfer, publication of data or litigation from clients for their failure to deal with the same. A global legal workforce of professionals working from home provides a fertile environment for these risks. Organisations need to ensure that their employees are even more alive to the risks, and that they have a robust breach response plan in place to tackle any security gaps.

Authors

Jamie Tomlinson

London - Walbrook

+44(0)20 7894 6014

Catrin Davies

Newport, Bristol

+ 44 (0)1633 657682
