Australia’s law firms facing ‘serious but not insurmountable’ cyber flaws

A survey by Edith Cowan University has shown that lawyers are putting client data at risk because they are not taking cybersecurity measures seriously enough. Edith Cowan University’s Security Research Institute (ECUSRI) polled 122 lawyers and found that:

• 41% didn’t know what cybersecurity countermeasures were available on their smartphones
• 11% said they have no antivirus protection on their work computer.
• 41% of respondents did not have automatic updates switched on for their work computer.
• 9.4% of respondents use encryption to protect client data
• 64% of lawyers have the temptation to use home or free public WiFi
• 64% of lawyers have the temptation to use home or free public WiFi
• 94% use email to send confidential data

ECU Associate professor Mike Johnstone says the results show there are serious but ‘not insurmountable flaws’ in the way lawyers are protecting themselves and their devices from cyber-attacks.

“Lawyers, along with doctors are the two professions which handle most of our confidential information on a day-to-day basis. It’s incredibly important that their cybersecurity practices are improved to protect their clients and themselves,” he explains.

“Imagine, as a lawyer, you’d engaged to draft a will for your client and had your email compromised and a cybercriminal gained access to all of the information contained in that will? Trials could also be affected if key documents related to arguments are inaccessible due to a ransomware attack like the WannaCry attack in 2017,” Johnstone notes.

ECU is one of two Academic Centres of Cyber Security Excellence in Australia. ECU’s Joondalup Campus is also home to the headquarters of the Cyber Security Cooperative Research Centre, established in April 2018 with $140 million in funding.

The hidden liabilities within Legal Firms corporate infrastructure.

The volume of unstructured data and paper filings that are being created, shared and stored by legal entities is still growing exponentially, a lot of that data is ROT (Redundant, Obsolete and Trivial).

Add to that unified messaging, where important or sensitive information could be stored on an employee phone as a text message, as a screenshot or photographs.

Data must be identified, preserved, potentially relevant documents identified, reviewed for relevancy and privilege before being disclosed.

The small law firm lawyer is most fearful of cloud-based computing technology, and rightly so. There’s just no IT manpower to operate and manage what is really the law firm’s stuff located in someone else’s computing system. The small law firm is most inclined to keep everything in-house, and this cloud-based whatever just rubs against that. Talk to us and we can surely simplify the explanation and mitigate misconceptions.

Additionally, as a consequence of the pandemic, WFH and virtual collaboration have undeniably become an important part of doing business and this is no different to lawyers. For the small law firm, we built solutions that address the needs and requirements of such working environment. Solutions which are also very competitive, well priced and productive.

Some of the main issues facing small and medium law firms that we experience everyday are:

• Cyber resilience
• Cloud-based computing
• Cloud-based computing
• Remote access / WFH
• secure collaboration
• Data security & backup

Data Privacy & Digital Security Responsibilities

We do not claim to understand law and we do not expect you to understand technology beyond what it does to help you secure your data and making you more productive. We like making things simple and this is it in simplest form: Your and your clients’ data are paramount, and the underlying security and accessibility should be sentinelled.

Data privacy and digital security are not duties legal industry leaders take lightly. Law firms face serious security risks from a multitude of online threats including:

• Phishing and hacked email accounts
• Ransomware
• Data leaks
• Allegations of legal malpractice due to poor cybersecurity

A lot have been written about cybersecurity, and of the many professions that have been identified as prime targets for hackers, lawyers specifically singled out as being easy prey to biometric, cloud, and phishing cyberattacks.

Since law firms handle sensitive client information and may have international reaches depending on the size of their staff, these entities are hot targets for hackers. A lot of legal work involves sharing electronic records, transferring files, preserving metadata, and so on. Digital contracts, eDiscovery, virtual data rooms, and cloud storage are here to stay.

While there are various kinds of hacks possible, they all have drastic impacts on business operations. Here are some of the biggest threats law firms currently face in their cybersecurity:

1. Phishing/Hacked Email Accounts

Lawyers typically use email accounts throughout their workdays and may also depend on online tools like Dropbox or DocuSign that users connect their emails to for login purposes. However, cybercriminals are getting increasingly creative about using phishing techniques to hack email accounts used by law firm personnel.

A common example is a request to log into a document-storage service and view a document that looks very authentic. When you attempt to get more information and call the phone number which is operated by the hackers, the hackers will add authenticity to the request and insist it was necessary for you to look at the document. The rest is history. Additionally, hackers use graphics and colour schemes to impersonate sign-in screens. You could also get an email that looks legitimate as it appears to come from a law firm. When you click on the document, you are redirected to a phishing website.

One of the first things to do after such attacks is to change email accounts passwords and possibly seek help to deal with it.

2. Ransomware

A ransomware attack happens when hackers encrypt files and make their victims pay to get them back.

If an organisation receives threats about files getting deleted if hackers do not receive ransom payments (generally Bitcoin), enforcement agencies advice they should avoid paying the ransom and speak to file recovery experts first.

While you still can consider your options, can you answer YES to these basic requirements:

• Do you have business continuity plan?
• Do you know the state of your Cybersecurity posture?
• Do you have plan B in place?
• have you tested your plan?
• How often do you test your plan?
• Do you have well defined policies and response plans?

If you answered NO to one or more of the above, it is probably a good time to consider new perspective of things with a free IT site audit.

3. Leaks of Sensitive Data

Subsequent to a cyberattack, data leaks are a common occurrence. Under the Notifiable Data Breach (NDB)

scheme an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

An eligible data breach occurs when:

• there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
• this is likely to result in serious harm to one or more individuals, and
• the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action

the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action

4. The Risk of Legal Malpractice Allegations Due to Poor Cybersecurity

Having a robust cybersecurity risk management framework, cyber resilience and structured security governance program driven from the executive down is key in avoiding regulatory action as well as potential third party claims against directors and officers.

ASIC has identified 11 cyber resilience good practices which guide the assessments of the adequacy of an organisation’s cyber resilience program, and which ASIC considers will enable organisations to operate highly adaptive and responsive cyber resilience processes. It would be important for Boards to be familiar with these good practices and incorporate them in their organisation.

ASIC has also identified eight key questions an organisation’s Board of Directors should consider when evaluating cyber resilience within their organisations.

Boards may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.

We can help take the pain out of implementing such requirements backed by over 20 years’ experience of small to medium business IT solutions, services and support.