
5 important cyber security takeaways for law firms

From where and how to spend your money on security to how to prepare for the inevitable security incident, here are five essential learnings for every Australian firm.

David Hollingworth 25 October 2023 Big Law


Editor’s note: This article originally appeared on Lawyers Weekly’s sister brand, Cyber Daily.

Cyber Daily was recently lucky enough to sit down with one of the veterans of Australia’s cyber security industry – Tim Redhead, founder and chief executive of DotSec. The conversation covered a wide range of topics and is well worth watching, but if you want to get to the essence of the piece – the essential five points, if you will – we have got you covered.


1. Help is out there – don’t be afraid to use it
If you’re unsure where to start, there are plenty of published standards that serve as good frameworks to follow and that will help you build your firm’s security program from the ground up.

According to Mr Redhead, the Australian Securities and Investments Commission (ASIC) has a very good, very straightforward document called “Cyber resilience good practices”, which is a great place to start. It features advice on governance and risk management, information sharing, asset management, detection systems, and more.

2. Understand your risk appetite
Every business should ask itself, “What really matters?” What can the business do without, what is essential, and what would it cost if those essentials were suddenly compromised or unavailable?

“So think about those assets, the kind of damage they can sustain, the cost to the business in terms of a range of things,” Mr Redhead said. “These could be short-term operational costs, loss of revenue, long-term repair and recovery costs, increase in insurance premiums, and so forth, possible fines, and so on.”

Once you know what you need to protect, that’s where you start.

3. Follow what’s happening overseas and prepare for regulations to change
In a lot of ways, Australia is playing catch-up with the rest of the world when it comes to the regulatory response to data breaches and similar cyber incidents. Mr Redhead believes that if you want to see where things could be going here in the future, look at what’s happening overseas.

“Follow the class action bandwagon that’s been going in the US for quite some time now, surrounding breaches, and loss of sensitive information,” Mr Redhead said. “I think we’re just starting to see the first part of that train coming into Australia – I don’t see any reason why that’s not going to continue.”

4. Consider the right cyber insurance for you
When it comes to risk, insurance is all about transferring the risk you may face as a business to a third party – the insurer.

According to Mr Redhead, insurers are becoming much more cyber savvy, and they will ask you hard questions about your resilience and readiness. This is where the first point comes back into play: if you’re following an established playbook, your cyber maturity journey is already well underway, and you should have the answers to those hard questions.

“Did you implement multifactor authentication? Do you have endpoint management? Do you have a way of managing and monitoring what goes on in your organisation? And so forth? If you’ve got those in place, you’ll probably get paid out,” Mr Redhead said. “But if you don’t, then I guess you’re at the mercy of the insurer at that point. And that answers your question: what would they pay and what they won’t? It’ll depend on what the causes are.”

5. Understand who the bad guys are and the scale of their operations
Modern cyber criminals are not a kid sitting in a basement wearing a hoodie – they are well organised, highly skilled and often very well resourced.

“It’s proper organised crime,” according to Mr Redhead, complete with support desks to help their victims navigate paying a ransom, and often with a range of affiliate organisations backing them up.

“There are hacking groups that create and sell tools and software for a profit,” Mr Redhead told Cyber Daily. “So they’re basically … attack-as-a-service. And if I’m not very smart, but I do want to get into some phishing and business email compromise, and I can go to these, pay some money – it’s not so expensive, a couple of $1,000, usually first – and you get a good starter kit.”

These points are just the tip of the iceberg of what we discussed with Mr Redhead, and if you did miss the live stream, you can still watch it right here.