A recent study has found alarming evidence that confidential and sensitive data is at risk of exposure due to inadequate cyber security practices by lawyers.
The Edith Cowan University’s Security Research Institute survey of 122 lawyers, in partnership with the Law Society of Western Australia, found 11% had no anti-virus protection on their work computers, 41% did not know what cyber security countermeasures were in place on their smartphones, and 94% used email to send confidential data. Just 9% used encryption to protect client data.
Associate Professor Mike Johnstone said there were some serious but not insurmountable flaws in the way lawyers were protecting themselves from cyber attack.
According to Lloyd’s and Cyence in ‘The Ins and Outs of Cyber Insurance’, published in 2018, claims of $4.6 billion to $53.1 billion await a cloud-based computer service hit by a malicious attack.
No Australian law firm could suffer such losses, but the proportionate loss could be equally devastating. The Law Council of Australia’s Cyber Precedent website estimates the average cost of an attack at $265,000 and 25 days’ loss of service.
Small law firms that think they are safe should think again. According to the ABC, in 2016-2018 45% of Australian companies were attacked by online criminals, and 36% of businesses were hit by fraud and reported a high negative impact on reputation and brand strength. Most experts point to a dual loss: the immediate financial loss to the firm or client and, equally, the reputational loss.
Generally, the smaller the firm, the weaker the defences and the greater the risk of a ‘break-in’. This is illustrated by the ease with which a conveyancing firm lost control of its comparatively tiny network and its clients lost hundreds of thousands of dollars late last year. Fortunately, the loss was restored by the industry participants.
The Law Council of Australia, State law societies and more recently the Legal Practitioners’ Liability Committee of Victoria (LPLC) have concentrated on warning the profession of the risks.
Recently, the Victorian Legal Services Board reviewed the situation in its Review of Electronic Conveyancing National Law and commented on the difficulty small law firms face in combating cybercrime. It infers that many small law firms would under-report cases of cybercrime, which emphasises how damaging cybercrimes can be to the reputation of legal firms.
In Victoria, from 1 July 2019 solicitors entitled to claim under their compulsory professional indemnity policy face a double excess when a claim arises from any payment or EFT made on the basis of a purported instruction or authority, where the law practice failed to take reasonable steps to verify.
Many firms now have a warning to clients in their email footer emphasising the need to communicate orally with the firm to check on bank details.
Insurance is needed but by itself is not enough. Prevention is better than cure.
Insurance is no substitute for good risk management. It’s just a protection of last resort. As with car and house insurance, good risk management against cybercrime is essential.
We do not want to be dependent on our insurers and insurance is no substitute for proper preventative measures, practices and training. Cyber fraud has become a major problem globally and Australia is no exception. Hackers are continually finding new ways to intercept communications and divert funds to different accounts, robbing innocent individuals.
Your firm is only as strong as the weakest link in your processes, procedures and the people involved. To protect your firm, always be smart with what information you share, invest in strong technology services and good training, and get the right insurance in case something does go wrong. Know who you are communicating with and always choose the safest method to do so.