Cybersecurity training is one of your most important risk controls. When we think about cybersecurity, we often picture sophisticated computer attacks with hackers running complex code, breaching firewalls, and exploiting software vulnerabilities. The reality is far more mundane, and far more unsettling. Most successful cyberattacks succeed not because a criminal outsmarted a computer, but because they outsmarted a person.
Humans continue to be the weak link
Research consistently shows that the overwhelming majority of successful data breaches involve a human element. This could be a mistaken click, a misplaced confidence, or a moment of distraction. Law firms are particularly attractive targets because they hold sensitive client data, manage significant financial transactions, and operate under time pressure that can cloud judgment. A busy conveyancing clerk who receives what appears to be an urgent settlement instruction from a familiar email address is exactly the kind of target a criminal exploits.
How do cybercriminals exploit the human factor? Trust is the vulnerability
Trust is the element cybercriminals look to exploit, and to do so they are, at their core, social engineers. Social engineering is a broad umbrella term for a wide range of psychological manipulation tactics used by cybercriminals to exploit natural human tendencies such as trust, fear, and a desire to be helpful. The goal is to manufacture enough trust, urgency, or fear that the victim willingly takes an action against their own interests.
These psychological manipulation tactics are present in most of the attack types. Common examples include:
- Phishing: Broadly casting deceptive emails or messages to trick victims into revealing sensitive data. Victims trust the message and click on an embedded malicious link.
- Spear Phishing: Highly targeted phishing campaigns that leverage personal details to build trust. The message appears to come from a trusted source, and by trusting that information (rather than verifying it), the victim is tricked by the cybercriminal.
- Vishing / Smishing: Social engineering attacks executed over the phone (voice) or via SMS (text messages). The aim is to get the victim to divulge sensitive information.
- Business Email Compromise (BEC): Impersonating a trusted authority figure (like a CEO or vendor) to manipulate an employee into authorising fraudulent fund transfers.
What the regulator expects
The Victorian Legal Services Board + Commissioner (VLSB+C) has published Minimum Cybersecurity Expectations for legal practices, and cybersecurity training sits squarely within its behavioural controls. The expectations are clear and worth unpacking in detail.
Comprehensive, role-relevant training for all staff
The VLSB+C expects practices to provide all staff with comprehensive cybersecurity training that is relevant to their specific roles and responsibilities. This is an important nuance: a receptionist, a conveyancing paralegal, and a trust account manager each face different threats and need training tailored accordingly. Topics should include phishing emails, social engineering, password best practices, safe web browsing, and emerging risks. Critically, the expectations apply to principals and lawyers too. "Also complete this training yourself" is an explicit requirement. Seniority does not confer immunity from being deceived, and leadership sets the tone for how seriously the whole practice takes cybersecurity.
Induction training and annual refreshers
New staff must complete cybersecurity training as part of their induction and before they have access to sensitive systems, not weeks later when it is convenient. Existing staff must receive refresher training at least once a year. Cyber threats evolve constantly, and annual training ensures your team's awareness keeps pace.
Keeping training current
The cybersecurity landscape shifts quickly. A training module that was current two years ago may not address the risks your practice faces today. New risks arise regularly, for example AI-generated phishing emails, deepfake voice calls, or new malware strains. The VLSB+C expects training to be updated at least yearly, and more frequently when new threats emerge that are relevant to your practice.
Ensuring staff understand their role and obligations
Cybersecurity training should incorporate both threat recognition and breach response. Every staff member should understand what to do if they suspect a cybersecurity incident: who to notify, what not to do (such as continuing to use a compromised device), and how the practice's incident response process works. A well-trained team that responds quickly and correctly can dramatically limit the damage of a breach.
Sharing cybersecurity updates
Cybersecurity alerts and warnings are regularly published by organisations such as the VLSB+C, the Australian Cyber Security Centre (ACSC), the LPLC, and other sources. When you receive a cybersecurity alert or warning, share it with your staff promptly. A timely heads-up about a new phishing campaign targeting law firms could be the difference between a near-miss and a serious incident.
Building a Training Program That Works
Compliance with the minimum expectations is a floor, not a ceiling. An effective training program should be:
- Regular and reinforced: annual training alone is not sufficient to change behaviour; supplement it with brief, topical reminders throughout the year (for example, sharing ACSC alerts when relevant)
- Practical and scenario-based: abstract advice is less effective than realistic scenarios drawn from actual attacks on law firms
- Tested: consider simulated phishing exercises to assess whether training is translating into changed behaviour, and to identify staff who need additional support
- Documented: keep records of who completed training and when, both for internal accountability and to demonstrate compliance if required
- Supported by leadership: when principals visibly participate in and champion training, it signals that cybersecurity is a genuine practice priority, not just a compliance exercise.
The Bottom Line
There is no technical control (no firewall, no antivirus software, no log-in system) that is fully effective. And technical controls are made weaker when your staff have not been trained to recognise and respond to threats. Cybersecurity training is not a tick-the-box obligation; it is a practical investment in protecting your clients, your practice, and your professional reputation.
The VLSB+C's minimum expectations on training provide a clear and sensible starting point. The LPLC provides regular cybersecurity workshops, as well as live and recorded webinars. Meeting your cybersecurity training requirements is achievable for practices of any size.