The Importance of Cyber Security for Practitioners and Legal Practice

Maintenance of cyber security continues to be a widespread issue among the legal sector. Targeted cyber-crime is becoming more common among small businesses, including law firms, worldwide.

It is necessary that practitioners educate themselves in cyber security due to the reliance and use of technology in the legal sector. It is vital practitioners understand how these cyber-attacks occur and how to minimise or protect themselves (or the company) against them. Failure to take appropriate steps to protect and impose proper cyber security practices includes a risk of breaching your professional obligations as a legal practitioner in South Australia (under the Australian Solicitors' Conduct Rules).

If you have any inquiry regarding your professional obligations as a practitioner in this section, please contact the Society's Ethics and Practice Unit on 8229 0229.

 

Source: Law Council Of Australia

The Law Council has a variety of general checklists to ensure your practice has sufficient cyber security mechanisms. You can refer to them by clicking the links below.

Please note these are not exhaustive lists. The Society recommends you seek independent advice from cyber security professionals due to the complexity of cyber crime:

Our Tips

A successful cyber-attack may have severe consequences for your law practice. Cyber-attacks have most notably caused damage in the areas listed in the below non-exhaustive list:

  • Theft of corporate, and financial information which has led to the theft of large sums of money;
  • Destroying and rendering all client data useless by irreversible encryption;
  • Affecting the operation and use of mobile and computer equipment.

Law practices (and practitioners) should note and be aware of the following further consequences associated with a successful cyber-attack:

  • If the firm is found to lack appropriate procedures and/or systems to protect the confidential client information and ensure that damage from cyber-attacks are mitigated, the firm may face claims of professional negligence amongst other consequences which may include but not be limited to:
    • Facing claims of unsatisfactory professional conduct or even professional misconduct for breaches of professional obligations under the Australian Solicitors’ Conduct Rules (SA);
    • Breach of contract with clients; and
    • Potential requirement to make disclosures under the Privacy Act for data breaches.
  • Employers should educate staff on appropriate cyber protocols and failure by staff to comply and reckless disregard for protocols may be result in disciplinary action.
  • Law practices hold extensive amounts of confidential information and their clients trust them to keep their information safe, failure to have appropriate procedures and systems may negatively affect and damage the reputation/brand of the law practice.

Such reputational damage may affect the business and may also not be easily recovered from. 

The Society reminds practitioners to be vigilant with their communications and use of technology, including computers and mobiles. We recommend that all legal practitioners develop procedures to ensure their cyber security is tested and up to date. While a scam may take many forms, there are simple steps to reduce the risk of a cyber-attack:

  1. Do not open any attachments or click on any links arising from emails where the sender is unknown. These links may redirect to a file or a malicious login page which can control your computer or capture your login details.
  2. Even if the sender is known, it is beneficial to check with the sender to confirm the email is genuine. Targeted attacks by professional computer hackers can easily masquerade and camouflage their emails to look like a genuine sender.
  3. Emailed directions with respect to money and trust transactions should be confirmed verbally every time.
  4. Account details for payment should always be provided verbally, or via a written document such as a bill or retainer letter, and should not be included in the body of an email.  Such details can be easily modified through cyber-attack techniques.
  5. Educate your clients about cyber-attacks and advise them to contact you immediately if they receive any in-genuine, weird or fake emails. Such email may take the form of the request to pay money, receive details, or upload/downloading files. If you become aware of such activity, please advise the client to refrain from opening any further emails.
  6. Have your cyber security systems checked by certified cyber security professionals and not only typical IT support. These professionals are trained to ensure systems can handle cyber-attacks. They are also capable of teaching your staff how to protect the firm.
  7. Have sufficient cyber crime insurance schemes in place.
  8. Implement a cyber-attack procedure and plan for typical and worst-case scenarios. 

Cyber-attacks occur very frequently to a variety of organisations all around the world. Several real-life examples have occurred with law firms in Australia recently.

In Queensland, a conveyancing firm reported that fraudsters gained access to law practice email accounts by email phishing methods and appeared to have either emailed clients directly or altered outgoing emails asking clients for funds.

A typical good scam email will usually be tailored for each firm. Generally most take form like this:

Enquiry purporting to be from a prospective client seeking conveyancing services

HELLO,
 
I'm looking forward to buy a new house and an office building, want to dispose my old home or maybe renovate it before selling it.
 
I and my husband are in need of a trust worthy solicitor firm, to represent us in the course of this trade of both the buying of a new house and office, also the selling of our current home.
 
Kindly get back to us if you're interested or available to take on a new contract.


The scammer will usually take a 3 step process:

  • Firstly, an email enquiry about a legal related matter usually concerning a field of law the firm practices in.
  • Secondly, the scammer will attempt to gain access to the computer by utilising several types of methods. They may do so by a link which forces them to log in to a common service such as email or another application (like Dropbox. The page may look genuine to a layperson which allows the perpetrator to deceive the victim and enter their password.
  • When the practitioner enters their password the scammer gains access.


If you find that you are being targeted through such methods please contact the persons listed below.

If you believe you have are a victim to an on-going threat or potential of a cyber-attack, it is immediately recommended to:

  • Contact a cyber security IT professional to deal with the relevant attack; and
  • Review any emergency or accident manuals relating to cyber-attacks or IT issues.

  • If you do not have a checklist or guide for an emergency, you can view the comprehensive cyber-attack checklist developed by the Law Council of Australia. 
    I Have Been Cyber Attacked! - Cyber Attack Checklist

    The Australian Cyber Security Centre has developed 8 essential mitigation strategies to help avoid cyber security incidents. The following technical tips should be given to the relevant IT or cyber security expert for implementation and consideration. The following is a redacted version of the essential tips:

     https://www.cyber.gov.au/publications/essential-eight-explained

    • Application Whitelisting: Whitelist any genuine and approved applications to prevent execution of malicious programs.
    • Patch Applications: Patch and update applications regularly to avoid any extreme risk vulnerabilities.
    • User Application Hardening: Disable any unneeded applications and features that are likely to increase risks. (Such as Java, Office Suite Macro Scripts, etc)
    • Restrict Administrative Privileges: Restrict access to administrative accounts and operating systems based on user duties. Re-validate access to systems regularly.
    • Use Multi-Factor Authentication: MFA is used as another layer of protection if typical security mechanisms are breached. Utilise MFA for all remoting protocols to access sensitive data systems (such as RDP, VPNs, SSH, etc).
    • Maintain Daily Backups: It is important that daily backups are made in the case of a cyber security incident.

    Who to contact to report or if you need more information?


    It is recommended that reports of cyber fraud affecting legal practitioners should be made to:

    Further information about Cybercrime is available from Law Council of Australia Cyber Precedent website

    Other Law Society Articles, Guidelines and Publications about Cyber Security can be found here .