Managing Cybercrime Risks for Small Firms
C
y
b
e
r
c
r
i
m
e
:
r
i
s
k
s
f
o
r
s
m
a
l
l
f
i
r
m
s
Rachel Clements
Regulatory Manager - Thematic Team
What did we do?
•
Analysis of the experiences of 40
firms we interviewed
•
Randomly selected from 458 reports
between 2016 and 2019
The immediate impact of attacks
Loss of 4m
client money
at 23 firms
394K paid
directly by
firms
Reputation
and
emotional
impact
Disruption,
time and
effort
Key risks
•
Phishing
•
Email modification
•
Ransomware
•
Polices and procedures
•
Support and training
Cybercrime attacks
Case study
•
T
y
p
e
o
f
a
t
t
a
c
k
:
V
i
s
h
i
n
g
•
T
a
c
t
i
c
:
P
s
y
c
h
o
l
o
g
i
c
a
l
M
a
n
i
p
u
l
a
t
i
o
n
•
F
u
n
d
s
t
r
a
n
s
f
e
r
r
e
d
:
£
1
.
2
m
Impact
•
£1.2m shortage and client matters halted
•
SRA Investigation
•
Policy excess charge – £2.5k
Cybercrime attacks
Ransomware
Policies, controls and technology
•
32% no disaster recovery plan
•
57% had not tested processes
•
20% no policy on USBs
•
20% no incident records
•
37% using Windows 7
•
55% using external USBs
•
E
v
i
d
e
n
c
e
o
f
I
T
s
u
p
p
o
r
t
o
v
e
r
-
r
e
l
i
a
n
c
e
P
eople training and support
88% of fee
earners could not
explain the term
‘ransomware’
60% of firms
viewed staff
as the
g
reatest
risk
20% of firms
had not
provided any
cyber training
A human firewall
•
A supportive ‘no blame’ business
culture
•
Regular training (free!)
•
Encourage regular scrutiny of
emails
•
Oversight and clear reporting lines
Your obligations
•
Rule 6.1 Solicitors Accounts Rules: Repay client money
immediately
•
5.2 & 2.9 Standards and Regulations - Monitor risks,
safeguard funds and assets
•
Know your reporting requirements from SRA and ICO
Keeping your firm safe
•
Controls: Plan for future threats
•
Provide training and support
•
Make cybersecurity BAU
•
A ‘no blame’ business culture
Further reading:
C
y
b
e
r
c
r
i
m
e
T
h
e
m
a
t
i
c
R
e
v
i
e
w
:
w
w
w
.
s
r
a
.
o
r
g
.
u
k
/
s
r
a
/
h
o
w
-
w
e
-
w
o
r
k
/
r
e
p
o
r
t
s
/
c
y
b
e
r
-
s
e
c
u
r
i
t
y
G
u
i
d
a
n
c
e
:
w
w
w
.
s
r
a
.
o
r
g
.
u
k
/
c
y
b
e
r
c
r
i
m
e
R
i
s
k
O
u
t
l
o
o
k
:
w
w
w
.
s
r
a
.
o
r
g
.
u
k
/
r
i
s
k
S
c
a
m
a
l
e
r
t
s
:
w
w
w
.
s
r
a
.
o
r
g
.
u
k
/
c
o
n
s
u
m
e
r
s
/
s
c
a
m
-
a
l
e
r
t
s
This comprehensive study delves into the various cyber risks faced by small firms, highlighting immediate impacts, key vulnerabilities, case studies, and strategies for prevention. Insights from interviews and analysis provide valuable information on cybercrime attacks, policies, controls, training gaps, and practical solutions to safeguard against financial losses and reputation damage.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Cybercrime: risks for small firms Rachel Clements Regulatory Manager - Thematic Team
What did we do? Analysis of the experiences of 40 firms we interviewed Randomly selected from 458 reports between 2016 and 2019
The immediate impact of attacks Reputation and emotional impact Disruption, time and effort Loss of 4m client money at 23 firms 394K paid directly by firms
Key risks Phishing Email modification Ransomware Polices and procedures Support and training
Case study Type of attack: Vishing Tactic: Psychological Manipulation Funds transferred: 1.2m
Impact 1.2m shortage and client matters halted SRA Investigation Policy excess charge 2.5k
Cybercrime attacks Ransomware
Policies, controls and technology 32% no disaster recovery plan 57% had not tested processes 20% no policy on USBs 20% no incident records 37% using Windows 7 55% using external USBs Evidence of IT support over-reliance
People training and support 20% of firms had not provided any cyber training 60% of firms viewed staff as the greatest risk 88% of fee earners could not explain the term ransomware
A human firewall A supportive no blame business culture Regular training (free!) Encourage regular scrutiny of emails Oversight and clear reporting lines
Your obligations Rule 6.1 Solicitors Accounts Rules: Repay client money immediately 5.2 & 2.9 Standards and Regulations - Monitor risks, safeguard funds and assets Know your reporting requirements from SRA and ICO
Keeping your firm safe Controls: Plan for future threats Provide training and support Make cybersecurity BAU A no blame business culture
Further reading: Cybercrime Thematic Review: www.sra.org.uk/sra/how-we- work/reports/cyber-security Guidance: www.sra.org.uk/cybercrime Scam alerts: www.sra.org.uk/consumers/scam-alerts Risk Outlook: www.sra.org.uk/risk
