The federal government is currently discussing new standards with industry that could see company directors being held personally responsible for cyber attacks. Making directors accountable and having better governance over their businesses are a welcome shift, but the real key is how and what the government is going to do in order to enforce these new regulations.

The impact on lawyers

A 2020 report from cyber-security services company BlueVoyant revealed law firms tend to be more vulnerable than other types of businesses to cyber attacks, with over 15 per cent of a global sample of law firms showing signs of compromise.

The reputational impact of data loss to a law firm following a security breach cannot be underestimated. The mandatory data breach notification rules that now apply to most law firms exacerbate the effect dramatically and may require contacting every existing and former client to advise them that persons unknown may have their information.

Even if a criminal does not manage to steal one cent of client money, the remediation and reputational effect of an attack could cost even a small firm hundreds of thousands of dollars.

As the number of cyber attacks on Australian companies grows exponentially, the spotlight is now on the leaders of these organisations to act in order to mitigate their risk of exposure. For legal firms, the impact could be incredibly damaging to both firms and their clients.

Change is needed, but it’s not always welcome

VIEW ALL

Despite the clear need for change, my experience over the past 15-plus years across multiple clients and scenarios has made one thing crystal clear: most companies will only invest in an area when they see a need or motivation, it is enforced, or it creates a pain point.

If the law or legislation is lenient, organisations and boards are unlikely to take action. The privacy act and Europe’s General Data Protection Regulation (GDPR) created a lot of noise in the marketplace, but its enforcement and implementation have not been widespread.

In the rare cases where cyber security is top of mind, there is usually some external motivating factor at play, including companies that need to differentiate themselves from their competitors, or organisations that have to respond to a tender where cyber-security certification is mandated. Then there are the companies that have actually seen the crippling effects of a data breach or cyber attack and have heavily invested in cyber security soon after.

Cyber security should not and cannot be a “wait and see” situation for law firms. It needs to be planned and implemented well in advance of an attack, and shouldn’t merely be put in place to tick a box. Leaders and board members need to understand the vital importance of having a cyber-security process in place well before an attack occurs and understand the massive business benefits that come with security.

Following basic hygiene

Making directors accountable for cyber security will require commitment, education, awareness, training, change management, and leadership. In order to persuade board members of the business impact of not investing in cyber security, a risk management framework can help define the impact of a cyber risk in an organisation’s risk matrix.

When faced with a choice, human beings have an inherent tendency to take the path of least action or least resistance. For example, it is common knowledge that preventative care including eating healthy, exercising, and avoiding smoking or drinking will drastically improve your health, and yet people still fail to do so.

We have seen throughout the COVID-19 pandemic that simple steps to protect oneself by wearing a mask, social distancing and washing hands regularly can help keep us safe, but a lot of people still disregard these measures.

Similarly, cyber security has some basic hygiene principles and if law firms can follow them diligently, they can protect themselves and mitigate the risk. It all comes down to culture, enforcement and encouragement leading to a broad cultural change.

Ajay Unni is the founder of StickmanCyber and is a member of the NSW government’s cyber security taskforce.