Law ranks among the top three industries reporting data breaches, according to the Office of the Australian Information Commissioner. Half came from human error, while the remainder were caused by malicious or criminal attacks. These figures are particularly concerning given that a third of all Australian law firms do not invest in cybersecurity training, as a study by GlobalX and the Australian Legal Practice Management Association (ALPMA) recently found.
A risk too significant – and costly – to ignore
“Lawyers and conveyancers host a vast amount of personally identifiable information (PII), which heightens their risk of cyber attacks in an increasingly digitized world,” GlobalX CEO Peter Maloney told Australasian Lawyer. According to Peter, 79% of legal professionals are concerned about cybersecurity, but only 21% are confident their firm can handle a cyberattack.
Data breaches have been caused by both new and obsolete technology.
“It is clear that the lack of investment in regular cybersecurity training and slow adoption of modern technology is leaving an open door for cyber criminals,” Peter said.
It is a threat James Nunn-Price, Deloitte Asia-Pacific leader, understands all too well.
“The industry needs to avoid being the weak link as enterprises and end clients invest in cybersecurity. Ransomware, often used to take over email communications between parties, is one of the most prevalent global cyber-crime threats and currently costs the Australasian legal industry millions annually,” James told Australasian Lawyer. “These criminals can request large sums of money before returning access to confidential client information. Meanwhile, this data can be used for insider trading and identity fraud.”
Switch to an intelligent password
Passwords are easily forgotten, which is why we tend to re-use the same passwords for multiple logins. The push for ever more complex passwords – symbols, numbers, upper case, lower case, and the occasional hieroglyph – turned the simple act of creating a password into a code-cracking event to rival The Imitation Game. These days, best practice suggests a far simpler solution: a passphrase. A passphrase is a sequence of unrelated words, ideally three or four short ones. For example, pulldragonapplenow is easy to remember but hard to crack.
Don’t go phishing
Phishing is the increasingly common practice of fraudulent emails or calls designed to mimic real people or organisations. Phishing emails attempt to trick victims into clicking links, downloading attachments or divulging sensitive information, such as passwords or financial information.
You can often catch a phishing email by its dubious sender address – a small spelling error or variation in the domain gives it away as a false address. It is also unlikely to address you by name, and it may contain a website address that seems unfamiliar.
Urgency is a tactic often deployed to encourage you to divulge information. If you receive a phone call or suspicious email, never provide your personal or financial information, or assist with ‘updates’ to your existing details. Delete any emails you suspect to be fraudulent.
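The "small spelling error or variation" in a sender's domain described above is something a mail gateway or help-desk script can check mechanically. The following is an added example, not code from the original article or from any vendor it names: it compares the sender domain against a constructed list of domains a hypothetical firm trusts, using edit distance and a matching first label to flag lookalikes (the trusted domains, sample senders and the two-edit threshold are all assumptions).

```python
"""Flag sender domains that are near-misses of domains a firm trusts (constructed example)."""
import re

# Constructed set of domains this hypothetical firm normally corresponds with.
TRUSTED_DOMAINS = {"smithpartners.com.au", "conveyco.com.au"}


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character inserts/deletes/substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    A domain is a lookalike if it is within max_edits of a trusted domain
    (e.g. 'rn' for 'm', a doubled letter) or reuses a trusted first label under
    a different suffix (e.g. 'smithpartners.co', 'smithpartners.com.au.evil.net').
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if levenshtein(domain, good) <= max_edits or (
                domain and domain.split(".")[0] == good.split(".")[0]):
            return "lookalike"
    return "unknown"


def triage(senders):
    """Map each address in a batch to its classification, for review or alerting."""
    return {addr: classify_sender(addr) for addr in senders}


if __name__ == "__main__":
    # Constructed sample senders, including two lookalikes.
    for addr, verdict in triage(["Peter <peter@smithpartners.com.au>",
                                 "accounts@smithpartnerS.com.au",
                                 "billing@smithpartners.co",
                                 "settlements@conveyc0.com.au",
                                 "news@unrelated-vendor.example"]).items():
        print(f"{verdict:9} {addr}")
```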
Avoid USBs and lock your computer
Physical breaches are among the simplest and most overlooked threats to security. While USB drives were once a popular form of portable storage, cloud storage services such as Dropbox, Google Drive or LawConnect, which provide vast amounts of data storage, render them largely obsolete. Never plug a USB drive into a computer unless you know its contents with confidence.
Similarly, unlocked computers allow for data theft or fraud. Make it a habit to lock your computer whenever you are away from your desk.
Back up to the cloud, not local servers
Contrary to common belief, keeping your data in the cloud can often be safer than using a local server. Amazon Web Services, for example, operates multiple data centres, ensuring a backup is available if one server goes offline or experiences a breach. The size and scale of major cloud providers like Amazon Web Services allow them to implement security best practices, which are constantly monitored and updated in a way few law firms could match. Find out how your data is currently being stored, whether on a local server or even in a physical filing room, and explore the available cloud options.