This is the third article in our series on Cyber Security for Lawyers. The idea behind this series is to initiate a discussion on why cyber security is essential for lawyers. In the first article, we talked about best practices from the UK based on a guidance document published by the UK’s General Council of the Bar. In the second article, we deliberated on the guidelines prepared by Canada Bar Association’s Ethics and Professional Responsibility Committee. In this article, we talk about best practices from the Australian legal community.
In November 2016, the Law Institute of Victoria formulated and published a cyber security toolkit. The Intellectual Property and Information Technology Committee and the Technology and Law Committee prepared this toolkit to provide guidance and educate staff members on cyber security risks. This toolkit comprises six components:
- Manager Handout: This handout gives managers a comprehensive overview of the most important cyber security problems they need to discuss.
- Employee Handout: This handout offers a short summary of the details available in the Manager Handout. Employees must go through this handout for a better discussion on cyber security at their workplace. Also, it provides a dictionary of common terminology related to cyber security.
- Crucial Cyber Safety Tips: This can be used as a handout during a training session. The organisation should distribute it to employees so that they have access to key cyber safety tips.
- Cyber Security Case Studies: Trainers can use these case studies to highlight cyber security risks that may come into play due to employees’ conduct.
- Training Outcomes Checklist: Trainers and organisations can use this checklist to confirm and strike off issues they have dealt with in a training session.
- Training Engagement: This resource pool consists of cyber security materials to be used by employers to train their employees.
Should cyber security be a priority for your law firm?
According to a recent report, the Australian Cyber Security Centre received 67,500 reports of cyber crime in the last year. This is an increase of 13% from their last annual report. Cyber security is not solely an IT issue, and everyone in a law firm has a role to play. The Australian Government’s initiative StaySmartOnline is a good place to begin reviewing basic cyber security measures for your organisation. Common security threats that a law firm may face are:
- Phishing scams: Phishing scams are notorious, and you may come across such emails regularly. A phishing email usually contains a link leading to a malicious site or an attachment designed to trigger malicious programmes on your computer. Scammers may use social engineering techniques to gather information about your employees and customise emails to increase their chances of success.
- Ransomware: Think of the businesses that store sensitive information in one place. Law firms are certainly among them. Ransomware encrypts information on your system. As a result, users cannot access their systems as they normally would. Further, the attacker asks you to pay a ransom to get access to decryption keys. They usually demand ransom in cryptocurrency. You may come across a timer along with a message saying that the ransom amount will increase if you do not pay within the specified duration.
- Hacking email accounts: Email is the go-to medium for law firms to communicate internally and with their clients. Due to the nature of information being exchanged, attackers know the stakes involved. Make sure your employees have enabled two-factor authentication along with strong passwords. The training program must equip your employees with the necessary knowledge to distinguish a genuine site from a fake login page.
Good security practices from the Law Institute of Victoria’s cyber security toolkit
- Attachments and links on emails
  - Do not open links or attachments from unknown senders.
  - Be wary of downloading email attachments with extensions such as .exe and .zip. They may contain malicious programs that can infect your computer system.
  - Preferably, run an anti-virus scan on your email attachments.
  - Hover your cursor over links in emails to verify if they are legitimate websites.
- Confidentiality and privacy
  - Do not access sensitive or confidential information from unprotected devices.
  - Avoid responding to emails requesting sensitive or confidential information.
  - Do not post sensitive or confidential information belonging to clients on public forums or share it with individuals who are not authorised.
  - Limit posting your personal information on social media platforms.
  - Verify email requests even if they come from known sources. For instance, attackers may spoof email addresses.
- Securing devices
  - Install licensed security software on your systems.
  - Enable daily full scans using a reputable anti-virus/anti-malware tool.
  - Instead of using free email services, prefer enterprise suites offered by various service providers as they offer more control over the security of your organisation’s email accounts.
  - Avoid using public Wi-Fi networks as they may not be secure.
  - Use a VPN if there is no other option than using public Wi-Fi.
In the legal profession, one cannot deny the necessity of having good cyber security practices. Toolkits like this are a welcome step as they push for implementing good practices. How effectively it will be implemented or adopted is a concern that is often left unaddressed. While adopting this toolkit may not be mandatory, incorporating good security practices will never be a wrong choice for a law firm. Above all, clients place their trust in their lawyers when sharing confidential information, and lawyers are expected to maintain confidentiality.
Akshara P. Kamath, an undergraduate student at Symbiosis Law School, Hyderabad, worked on this article’s initial draft during her internship with The Cyber Blog India in June/July 2020.
With inputs from Neha Bhandari.