Cybersecurity

The Importance of Cybersecurity for Practitioners and Legal Practice

Maintenance of cybersecurity continues to be a widespread issue among the legal sector. Targeted cyber-crime is becoming more common among small businesses, including law firms, worldwide.

It is necessary that practitioners educate themselves in cybersecurity due to the reliance and use of technology in the legal sector. It is vital practitioners understand how these cyber-attacks occur and how to minimise or protect themselves (or the company) against them. Failure to take appropriate steps to protect and impose proper cybersecurity practices includes a risk of breaching your professional obligations as a legal practitioner in South Australia (under the Australian Solicitors' Conduct Rules).

Each year, the Society undertakes a census where questions are asked of practices regarding a different range of topics. In the 2024 practice return, practices were asked various questions relating to their cybersecurity practices. Through this practice return, it was discovered that:

  • 47% of respondents do not have any form of multi factor authentication enabled, down from 48% of respondents in 2023.
  • 23% of respondents do not maintain an offline backup of files away from their internal network or within the cloud, down from 25% of respondents in 2023.
  • 47% of respondents have not undertaken an IT security audit within the last two years, down from 55% of respondents in 2023.
  • 58% of respondents retain emails within their email inbox for longer than 24 months or do not delete them at all, up from 50% of respondents in 2023 and
  • 31% of respondents do not train their staff to identify phishing or social engineering attacks, down from 36% of respondents in 2023.

It’s been proven that taking small risk mitigation steps to strengthen your cyber awareness can lead to the reduction of overall cyber incidents. While there are many technical controls that can be implemented on a computer or mobile device (such as firewalls and security policies), there are many things you can do to strengthen your cyber security defenses. We’ve provided some simple yet effective tips below that you can implement in your day-to-day cyber environment.

Consequences of a successful cyber-attack

The Australian Cybersecurity Centre’s annual report outlines cyber threats and trends that have occurred over the previous year financial year. In the latest report (year ended June 2022), a number of worrying trends were observed, including:

  • An increase in financial losses due to Business Email Compromise to over $98 million, an average loss of $64,000 per report.
  • A rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business.
  • A cybercrime report every 7 minutes on average.

Risks associated with a cyber-attack

Cyber-attacks have most notably caused damage in the areas listed in the below non-exhaustive list:

  • Theft of corporate, and financial information which has led to the theft of large sums of money.
  • Destroying and rendering all client data useless by irreversible encryption;.
  • Affecting the operation and use of mobile and computer equipment.

Consequences for practitioners/firms for a cyber-attack

Law practices and practitioners should note and be aware of the following further consequences associated with a successful cyber-attack:

  • If the firm is found to lack appropriate procedures and/or systems to protect the confidential client information and ensure that damage from cyber-attacks are mitigated, the firm may face claims of professional negligence amongst other consequences which may include but not be limited to:
    • Facing claims of unsatisfactory professional conduct or even professional misconduct for breaches of professional obligations under the Australian Solicitors’ Conduct Rules (SA);
    • Breach of contract with clients; and
    • Potential requirement to make disclosures under the Privacy Act for data breaches.
  • Employers should educate staff on appropriate cyber protocols and failure by staff to comply and reckless disregard for protocols may be result in disciplinary action.
  • Law practices hold extensive amounts of confidential information and their clients trust them to keep their information safe, failure to have appropriate procedures and systems may negatively affect and damage the reputation/brand of the law practice.

Such reputational damage may affect the business and may also not be easily recovered from.

Avoiding a cyber-attack

Practitioners should be vigilant with their communications and use of technology, including computers and mobiles. We recommend that all legal practitioners develop procedures to ensure their cyber security is tested and up to date. While a scam may take many forms, there are simple steps to reduce the risk of a cyber-attack:

  • Do not open any attachments or click on any links arising from emails where the sender is unknown. These links may redirect to a file or a malicious login page which can control your computer or capture your login details.
  • Even if the sender is known, it is beneficial to check with the sender to confirm the email is genuine. Targeted attacks by professional computer hackers can easily masquerade and camouflage their emails to look like a genuine sender.
  • Emailed directions with respect to money and trust transactions should be confirmed verbally every time (noting a double excess applies to practitioners insured under the PII scheme if independent payment verification steps are NOT taken).
  • Account details for payment should always be provided verbally, or via a written document such as a bill or retainer letter, and should not be included in the body of an email; Such details can be easily modified through cyber-attack techniques.
  • Educate your clients about cyber-attacks and advise them to contact you immediately if they receive any in-genuine, weird or fake emails. Such email may take the form of the request to pay money, receive details, or upload/downloading files. If you become aware of such activity, please advise the client to refrain from opening any further emails.
  • Have your cyber security systems checked by certified cyber security professionals and not only typical IT support. These professionals are trained to ensure systems can handle cyber-attacks. They are also capable of teaching your staff how to protect the firm.
  • Have sufficient cyber crime insurance schemes in place.
  • Implement a cyber-attack procedure and plan for typical and worst-case scenarios.

Simple tips to minimise your risk

Please click here to download the tips below in a PDF format.

Use a passphrase

Try using a passphrase which is made up of four or more random words with a combination of upper and lower characters, numbers and symbols instead of a traditional password.

Passphrases are longer, more complex alternatives to traditional passwords, typically composed of multiple words or a combination of words, numbers, and symbols. Their strength lies in their complexity and length, making them significantly more resilient to brute force attacks. Utilising passphrases enhances cybersecurity by providing a robust defense against unauthorised access, as they are harder for attackers to guess or crack. Encouraging the use of unique and memorable passphrases adds an extra layer of protection to sensitive accounts and information.

