The cybersecurity landscape of the Australian legal industry has shifted significantly, and no law firm is safe from targeted cyber attacks.
Protecting the sensitive data and personal information that law firms work with on a daily basis presents a significant challenge, and cybersecurity is now not only a 'tech' problem but a 'human' problem.
"Human behaviour accounted for 38% of data breaches in 2020."
- Office of the Australian Information Commissioner (OAIC)
When we mention cybersecurity, you may think of protection strategies such as Multi-Factor Authentication, strong passwords, firewalls, or modern anti-virus solutions. While these are important inclusions to protect your internal systems, it is important to note that one of your most critical cyber defences is, in fact, your employees.
MinterEllison's Perspectives on Cyber Risk 2021 report explains that individuals remain the prime targets of cyber attacks, with phishing attacks using fraudulent emails being the source of 70% of cyber incidents.
Further, the latest Notifiable Data Breaches report claims that 38% of all successful cyber attacks are a result of staff not being able to identify a cyber threat and not knowing how to manage it appropriately.
So, here are some common ways your employees might be exposing your firm to cyber risks.
1. Your employees are not aware of how to identify current cyber threats
Do your employees know what a phishing attack is? Would they be able to identify a social engineering email? If they did, do they know how to respond or report the threat?
Put simply, without the knowledge or tools needed to identify and respond to cyber threats, your employees are a risk to your business. Cyber threats are evolving every day, and it is critical that employees understand their role in protecting your business and client data.
Without comprehensive and regular cybersecurity awareness training, law firms are leaving gaping holes in the front line of their cybersecurity defences - their human firewall.
Reputable Cybersecurity Awareness Training courses educate employees about cyber threats and attacks they may be subjected to and help them navigate through the minefield that is “cyber” and data security to ensure that they have the tools and experience to keep your organisation’s systems and data safe.
Read how one law firm increased their cybersecurity posture through cybersecurity awareness training.
2. Your employees have not been issued with cybersecurity policies and procedures
Cybersecurity policies and procedures are one of the most critical tools in educating and setting expectations with your employees. They give your people an understanding of how to handle sensitive and personal information, how to use company systems safely, and a clear process for what is required if they receive a suspicious or malicious message.
Policies and procedures should generally include requirements about password complexity, mandatory reporting of breaches, cybersecurity training, multi-factor authentication and disaster recovery to name a few.
They help your business prepare and understand a plan of action to take when a breach occurs, how to communicate with clients and shareholders, and how to get your business back up and running as quickly as possible.
Regularly updated policies and procedures that are signed off on by your team ensure that your employees understand their responsibilities in protecting your organisation. Without these, law firms are unable to set a precedent for cyber behaviour within their business.
3. Your cybersecurity culture is lacking
Do your employees believe that cybersecurity is "an IT thing"? Do your employees believe they are too time-poor to complete their cybersecurity awareness training?
The truth is, cybersecurity is a team sport. A cultural shift in the Australian legal industry needs to occur in order for employees to 'buy in' to your firm's cybersecurity strategies and understand not only the risks, but also why they themselves are a necessary part of those strategies.
Often, law firms that invest in cybersecurity base their investments on technology, neglecting a review of their current cybersecurity posture and culture.
A healthy cybersecurity culture is one where time is spent explaining to employees the cyber risks targeting the legal sector and their implications, where cyber policies and procedures are embedded in daily practices, and where a mutual understanding of how each employee can help or hinder the entire organisation is nurtured.
If cybersecurity conversations in your firm feel like an uphill battle with your employees, it may be time to urgently review your defence strategies.
How Diamond IT can help improve cybersecurity in your organisation
Diamond IT's online or face-to-face Cybersecurity Awareness Training and Cybersecurity Healthcheck can have an immediate impact on the strength of your security. We can help you ensure your staff education programs are fit for purpose and align with best practice.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity, and are ready to speak with you. Contact our team on 1300 307 907 today.