
Not using MFA on your online business systems is like leaving the front door to your home unlocked, open and unattended.

You may have gone without locking your doors at one time in the distant past, but wouldn’t dream of doing it now. It’s the same with MFA. Having up-to-date business systems on which MFA can be enabled should now be considered an essential part of doing business, and having the right tools to mitigate the associated risks to the client and the practice is all-important. If some firms are still using legacy systems that don’t have or allow MFA to be turned on, it’s time to contact an IT consultant and consider options for upgrading those systems.

The Victorian Legal Services Board + Commissioner’s 2023 Risk Outlook identifies the top five key risks for the legal profession and cybercrime is ranked number one on the list. They have observed that

“…cybersecurity breaches are typically the result of insufficient systems and/or behavioural controls in law practices. Systems controls include having strong passwords, multi-factor authentication, prompt security updates, appropriately secure technology platforms and experienced IT support.”

It is the regulator’s expectation that law practices implement appropriate cybersecurity measures in accordance with their professional obligations to protect their clients’ money and information.

Since announcing that from 1 July 2023 LPLC’s PI policy will include a deterrent (double) excess where a claim arises due to the absence of MFA on business email accounts, LPLC has received enquiries from proactive practitioners who are keen to get their MFA house in order. How to implement MFA has been the most common question we’ve been asked. Enabling MFA is a different process for different accounts and systems, so it is not possible to describe a single way to do it, and LPLC is not qualified to provide IT advice. The good news, however, is that there is plenty of guidance available online that we can point to, and if in doubt practitioners can seek assistance from IT providers who specialise in cyber security. The Law Institute has a handy list of providers on its website as a good place to start.

MFA is one of the ‘Essential Eight’ mitigation strategies recommended by the Australian Cyber Security Centre (ACSC) to reduce the impact of cyber security incidents. The ACSC has comprehensive information on its website about MFA: what it is, and links to how to enable it on various commonly used systems including Microsoft and Apple, social media accounts, financial services accounts, government services like myGov and more.

On contemporary business systems such as Microsoft 365, MFA is reasonably straightforward to implement. If practices are still using legacy systems and MFA is not available on them, we recommend they contact and be guided by their IT consultant.

  • LPLC has produced a short video (2 min) that explains what MFA is and its key function in avoiding the potential for cyber fraud.
  • Don’t use free, consumer web-based email products for your business email. Business-grade hosted email such as Microsoft 365 (Exchange Online, usually accessed through Outlook) is preferable because it supports MFA and gives the practice central control over who can sign in and how.
  • When implementing MFA on your email accounts, don’t forget non-personal organisational accounts such as info@, accounts@ or temp@. Every account that can sign in to email must have MFA enabled; any that are overlooked can provide a way in for cybercriminals.
  • Create a secure email culture. Educate all staff about cyber security, including admin, accounts and other non-legal personnel.
  • Warn your clients about cyber security and email compromise.
  • Have a ‘call before you pay’ policy and encourage your clients to do the same.
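The advice above to enable MFA on every Microsoft 365 email account, including shared addresses such as info@ and accounts@, is only as good as the check that confirms nothing was missed. The script below is an added example, not LPLC’s or Microsoft’s own tooling: it uses the Microsoft Graph PowerShell SDK to list every enabled account in the tenant that has no MFA method registered. It assumes the Microsoft.Graph modules are installed and that the person running it holds a role that can consent to the listed scopes; the output file name mfa-gaps.csv is an arbitrary choice.

```powershell
# Added example (not from LPLC or Microsoft): list enabled Microsoft 365
# accounts with no MFA method registered, via the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph has been run and the signed-in admin
# can consent to the scopes below.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user from the authentication methods registration report.
# IsMfaRegistered is true only if at least one MFA-capable method is registered.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Only enabled accounts can sign in, so build a lookup of those. Shared mailboxes
# whose sign-in is blocked will not appear here, which is the state you want.
$enabled = @{}
Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled |
    Where-Object { $_.AccountEnabled } |
    ForEach-Object { $enabled[$_.UserPrincipalName] = $true }

# Enabled accounts with nothing registered: these are the open front doors.
$gaps = $registration |
    Where-Object { -not $_.IsMfaRegistered -and $enabled.ContainsKey($_.UserPrincipalName) } |
    Select-Object UserPrincipalName,
                  IsMfaRegistered,
                  @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } }

$gaps | Sort-Object UserPrincipalName | Format-Table -AutoSize
# Arbitrary output path; keep it for the next review so progress can be compared.
$gaps | Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation
Write-Host ("Enabled accounts with no MFA method registered: {0}" -f @($gaps).Count)
```

Two caveats a practitioner will want. First, a registered MFA method is not the same as an enforced one: registration means the user can complete an MFA prompt, while enforcement (whether they are actually prompted) comes from Security Defaults or a Conditional Access policy, so check that one of those is turned on as well. Second, a shared mailbox such as info@ is normally backed by an account whose sign-in is blocked and is read by staff from their own MFA-protected accounts; the safe approach is to leave that sign-in blocked rather than enable it and then try to add MFA, and to treat any shared address that does sign in directly as an ordinary account that must appear clean in this report.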