
What are the top 5 ways to protect yourself from cyberattacks, hacks and fraud?

Published on 18 August 2022

Lawyer and College of Law PLT adjunct lecturer Simone Herbert-Lowe knows all too well what can go wrong when you fail to secure your systems from cyberattacks, hacks and fraud. That’s why she founded Law & Cyber, which provides CPD-eligible training to help protect lawyers and others from cyber risks and fraud - especially against the most common form of cyberattack, compromised email. We caught up with Simone to navigate the murky and complex world of cyber risk, the top 5 threats facing lawyers today - and what you can do to mitigate your risk.

Single case of cyber fraud causes firm’s clients’ six-figure losses

Simone realised the scale of cyber risk through an incident she became aware of several years ago. 

“It really opened my eyes to how devastating a cyber incident could be,” she explained. “A lawyer had discovered that two of his clients had paid hundreds of thousands of dollars into bank accounts after receiving emails that appeared to be from him. The lawyer’s IT advisor told him that there was no way the lawyer’s email had been hacked and the problem must have been at the clients’ end.” 

“Two weeks later, the lawyer went into the office on a Monday morning and found more emails from clients saying ‘why are you asking me for money?’ The lawyer was then faced with the reality that the hackers had been in his email address book and could have emailed all of his clients in order to commit fraud against them. This was the first time I’d become aware of an incident that affected multiple clients of one legal practice in this way.”

For Simone, the incident crystallised the fact that, for lawyers, cyber risk was inherently different to other risks.

“It has nothing to do with your abilities as a legal professional and yet it is a huge professional risk,” observed Simone. “In other cases I was aware of, the situation devolved into a fight between victims about who would bear the loss while the fraudster got away with the crime. I became passionate about communicating the need to take preventative action, and to minimise the impact of a cyber event or email fraud. I founded Law & Cyber to help protect Australians from cybercrime through education and cyber advisory services.” 

Delivering targeted cyber risk training to over 4,000 Australians

“Around 4,000 business professionals have so far completed our CPD-eligible online training and many others have also completed our face-to-face education,” said Simone.

“For law firms we focus on professional duties like duties of trust and lawyers’ duty of care, and the feedback we’ve received is that this angle really resonates for lawyers – they understand this isn’t just a boring compliance issue, but something that is vitally important to protecting their clients and themselves.” 

“Our first online course was licensed by the Legal Practitioners Liability Committee in Victoria and I’m thrilled that Lawcover has also shared the course with its insureds here in NSW. We’ve licensed our online cyber training to ALPMA and the Australian Institute of Conveyancers in NSW, Victoria and WA, and in collaboration with PEXA we've produced a course designed specifically for practitioners in the property industry, as cyber awareness training has now been mandated by ARNECC for all users of an e-conveyancing electronic lodgment network.” 

In addition to these targeted courses, Law & Cyber has created cyber risk resilience training for professionals working in the built environment, such as builders, engineers and architects. This helps cater to specific business vulnerabilities of these industries.

“We’ve even created a course for a leading Australian luxury retailer,” said Simone. “Most recently we've launched Cyber Risk and Your Business to support Australian businesses generally.”

The difference between Law & Cyber and other educational programs is its practicality, and hyperlocal focus.

“A lot of generic cyber training is produced in America and may involve cartoons, with little or no Australian content,” observed Simone. “Our training is practical and relatable, and focuses on business risks such as damage to reputation and legal and professional implications, and Australian legislation like the Privacy Act and Security of Critical Infrastructure legislation.” 

“Human beings have always learned through stories, so we include a lot of up-to-date news stories and case studies the specific audience will relate to so that people know how to protect their employer, their clients and also themselves.”

What are the top 5 threats to law firms, from a cyber risk perspective?

1. Business Email Compromise

“From what has been published by ACSC and from what I have seen personally, I would suggest that the top threat is business email compromise, or BEC. BEC is especially risky for businesses like law firms that hold large amounts of money on behalf of others because of the risk of funds transfer frauds.” 

“These kinds of events can occur either through an actual email account compromise or through impersonation fraud using social engineering techniques.” 

