Did you know that 80% of global law firms suffered a cyber incident last year and 67% of those incidents were caused by the actions of one of their employees?

It is clear from the recent Hiscox Insurance review of claim trends and reported cyber incidents and data breaches, that law firms are becoming a favoured target of cyber threat players.

This is true not just for major firms undertaking sophisticated multi-million dollar matters, but for small and medium sized firms who traditionally lack a culture of cyber security and an organised and disciplined approach to cyber awareness training for staff.

The three main forms of attack that everyone should be aware of:

1. Phishing and Spear Phishing emails. This is a form of social engineering where the cybercriminal tricks the IT user into clicking on a dummy link or download allowing the criminal to access the firm’s information systems and networks. Confidential and personal information can then be stolen and sold on the black market. Once the hackers have access to a username and password, all data and information stored on the network can be utilised for illegal and inappropriate purposes.
2. Malware and Ransomware: Malware is any software which is intentionally designed to cause damage to network systems and the data stored within them. Malware does the damage after it is released or implanted into a target’s computer and can take many forms. It can encrypt files, steal confidential information, spy on activity within your information systems and even hijack your system’s processing capabilities.

Often a cybercriminal will demand a ransom payment to clear your systems of malware.

Sometimes secondary viruses are also downloaded along with the initial ransomware and remain in your system providing cyber criminals with a future “back door” access to your system.

3. Invoice and email hijacking: This is where a cybercriminal hacks into the firm’s email server, accesses emails to clients or third parties and changes the information in those emails. Usually the plan is to change bank account details so that payments are wrongly misdirected  into the hackers own account. . In some instances completely false emails are sent and in other instances, the only piece of information which is changed is the account details in an otherwise legitimate email. 

This type of email hijacking is currently the biggest source of claims for solicitors in Australia.  It remains a significant threat and can have a significant detrimental effect on a victim firm’s reputation.

Protecting Against these major threats

You can protect your business against the risk of these cyber threats by taking some simple steps to protect your information systems:

1. Always ensure you have up -to -date antivirus protection and firewalls. Implement patches immediately and ensure all users understand how these mechanisms work to protect your firm’s data.
2. Create a culture of cyber security. This should generate from the top down. Every member of staff needs to understand the reality of cyber exposure, their role in keeping the firm’s confidential information secure and how to protect against cyber threats.
3. Ensure your information networks are backed up regularly. In the event of a cyberattack this enables your business operations to get back up and running quickly and minimises loss.
4. Undertake an employee education and training awareness program. This should specifically deal with the firm policy on

• Two factor authentication for invoices and payments by the firm
• Safe email practice
• Visiting harmful websites
• Appropriate download protocols
• Use of mobile devices
• Public wifi use
• Safe practice when working from home
• Appropriate password practice; and
• Understanding the risks associated with logging in to the firm’s information systems from an external location.
  

5. Mitigate the risk by purchasing comprehensive cyber insurance cover.

For more information on the risks faced by law firms or for help on how to minimise cyber threats, go to www.cybersafelegal.com.au or email info@cybersafelegal.com.au.