Sophisticated cyber attacks, coupled with changing regulations and compliance standards, have created an increasingly complicated cybersecurity landscape for the Australian legal industry.
To date, many law firms have seen cybersecurity as a complex issue; however, the consequences of not having (and routinely reviewing) cybersecurity strategies against best practice have never been greater.
Cyber attacks and data breaches are now unfortunately a case of 'when' not 'if', and we urge all law firms to take the front foot on fostering a culture of cyber awareness and resilience. Proactive cybersecurity strategies are crucial, and investing in cybersecurity training, insurance policies, and a relationship with a trusted technology provider need to be high on the agenda before it is simply too late.
Why are law firms being targeted by cyber attacks?
Every day, law firms deal with sensitive data including personal information, intellectual property, merger and acquisition details and business information.
Coupled with a historically poor track record of secure data and internal system management, this has left law firms an easy target for cyber crime.
In fact, a collaborative report from the Australasian Legal Practice Management Association (ALPMA) and GlobalX revealed almost one in five Australian law firms have suffered a data security breach. The report also found that 87% of firms are concerned about their cybersecurity.
These figures are startling and demonstrate the dire need for a shift in the way the Australian legal industry views cyber risk.
So, what can law firms do in order to review and improve their cybersecurity strategies?
Cybersecurity strategies for your firm - Start with the Essential Eight
The Essential Eight is a "series of baseline mitigation strategies" recommended to organisations by the Australian Cyber Security Centre. While no single mitigation strategy can prevent cyber attacks, the following section looks at the strategies that law firms can apply to internal system security.
Broken down into three subcategories, the Essential Eight are deemed the bare minimum strategies that all Australian organisations should implement:
Mitigation strategies to prevent malware delivery and execution
1. Application Whitelisting - This restricts execution to an approved set of trusted programs across your firm, and prevents your employees from running unapproved and potentially malicious programs.
2. Patch Applications - Patching ensures that your employees are using the latest versions, and mitigates the vulnerabilities present in outdated applications.
3. Configure Microsoft Office Macro Settings - These settings can be used to block macros in documents that originate from the internet, a common way to deliver and execute malicious code.
4. User Application Hardening - Configuring web browsers to block Flash, Java and web ads removes other popular ways to deliver and execute malicious code.
Mitigation strategies to limit the extent of cybersecurity incidents
5. Restrict Administrative Privileges - Administrative accounts are deemed the 'keys to the kingdom', so it is crucial to restrict and monitor user privileges based on each employee's duties.
6. Patch Operating Systems - Patching all computers and network devices ensures vulnerabilities are promptly addressed and that all operating systems are running the most up-to-date and secure version.
7. Multi-Factor Authentication - Requiring more than one form of authentication when logging in puts a second line of defence between an intruder and your business data.
Mitigation strategies to recover data and system availability
8. Daily backups - Ensure that a secondary copy of all of your business data is stored separately and securely, so that it can be readily accessed and restored following a cyber attack.
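Several of the strategies above can be checked directly on a workstation. The following PowerShell script is an added example (it is not code from this article, from Diamond IT or from the ACSC) that reports, read-only, on three of the eight: Office macro policy (3), local administrator membership (5) and operating system patch recency (6). It assumes Windows 10/11 with PowerShell 5.1, an Office version that uses the "16.0" policy hive, and that it runs as the user whose Office policy you want to inspect; the 30-day patch age and the two-member admin threshold are illustrative values chosen for this example, not ACSC figures.

```powershell
# Added example: single-workstation posture check against Essential Eight items 3, 5 and 6.
# Assumptions: Windows 10/11, PowerShell 5.1, Office policy hive "16.0".
# Thresholds below are illustrative, not prescribed by the ACSC.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [string]$Check, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Status = $Status; Detail = $Detail })
}

# --- 3. Configure Microsoft Office Macro Settings ---------------------------
# Group Policy writes these values under HKCU\Software\Policies. A user-level
# preference under HKCU\Software\Microsoft is not enforced, so it is ignored here.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $blockInternet = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $vbaWarnings   = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings

    if ($blockInternet -eq 1) {
        Add-Finding 'E8-3 Macros' "$app blocks macros from the internet" 'PASS' 'blockcontentexecutionfrominternet=1 (policy)'
    } else {
        Add-Finding 'E8-3 Macros' "$app blocks macros from the internet" 'FAIL' 'Policy value missing or not 1'
    }
    # VBAWarnings: 4 = all macros disabled without notification (strongest),
    # 3 = disabled except digitally signed, 2 = disabled with notification, 1 = all enabled.
    if ($vbaWarnings -in @(3, 4)) {
        Add-Finding 'E8-3 Macros' "$app macro policy" 'PASS' "VBAWarnings=$vbaWarnings"
    } else {
        Add-Finding 'E8-3 Macros' "$app macro policy" 'FAIL' "VBAWarnings=$vbaWarnings (expected 3 or 4 via policy)"
    }
}

# --- 5. Restrict Administrative Privileges ----------------------------------
# Every member of the local Administrators group holds a 'key to the kingdom';
# list them so membership can be reviewed against each person's actual duties.
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    $names  = ($admins | ForEach-Object { $_.Name }) -join ', '
    $status = if ($admins.Count -le 2) { 'REVIEW' } else { 'FAIL' }   # illustrative threshold
    Add-Finding 'E8-5 Admin privileges' 'Local Administrators membership' $status "$($admins.Count) member(s): $names"
} catch {
    Add-Finding 'E8-5 Admin privileges' 'Local Administrators membership' 'ERROR' $_.Exception.Message
}

# --- 6. Patch Operating Systems ---------------------------------------------
# Get-HotFix lists installed Windows updates; a long gap since the newest one
# is a simple signal that patching is not happening promptly.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age    = (Get-Date) - $latest.InstalledOn
    $status = if ($age.Days -le 30) { 'PASS' } else { 'FAIL' }         # illustrative threshold
    Add-Finding 'E8-6 OS patching' 'Days since last installed update' $status "$($age.Days) days ($($latest.HotFixID))"
} else {
    Add-Finding 'E8-6 OS patching' 'Days since last installed update' 'FAIL' 'No dated installed updates were found'
}

$findings | Format-Table -AutoSize
```

Run it in a normal (non-elevated) session to see the macro policy that applies to that user; enumerating the Administrators group and the hotfix list works from any account on most builds. A FAIL on the macro rows usually means the setting is configured only as a user preference rather than through Group Policy, which users can change back; moving it into policy is the fix.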
Train your employees on how to detect and respond to cyber threats
While the Essential Eight provide baseline strategies for system security, we know that the biggest risk to all law firms is in fact their employees. According to the latest Notifiable Data Breaches report a whopping 38% of all successful cyber attacks are a result of staff not being able to identify a cyber threat and not knowing how to manage them appropriately.
The purpose of Cybersecurity Awareness Training is to educate staff about cyber threats and attacks they may be subjected to each day.
Cybersecurity Awareness Training for all levels of users in your organisation raises people's vigilance about what to look for, and gives them the skills to safely take the appropriate action if they do receive a malicious attempt.
Cybersecurity Awareness Training ensures you and your employees:
- Are comprehensively aware of cyber threats, the associated risks, and how to minimise them.
- Understand the part everyone must play in protecting your organisation's and clients' data.
- Can identify cyber threats and manage them appropriately.
- Understand how to handle personal information provided by clients and partners.
- Comply with the state and federal guidelines in regard to staff cyber and data protection awareness and education.
How Diamond IT can help improve cybersecurity in your organisation
Diamond IT's online or face-to-face Cybersecurity Awareness Training and Cybersecurity Healthcheck can have an immediate impact on the strength of your security. We can help you ensure your staff education programs are fit for purpose and align with best practice.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity, and are ready to speak with you. Contact our team on 1300 307 907 today.