Sophisticated cyber attacks, coupled with changing regulations and compliance standards, have created an increasingly complicated cybersecurity landscape for the Australian legal industry.
To date, many law firms have seen cybersecurity as a complex issue. However, the consequences of not having cybersecurity strategies (and of not routinely reviewing them against best practice) have never been greater.
Cyber attacks and data breaches are now unfortunately a case of 'when' not 'if', and we urge all law firms to take the front foot on fostering a culture of cyber awareness and resilience. Proactive cybersecurity strategies are crucial, and investing in cybersecurity training, insurance policies, and a relationship with a trusted technology provider need to be high on the agenda before it is simply too late.
Every day, law firms deal with sensitive data including personal information, intellectual property, merger and acquisition details and business information.
Coupled with a historically poor track record in secure data and internal system management, this has left law firms an easy target for cyber crime.
In fact, a collaborative report from the Australasian Legal Practice Management Association (ALPMA) and GlobalX revealed almost one in five Australian law firms have suffered a data security breach. The report also found that 87% of firms are concerned about their cybersecurity.
These figures are startling and demonstrate the dire need for a shift in the way the Australian legal industry views cyber risk.
So, what can law firms do in order to review and improve their cybersecurity strategies?
The Essential Eight is a "series of baseline mitigation strategies" recommended to organisations by the Australian Cyber Security Centre (ACSC). While no single mitigation strategy can prevent all cyber attacks, the following section looks at the strategies that law firms can apply to internal system security.
Grouped under three objectives (preventing malware delivery and execution, limiting the extent of incidents, and recovering data and system availability), the Essential Eight are regarded as the baseline that all Australian organisations should implement:
1. Application Whitelisting (now called application control) - Only approved, trusted programs are permitted to execute, so employees cannot run unapproved and potentially malicious software.
2. Patch Applications - Patching ensures that your employees are using the latest versions of applications, and closes known vulnerabilities in outdated ones.
3. Configure Microsoft Office Macro Settings - These settings can be used to block macros in documents received from the internet, which are a common way to deliver and execute malicious code.
4. User Application Hardening - Configuring web browsers to block Flash, Java and web advertisements, which are also popular ways to deliver and execute malicious code.
5. Restrict Administrative Privileges - Administrative accounts are the 'keys to the kingdom', so it is crucial to restrict and monitor user privileges based on each employee's duties, and to review that membership regularly.
6. Patch Operating Systems - Patching all computers and network devices ensures vulnerabilities are promptly addressed and that all operating systems are running an up-to-date, supported version.
7. Multi-Factor Authentication - Requiring more than one form of authentication when logging in. This puts a second line of defence between an intruder and your business data, even if a password has been stolen.
8. Regular Backups - Backing up important data, software and configuration settings, keeping copies disconnected from the network, and testing that they can actually be restored, so the firm can recover after ransomware or another destructive incident.
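The following PowerShell script is an added example, not code from the original article or from the ACSC, showing how a firm can check three of the strategies above (Office macro settings, local administrative privileges and operating system patch age) on a single Windows host. It assumes Office 2016/2019/365 (registry version "16.0"), that the settings are enforced by Group Policy (so they appear under HKCU\Software\Policies), PowerShell 5.1 or later, and an elevated session. The "-adm" naming convention for administrative accounts and the 30-day patch-age threshold are illustrative assumptions, not ACSC requirements; adjust them to your firm's policy.

```powershell
# Added example (not from the original article or ACSC): read-only posture
# check for three Essential Eight strategies on one Windows host.
# Assumptions: Office registry version 16.0, policy-enforced settings,
# PowerShell 5.1+, elevated session, admin accounts named *-adm (illustrative).

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$Findings   = New-Object System.Collections.Generic.List[string]

# --- 3. Configure Microsoft Office macro settings ------------------------
# BlockContentExecutionFromInternet = 1 blocks macros in files that carry the
# Mark-of-the-Web (downloaded from the internet).
# VBAWarnings: 4 = disable all macros without notification,
#              3 = disable all except digitally signed macros.
foreach ($app in $OfficeApps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $block = (Get-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
    $vba   = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    if ($block -ne 1) {
        $Findings.Add("$($app): macros from the internet are NOT blocked by policy")
    }
    if ($vba -notin 3, 4) {
        $shown = if ($null -eq $vba) { 'not set' } else { $vba }
        $Findings.Add("$($app): VBAWarnings=$shown (expect 4 = disabled, or 3 = signed only)")
    }
}

# --- 5. Restrict administrative privileges ------------------------------
# Every member of the local Administrators group holds the 'keys to the
# kingdom'. Anything that is not a dedicated admin account is flagged for review.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
foreach ($member in $admins) {
    if ($member -notmatch '-adm$') {   # naming convention assumed for illustration
        $Findings.Add("Local Administrators member that is not a dedicated admin account: $member")
    }
}

# --- 6. Patch operating systems -------------------------------------------
# Flag a host whose most recently installed update is older than the threshold.
$MaxPatchAgeDays = 30   # illustrative threshold; set per firm policy
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $Findings.Add('No installed updates recorded on this host')
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $Findings.Add("Last OS update $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days")
}

# --- Report -----------------------------------------------------------------
if ($Findings.Count -eq 0) {
    Write-Output 'PASS: no findings for the Essential Eight checks above'
} else {
    $Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on a workstation and on a server to compare. A "not set" result for the macro keys means the setting is not being enforced centrally, even if a user has hardened their own Trust Center manually; the fix is a Group Policy object, not a per-machine registry edit. The script only reads state and makes no changes.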
While the Essential Eight provide baseline strategies for system security, we know that the biggest risk to all law firms is in fact their employees. According to the latest Notifiable Data Breaches report, 38% of all successful cyber attacks are a result of staff not being able to identify a cyber threat and not knowing how to respond to it appropriately.
The purpose of Cybersecurity Awareness Training is to educate staff about cyber threats and attacks they may be subjected to each day.
Cybersecurity Awareness Training for all levels of users in your organisation raises vigilance about what to look for, and gives staff the skills to safely take the appropriate action if they do receive a malicious attempt.
Diamond IT's online or face-to-face Cybersecurity Awareness Training and Cybersecurity Healthcheck can have an immediate impact on the strength of your security. We can help you ensure your staff education programs are fit for purpose and align with best practice.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity, and are ready to speak with you. Contact our team on 1300 307 907 today.