Skip to main content

LPLC has produced a guide full of practical information to help lawyers be cybersafe. The guide outlines 5 key areas of focus and explains why each is important to be included in cybersafe strategies for law practices. For each key area the guide provides a checklist of practical steps to take to secure any legal practice.

What's on this page?

Cyber Security Guide for Lawyers April 2024.PDF

(PDF, 742.41 KB)
Download Cyber Security Guide for Lawyers April 2024.PDF

Law firms of all sizes, including sole practitioners, are targeted every day by cyber criminals from all over the world. Most law firms transact large amounts of money and hold confidential information that criminals can sell or use to extort a ransom payment.

Failure to protect your business and your clients’ money and information could be costly both financially and to your firm’s reputation.

Basic information for everyone

Every staff member in a law firm is responsible for keeping the firm safe from cyber-attack. There are many things that everyone can do, and this guide addresses the five basic areas to focus on to help lock the door on cyber-crime. It is important that everyone in a firm understands what the risks are and what part they must play in keeping the firm safe.

The Australian Cyber Security Centre website is a good place for everyone to start to review basic information about protecting your business online. Register for the Australian Cyber Security Centre's Alert Service to receive updates on scams, risks and preventative action to protect your firm and your clients.

It is everyone's business

Cyber security is not just an IT issue. It is an essential part of today’s legal practice and everyone in your firm has a critical role in preventing cyber-crime. There is no silver bullet to protect your firm and your client’s money. The concept of cyber security must be built into everything people do in a law firm.

The approach to cyber security needs to be multi-pronged. This guide sets out five key areas to address, underlines why they are important, what can be done and how to do it. Included in this guide are links to valuable resources and information.

1. Secure your technology

Security software

Install reputable security software on all computers, including for remote access, with at least daily updates to the signature database and a daily full scan of files.

Business grade email

Use a business grade hosted email service, rather than using a free web-based email account as the security offered is much higher.

Custom domain set up

Use a custom domain name for your email rather than a free or generic email account like Gmail or Hotmail. This makes it harder for cyber criminals to impersonate your email address and provides better security and spam filters.

Software updates

Register for alerts to all software updates and promptly install them.

Multi-factor authentication

Implement multi-factor authentication for all devices and cloud-based systems. If using Office 365 ensure you turn on two factor authentication.

Web filtering

Use Domain Name Server (DNS) web-based filtering service to block high-risk websites.

Backup files

Backup files automatically, at least daily.

User security

Ensure users return office devices, and can no longer access office systems, once their employment ceases

Strong passwords

Have a documented policy and process for:

  • creation of strong passwords changed regularly
  • restricted use of removeable media like USB sticks, DVDs, CDs, memory cards

Secure Your Technology checklist.JPG

(JPG, 1.50 MB)
Download Secure Your Technology checklist.JPG

2. Establish policies and procedures

Electronic funds transfers

Electronic funds transfers of money, including trust money, and email payment instructions

Security measures

Regularly review these as security measures are continually changing as cyber threats evolve.

Client information

System access

Staff training

Establish Policies Procedures Checklist.JPG

(JPG, 1.13 MB)
Download Establish Policies Procedures Checklist.JPG

3. Create a culture of cyber risk awareness

Create a secure email culture

Require everyone to:

  • always verify emailed payment details before transferring funds in accordance with office policy
  • never open unknown or suspicious attachments or links
  • regularly audit staff email settings, particularly their email rules to ensure their emails are not being redirected by cyber criminals
  • not use public wi-fi for work purposes
  • be alert to anything unusual or suspicious and check it appropriately
  • adhere to the firms policies and procedures about cyber security
  • have an email retention/deletion policy

READ

National Archives Australia website on managing email

Australian Law Reform Commission on data security and information destruction and retention requirements

Australian Government Business website on record keeping

Up-to-date staff training

Provide regular and up-to-date training to all existing staff and new joiners, including students, interns, and temporary staff about:

  • cyber risk and their role in minimising it
  • the firm's relevant policies and incident response plan
  • who to contact if a suspected incident has occured - 'see something, say something'

Appoint a responsible staff member

Appoint a staff member to be responsible for ensuring:

  • the steps outlined in this guide are implemented
  • cyber security news, updates and recent issues are regularly communicated and easily available as a reference

Centralised information

Have a centralised place for storing cyber risk information, including the firm's cyber action plans, policy and up-to-date points of contact which can be accessed by all staff.