“What many people might not appreciate is that an action for breach of trust is very difficult to defend where money has been paid out of a trust account in error, and Limited Liability Schemes do not cap your liability in this situation.” 

“This means the actual financial implications for a lawyer of incorrectly paying out money from a trust account are very serious, so it’s vital that everyone in a law practice is trained how to recognise fraudulent emails and the importance of protecting their login credentials.”

2. Ransomware

“Another big risk is ransomware – at the end of 2021 the federal government’s Ransomware Action Plan described ransomware as the biggest cyber risk facing Australian businesses. Ransomware is a form of malicious software that encrypts the victims’ files making them inaccessible unless a ransom is paid. However, ransomware is now often accompanied by threats to publish information which can be especially serious for organisations such as law firms that hold so much confidential information.”

3. Hacking for Information Theft

“Hacking for the purpose of information theft is also a big concern, especially for businesses who hold lots of sensitive information or who might be involved in or hold information about critical infrastructure such as defence or telecommunications, or who have high profile clients or where hackers might be politically motivated.” 

4. Identity Fraud

“Regardless of the size of your firm though, you’ll be collecting information about individuals that could be used to harm them if that information is breached. For example, copies of passports or driver’s licences used for verification of identity purposes could also be used to commit identity fraud, which is one of the world’s fastest growing crimes.”

5. Human Error

“Lastly, human error accounts for around 40% of all notifiable data breaches reported under the Privacy Act, so simple things like sending email to the wrong person, unintended release or publication of personal information, often through emails, falling for scam phone calls or emails, failing to use secure Wi-Fi and so on are all things that lawyers and law firm employees need to understand.” 

How can lawyers secure their firms against cyber risks?

1. Secure your online accounts by ensuring your email service and other online accounts are protected with multi-factor authentication and strong passwords.
2. Promptly or automatically install all software updates, only use a business-quality email service, and use anti-phishing and anti-virus software.
3. Ensure that all staff receive regular and effective cyber risk and information security awareness training that explains that managing information security is everyone’s responsibility, how to recognise suspicious emails and social engineering techniques, and why data breaches can cause so much damage.
4. Ensure that any payment instructions received by email are verified using another method and that this is done in a meaningful way, not just a “tick the box” exercise.
5. Don’t miss the opportunity to also educate your clients about cyber risk awareness – a well-informed client will also help protect you and your business.

Education is your best defence against cyber risk

According to a study cited by Simone, 91% of successful cyberattacks start with an email.

“This means it’s the recipient’s response to an email that determines whether the cyberattack succeeds or not,” said Simone. “Criminals have worked out that it’s often much easier to trick a computer user into opening the door to a network than to breach an actual firewall.” 

“Secondly, impersonation fraud often involves no computer intrusion at all – the hacker just tricks their target into doing something such as paying money into the wrong bank account or giving away their login credentials. Even the huge Twitter hack of a few years ago was basically done via social engineering involving manipulating people through fake phone calls and emails.”

“Lastly, there is much less separation between people’s professional and personal lives than was once the case. It’s now very easy for a cybercriminal to simply look up LinkedIn or a company website to identify a suitable target within a business and then craft an email designed specifically for that person using information gleaned from social media or other public information.”

Never leave security and cyber risk to the IT department only

Like many professionals, lawyers often would much rather get on with the job of providing sound legal advice and leave IT to deal with cyber risk. Given the prevalence of human error when it comes to compromised security, this is unwise.

“Making big assumptions like ‘I’m too small to be a target’, ‘you need to be a target to be a victim’ and ‘cyber risk is something I can leave to the IT department’ is the first mistake,” said Simone.

“This kind of mindset means you won’t be taking the steps you need to take to protect yourself and your clients. Add to that failing to confirm payment instructions received by email using another method, or underestimating how easy it is to compromise a whole business through poor password controls, or failing to implement MFA on your email and other online accounts.”

“Whatever you do, don’t expect your bank to check account numbers and names before they transfer funds electronically – they usually don’t – so always verify payment instructions on large funds transfers.”
