The Importance of Cyber Security for Practitioners and Legal Practice

Maintaining cyber security continues to be a widespread issue across the legal sector. Targeted cyber-crime is becoming more common among small businesses, including law firms, worldwide.

Given the legal sector's reliance on technology, it is necessary that practitioners educate themselves in cyber security. It is vital that practitioners understand how cyber-attacks occur and how to minimise the risk to themselves (or the firm) and protect against them. Failure to take appropriate steps to protect information and to impose proper cyber security practices carries a risk of breaching your professional obligations as a legal practitioner in South Australia (under the Australian Solicitors' Conduct Rules).

If you have any enquiry regarding your professional obligations as a practitioner in relation to this topic, please contact the Society's Ethics and Practice Unit on (08) 8229 0229 or via email at ethicsandpractice@lawsocietysa.asn.au.

Simple tips to minimise your risk

Each year, the Society undertakes a census in which practices are asked questions on a range of topics. In the 2023 census, practices were asked various questions relating to their cybersecurity practices. The census found that:

  • 49% of respondents do not have any form of multi-factor authentication enabled;
  • 25% of respondents do not maintain an offline backup of files away from their internal network or within the cloud;
  • 55% of respondents have not undertaken an IT security audit within the last two years;
  • 50% of respondents retain emails within their email inbox for longer than 24 months or do not delete them at all; and
  • 36% of respondents do not train their staff to identify phishing or social engineering attacks.

Taking small risk-mitigation steps to strengthen your cyber awareness has been shown to reduce overall cyber incidents. While there are many technical controls that can be implemented on a computer or mobile device (such as firewalls and security policies), there are also many non-technical things you can do to strengthen your cyber security defenses. We’ve provided some simple yet effective tips below that you can implement in your day-to-day cyber environment.


Try using a passphrase made up of four or more random words with a combination of upper- and lower-case characters, numbers and symbols instead of a traditional password.

Passphrases are longer alternatives to traditional passwords, typically composed of multiple words or a combination of words, numbers and symbols. Their strength lies in their length and complexity, which makes them significantly more resilient to brute-force attacks. Using passphrases enhances cybersecurity by providing a robust defense against unauthorised access, as they are harder for attackers to guess or crack. Encouraging the use of unique and memorable passphrases adds an extra layer of protection to sensitive accounts and information.
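To make the "length beats complexity" point concrete, the following is an added Python example (not part of the Society's material). It computes the entropy of a secret from the size of its choice space, estimates how long an attacker would need to try every possibility at an assumed guessing rate, and checks a candidate against the tip above (four or more words plus a mix of upper-case, lower-case, digits and symbols). The 95-character alphabet, the 7776-entry word list and the guessing rate are assumptions chosen for the comparison.

```python
import math
import re
import string

# Assumed sizes of the choice spaces (hypothetical, for illustration): 95
# printable ASCII characters for a random-character password, and a
# 7776-entry word list (the size of a common diceware list) for a passphrase.
PRINTABLE_ASCII = 95
WORD_LIST_SIZE = 7776


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in a secret made of `length` independent, uniformly
    random picks from `choices` possibilities: log2(choices ** length)."""
    return length * math.log2(choices)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time needed to try every possibility at the given guessing rate."""
    return (2.0 ** bits) / guesses_per_second


def meets_passphrase_tip(passphrase: str) -> bool:
    """Checks the Society's tip: four or more words, plus at least one
    upper-case letter, lower-case letter, digit and symbol.
    Words are counted as runs of letters."""
    words = re.findall(r"[A-Za-z]+", passphrase)
    return (
        len(words) >= 4
        and any(c.isupper() for c in passphrase)
        and any(c.islower() for c in passphrase)
        and any(c.isdigit() for c in passphrase)
        and any(c in string.punctuation for c in passphrase)
    )


if __name__ == "__main__":
    # Constructed guessing rate (hypothetical offline attack) used only to
    # compare the secret types against each other, not as a real-world figure.
    rate = 1e10
    for label, choices, length in [
        ("8 random lower-case letters", 26, 8),
        ("8 random printable characters", PRINTABLE_ASCII, 8),
        ("4 random words", WORD_LIST_SIZE, 4),
        ("6 random words", WORD_LIST_SIZE, 6),
    ]:
        bits = entropy_bits(choices, length)
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{label:32s} {bits:6.1f} bits  ~{days:,.0f} days to exhaust")
    for candidate in ["Password1!", "Correct-horse7 battery Staple!"]:
        print(f"{candidate!r}: meets tip = {meets_passphrase_tip(candidate)}")
```

Four random words already give roughly the same entropy as eight fully random printable characters (about 52 bits), and every extra word adds about 13 bits, which is why a memorable six-word passphrase comfortably outperforms the short, symbol-heavy passwords people actually choose. The check function only tests the shape of the tip; it cannot tell whether the words were chosen at random, which is what the entropy figures assume.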

Be cautious of unexpected emails, especially those requesting sensitive information or asking you to act on instructions given. Verify the sender's identity before clicking links or opening attachments.

Being cautious of unexpected emails, especially those urging immediate action or requesting sensitive data, is crucial. Verify the legitimacy of the sender, check for unusual email addresses, and refrain from clicking on links or downloading attachments from unfamiliar sources. Educating yourself and your team on these practices enhances cybersecurity by minimising the risk of falling victim to phishing attacks, ultimately safeguarding sensitive information and maintaining a secure digital environment.

Hover your mouse over any links to see the true destination of a purported link.

Link hovering refers to the practice of pausing the cursor over a hyperlink without clicking to preview the destination URL. This simple yet effective technique is beneficial for cybersecurity as it allows users to verify the legitimacy of a link before interacting with it. By hovering, individuals can reveal the actual destination and identify potential phishing attempts or malicious URLs, helping to prevent unwittingly navigating to harmful websites and falling victim to cyber threats.
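What hovering reveals is the gap between the text a link displays and the address it actually points to. The following added Python example (not part of the Society's material) automates that comparison over the HTML body of an email: it collects every link, compares the displayed host with the real destination host, and flags bare IP addresses and non-HTTPS destinations. The sample email body is constructed for the example and uses reserved example and documentation names only.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). Hosts use reserved
# example names and the 203.0.113.0/24 documentation address range.
SAMPLE_EMAIL_HTML = """
<p>Please review the updated settlement statement.</p>
<p><a href="https://portal.example-lawfirm.com/matters">https://portal.example-lawfirm.com/matters</a></p>
<p><a href="http://203.0.113.10/secure">https://secure.example-bank.com/</a></p>
<p><a href="https://example-bank.com.login-check.example/">Confirm account details</a></p>
"""

# Displayed text that a reader would take to be a web address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?$")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url: str) -> str:
    """Host part of a URL; bare 'www.example.com/...' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(text: str, href: str):
    """Reasons a link deserves a second look (empty list if none)."""
    reasons = []
    real_host = host_of(href)
    if LOOKS_LIKE_URL.match(text) and host_of(text) != real_host:
        reasons.append(f"displayed host {host_of(text)} differs from real host {real_host}")
    try:
        ipaddress.ip_address(real_host)
        reasons.append("destination is a bare IP address rather than a domain name")
    except ValueError:
        pass
    if urlparse(href if "://" in href else "http://" + href).scheme != "https":
        reasons.append("destination is not served over HTTPS")
    return reasons


def suspicious_links(html: str):
    """Links in the message with at least one reason flagged."""
    flagged = []
    for text, href in extract_links(html):
        reasons = check_link(text, href)
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

The second link in the sample is caught on all three checks. The third link is not flagged at all: its text is an ordinary phrase and its destination is a well-formed HTTPS domain, so only a person reading the hovered address and noticing that the real domain is the last part of the host, not the familiar name at the front, would spot it. That is the caveat to automated checks and the reason the hovering habit still matters.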

Your bank requires your bank card and a PIN to access your money, so why treat your email or sensitive documents any differently? Set up MFA on any account that allows you to do so.

Multi-factor authentication (MFA) is a security practice that adds an extra layer of protection beyond just a password. It typically involves a combination of something you know (like a password) and something you have (like a mobile device). This dual verification significantly enhances cybersecurity by reducing the risk of unauthorised access, even if passwords are compromised. Like having a door with two locks and two separate keys, adding an additional step significantly strengthens your security posture.

Cybercriminals take advantage of vulnerabilities in out-of-date software to compromise computer systems. Why make it easier for them?

Regularly updating your operating system is a fundamental cybersecurity measure. Operating system updates, often containing critical security patches, safeguard your device against vulnerabilities that could be exploited by cybercriminals. By staying current with these updates, you ensure that your system is equipped with the latest defenses, enhancing overall cybersecurity resilience. This includes any device that has internet connectivity such as mobile phones, smart TVs and photocopiers.

Undertake a review of app permissions on your mobile device to ensure that installed applications only have access to necessary information.

Reviewing app permissions on your mobile device is crucial for preserving security, as it ensures that each installed app has only the access required for its intended functionality. Unchecked permissions may lead to unauthorised access to data stored on the device, compromising user privacy and exposing sensitive information. Regularly assessing and adjusting app permissions minimises the risk of malicious activity and gives users more control over what data can be accessed and shared, contributing to an overall more secure digital environment.

Remind staff to promptly report any suspicious activities or potential security incidents.

Encouraging staff to promptly report suspicious cyber activity or security incidents is paramount for effective cybersecurity. Approximately 88 percent of all data breaches are caused by user error. It is therefore important for staff to be aware of the signs of compromise and, more importantly, to be willing to report suspicious activity as soon as possible.

Timely reporting allows for swift response and mitigation, preventing potential threats from escalating. By prioritising and acting on reports from staff, practices can proactively address security concerns, minimise potential damage, and maintain a defense against evolving cyber threats.

Consequences of a successful cyber-attack

The Australian Cyber Security Centre’s annual report outlines cyber threats and trends observed over the previous financial year. In the latest report (year ended June 2022), a number of worrying trends were observed, including:

  • An increase in financial losses due to Business Email Compromise to over $98 million, an average loss of $64,000 per report.
  • A rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business.
  • A cybercrime report every 7 minutes on average.

Cyber-attacks have most notably caused damage in the following areas (non-exhaustive list):

  • Theft of corporate and financial information, which has led to the theft of large sums of money;
  • Rendering all client data useless through irreversible encryption;
  • Affecting the operation and use of mobile and computer equipment.

Law practices (and practitioners) should note and be aware of the following further consequences associated with a successful cyber-attack:

  • If the firm is found to lack appropriate procedures and/or systems to protect confidential client information and to ensure that damage from cyber-attacks is mitigated, the firm may face claims of professional negligence amongst other consequences, which may include but are not limited to:
    • Facing claims of unsatisfactory professional conduct or even professional misconduct for breaches of professional obligations under the Australian Solicitors’ Conduct Rules (SA);
    • Breach of contract with clients; and
    • Potential requirement to make disclosures under the Privacy Act for data breaches.
  • Employers should educate staff on appropriate cyber protocols; failure by staff to comply with, or reckless disregard for, those protocols may result in disciplinary action.
  • Law practices hold extensive amounts of confidential information, and their clients trust them to keep that information safe. Failure to have appropriate procedures and systems may negatively affect and damage the reputation/brand of the law practice.

Such reputational damage may affect the business and may also not be easily recovered from.

The Society reminds practitioners to be vigilant with their communications and use of technology, including computers and mobiles. We recommend that all legal practitioners develop procedures to ensure their cyber security is tested and up to date. While a scam may take many forms, there are simple steps to reduce the risk of a cyber-attack:

  1. Do not open any attachments or click on any links arising from emails where the sender is unknown. These links may redirect to a file or a malicious login page which can control your computer or capture your login details.
  2. Even if the sender is known, it is beneficial to check with the sender to confirm the email is genuine. Targeted attacks by professional computer hackers can easily disguise their emails to look as though they come from a genuine sender.
  3. Emailed directions with respect to money and trust transactions should be confirmed verbally every time (noting a double excess applies to practitioners insured under the PII scheme if independent payment verification steps are NOT taken).
  4. Account details for payment should always be provided verbally, or via a written document such as a bill or retainer letter, and should not be included in the body of an email. Such details can be easily modified through cyber-attack techniques.
  5. Educate your clients about cyber-attacks and advise them to contact you immediately if they receive any emails that appear suspicious, unusual or fake. Such emails may take the form of a request to pay money, provide details, or upload or download files. If you become aware of such activity, please advise the client to refrain from opening any further such emails.
  6. Have your cyber security systems checked by certified cyber security professionals and not only typical IT support. These professionals are trained to ensure systems can handle cyber-attacks. They are also capable of teaching your staff how to protect the firm.
  7. Have sufficient cyber crime insurance schemes in place.
  8. Implement a cyber-attack procedure and plan for typical and worst-case scenarios.

Resolving and reporting a cyber-attack or cyber fraud

If you believe you or your firm are the victim of an ongoing or potential cyber-attack, it is recommended that you immediately:

  • Contact a cyber security IT professional to deal with the relevant attack.
  • Review any emergency or incident manuals relating to cyber-attacks or IT issues.

It is recommended that reports of cyber-attacks and cyber fraud affecting legal practitioners be made to:

For legal practitioners participating in the Professional Indemnity Insurance Scheme

Cybersecurity Risk Management Package

  • The aim of the Risk Management packages is to reduce the incidence and magnitude of insurance claims against legal practitioners.
  • The Cybersecurity Risk Management Package includes IT systems checklists, funds transfer critical information sheet and steps to enhance cybersecurity when working remotely.
  • For more information, please see Cybersecurity Risk Management (requires sign-in).

Cybersecurity Practice Visit Program

  • The Practice Visit Program is an interactive risk management session, specifically targeting cyber risk to the legal profession.
  • Available to legal practitioners and legal practices insured under the PII Scheme, the session is suitable for all staff members.
  • The session lasts up to two hours; the Risk Management team will bring everything required for the session and no prior reading is needed.
  • The session is free and can be used toward your CPD requirements.
  • For more information, please see Practice Visit Program (requires sign-in).

Law & Cyber: Cyber Risk for Law Firms

Law Claims PII Risk Management is partnering with Law & Cyber to provide SA insured law practices access to “Cyber Risk for Law Firms”, a specialist, CPD-eligible training module.

The “Cyber Risk for Law Firms” course focuses on cyber risk in the context of legal duties such as duties of confidentiality, fiduciary duties, trustees’ duties, and the Privacy Act.

The main sections of the course cover:

  • cybercrime impacting business today;
  • impersonation fraud;
  • phishing;
  • use of email to compromise other accounts;
  • breached passwords and weak log-in credentials;
  • data theft, identity fraud and the dark web;
  • ransomware and other malicious software; and
  • human error.

Law Claims encourages all legal practitioners to register for this online module and will pay the course fee for eligible insured practitioners (valued at $129).

To register for the online course, please contact the Risk Management team who will forward you the registration details.