THE CONVEYANCER’S GUIDE TO CYBER SECURITY · 2019-07-01 · significant risk, as recent email...

THE CONVEYANCER’S GUIDE TO CYBER SECURITY
What you need to do to protect your clients and your firm from cyber criminals

WHAT’S THE REAL RISK OF E-CONVEYANCING?

The benefits of e-conveyancing are well documented. However, with these benefits comes significant risk, as recent email hacking cyber-attacks clearly demonstrate. In more than one case, security breaches have resulted in hackers stealing over $250,000 of sale proceeds. It is reasonable to assume this is only the beginning as cyber criminals penetrate further into the conveyancing process. Yet despite these concerning and recorded events, taking preventative action does not appear to be a priority for some.

A recent flash poll on our website emphasised that security is becoming a higher priority for practitioners; 30% stated they were ‘extremely concerned’ about it, and 50% said they plan to implement new security measures in the next 12 months. In the past 24 months, our clients reported hacking as the most commonly encountered security threat, followed by malware attacks and email interception.

In addition, research from the Law Society of Western Australia and Edith Cowan University found that one in three law firms aren’t investing in regular cyber security training. The research also showed that while 79% of legal professionals are concerned about cyber security, just 21% have confidence that their firm would be able to handle a cyber-attack.

The reality is that as the industry fast tracks to e-conveyancing and e-settlement, you must be cyber vigilant to protect your clients, your firm and your reputation.

To assist you to safely transition to your digital future, InfoTrack has sourced best practice preventive measures from some of the country’s leading authorities.

Are you covered?

As noted by the Law Society of NSW in a recent post, Lawcover insures against e-conveyancing fraud with Lawcover’s professional indemnity insurance (PII) policy covering third-party losses arising from an alleged e-conveyancing error, where the lawyer is at fault.

In addition, Lawcover’s group cyber risk policy protects a law practice’s costs and expenses arising from a cyber event (as defined in the group cyber policy) and loss of business income directly arising from a cyber event.

However, it warns that law practices need to be aware of, and prepared for, the risks of email impersonation fraud and follow steps to avoid becoming a victim or an unwitting participant in fraudulent activity. Further information is available in Lawcover’s Cyber Fraud Guide.

[Chart: WHAT WERE THE MOST COMMON SECURITY ISSUES FACED BY PRACTITIONERS IN THE PAST 24 MONTHS? Categories shown include hacking, data breaches and money laundering. *Results from a 2018 poll of InfoTrack website visitors]


CRITICAL STEPS IN YOUR DEFENCE STRATEGY

The key to protecting your business and your clients is to build a solid foundation for a security program. We advise clients to:

1) Nurture a security culture in your organisation

Security culture needs to filter throughout your organisation. It can’t be solely up to your IT department and must come from the top down. You should include it as part of your induction and regular training programs so that all employees are aware of the possible threats and the best way to protect against them. It should be a part of your everyday business practices and all staff should feel equally responsible for it.

The Law Council of Australia has published an excellent document on protecting your clients’ data, Your Firm, Their Data. In it they provide some key questions to ask yourself when reviewing your firm’s practices in respect of data protection, which are outlined below.

1. Is your company and client data located in a secure environment that contains robust mechanisms to prevent unauthorised access and secure dissemination of data?

2. Do you have a robust back-up and data retention policy that is strictly enforced?

3. Are the terms and conditions of your use of cloud technology (for example: Dropbox, one-cloud, Azure) compatible with your professional responsibility regarding information handling?

4. When a crisis arises, what steps can be taken to retrieve data and how long will it take?

2) Verify any and all communications

Never be complacent when it comes to communications. As professionals, you often deal with sensitive information and high-value transactions. You need to be especially cognisant of the threat of interception and be able to spot red flags and unusual communications.

Always pay close attention to the sender, language used, type of request and appearance of the communications. If there is anything unusual, flag the communication and do not respond or provide any information until you’ve verified with the sender in another way.

3) Educate yourself and others on tactics used to steal information

Cyber threats are constantly evolving but there are core methods used and ways to protect your business against them. Stay up to date on the latest trends and ensure you regularly educate yourself and your employees around any new threats and security measures.

Some key Australian websites to help you keep updated include:

https://www.scamwatch.gov.au/

https://cybersecuritystrategy.homeaffairs.gov.au/

https://cyber.gov.au/

https://www.acorn.gov.au/

4) Protect your mobile devices and accounts with secure practices

There are a number of ways you can secure your devices and accounts: optimise your passwords for security, encrypt your devices, log out of sessions, use multifactor authentication, and so on. These are simple initiatives that can make a big difference and should be implemented across your organisation.

In Your Firm, Their Data the Law Council of Australia asks:

1. Have you adequately secured your mobile device in case of loss or theft? Do you use a password? Does your device auto lock, requiring you to re-type your password to gain access, if left unattended? How long does it take before auto lock engages?

2. Who has access to the data you carry around on your phone or portable device?

3. Can that equipment or the mechanisms that allow it to work be used to transmit sensitive data or create security breaches? Information transmitted over public Wi-Fi networks can be accessed by others, for example.

4. Should it be required, can you remotely find or control the device to enforce security policies? That is, can you erase the data remotely

6 ACTIONS YOU CAN TAKE TO PROTECT YOUR FIRM

Gabor Szathmari, CTO and Cyber Security Expert at Iron Bastion

The key to protecting your business and your clients is to build a solid foundation for a security program. We advise clients to:

1) Protect your email service with two-factor authentication

The most effective way of preventing a business email hijacking is to have two-factor authentication (2FA) protecting your email. Two-factor authentication is an extra layer of security that requires you to key in a one-time PIN when logging in to an email account, either periodically or when the login request has come from a new device, browser or location.

This may sound tedious, but it is a powerful security measure to prevent hackers from hijacking your mailbox and using it to reset passwords on cloud services such as PEXA. Services like G Suite and Office 365 already support 2FA features for free; they just need to be turned on and configured for your email service.

2) Tune your email service to prevent email impersonation attacks

Cybercriminals often rely on two distinct email spoofing techniques for taking over email. Criminals will typically pose as a person of authority from your organisation and lure you into clicking on web links. Often this leads to fake login pages, opening file attachments containing malware, or giving away passwords and sensitive information.

The good news is that you (or your IT staff) can make changes to your email service to reduce the risk of email-based impersonation attacks.

3) Make sure you’re using the right anti-virus software

You should ensure you are using the right anti-virus suite and that all your devices have up-to-date antivirus software installed. Better antivirus products not only protect your computer from viruses; they can also safeguard you from phishing and ransomware attacks.

Sadly, many IT service providers do not deploy the right antivirus for your business needs. They often resell products that come in heavily-discounted software bundles or offer the best resale margin, rather than picking a product that provides superior protection based on independent software testing.

Ensure that every device in your business has an antivirus product and that the product features include phishing protection, safe browser plugins, ransomware protection and sandboxing.

4) Invest in anti-phishing protection for your email service

To prevent cybercriminals from luring your employees into email account hijacking, your incoming emails should be pre-screened for phishing attempts.

You should be aware that neither the built-in spam filters in Office 365 and G Suite nor previous-generation anti-spam services feature advanced anti-phishing techniques to pre-screen emails for phishing. Hence, these older technologies will leave your firm unprotected from today’s cyber-threats.

Anti-phishing services, on the other hand, feature techniques like Machine Learning and Artificial Intelligence (AI) algorithms to identify phishing attempts. Special algorithms look for the specific red flags indicating a phishing attempt, such as typical wording and text semantics, invalid digital signatures, and poor sender reputation. File attachments are also analysed in safe environments for known and unknown threats, and embedded hyperlinks are rewritten so that any malicious URL is analysed in real time (and blocked) when the recipient clicks on it. These technologies are only available in anti-phishing services that were specifically designed to protect organisations from phishing threats.

Advanced anti-phishing protection is available as an add-on that works in conjunction with your existing email service. You can buy software services or on-premise products to pre-screen your emails for phishing.

5) Use managed web browsing protection

More sophisticated cybercriminals may try to outsmart these advanced anti-phishing technologies used in business email by targeting staff through their private email and instant messenger accounts instead.

Free email providers such as Gmail, Yahoo Mail, etc. do not have advanced anti-phishing protection that your corporate email service may have. Criminals may also try to contact your employees via Facebook Messenger, WhatsApp or iCloud Messenger. These services are not capable of identifying and blocking these targeted attacks on your employees, but you can protect your staff with what is known as a DNS firewall, which can be set up on all your employee devices, protecting them even when they are not in the office.

DNS-based web browsing protection services can block your employees from accidentally visiting websites hosting fake login pages or malicious password-stealing software and malware. Web browsing protection services are not only for big businesses; services such as ours are available for even a sole practitioner protecting a single device. We suggest subscribing to such a service to get comprehensive protection for your business.

6) Educate your employees with phishing awareness training

Phishing is not merely a technology problem but a human problem too. The last line of defence is your employees. Hence, they need to be vigilant and trained to identify phishing attempts.

In covering the human element, phishing simulation is an effective way to test and train employees’ cybersecurity awareness and susceptibility to social engineering tactics, spear phishing and ransomware attacks. With the right tools, you can simulate a phishing attack against your own business. You can then identify vulnerable employees (i.e. those who fell for the attack) and train staff with appropriate education. There are both free and paid security awareness training materials available to your staff to help them recognise and respond to phishing attempts.

E-CONVEYANCING – SHOULD WE, OR SHOULDN’T WE?

Marissa Dimarco, Solicitor Director, Property and Commercial at Osborn Law

The recent cyber-attack on a conveyancing firm’s email system serves as a timely reminder that firms must adopt an integrated approach to fraud detection and prevention on a practitioner level. The security breach resulted in hackers stealing $250,000 of sale proceeds from the e-conveyancing platform Property Exchange Australia, also known as PEXA.

PEXA is one of a number of e-conveyancing platforms designed to provide an electronic conveyancing solution to the Australian property industry. Since PEXA was released for testing in 2013, it has been phased in with all refinances and standalone mortgages going digital in 2017, and at least half of all conveyancing firms now use the PEXA platform (in its current five live states). As of July 1 2018, all stand-alone NSW transfers and caveats must be lodged electronically, meaning vendors are able to access cleared funds almost immediately after settlement, and purchasers are guaranteed registration of title within 48 hours of settlement.

In the recent cyber-attack, hackers gained access to a conveyancing firm’s email system, allowing them to set up a user account on PEXA and then intercept emails from PEXA alerting the conveyancing firm’s existing users of the new user profile. The hackers were able to edit the vendor’s bank details, resulting in the redirection of all settlement funds to the hacker’s bank account.

PEXA have been quick to address the breach, with acting CEO James Ruddock saying, “These are isolated incidents and do not represent a wider or systemic risk to the PEXA platform”. Since the security breach, PEXA has introduced additional security measures to prevent similar incidents occurring, including timestamps identifying which user entered what data, and when the data was entered. They have also introduced more stringent requirements when setting up new PEXA users.

Law firms must accept responsibility for the security of their systems by ensuring their email and practice management software are sufficiently robust. Regularly updating anti-malware software aimed at detecting suspicious activity will be invaluable. Enacting internal procedures to ensure information is obtained from legitimate sources is also critical. Confirming all bank details with your clients and reviewing them against your records, as close as possible to settlement, is imperative to ensure this type of breach isn’t repeated.
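The pre-settlement check described above (bank details re-confirmed against the firm's own records, and a look at who changed them and when) can be made routine. The Python below is an added illustration and is not InfoTrack's, PEXA's or the author's code; the settlement record, audit entries, user list and the 14-day "new account" window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: payee details confirmed with the client at engagement,
# the details now in the settlement workspace, the workspace audit trail and
# the creation date of each platform user account.

@dataclass(frozen=True)
class BankDetails:
    bsb: str      # bank-state-branch code (constructed values below)
    account: str  # account number

@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    field: str
    old: str
    new: str

def review_settlement(workspace, on_file, audit, user_created, now,
                      new_user_days=14):
    """Return findings that should hold settlement until a person has
    re-confirmed the payee details with the vendor by another channel."""
    findings = []
    # 1. Do the workspace details still match what the client confirmed?
    if workspace != on_file:
        findings.append("bank details in workspace differ from the details "
                        "confirmed with the vendor")
    # 2. Who changed the payee details, and how new is that account?
    for entry in audit:
        if entry.field != "vendor_bank":
            continue
        created = user_created.get(entry.user)
        if created is None:
            findings.append(f"{entry.user} changed bank details but is not a "
                            "known user account")
        elif now - created <= timedelta(days=new_user_days):
            age = (entry.when - created).days
            findings.append(f"{entry.user} changed bank details {age} days "
                            "after the account was created")
    return findings

def sample_review():
    on_file = BankDetails("123-456", "11111111")     # constructed
    workspace = BankDetails("999-999", "22222222")   # constructed
    users = {"partner": datetime(2016, 2, 1), "newuser": datetime(2018, 6, 8)}
    audit = [
        AuditEntry(datetime(2018, 6, 9), "partner", "settlement_date",
                   "2018-06-20", "2018-06-22"),
        AuditEntry(datetime(2018, 6, 10), "newuser", "vendor_bank",
                   "123-456/11111111", "999-999/22222222"),
    ]
    return review_settlement(workspace, on_file, audit, users,
                             now=datetime(2018, 6, 12))
```

Each finding is a reason to stop and telephone the vendor on a number already held on file, not one sent in the email that requested the change.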

The introduction of technologies and systems aimed at improving the process of conveyancing is crucial for both clients and the property industry. E-conveyancing services offer unrivalled efficiency compared with traditional conveyancing practices. While there have been some teething problems, e-conveyancing is a positive step for the future of conveyancing and prospective vendors and purchasers should not be discouraged.

This article was originally published in the Newcastle Herald and has been reproduced with the author’s permission. The author would like to acknowledge the valued contribution of Alison Garland, Solicitor at Osborn Law.

NEED HELP WITH E-CONVEYANCING?

InfoTrack provides integrated products and services to support you through the end-to-end electronic conveyancing process. If you’d like to know more about how we can help you save time and manage your risk, get in touch with our team at [email protected] or visit our website.

ADDITIONAL RESOURCES

https://www.lawsociety.com.au/advocacy-and-resources/publications-and-resources/my-practice-area/electronic-conveyancing

http://lca.lawcouncil.asn.au/lawcouncil/cyber-precedent-risk-management/cyber-precedent-your-firm-their-data

http://www.qls.com.au/About_QLS/News_media/News/The_PEXA_hack_new_security_guidelines

http://www.qls.com.au/Knowledge_centre/Ethics/Resources/Cyber_security


KEY TAKEAWAYS

The transition to e-conveyancing and e-settlements brings with it new risks and you must be cyber vigilant to protect your clients, your firm and your reputation.

A strong security program is about more than just security software. Your employees are your first line of defence and must be trained to detect and prevent attacks. You’re only as strong as your weakest link.

The key to protecting your business and your clients is to build a solid foundation for a security program. Firms must adopt an integrated approach to fraud detection and prevention on a practitioner level.

WWW.INFOTRACK.COM.AU

ABOUT INFOTRACK

InfoTrack is a leading service provider for the Australian legal and conveyancing industries. We build smart, integrated technology that helps professionals work efficiently, reduce error and mitigate risk.

If you have any comments please get in touch at [email protected]
