LPLC has produced a guide full of practical information to help lawyers be cybersafe. The guide outlines five key areas of focus and explains why each belongs in a law practice's cybersafe strategy. For each key area the guide provides a checklist of practical steps to take to secure any legal practice.
Law firms of all sizes, including sole practitioners, are targeted every day by cyber criminals from all over the world. Most law firms transact large amounts of money and hold confidential information that criminals can sell or use to extort a ransom payment.
Failure to protect your business and your clients’ money and information could be costly both financially and to your firm’s reputation.
Basic information for everyone
Every staff member in a law firm is responsible for keeping the firm safe from cyber-attack. There are many things that everyone can do, and this guide addresses the five basic areas to focus on to help lock the door on cyber-crime. It is important that everyone in a firm understands what the risks are and what part they must play in keeping the firm safe.
The Australian Cyber Security Centre website is a good place for everyone to start to review basic information about protecting your business online. Register for the Australian Cyber Security Centre's Alert Service to receive updates on scams, risks and preventative action to protect your firm and your clients.
It is everyone's business
Cyber security is not just an IT issue. It is an essential part of today’s legal practice and everyone in your firm has a critical role in preventing cyber-crime. There is no silver bullet to protect your firm and your clients’ money. The concept of cyber security must be built into everything people do in a law firm.
The approach to cyber security needs to be multi-pronged. This guide sets out five key areas to address, underlines why they are important, what can be done and how to do it. Included in this guide are links to valuable resources and information.
Install reputable security software on all computers, including for remote access, with at least daily updates to the signature database and a daily full scan of files.
Business grade email
Use a business-grade hosted email service rather than a free web-based email account; the security offered is much higher.
Custom domain set up
Use a custom domain name for your email rather than a free or generic email account like Gmail or Hotmail. This makes it harder for cyber criminals to impersonate your email address and provides better security and spam filters.
Register for alerts to all software updates and promptly install them.
Implement multi-factor authentication for all devices and cloud-based systems. If using Office 365, ensure you turn on two-factor authentication.
Use a Domain Name System (DNS) web-based filtering service to block high-risk websites.
Backup files automatically, at least daily.
Ensure users return office devices, and can no longer access office systems, once their employment ceases.
Have a documented policy and process for:
- creation of strong passwords, changed regularly
- restricted use of removable media like USB sticks, DVDs, CDs and memory cards
- electronic funds transfers of money, including trust money, and email payment instructions
Regularly review these as security measures are continually changing as cyber threats evolve.
Create a secure email culture
Require everyone to:
- always verify emailed payment details before transferring funds in accordance with office policy
- never open unknown or suspicious attachments or links
- regularly audit staff email settings, particularly inbox rules, to ensure mail is not being forwarded or redirected to cyber criminals
- not use public wi-fi for work purposes
- be alert to anything unusual or suspicious and check it appropriately
- adhere to the firm's policies and procedures about cyber security
- have an email retention/deletion policy
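The inbox rule audit recommended above can be done in a repeatable way. The following script is an added example, not part of the LPLC guide, and it assumes the rules have been exported to CSV with the column names used by Exchange Online's Get-InboxRule output (MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords); the firm domain and the sample rows are constructed for illustration. It flags the patterns that typically indicate a compromised mailbox: rules that send mail outside the firm, delete or hide messages, filter on payment-related words, or carry an inconspicuous name.

```python
import csv
import io
import re

# Assumed: the firm's own email domain(s). Anything else counts as external.
FIRM_DOMAINS = {"examplefirm.com.au"}

# Folders commonly used by criminals to hide incoming mail from the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "conversation history"}

# Subject words that a payment-diversion rule commonly filters on.
MONEY_WORDS = {"invoice", "payment", "trust", "bank", "account",
               "settlement", "transfer"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample export (not real data). Forwarding fields may appear either
# as a bare address or in the 'Display Name [SMTP:address]' form.
SAMPLE_RULES_CSV = '''MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage,MoveToFolder,MarkAsRead,SubjectContainsWords
alice@examplefirm.com.au,Newsletters,True,,,,False,Newsletters,False,
bob@examplefirm.com.au,.,True,attacker@example.net,,,True,,True,"invoice;payment;trust"
carol@examplefirm.com.au,Hide bank mail,True,,,,False,RSS Subscriptions,True,"bank;account"
dave@examplefirm.com.au,Out of office copies,True,"""Dave Personal"" [SMTP:dave.personal@example.org]",,,False,,False,
'''


def external_addresses(field):
    """Return the addresses in a forward/redirect field that are outside the firm."""
    return [a for a in EMAIL_RE.findall(field or "")
            if a.rsplit("@", 1)[1].lower() not in FIRM_DOMAINS]


def truthy(value):
    """Exported booleans arrive as the strings 'True'/'False'."""
    return str(value).strip().lower() == "true"


def assess_rule(rule):
    """Return a list of human-readable reasons this rule looks suspicious (empty if clean)."""
    reasons = []
    for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_addresses(rule.get(col, ""))
        if ext:
            reasons.append(f"{col} sends mail outside the firm: {', '.join(ext)}")
    if truthy(rule.get("DeleteMessage")):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves messages to '{rule['MoveToFolder']}'")
    # Marking as read is only interesting when combined with forwarding, deleting or hiding.
    if truthy(rule.get("MarkAsRead")) and reasons:
        reasons.append("marks messages as read so the owner never sees them as new")
    words = {w.strip().lower()
             for w in (rule.get("SubjectContainsWords") or "").split(";") if w.strip()}
    hits = words & MONEY_WORDS
    if hits:
        reasons.append(f"filters on payment-related words: {', '.join(sorted(hits))}")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        reasons.append(f"inconspicuous rule name {name!r}")
    return reasons


def audit_rules(csv_text):
    """Parse an exported rule list and return only the rules that need a human review."""
    findings = []
    for rule in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_rule(rule)
        if reasons:
            findings.append({"owner": rule["MailboxOwnerId"],
                             "rule": rule["Name"],
                             "enabled": truthy(rule.get("Enabled")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_CSV):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['owner']}: rule {f['rule']!r} ({state})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against a real export in place of SAMPLE_RULES_CSV and review every flagged rule with the mailbox owner; a legitimate rule that forwards to a personal address still breaches the policy on client confidentiality and should be removed.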
National Archives Australia website on managing email
Australian Law Reform Commission on data security and information destruction and retention requirements
Australian Government Business website on record keeping
Up-to-date staff training
Provide regular and up-to-date training to all existing staff and new joiners, including students, interns, and temporary staff about:
- cyber risk and their role in minimising it
- the firm's relevant policies and incident response plan
- who to contact if a suspected incident has occurred - 'see something, say something'
Appoint a responsible staff member
Appoint a staff member to be responsible for ensuring:
- the steps outlined in this guide are implemented
- cyber security news, updates and recent issues are regularly communicated and easily available as a reference
Have a centralised place for storing cyber risk information, including the firm's cyber action plans, policy and up-to-date points of contact which can be accessed by all staff.
Explain risks to clients
Explain the risks of fraudulent emails to clients in your face-to-face meeting.
Confirm the risks of fraudulent emails to clients in writing.
Verify email requests
As part of your retainer, tell clients, and confirm it in writing, that you require them to verify any email requests by your firm for payment before transferring money.
Include a warning message
Add a warning to your email footer about the risks of relying on payment details in email.
Document a plan
Document what to do if a cyber incident occurs.
Document procedures to help clients
Document what to do if your client pays money to the wrong account.
Your plan should include:
Test plans and procedures
Test that everyone is clear about what they are required to do if something goes wrong.
Law Council of Australia - Cyber Precedent - strengthening the legal profession's defence against online threats