Create A Culture of Cyber Risk Awareness Checklist.JPG

(JPG, 1.23 MB)
Download Create A Culture of Cyber Risk Awareness Checklist.JPG

4. Warn clients about cyber risks

Explain risks to clients

Explain the risks of fraudulent emails to clients in your face-to-face meeting.

Confirm risks

Confirm the risks of fraudulent emails to clients in writing.

Verify email requests

As part of your retainer, tell clients, and confirm it in writing, that you require them to verify any email requests by your firm for payment before transferring money.

Include a warning message

Add a warning to your email footer about the risks of relying on payment details in email.

Warn Clients About Cyber Risks Checklist.JPG

(JPG, 766.26 KB)
Download Warn Clients About Cyber Risks Checklist.JPG

5. Have an incident response plan for prompt action

Document a plan

Document what to do if a cyber incident occurs.

Document procedures to help clients

Document what to do if your client pays money to the wrong account.

Your plan should include:

Test plans and procedures

Test that everyone is clear about what they are required to do if something goes wrong

Have An Incident Response Plan Checklist.JPG

(JPG, 1.15 MB)
Download Have An Incident Response Plan Checklist.JPG

Download a pdf of the complete guide

Cyber Security Guide for Lawyers April 2024.PDF

(PDF, 742.41 KB)
Download Cyber Security Guide for Lawyers April 2024.PDF

Useful websites and resources

Law Council of Australia - Cyber Precedent - strengthening the legal profession's defence against online threats

Australian Cyber Security Centre

Australian Competition and Consumer Commission

Australia's Cyber Security Strategy

Australian Cybercrime Online Reporting Network

IDCARE - National Identity and Cyber Support

Law Institute of Victoria - Cybersecurity

More on cyber security

All Resources
LIJ Articles

Call first to avoid cyber fraud

Cyber security 08 Feb 23

When transferring money firms and their clients should always call first to check that account numbers are correct to avoid being victims of cyber fraud. LPLC sees costly cases where this critical step is overlooked.

Learn more
LPLC Articles

4 fundamental cyber security habits to adopt now

Cyber security 08 Jul 22

Four things legal practitioners must do now to protect their firm from cyber fraud.

1. Enable Multifactor Authentication (MFA)

2. ALWAYS call before you pay – no exceptions

3. Warn your clients

4. Check your email rules regularly

Learn more
Client Resources

Cyber security — how to protect yourself — Client Brochure

Client resources, Cyber security 08 Nov 24

This brochure is provided by LPLC as a template for lawyers to use for client information purposes. The brochure outlines what the law firm will do when acting for a client and makes recommendations to the client about what they should do to maintain cyber security. Firms can tailor the wording to suit their needs and insert their own branding or to use the sample brochure as it is.

Learn more
All Resources

Latest News & Alerts

All News & Alerts
News

LPLC Annual Report 2023-2024

31 Oct 24

The LPLC Annual Report for 2023–2024 was tabled in the Victorian Parliament on 31 October 2024.

Learn more
Alert

Vacant Residential Land Tax—Changes to ‘Holiday Home’ Exemption

Tax 17 May 24

The Victorian Government has introduced the State Tax Amendment Bill 2024 which, amongst other taxation changes, will (if passed) broaden the holiday home exemption to allow shareholders of companies, as well as certain beneficiaries of trusts and relatives of those shareholders and beneficiaries, to satisfy the exemption for a property owned by a company or trust.

Learn more
Alert

Snapshot of Major Victorian Property Tax Changes effective from 1 January 2024

Conveyancing, Tax, GST, Leases, Building and Construction, Building and Construction 13 Dec 23

The State Taxation Acts and Other Acts Amendment Act 2023 received Royal Assent on 12 December 2023. The new law introduces significant property tax changes in Victoria with effect from 1 January 2024.

Learn more
All News & Alerts
TOP