Due to the nature of their business, law firms are an increasingly attractive target for cyber criminals. In the course of providing legal services such as estate planning, criminal, family or corporate law, in-house legal teams collect huge amounts of confidential documents and sensitive data. If data is breached or lost due to a cyber incident, the reputational impact to a law firm could be devastating, costing even small firms hundreds of thousands of dollars.
From July to December 2022, legal firms were one of the top five industries in Australia to report data breaches, according to the Office of the Australian Information Commissioner (OAIC). During this period there was a 26% increase in breaches overall, as a result of large-scale cyber security incidents.
With cyber attacks a growing threat, it’s essential that law firms take cybersecurity seriously and implement strong security measures to protect their systems and data. Below I take a look at why law firms are vulnerable to cyber attacks and the most common threats to be aware of. Most importantly, I also outline the most effective and inexpensive practices available to protect your business against cyber incidents.
Why law firms are vulnerable to cyber attacks
The 2023 State of Cyber Maturity for Australian Law Firms survey report by Dotsec found that 51% of legal firms were not confident in their threat detection and response capabilities. 11% admitted to having no cyber security procedures in place at all.
Many cyber-attacks exploit the fact that many businesses do not destroy, or securely warehouse, personal data that is no longer required for the purpose for which it was collected.
This would appear to be the common element of both the Optus and Latitude data breaches, with primary documents used for identity verification retained long after those documents had been used for verification purposes.
Just recently, one of Australia’s largest commercial law firms HWL Ebsworth suffered a major cyber attack, with 4 terabytes worth of internal company data including employee CVs and client data stolen.
The notorious ransomware group BlackCat Ransomware, also known as ALPHV, posted late April that it had downloaded a trove of information including a complete map of local and remote company credentials, client documents including IDs, credit card information and loans data, and internal company data including insurance agreements.
Organisations, where possible, should minimise the collection of personal information to only what is required and to destroy information where it is no longer needed. If it can’t be destroyed because of legal obligations to retain records, then the records should be moved to a more secure and controlled environment with limited access.
The main types of cyber incidents
According OAIC’s 2022 Notifiable Data Breaches Report, the main types of cyber incidents reported were:
- Compromised or stolen credentials
- Brute-force attack
The Australian Cyber Security Centre (ACSC) assesses that ransomware remains the most destructive cybercrime threat. This is due to the increased impact on victim organisations, as their business is disrupted by the encryption of data, but they also face reputational damage if stolen data is released or sold on. The public are also impacted by disruptions and data breaches resulting from ransomware.
The best ways to protect your law firm from cyber attacks
With hackers and scammers becoming more ambitious and bolder in their attempts, it’s no longer viable to simply set security measures and forget about them. Preventative actions, multi-layered approaches and regular assessments are key for businesses to stay ahead. Below I’ve listed some of the best ways to protect your business from a cyber attack (which also includes the ACSC’s essential eight mitigation strategies):
Implement a cybersecurity policy
In order to create a cybersecurity policy, it’s best to start by undertaking a security assessment to establish a baseline and close existing vulnerabilities. It’s also important to review the cyber security posture of remote workers and their use of communication, collaboration and business productivity software.
Businesses should then establish a cybersecurity policy that outlines best practices, procedures, and guidelines for employees to follow. This policy should be regularly reviewed and updated to reflect changes in the company’s operations or the threat landscape.
Employee education and awareness
One of the most common ways that cyber criminals gain access to a company’s systems is through its employees. It’s essential to educate all employees on best practices for cybersecurity, such as how to create strong passwords, how to recognise phishing emails, how to avoid downloading malware and how to reduce the risks of data breaches when sending emails.
The latest notifiable data breaches report from the Office of the Australian Information Commissioner (OAIC) showed that 25% of breaches were caused by human error – most commonly by sending emails to the wrong address, closely followed by unintended release or publication, and thirdly by the failure to use (BCC) when sending emails.
Introduce access controls
Access control is a way to limit access to a computing system. It helps protect your business by restricting access to files and folders, applications, mailboxes, networks and online accounts, for example.
Typically, staff do not require full access to all data, accounts, and systems in a business in order to perform their role and this access should be restricted where possible. Depending on the nature of your business, the principle of least privilege is the safest approach for most small businesses. It gives users the bare minimum permissions they need to perform their work and also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.
Configure MS Office macro settings
Microsoft Office Macros (automated commands) are designed to make workflows more efficient by automating routine tasks. However, if a macro is compromised, it could grant threat actors access to sensitive resources. Only allow Office macros where there is a business requirement and restrict the type of commands a macro can execute.
User application hardening
Application hardening is the practice of increasing the resilience of online applications against cyber attack. This could involve keeping applications updated with the latest patches and implementing specialised security solutions.
The aim is to block access to internal networks from public-facing applications to prevent malware injection. Legacy applications are usually targeted in such attacks because they lack the necessary security sophistication to identify and block breach attempts.
Commonly targeted applications include:
- Adobe Flash
- Microsoft Silverlight
- Microsoft Office
- PDF Viewers
- Legacy web browsers
Implement multi-factor authentication
Multi-factor authentication (MFA) adds an extra layer of protection to your company’s systems by requiring more than just a password to access an account. This means that even if an attacker has stolen an employee’s password, they still won’t be able to access the account without the second authentication factor.
Law firms should implement MFA on important accounts wherever possible, prioritising financial and email accounts. Some MFA options include, but are not limited to:
- Physical token
- Random pin number
- Biometrics/ fingerprint
- Authenticator app
While MFA is one of the most effective ways to protect your accounts from cybercriminals, if it’s not available, then passphrases should be used to protect accounts.
A passphrase uses four or more random words as your password. For example, ‘mirror banana clay ferrari’. Passphrases are hard for cybercriminals to crack, but should be easy for users to remember.
Passphrases should be:
- Long: The longer your passphrase, the better, at least 14 characters in length.
- Unpredictable: A random mix of unrelated words with no famous phrases, quotes or lyrics.
- Unique: Do not reuse passphrases on multiple accounts.
For more on this see: Creating a best practice password policy for your business
Keep software up to date
Cyber attackers often take advantage of vulnerabilities in software to gain access to systems. An operating system, for example, is the most important piece of software on a computer. It manages the computer’s hardware and all its programs, and as such needs to be updated regularly to ensure you are always using the most secure version.
Keeping all software, including operating systems, browsers, and other applications, up to date with the latest security patches can help prevent the most common types of cyber threats.
Regularly backup important data
A backup is a digital copy of your business’ most important information such as customer details and financial records. This can be saved to an external storage device or to the cloud. An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention.
Safely disconnecting and removing your backup storage device after each backup will ensure it remains secure during a cyber incident. Regularly backing up important data is essential in case of a cyber attack. If your systems are compromised, having a backup of critical data means that it can be restored quickly, minimising downtime and potential losses.
About the author
DAVID BOWER | CEO / Chief Engineer | Neo Technologies
David is the founder and CEO of Neo Technologies, a national managed IT services provider specialising in cybersecurity and compliance for a range of industries, including professional services and law firms. With over 25 years of IT experience, Neo Technologies is also a partner with the Australian Cyber Security Centre (ACSC), Department of Defence and has been the recipient of several awards including the Lord Mayor’s Commendation for Business.