Multi-factor authentication is one of the most effective ways you can prevent cyber-criminals from gaining access to your firm’s systems and your clients’ confidential information. Multi-factor authentication is readily available, easy to set up and gives you an extra layer of security if your password is stolen (including where it is fraudulently obtained by phishing and social engineering).
All too often LPLC is contacted by law firms with compromised email accounts. In many instances the infiltration would have been prevented had MFA been enabled on the law firm’s devices and networks.
The importance of MFA
Law firms should, at a minimum, implement multi-factor authentication (MFA). For Victorian practitioners, this is an expectation under the VLSB+C Minimum Cybersecurity Expectations.
Since announcing that from 1 July 2023 LPLC’s PI policy will include a deterrent (double) excess where a claim arises due to the absence of MFA on business email accounts, LPLC has received enquiries from proactive practitioners who are keen to get their MFA house in order. How to implement MFA has been the most common question we have been asked.
What is MFA and where is it?
When you enter a username and password to access online accounts, that is classed as single-factor authentication. Your password is the only security credential (authenticating factor) that verifies you are who you say you are.
Single-factor authentication is unsafe. Usernames are often email addresses, which may be publicly available or easily guessed, and once cyber-criminals have the username they can try to obtain your password by:
- experimenting with commonly used passwords or guessing a weak password
- sending you a phishing email which tricks you into clicking on a link and entering your password on a webpage
- taking advantage of a data breach on the relevant website or another website where you have used the same password.
MFA requires a user to present more than one credential, in addition to a username and password, to verify their identity and gain access to an account. The additional credential is typically something the user personally has, such as a mobile phone app, an SMS code or a hardware token.
MFA systems can be configured so that the second factor is not requested every time an account is accessed, but only when you log in from a new device or IP address. Even if a cyber-criminal obtains your password, they still need the second factor to complete the login, so MFA provides a further layer of protection against unauthorised access.
There are many readily available MFA options. At a minimum, MFA can be enabled on Office 365 as well as most popular email and social media platforms including LinkedIn, Facebook, Instagram, WhatsApp, Gmail, Microsoft/Outlook Mail and iCloud. A search of the platform security and privacy settings will reveal simple steps to set it up.
Enabling MFA
Enabling MFA is a different process for different accounts, so it is not possible to describe a single way to do it. LPLC is also not qualified to provide IT advice. The good news, however, is that there is plenty of guidance available online, and if in doubt practitioners can seek assistance from IT providers who specialise in cyber security. The Law Council of Australia’s Cyber Precedent website notes that CyberCert maintains a list of appropriate vendors who can assist in implementing cyber security controls such as MFA.
Key takeaways
If your firm does not currently use MFA, we urge you to contact your IT professional to enable this on your devices and systems as soon as possible.
In addition to MFA, there are some other basic cyber security measures you can take, including:
- ensuring staff passwords are sufficiently strong (passphrases of 20 or more characters are recommended)
- keeping the software on your devices up to date, and
- educating staff about cyber risks.
Cyber security risks are constantly evolving and protecting your firm’s network and data requires vigilance.
Don’t wait until it’s too late and you experience a cyber-attack before taking these simple steps. The statistics tell us that this is a matter of when, not if, regardless of the size of your firm.
More information on how to set up MFA can be found in the LPLC’s Cyber risk guide for Lawyers and Protect Yourself: Multi-factor Authentication on the Australian Cyber Security Centre website.
Other tips and strategies for improving cyber security are detailed in the Cyber Risk Guide and in the Cyber Security section of our website.
More tips about email, MFA and cyber security
- Don’t use free, web-based email products for your business email. Business-grade hosted email, such as Outlook on Microsoft 365, is preferable because it offers stronger security.
- When implementing MFA on your email accounts, don’t forget non-personal organisational accounts such as info@, accounts@ or temp@. All email accounts must have MFA enabled; any that are overlooked can provide a way in for cyber-criminals.
- Create a secure email culture. Educate all staff about cyber security, including admin, accounts and other non-legal personnel.
- Warn your clients about cyber security and email compromise.
- Have a ‘call before you pay’ policy and encourage your clients to do the same.