
If a cybercriminal has infiltrated your network, they can manipulate system rules to move undetected through your practice's digital environment. Two of the most overlooked vulnerabilities in law firms are email rules and access controls. Regularly checking both is a simple but powerful way to detect intrusions early and limit the damage they can cause.

Check your email rules regularly to make sure fraudsters are not in your account. If cybercriminals gain entry to your email account, they can sit and watch the email traffic, often for many weeks. They set up email rules that divert emails containing certain words, such as 'settlement', 'bank account' or 'BSB'. They intercept any emails containing bank account details, change the details to divert money to themselves and send the emails on. They prevent relevant emails you or your client send from reaching the recipient. The fake emails they send are either immediately deleted or moved to an unused folder like the RSS Feed folder.

Cybercriminals can, and often do, harvest all your contact email addresses and send further phishing emails to everyone you know from your email account. This often results in your inbox being inundated with bounce backs or return emails and a switchboard full of people calling to ask what is going on.

Check your email rules regularly and make sure they are ones you created. Anything suspicious may indicate your account has been compromised. If you detect any rules that you didn't create, change your password immediately then contact your system administrator or IT provider and report it.
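As an added example (not code from the original article), the check above expressed as a small triage over a mailbox's exported inbox rules: anything not on your own list of rules, any keyword filter on the words named above, any move to a rarely opened folder, any deletion, and any forward or redirect outside the practice is flagged. Field names follow the properties Exchange Online's Get-InboxRule reports; the sample rules, the rule names and the practice domain are constructed.

```python
# Added example (not from the article): triage exported inbox rules for the
# diversion tricks described above. Field names follow Exchange Online's
# Get-InboxRule output; sample rules and the practice domain are constructed.
import re

FINANCE_WORDS = ("settlement", "bank account", "bsb")  # the words the article names
HIDEAWAY_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "junk email")
PRACTICE_DOMAIN = "example-law.com.au"  # constructed placeholder for your own domain


def triage_rule(rule, known_names):
    """Return the reasons a rule deserves a closer look; an empty list means it passed."""
    reasons = []
    if rule.get("Name") not in known_names:
        reasons.append("not on the list of rules you created")
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])]
    if any(f in w for w in words for f in FINANCE_WORDS):
        reasons.append("filters on finance keywords: " + ", ".join(words))
    # Exchange folder paths look like 'alias:\Inbox\RSS Feeds'; compare the last segment.
    folder = re.split(r"[\\:/]", rule.get("MoveToFolder") or "")[-1].strip().lower()
    if folder in HIDEAWAY_FOLDERS:
        reasons.append("moves matching mail to a rarely opened folder: " + rule["MoveToFolder"])
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail before you see it")
    external = [a for a in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                if not a.lower().endswith("@" + PRACTICE_DOMAIN)]
    if external:
        reasons.append("sends copies outside the practice: " + ", ".join(external))
    return reasons


def triage_mailbox(rules, known_names):
    """Map each suspicious rule name to its reasons; rules that passed are left out."""
    flagged = {r.get("Name", "<unnamed>"): triage_rule(r, known_names) for r in rules}
    return {name: reasons for name, reasons in flagged.items() if reasons}


# Constructed sample: one rule the owner created, two an intruder might plant.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["Newsletter"],
     "MoveToFolder": r"jane:\Inbox\Reading", "DeleteMessage": False, "ForwardTo": [], "RedirectTo": []},
    {"Name": "Rule", "Enabled": True, "SubjectContainsWords": ["settlement", "BSB"],
     "MoveToFolder": r"jane:\RSS Feeds", "DeleteMessage": False, "ForwardTo": [], "RedirectTo": []},
    {"Name": "Sync", "Enabled": True, "BodyContainsWords": ["bank account"],
     "MoveToFolder": None, "DeleteMessage": True, "ForwardTo": ["relay@example.net"], "RedirectTo": []},
]
KNOWN_RULES = {"Newsletters"}  # the rules the mailbox owner remembers creating

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES, KNOWN_RULES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Any flagged rule is a prompt to change the password and report it, as the article says; the keyword and folder lists are starting points you should extend for your own practice.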

The Australian Cyber Security Centre website provides guidance about how to secure email accounts.

Controlling who can access your systems and data is just as important as keeping attackers out. The VLSB+C Minimum Cybersecurity Expectations require law practices to implement role-based access control. This means that staff should only be able to access the programs, files, and client information they actually need to do their job.

This is an important control for two reasons. The first is that data breaches don't just come from external hackers but can also occur via authorised users. The issue occurs when a user has access that is too broad, poorly managed, or simply never reviewed. A staff member who has access to every client file, even ones unrelated to their work, creates unnecessary risk, whether through accidental disclosure, a phishing compromise, or a departing employee. The second is that if a breach occurs, the compromised account should not have access to unnecessary information. This decreases the footprint of information available to the hacker and so limits the scale of the breach.

A good access control policy should incorporate the following:

  • Match access to roles. Grant each staff member access only to the systems and information required for their specific responsibilities. Revisit this whenever someone changes roles.
  • Manage temporary workers carefully. Contractors, interns, and trainees should receive individual login credentials (not shared passwords) and only for the duration of their engagement. Temporary guest access is an appropriate alternative where individual accounts aren't feasible.
  • Keep records and monitor access. Document who has been granted access to what, and periodically check that sensitive information is only being accessed by those with the right permissions. Access control software can help automate this.
  • Review access monthly. The Minimum Cybersecurity Expectations recommend reviewing access permissions at least once a month. Promptly update access when someone changes roles, and revoke it immediately when someone leaves your practice.
  • Separate administrator accounts from everyday accounts. Administrator accounts have the power to install software, modify settings, and delete files. Don't use them for routine tasks like reading email. Set up standard user accounts for day-to-day work and reserve admin access strictly for IT administration tasks.
  • Minimise shared accounts. Accounts that aren't tied to an individual (such as social media or shared library accounts) make it impossible to trace who did what. Only use them where there is genuinely no alternative.
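As an added example (not from the article or the VLSB+C materials), a monthly access review run over a simple access register, checking the points above: grants beyond the role, engagements that have ended while the account stays enabled, administrator access on an everyday account, and accounts shared by more than one person. The register layout, the role matrix and every name and account are constructed for illustration.

```python
# Added example (not from the article or the VLSB+C materials): a monthly access
# review run over a simple access register. The register layout, the role matrix
# and every name and account below are constructed for illustration.
from datetime import date

# Role-based access: what each role legitimately needs (constructed matrix).
ROLE_ENTITLEMENTS = {
    "principal": {"practice-management", "trust-accounting", "client-files:all"},
    "solicitor": {"practice-management", "client-files:own-matters"},
    "paralegal": {"practice-management", "client-files:own-matters"},
    "it-admin": {"practice-management", "admin-console"},
}
ADMIN_GRANTS = {"admin-console"}
REVIEW_DATE = date(2024, 5, 1)  # constructed date of this month's review


def review_access(register, today):
    """Return (account, finding) pairs; an empty list means the register passed."""
    findings, holders = [], {}
    for e in register:
        holders.setdefault(e["account"], []).append(e["person"])
        excess = e["grants"] - ROLE_ENTITLEMENTS[e["role"]]
        if excess:  # match access to roles
            findings.append((e["account"], f"access beyond the {e['role']} role: {sorted(excess)}"))
        if e["enabled"] and e["ends"] and e["ends"] < today:  # offboarding and temporary workers
            findings.append((e["account"], f"engagement ended {e['ends']} but the account is still enabled"))
        if e["grants"] & ADMIN_GRANTS and e["daily_use"]:  # separate admin from everyday accounts
            findings.append((e["account"], "administrator access on an account used for everyday work"))
    for account, people in holders.items():
        if len(people) > 1:  # minimise shared accounts
            findings.append((account, "shared by " + ", ".join(people) + "; actions cannot be traced to one person"))
    return findings


REGISTER = [  # constructed register: person, role, account, grants, enabled, engagement end, everyday use
    {"person": "Ana", "role": "principal", "account": "ana", "enabled": True, "ends": None, "daily_use": True,
     "grants": {"practice-management", "trust-accounting", "client-files:all"}},
    {"person": "Ben", "role": "paralegal", "account": "ben", "enabled": True, "ends": None, "daily_use": True,
     "grants": {"practice-management", "client-files:all"}},
    {"person": "Cara", "role": "paralegal", "account": "temp-shared", "enabled": True, "ends": date(2024, 3, 31),
     "daily_use": True, "grants": {"practice-management"}},
    {"person": "Dev", "role": "paralegal", "account": "temp-shared", "enabled": True, "ends": None,
     "daily_use": True, "grants": {"practice-management"}},
    {"person": "Eve", "role": "it-admin", "account": "eve-admin", "enabled": True, "ends": None,
     "daily_use": True, "grants": {"admin-console", "practice-management"}},
]

if __name__ == "__main__":
    for account, finding in review_access(REGISTER, REVIEW_DATE):
        print(f"{account}: {finding}")
```

Each finding maps to one of the policy points above, and the review output itself becomes part of the access register the article recommends keeping.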

Both email rules and access controls require regular, active review. They are not a one-time setup. The following practical steps may help your practice stay on top of both.

  • Calendar a monthly access review. Set a recurring reminder to check who has access to sensitive systems and files, and update permissions as needed.
  • Check email rules for every staff account, not just principals — a compromised junior staff account can be just as damaging.
  • Build offboarding into your exit checklist. Revoking access should happen on a departing employee's last day, before they leave the building.
  • Test your own knowledge. Could you identify an email rule you didn't create? Do you know who in your practice currently holds administrator access? If not, those are gaps worth closing now.
  • Document everything. A simple register recording access permissions, changes, and reviews gives you a defensible record and makes auditing far easier.
  • Obtain help where needed. Not everyone is a computer expert. If you are not sure how to review and update your email and access control settings, engage an IT or cybersecurity consultant.

Reviewing your system rules won't take long but catching a problem early can save your practice, and your clients, from serious harm.