Phishing Awareness

Be cautious of unexpected emails, especially those requesting sensitive information or asking you to act on instructions given. Verify the sender's identity before clicking links or opening attachments.

Being cautious of unexpected emails, especially those urging immediate action or requesting sensitive data, is crucial. Verify the legitimacy of the sender, check for unusual email addresses, and refrain from clicking on links or downloading attachments from unfamiliar sources. Educating yourself and your team on these practices enhances cybersecurity by minimising the risk of falling victim to phishing attacks, ultimately safeguarding sensitive information and maintaining a secure digital environment.

Link Hovering

Hover your mouse over any links to see the true destination of a purported link.

Link hovering refers to the practice of pausing the cursor over a hyperlink without clicking to preview the destination URL. This simple yet effective technique is beneficial for cybersecurity as it allows users to verify the legitimacy of a link before interacting with it. By hovering, individuals can reveal the actual destination and identify potential phishing attempts or malicious URLs, helping to prevent unwittingly navigating to harmful websites and falling victim to cyber threats.

Enabling Multifactor Authentication (MFA)

Your bank requires your bank card and a pin number to access your money, so why treat your email or sensitive documents any other way? Setup MFA on any account that allows you to do so.

Multifactor Authentication (MFA) is a security practice that adds an extra layer of protection beyond just a password. It typically involves a combination of something you know (like a password) and something you have (like a mobile device). This dual verification significantly enhances cybersecurity by reducing the risk of unauthorised access, even if passwords are compromised. Like having a door with two locks and two separate keys, adding an additional step significantly strengthens your security posture.

Update your computer operating system and software

Cybercriminals take advantage of vulnerabilities in out-of-date software to compromise computer systems. Why make it easier for them?

Regularly updating your operating system is a fundamental cybersecurity measure. Operating system updates, often containing critical security patches, safeguard your device against vulnerabilities that could be exploited by cybercriminals. By staying current with these updates, you ensure that your system is equipped with the latest defences, enhancing overall cybersecurity resilience. This includes any device that has internet connectivity such as mobile phones, smart TVs and photocopiers.

App Permissions

Undertake a review of app permissions on your mobile device to ensure that installed applications only have access to necessary information.

Reviewing app permissions on your mobile device is crucial for preserving security as it ensures that each installed app has only the necessary access required for its intended functionality. Unchecked permissions may lead to unauthorised access to data stored on a mobile device. This can lead to user privacy compromise and exposing sensitive information. Regularly assessing and adjusting app permissions minimises the risk of malicious activities and enhances user control over what data can be accessed and shared, contributing to an overall more secure digital environment.

Staff Reporting

Remind staff to promptly report any suspicious activities or potential security incidents.

Encouraging staff to promptly report suspicious cyber activity or security incidents is paramount for effective cybersecurity. Approximately 88 percent of all data breaches are caused by user error. It is therefore important for staff to be aware of the signs of compromise and more importantly be willing to report suspicious activity as soon as possible.

Timely reporting allows for swift response and mitigation, preventing potential threats from escalating. By prioritising and acting on reports from staff, practices can proactively address security concerns, minimise potential damage, and maintain a defence against evolving cyber threats.

Cybersecurity Self-Assessment Tool

The Society has developed a cybersecurity self-assessment tool for legal practices aiming to evaluate and improve their cybersecurity posture. It offers a straightforward assessment process that can be completed in approximately 15 minutes. All answers are fully anonymous. After going through the assessment, you will receive a downloadable report.

This report outlines the current state of your practices' cybersecurity measures, identifies potential areas of improvement, and suggests specific corrective actions to address these issues. The goal is to provide legal practices with clear, actionable insights to enhance their cybersecurity defenses effectively.

Please click here to access the Cybersecurity Self-Assessment Tool.

Law & Cyber: Cyber Risk for Law Firms

Law Claims PII Risk Management is partnering with Law & Cyber to provide SA insured law practices access to Cyber Risk for Law Firms, a specialist, CPD-eligible training module.

The 'Cyber Risk for Law Firms' course focuses on cyber risk in the context of legal duties such as duties of confidentiality, fiduciary duties, trustees’ duties, and the Privacy Act.

The main sections of the course cover:

  • cybercrime impacting business today;
  • impersonation fraud;
  • phishing;
  • use of email to compromise other accounts;
  • breached passwords and weak log-in credentials;
  • data theft, identity fraud and the dark web;
  • ransomware and other malicious software; and
  • human error.

Law Claims encourages all legal practitioners to register for this online module and will pay the course fee for eligible insured practitioners (valued at $129).

To register for the online course, please contact the Risk Management team who will forward you the registration details.

For SA PII Scheme Legal Practitioners

Cybersecurity Risk Management Package

  • The aim of the Risk Management packages is to reduce the incidence and magnitude of insurance claims against legal practitioners.
  • The Cybersecurity Risk Management Package includes IT systems checklists, funds transfer critical information sheet and steps to enhance cybersecurity when working remotely.
  • For more information, please see Cybersecurity Risk Management (requires sign-in).

Cybersecurity Practice Visit Program

  • The Practice Visit Program is an interactive risk management session, specifically targeting cyber risk to the legal profession.
  • Available to legal practitioners and legal practices insured under the PII Scheme, the session is suitable for all staff members.
  • Lasting for up to two hours, the Risk Management team will bring everything that is required for the session and no prior reading is required.
  • The session is free and can be used toward your CPD requirements.
  • For more information, please see Practice Visit Program.