
Law firms unsure of cyber security responsibilities: Report

A significant proportion of Australian law firms lack clarity on who within their organisation is responsible for cyber security and protecting client data, a new report has revealed.

Lawyers Weekly, 23 October 2023, Big Law

The worrying findings come from a new research report from Australian cyber security organisation DotSec, which surveyed legal professionals across the nation.

The 2023 State of Cyber Maturity for Australian Law Firms report asked legal professionals what role in their organisation is the primary driver for maintaining, reporting on, and/or improving cyber security.

The majority of legal professionals (37 per cent) said cyber security was the responsibility of the IT department, while one in four believe partners are responsible.

One in 10 legal professionals said lawyers are primarily responsible for cyber security, 9 per cent see it as a job for the chief technology officer, and another 9 per cent said it’s the role of the compliance officer. Just over one in 10 (11 per cent) said “other”.

Commenting on the findings, DotSec owner Tim Redhead said that in most cases, business owners, partners, and C-level roles are the primary drivers for cyber security, placing a greater emphasis on overall leadership and direction.

“When we work with law firms, we always ensure that it is a whole-of-organisation approach that is being driven by the key decision-makers and business leaders,” Mr Redhead said.

“However, what the survey findings reveal is a lack of consensus and clarity on who is responsible for the organisation’s security and risk management. This can create confusion, overlap, or gaps in responsibilities, leading to a fragmented and less effective approach to cyber security.”

Mr Redhead pointed to another area of the report, which found that only 30 per cent of respondents were confident that they were compliant with an external security framework or standard.

Legal professionals were asked if they were confident that their organisation complied with an external security framework or standard, such as ISO/IEC 27001:2022 or the CIS Essential Controls.

The majority (64 per cent) said they were unsure, 15 per cent were compliant with their own in-house framework, and just over one in 10 (11 per cent) said they were not compliant with any framework.

“Security frameworks and standards exist to provide a common point of reference, allowing an organisation to be confident of its own security maturity while also being able to demonstrate that maturity to a client, partner, insurer or other third party,” Mr Redhead said.

“The fact that 75 per cent of legal professionals were either unsure or were certain that they complied with no well-accepted standard or framework is a major concern for Australia’s law firms,” he said.

“This clearly indicates a lack of cyber awareness and a major risk to the sensitive data that these organisations hold on behalf of their clients. Given that the majority of law firms are in the dark when it comes to securing their practice, those who do invest in cyber security have a competitive advantage with clients who need to know that their data will be safe.”