Neal Costello, national account manager at Excite Cyber, has a specialty in securing law firms and said there are a number of shortfalls in the government’s plan.

“While the government’s intentions are commendable from a national security perspective, one in two legal firms already lack confidence in their ability to detect and respond to threats. Increased regulation could make it even more difficult to run an effective internal security function; we expect to see that level of confidence fall even further,” he said.

“We know many legal firms are under increasing pressure from clients (e.g. insurance companies) to show compliance to industry standards such as NIST, ACSC Essential Eight, and ISO27001. It’s also evident that many rely heavily on third-party service providers to secure their crucial client data as well as that of their partners and staff. Recent incidents where managed service providers and managed file transfer providers have been hacked show us these relationships must also be defended and tested.”

According to Mr Costello, there are a number of reasons why law firms will find their efforts to build and maintain a cyber security team more challenging with the new strategy – which he said will result in increased regulatory complexity as well as talent shortages in the market.

“The introduction of these cyber shields is likely to come with a slew of new regulations and compliance requirements. For those firms that were already struggling to stay ‘up to date’ with their compliance requirements, these additional measures are likely to be expensive and even cause confusion as internal IT teams struggle to catch up. It also adds further barriers for firms who have yet to establish a robust security function,” he added.

“It is likely that firms will need to invest more deeply in their security efforts to adjust to meet the new cyber security obligations. This will be complicated by Australia facing a shortfall of nearly 17,000 cyber security professionals by 2026. The government’s emphasis on developing a pipeline of cyber security skills could lead to increased competition for cyber security talent. In addition, the government itself is going to hoover up cyber security talent for its own internal projects, meaning that fewer will be available for the private sector, and those available will command higher wages.”

Additionally, Mr Costello said that the strategy is likely to mean threat intelligence sharing, and while “the idea of real-time threat sharing between government and businesses is appealing”, it can also raise concerns about the privacy and security of sensitive data.

VIEW ALL

“Security teams are going to be sorely pressed to resolve the conflict between the ideology of data sharing and the need to protect the environment from potential data breaches or misuse of their data. Many industry sectors are establishing their own intelligence-sharing systems to protect themselves within a targeted environment, whilst still sharing information with government,” he said.

“Finally, the stricter cyber security regulations can stifle innovation and create conflict between the interests of the firm and the obligations of the security team. Much of this tension will play out through IT and security teams, which is ground zero for all cyber security matters, and could result in it being seen as an inhibitor within the organisation. We frequently encounter tension between how people want to work and security requirements when internal messaging has failed to explain the benefit and value of changes to the end user and their employer.”

To rise to these challenges, firms will need to adapt fast, with Mr Costello citing “board-level awareness” as an important factor moving forward.

“As law firms work to rise to the challenge presented by the government’s new and deep enthusiasm for cyber security, the question is how they will be able to resource and support the critical IT and information security functions that will allow them to keep up with the national effort,” he concluded.

“In many cases, the answer is to engage external expertise to allow internal staff to focus on essential support and assistance to staff, but in many cases, the missing aspect is board-level awareness and willingness to adapt to an increasingly hostile technological reality.”