Impact of Cyber Attacks on Law Firms in Australia
Cyber attacks against businesses are on the increase globally; a trend that has accelerated due to the COVID Pandemic. One estimate states that ransomware attacks have increased by 500% since the start of the pandemic and the average payment has also increased by 43%.[i]
Australian businesses have felt the surge of cyber crime. Industry experts have indicated the annual monetary costs due to cyber crime could be as high as $29Billion per annum in Australia.[ii]
Unfortunately, Law Firms are a key target for cyber criminals. From July-December 2020, legal service firms were one of the top 5 industries in Australia to report an eligible breach as part of the Australian Government’s Notifiable Data Breach Scheme.[iii]
The stats: cyber attacks on law firms
The recent Australian Cyber Security Centre Small Business report highlighted that 62% of small-medium businesses (less than 200 people) in Australia had experienced a cyber attack. However, the statistics on law firms alone in Australia are hard to come by. According to the Director of Australian Information Security Association, this is due to the fact that many cyber attacks go unreported. [iv]
“A lot of law firms would actually attempt to hide that (cyber attacks) information to the extent they can. They’ve got a vested interest in trying to save face. They’ve got a vested interest in not making a notification in certain circumstances.”
– Nicole Murdoch, Director Australian Information Security Association
Whilst the exact figures in Australia are not recorded, there is evidence that globally law firms are experiencing increased attacks, exacerbated by COVID-19 pandemic.
In the US, an American Bar Association report found 29% of law firms reported a security breach, and 1 in 5 weren’t sure if there had been a breach.[v] And a report from Law Society Gazette stated UK law firms had experienced a 300% increase in phishing attacks during the first two months of (COVID-19) lockdown alone.[vi]
Why are firms being targeted?
“Businesses that are most at risk of being targeted are those that hold personal or sensitive information on a lot of people or on particular individuals. Professional services such as law practices are at particular risk because they hold large amounts of detailed data about individuals.”[vii]
Cyber crimes are becoming increasingly sophisticated and strategic. This has resulted in both attacks becoming harder to defend against, and victims being more targeted. Whilst there are major attacks on large companies where attackers will demand millions, sophisticated attackers are targeting small to medium businesses with the following criteria:
- Heavy reliance on computers and networks to undertake work
- Hold confidential/sensitive data and records that can’t be easily replaced
- Hold confidential/sensitive information about people
Law firms fit all three categories in spades. Specifically, legal firms hold highly confidential information about clients that would often be detrimental if it were to be made public. Cyber criminals are aware of this and thus can easily hold firms to ransom by stealing and encrypting this data.
“Law firms and legal industry suppliers are high value targets for ransomware and cyber-attacks, as the data they house is always client-confidential and potentially industry-sensitive; and with the exponential business utilisation of technology this past year, law firms and law firm suppliers are becoming increasingly vulnerable to attack,”
Jeremy Duffy, Nexus Principal.[viii]
What is the impact of a cyber attack for law firms?
“There’s no question that data breaches and hacking activities are some of the biggest threats to legal and conveyancing professionals today,”
– Peter Maloney, GlobalX chief executive.[ix]
There are three core implications for law firms who experience a data breach or cyber attack.
- Monetary cost: it is estimated the average cost of a cyber attack on a small to medium business in Australia is $276,323.[x]
Cyber criminals are almost always after one thing: money. This results in attacks where data is held to ransom and companies must pay a ‘fee’ for the data to be returned. It can also result in account fraud and redirection and social engineering – where scammers convince companies to pay false bills. However, the additional cost for many small businesses is the high downtime of production during an attack. On average, it takes 23 days to resolve an attack, and 51 days to resolve if the attack is by an employee.[xi] The resolve can be both costly to contract experts to solve, as well as costly due to the productivity lost.
- Brand implications: 87% of consumers are willing to walk away and take their business elsewhere if, or when, a data breach occurs.[xii]
Brand and reputation can be greatly impacted by a data breach. The Australian Notifiable Data Breach Scheme requires eligible companies, and/or breaches, to be officially registered. Further, the scheme requires all individuals impacted by the scheme to be notified. This can lead to both media scrutiny and leave clients feeling anxious and insecure. Further, brand implications can have lasting affects on long term business prospects.
- Legal implications: “If the firm is found to lack appropriate procedures and/or systems to protect the confidential client information and ensure that damage from cyber-attacks are mitigated, the firm may face claims of professional negligence amongst other consequences.” [xiii]
The additional implications for legal firms stem from the expectation clients have of confidentiality. The Law Society of SA highlights that firms that do not adequately protect their client’s information could face:
- claim of unsatisfactory professional conduct or even professional misconduct for breaches of professional obligations under the Australian Solicitors’ Conduct Rules (SA);
- breach of contract with clients; and
- potential requirements to make disclosures under thePrivacy Act for data breaches. [xiv]
What can law firms do to protect themselves?
The good news is there’s a solution. Firms can easily put in place systems and tools to dramatically reduce the risk of cyber attacks. Three key areas all business should implement are:
- Cyber Security Technology: being applications and tools which protect the business systems. The best guide for this is the Australian Cyber Security Centre’s Essential 8 mitigation strategies. This includes areas such as multi-factor authentication and regular updating of operational systems and programs. The Jam Cyber – Cyber Security Management System is compliant with the Essential 8 Strategies.
- Employee Training: unfortunately, innocent employee error is a major cause of cyber attacks. This includes both employees being scammed by external hackers and employees accidentally putting the company at risk and causing a breach. Training can reduce cyber attacks by 72%[xv] and also give employees more confidence in their online environment.
- Policies and procedures: in addition to systems and training, it is also important for businesses to have policies and procedures regarding cyber security and IT asset management. These documents act as a guide for employees to ensure they are always acting cyber safe. Further, policies and procedures should clarify what should occur in the case of a data breach as rapid action can greatly reduce the impact of an attack.
At Jam Cyber, our Cyber Security Management System includes all these areas. Contact our team today to ensure your law firm is cyber safe.
10 ways to ensure your business is protected from the Log4j vulnerability In December 2021, a vulnerability was discovered in