Speaking on a recent episode of The Boutique Lawyer Show, he reflected on the current state of affairs for cyber risks and how and why legal businesses should improve their cyber security frameworks to avoid adverse implications.

Payne has specialised in forensic technology and cyber for the last 17 years and said that the space is an “ever-changing threat landscape”.

“It should be no surprise to many, but ransomware clearly takes the number one spot. For those that aren’t familiar, it’s essentially a form of malware in which unauthorised access to an environment is usually followed by exfiltration and/or encryption of data followed by a ransom. So, paying the ransom is usually met with a promise by the threat actor to provide what’s known as a decryption key. And that’s what you need in order to decrypt the data or suppression of data from actually being published or sold online,” he explained.

“Now, often, with ransomware attacks, we see one or the other, or in some cases, we actually see both, where the data is encrypted, the data is exfiltrated, and then a ransom is made. And in no way is ransomware or other types of cyber incidents on the decline. If we look at the three most high-profile cyber attacks in Australia in the past 18 months, all of them were ransomware.

“Usually, these are sophisticated attacks, unlike the spray and pray approach we see with spam, email targeted individuals generally in important positions such as human resources, finance or accounts payable, or executives, are targeted. Common examples include invoice and payment fraud, which we see a lot.”

Payne also highlighted the prevalence of third-party and supply chain risk within the cyber risk landscape.

“That applies to all businesses, whether it’s SME, law firms, or big global national operations. Most businesses nowadays rely on third-party vendors in some way or form. And what we’re seeing is an increase in the number of breaches against these providers, which then often impacts multiple businesses that rely on those services,” he outlined.

VIEW ALL

“So, cyber criminals are often targeting the weak links in the supply chain to gain unauthorised access to larger, more valuable targets. And we’ve clearly seen an increase in the number of attacks against law firms, I’d say, in the past nine to 12 months, in Australia and also globally as well.”

Despite these increased risks and attacks, Australian businesses have varying levels of preparedness when it comes to protecting themselves against cyber criminals.

“There are some businesses that have a really mature cyber posture, and they have the capital and the time and the expertise to invest in cyber security. And then we have, on the other end of the spectrum, the smaller businesses, perhaps they’re sole traders or smaller operations that perhaps don’t quite have the level of understanding. [And] we’ve got the smaller to medium-sized enterprises that [have] a number of hurdles that they’re facing in implementing the right strategies,” Payne added.

“What we’re seeing is limited resources, including budgets, expertise of staff and resources to invest in a robust cyber posture. There’s a real lack of awareness or expertise if we look at best practice and risk, especially in the SME market. And the other one that is quite surprising is a resistance to change. Whether that be employees or management or key stakeholders, I can’t tell you the number of times that I’ve worked with businesses [that] didn’t implement something as simple as multifactor authentication because it’s perceived to be a hindrance to their business operations.”

A cyber attack can mean various legal liabilities for law firms, both in terms of financial loss and impacting business operations – and Payne added that from his perspective, there are a number of implications from breaches that are “really important” moving forward.

“The importance of protecting sensitive and confidential information, as well as intellectual property, is critical. And that’s probably expected by a client to maintain that trust and confidentiality. Potential brand and reputational damage is another big one. It’s often hard to calculate what the actual damage is or could be in relation to a cyber incident until you actually go through it.

“One of the issues for law firms, in particular, is they’re often dealing with what we call unstructured data, and it can be difficult to understand what information has been accessed or exfiltrated by a threat actor or an unauthorised party when you’re dealing with this type of information. SME law firms are likely to contain larger data sets which are unstructured, making it harder to determine who the impacted victims are,” he said.

“I think the other important step as well for law firms is the importance of an incident response plan or a business continuity plan. So, you need to be able to respond in a timely manner in the event of a cyber instance. Those first few hours and days are really critical. It helps reduce damage and downtime and allows you to return to business as usual operations as soon as possible.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Brendan Payne, click below: