by Jacqui Nelson*
In the recent PEXA settlement email fraud, the hacker discovered an email conversation between a conveyancing firm and a client. The hacker intervened and changed the settlement bank details, and then sent the false details to the conveyancer.
It is probably true that no technology can guarantee that hacking will always fail. There is the well-known adage that the type of thinking that created a problem cannot be used to solve it. Against problems of this kind, technical security is at best one line of defence against malicious hacking. Only when it is combined with manual best practices is the circle of defences complete.
First let’s consider the minimum tech security defences and then the type of manual practices that could be combined with them.
1. End to end encryption
Tools that provide end to end encryption ensure that only the sender and the intended receiver(s) can read the content: it is encrypted on the sender’s device and decrypted only on the receiver’s, so the mail or messaging servers in between never see it in the clear. The content can be email, attachments or messaging.
2. Digital signature
Digital signatures can be used to verify that a message really comes from the identity it claims to come from. The sender computes a signature over the message with a private key that only the sender holds; the recipient checks that signature with the sender’s public key. If the check fails, either the message was altered en route or it was not signed by the claimed sender.
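A worked example of the check described above, added here and not part of the original article or of any PEXA or Dekko product. It uses Go’s standard Ed25519 implementation (an assumption; the article names no algorithm) to sign a constructed settlement notice, then shows that the signature still verifies on the untouched copy but fails once the account number is changed in transit, which is exactly the alteration made in the incident described at the top.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SettlementNotice is a constructed stand-in for the message whose bank
// details were altered in the incident described above. Field values are
// made up for the example.
type SettlementNotice struct {
	Matter  string
	BSB     string
	Account string
	Amount  string
}

// Canonical serialises the notice in a fixed field order so that sender and
// receiver sign and verify exactly the same bytes.
func (n SettlementNotice) Canonical() []byte {
	return []byte(fmt.Sprintf("matter=%s\nbsb=%s\naccount=%s\namount=%s\n",
		n.Matter, n.BSB, n.Account, n.Amount))
}

// Sign produces an Ed25519 signature over the canonical notice using the
// private key that only the conveyancer holds.
func Sign(priv ed25519.PrivateKey, n SettlementNotice) []byte {
	return ed25519.Sign(priv, n.Canonical())
}

// Verify checks the signature against the conveyancer's public key. It
// returns false if any field was altered after signing or if the message
// was signed with some other key.
func Verify(pub ed25519.PublicKey, n SettlementNotice, sig []byte) bool {
	return ed25519.Verify(pub, n.Canonical(), sig)
}

// Demo signs a notice, then verifies both the untouched copy and a copy
// whose account number has been changed in transit. It returns whether each
// verification passed, in that order.
func Demo() (originalOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	notice := SettlementNotice{
		Matter:  "Constructed matter 0001",
		BSB:     "000-000",
		Account: "00000001",
		Amount:  "AUD 650000.00",
	}
	sig := Sign(priv, notice)
	originalOK = Verify(pub, notice, sig)

	tampered := notice
	tampered.Account = "99999999" // the substitution made in transit
	tamperedOK = Verify(pub, tampered, sig)
	return originalOK, tamperedOK, nil
}

func main() {
	ok, tamperedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\ntampered verifies: %v\n", ok, tamperedOK)
}
```

The check only helps if the conveyancer’s public key reached the client over a channel the attacker could not alter, for example read out over the phone at the start of the matter. A key delivered in the same email thread can simply be swapped along with the bank details, which is why the signature complements, rather than replaces, the manual verification the article argues for.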
3. Two-factor authentication
Two-factor authentication can be used to prevent malicious access to an account and to verify a user’s identity when logging on to a service or resetting a password. Two-factor authentication that adds a biometric factor, such as a fingerprint or facial recognition, which is extremely difficult to falsify, is preferred.
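To show what one common second factor actually computes, here is an added example (not from the article) of an RFC 6238 time-based one-time password written against Go’s standard library: a shared secret and the current 30-second time step produce a short code that the server can regenerate and compare. It covers the app-generated-code form of two-factor authentication rather than the biometric factor the author prefers. The secret used in main is the published RFC test value, a constructed input and not a real enrolment key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Step is the TOTP time step in seconds used by most authenticator apps.
const Step int64 = 30

// TOTP derives an RFC 6238 one-time code (HMAC-SHA1 variant) from a shared
// secret and a Unix timestamp. The secret is what the enrolment QR code
// installs on the user's phone; the server keeps its own copy.
func TOTP(secret []byte, unixTime int64, digits int) string {
	// The moving factor is the number of whole steps since the Unix epoch,
	// encoded as an 8-byte big-endian counter.
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/Step))

	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the window's top bit is cleared.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// VerifyTOTP accepts a submitted 6-digit code if it matches the code for
// the current step or the step either side, to tolerate small clock skew,
// and compares in constant time so response timing does not leak how many
// digits were right.
func VerifyTOTP(secret []byte, submitted string, now int64) bool {
	for _, drift := range []int64{-1, 0, 1} {
		expected := TOTP(secret, now+drift*Step, 6)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret (the RFC 6238 test value); real enrolments use
	// freshly generated random bytes per user.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	fmt.Printf("current code: %s, accepted: %v\n", code, VerifyTOTP(secret, code, now))
}
```

The code is only as secret as the shared key: if the key is enrolled over an unprotected channel, or the user is talked into reading the code out, the factor is defeated, which is why a factor that cannot be relayed, as the author notes for biometrics, is the stronger choice.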
Now consider the manual practices that can be combined with these technical defences.
1. Undertake a security audit on workflows
To understand the cybersecurity risks facing the firm, it’s important to fully evaluate all the systems and processes being used. Follow each workflow and look at where the data being used could potentially be compromised. View processes in the light of the GDPR and the Notifiable Data Breaches (NDB) scheme.
Importantly, undertake assessments from a business rather than technical perspective. This is important because responsibility for any data breaches rests with senior management and the board. Evaluate what impact a data breach would have on operations and the potential long-term effects it could have on the firm.
2. Check your security tools
Another important step is to fully evaluate the security tools and processes that are currently in place. Determine whether they are providing sufficient levels of protection and whether there are any remaining gaps that still need to be filled.
Take time to determine whether people can circumvent existing security measures and potentially put data at risk. If evidence is found, further measures should be put in place to prevent these practices.
3. Evaluate existing communication channels
Carefully determine all the communication methods and channels being used, both internally and externally. Evaluate how files are being shared between staff members and with clients or other external parties.
Staff could be using insecure file sharing services, such as Dropbox or Google, which increases the chances of data loss or a breach. Measures need to be put in place to ensure that only secure channels are used at all times.
4. Educate staff
Research shows that the vast majority of all data loss incidents are caused by human error or ignorance. This could be anything from clicking on an infected email attachment to leaving an unencrypted laptop computer in the back of a taxi.
Conduct regular cybersecurity education sessions for all staff to explain to them the types of risks being faced and the practical steps they need to take to reduce vulnerability. When staff understand why they should handle data in secure ways they will be much more likely to comply, thereby lowering the chances of a successful cyberattack.
5. Find an email alternative
Email has become entrenched as a widely used business tool, but it remains a very insecure way of exchanging sensitive data. A much more effective approach is to implement a secure file sharing platform through which data files can be shared.
Ensure all staff are trained in the use of the new platform and have a clear understanding of why it should be used in place of more traditional email-based workflows. The platform can also replace other insecure practices such as loading files onto a USB key.
6. Check where data is stored
It is also important to have a clear understanding of where critical data files are being stored. While most are likely to be on internal servers, some could be kept on cloud-based platforms or systems owned by external parties.
With data sovereignty becoming an increasingly important issue, it is vital to know geographically where data is being stored at all times. If any locations are deemed to be insecure, their usage should be immediately halted.
The bottom line
The PEXA settlement email hack could have been avoided by the simplest technology of all: a phone call between the conveyancer and client to verify bank account details. Security technology might have prevented an email hack but a manual process at the right moment would have closed the circle of defences and picked up the breach.
The problem of course is that manual process interventions slow down the workflow and can disrupt a scheduled settlement, especially if someone unexpectedly becomes unavailable at a critical time.
Legal practices need to adopt better security technology and also implement new processes. However, it may also be time for clients to play their part in taking these issues more seriously and to bear the cost of any inefficiencies and failures on their part.
*Jacqui Nelson is Managing Director of Dekko Secure. Dekko is designed as a business-oriented solution that provides secure file sharing, secure mail and secure chat as a single platform. DekkoVAULT is a file sharing and storage solution that gives companies peace of mind and flexibility around securely sharing files of unlimited size. https://dekkosecure.com