Lawyers and Cyber Security

The significance of Cyber Security is undeniable, and the Information Security risk considerations should excogitate beyond noticing them as an ‘IT Issue’. This article will mainly focus on what Lawyers should know about Information and Cyber Security. According to the Cyber Precedent highlighting the Australian Privacy Principles and Cyber Security, prepared by the Law Society of NSW and published by Law Council of Australia, Cyber threats and risks continue to increase in scale and intricacy. These threats create legal, regulatory, and business risk to law firms. In Australia the average cost of a cybercrime incident is $276,323 and average time to resolve an attack is 25 days.

During the 2020–21 financial year, over 67,500 cybercrime reports were made via ReportCyber, an increase of nearly 13 per cent from the previous financial year. One cybercrime report is made approximately every eight minutes in Australia.

The Annual Cyber Threat Report for 2020-2021 also suggests that the top three cybercrime types reported were:
■ fraud cybercrime – approximately 23 per cent
■ shopping cybercrime – approximately 17 per cent
■ online banking cybercrime – approximately 12 per cent.

According to the ‘Annual Cyber Threat Report 2020’ published by ASCS Australian Cyber Security Centre between 1^st July 2019 to 30^th June 2020 the most common type of cyber security incident was ‘malicious email’ and Phishing and spear-phishing emails have consistently remained the most common cyber security incidents reported to ASCS, followed by ‘compromised system'.

Cyber Security incidents, by type (1 July 2019 to 30 June 2020 Source: ASCS

In general terms, cyber security is about protecting yourself and your organisation from unauthorised activities that have the potential to compromise computers, associated infrastructure or any electronic information that is responsibility of your organisation.

In short, cyber security is defined as the measures taken to protect your data from theft and other cybercrimes which can be triggered by Viruses, Ransomware, Phishing, Malware, Hacking, and DDoS.

Why are lawyers targets of Cyber-attacks?

There is a common question of “why are Lawyers the targets of these Cyber-attacks”? But the answer is simple, Law firms hold lots of sensitive data, some of it in the cloud. In addition, compared to other professions, lawyers have been slow to implement cyber security measures. According to Law Council of Australia, some banks have even warned that law firms are a cyber security risk.

The Australian Government defined a ‘cyber-attack’ as “a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity”. Therefore, there are many risks associated with the Cyber Attack. Typically, the damage caused by a cyber-attack can cause theft of confidential corporate, personal, and financial information which may lead to the theft of large amounts of money. Another related risk includes destroying and rendering all client data useless by irreversible encryption and impacting the use of computer and mobile.

It is important that Lawyers and Law firms understand and implement cyber security measures to protect their data. If a lawyer’s practice is the victim of cybercrime the repercussions can be ruinous for both lawyer's clients and the law firm.

According to ASCS between 1^st July 2019 and 30^th June 2020, the largest proportion of incidents were reported by the Commonwealth Government followed by State/Territory Government sector. However, Legal and Professional Services sector incidents cannot be ignored as shown in the figure below

Cyber Security Incidents, by affected sector (1 July 2019 to 30 June 2020)

Cyber Security Incidents, by affected sector (1 July 2019 to 30 June 2020) source: ASCS

How to avoid a Cyber-attack?

According to the Law Society of Australia, practitioners should be vigilant with their communications and use of technology, including computers, mobiles, and any other devices. Legal practitioners must develop and implement procedures to ensure that their cyber security is tested and up to date, there are some simple steps for lawyers and end users to mitigate the risk of a cyber-attack:

Do not open any attachments or click on any links arising from emails where the sender is unknown. These links may redirect to a file or a malicious login page which can control your computer or capture your login details.
Even if the sender is known, it is beneficial to check with the sender to confirm the email is genuine. Targeted attacks by professional computer hackers can easily masquerade and camouflage their emails to look like a genuine sender.
Emailed directions with respect to money and trust transactions should be confirmed verbally every time.
Account details for payment should always be provided verbally, or via a written document such as a bill or retainer letter and should not be included in the body of an email. Such details can be easily modified through cyber-attack techniques.
Educate your clients about cyber-attacks and advise them to contact you immediately if they receive any emails that seem not genuine, weird, or fake. Such emails may take the form of the request to pay money, receive details, or upload/downloading files. If you become aware of such activity, please advise the client to refrain from opening any further emails.
Have your cyber security systems checked by certified cyber security professionals and not only typical IT support. These professionals are trained to ensure systems can handle cyber-attacks. They are also capable of teaching your staff how to protect the firm.
Have sufficient cybercrime insurance schemes in place.
Implement a cyber-attack procedure and plan for typical and worst-case scenarios.

What to do if you are cyber-attacked

If you believe that you are a victim to an ongoing threat or potential of a cyber-attack, it is recommended to immediately:

Contact your organisation’s IT department or a cyber security IT professional to deal with the relevant attack; and
Report the incident to an Information Security Officer or
Review any emergency or accident manuals relating to cyber-attacks or IT issues.

Conclusion

It is necessary that practitioners educate themselves in cyber security due to the reliance and use of technology in the legal sector. It is vital practitioners understand how these cyber-attacks occur and how to minimise or protect themselves (or the company) against them. Failure to take appropriate steps to protect and impose proper cyber security practices includes a risk of breaching your professional obligations as a legal practitioner.

Written by Rizwan Bhatti: Helpdesk Analyst at LawMaster

This article was updated 04/10/2022 to include updated data on cyber crimes in Australia.

References

Law Council of Australia, “Privacy Principles” http://lca.lawcouncil.asn.au/lawcouncil/images/Privacy_Principles.pdf
Law Council of Australia, “Cyber Precedent Essential” http://lca.lawcouncil.asn.au/lawcouncil/cyber-precedent-essentials/cyber-precedent-reality
Australian Signals Directorate, Publications – “Cyber Security Essential Eight” https://www.cyber.gov.au/publications/essential-eight-explained
Law Society of South Australia, Publications – “Resources for Cyber Security” https://www.lawsocietysa.asn.au/Public/Publications/Resources/CyberSecurity.aspx

ASCS "Annual Cyber Threat Report 2020-21" https://www.cyber.gov.au/sites/default/files/2021-09/ACSC%20Annual%20Cyber%20Threat%20Report%20-%202020-2021.pdf