Australia’s law firms facing ‘serious but not insurmountable’ cyber flaws

A survey by Edith Cowan University has shown that lawyers are putting client data at risk because they are not taking cybersecurity measures seriously enough.

Edith Cowan University’s Security Research Institute (ECUSRI) polled 122 lawyers and found that:

41% didn’t know what cybersecurity countermeasures were available on their smartphones

11% said they have no antivirus protection on their work computer

41% of respondents did not have automatic updates switched on for their work computer.

9.4% of respondents use encryption to protect client data

64% of lawyers are tempted to use home or free public WiFi

53% send work-related emails to a non-business email account, such as Gmail or Hotmail

94% use email to send confidential data

ECU Associate Professor Mike Johnstone says the results show there are serious but ‘not insurmountable flaws’ in the way lawyers are protecting themselves and their devices from cyber-attacks.

“Lawyers, along with doctors, are the two professions which handle most of our confidential information on a day-to-day basis. It’s incredibly important that their cybersecurity practices are improved to protect their clients and themselves,” he explains.

“Imagine, as a lawyer, you’d been engaged to draft a will for your client and had your email compromised and a cybercriminal gained access to all of the information contained in that will? Trials could also be affected if key documents related to arguments are inaccessible due to a ransomware attack like the WannaCry attack in 2017,” Johnstone notes.

ECU is one of two Academic Centres of Cyber Security Excellence in Australia. ECU’s Joondalup Campus is also home to the headquarters of the Cyber Security Cooperative Research Centre, established in April 2018 with $140 million in funding.

The hidden liabilities within legal firms’ corporate infrastructure

The volume of unstructured data and paper filings being created, shared and stored by legal entities is still growing exponentially, and a lot of that data is ROT (Redundant, Obsolete and Trivial).

Add to that unified messaging, where important or sensitive information could be stored on an employee’s phone as a text message, a screenshot or a photograph.

Data must be identified and preserved, and potentially relevant documents identified and reviewed for relevancy and privilege, before being disclosed.

The small law firm lawyer is most fearful of cloud-based computing technology, and rightly so. There’s just no IT manpower to operate and manage what is really the law firm’s stuff located in someone else’s computing system. The small law firm is most inclined to keep everything in-house, and this cloud-based whatever just rubs against that. Talk to us and we can surely simplify the explanation and mitigate misconceptions.

Additionally, as a consequence of the pandemic, WFH and virtual collaboration have undeniably become an important part of doing business, and this is no different for lawyers. For the small law firm, we built solutions that address the needs and requirements of such a working environment. These solutions are also very competitive, well priced and productive.

Some of the main issues facing small and medium law firms that we experience every day are:

Cyber resilience

Cloud-based computing

Document sharing & management

Remote access / WFH

Secure collaboration

Data security & backup

Data Privacy & Digital Security Responsibilities

We do not claim to understand law and we do not expect you to understand technology beyond what it does to help you secure your data and make you more productive. We like making things simple and this is it in simplest form: Your and your clients’ data are paramount, and the underlying security and accessibility should be sentinelled.

Data privacy and digital security are not duties legal industry leaders take lightly. Law firms face serious security risks from a multitude of online threats including:

  1. Phishing and hacked email accounts
  2. Ransomware
  3. Data leaks
  4. Allegations of legal malpractice due to poor cybersecurity

A lot has been written about cybersecurity, and of the many professions that have been identified as prime targets for hackers, lawyers have been specifically singled out as easy prey for biometric, cloud, and phishing cyberattacks.

Since law firms handle sensitive client information and may have international reaches depending on the size of their staff, these entities are hot targets for hackers. A lot of legal work involves sharing electronic records, transferring files, preserving metadata, and so on. Digital contracts, eDiscovery, virtual data rooms, and cloud storage are here to stay.

While there are various kinds of hacks possible, they all have drastic impacts on business operations. Here are some of the biggest threats law firms currently face in their cybersecurity:

1. Phishing/Hacked Email Accounts

Lawyers typically use email accounts throughout their workdays and may also depend on online tools like Dropbox or DocuSign that users connect their emails to for login purposes. However, cybercriminals are getting increasingly creative about using phishing techniques to hack email accounts used by law firm personnel.

A common example is a request to log into a document-storage service and view a document that looks very authentic. When you attempt to get more information and call the phone number provided, which is operated by the hackers, they will add authenticity to the request and insist it is necessary for you to look at the document. The rest is history. Additionally, hackers use graphics and colour schemes to impersonate sign-in screens. You could also get an email that looks legitimate because it appears to come from a law firm. When you click on the document, you are redirected to a phishing website.

One of the first things to do after such an attack is to change email account passwords and possibly seek help to deal with it.

2. Ransomware

A ransomware attack happens when hackers encrypt files and make their victims pay to get them back.

If an organisation receives threats that files will be deleted unless the hackers receive a ransom payment (generally in Bitcoin), enforcement agencies advise that it should avoid paying the ransom and speak to file recovery experts first.

While you can still consider your options, can you answer YES to these basic requirements:

Do you have a business continuity plan?

Do you know the state of your cybersecurity posture?

Do you have a plan B in place?

Have you tested your plan?

How often do you test your plan?

Do you have well-defined policies and response plans?

If you answered NO to one or more of the above, it is probably a good time to consider a new perspective on things with a free IT site audit.

3. Leaks of Sensitive Data

Subsequent to a cyberattack, data leaks are a common occurrence. Under the Notifiable Data Breach (NDB) scheme an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

An eligible data breach occurs when:

there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds

this is likely to result in serious harm to one or more individuals, and

the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action

Talk to us today about protecting your data and implementing a data protection plan.

4. The Risk of Legal Malpractice Allegations Due to Poor Cybersecurity

Having a robust cybersecurity risk management framework, cyber resilience and a structured security governance program driven from the executive down is key to avoiding regulatory action as well as potential third party claims against directors and officers.

ASIC has identified 11 cyber resilience good practices which guide the assessments of the adequacy of an organisation’s cyber resilience program, and which ASIC considers will enable organisations to operate highly adaptive and responsive cyber resilience processes. It would be important for Boards to be familiar with these good practices and incorporate them in their organisation.

ASIC has also identified eight key questions an organisation’s Board of Directors should consider when evaluating cyber resilience within their organisations.

Boards may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.

We can help take the pain out of implementing such requirements backed by over 20 years’ experience of small to medium business IT solutions, services and support.
