Firms need to ‘stay vigilant’ as cyber risks evolve

As the cyber security landscape continually evolves, legal businesses must keep improving their frameworks and educating themselves on changing risks – or risk adverse implications.

Lauren Croft | 21 May 2024 | Big Law

Brendan Payne is a partner at McGrathNicol and operates in the cyber risk incident response and digital forensic space, having specialised in forensic technology and cyber for the last 17 years.

Speaking on a recent episode of The Boutique Lawyer Show, he emphasised the importance of improving cyber security frameworks and outlined key steps firms can be taking.

While the risk of cyber attacks on law firms is “in no way” declining, according to Payne, there are still some massive hurdles standing in the way of firms actually putting in measures to prevent attacks and protect their data.


“In terms of practical steps moving forward and what businesses, especially SME law firms, should be focusing on, the first would be conducting risk assessments. A risk assessment allows a business to identify potential vulnerabilities and threats [before] they occur. But it’s important to note that risk assessments aren’t a one-off, and they should be conducted periodically in order to ensure that you’re keeping up to date with that ever-changing threat landscape,” he said.

“Implementing multilayered defence strategies is just as important. It’s important to remember that these threats are dynamic and constantly evolving, meaning you’re never done addressing risks. Employee training and awareness, I think, is a big one as well. You may often hear the phrase that people are the weakest link in cyber. I don’t agree with that. It’s not too empowering to hear that, as an employee, you’re the weakest link. So, I think, instead, we should be encouraging our staff and ensuring they’re actually the strongest link, and then discuss best practice for securely storing, transmitting and disposing of data.

“I think that’s really important for those smaller to medium-sized enterprises that might not have the resources that the larger firms do. So, there’s a real focus now in industry for businesses to consider what information they’re retaining, why they’re retaining it and for how long. And do they need to be retaining it? Because at the end of the day, that just adds to the risks, I think, of keeping that data.”

As such, there are also a number of key questions firm owners should be asking themselves in terms of the importance of improving their cyber security frameworks.

“As an executive, as a board, as a leadership group, we don’t want to be assuming that any one particular part of the business has complete coverage and oversight when it comes to cyber security. Everyone, all key stakeholders, needs to be involved. So those are questions that should be had at board meetings or management meetings. You need to make sure that everyone is on board, everyone is in the room, so that when there is an incident, you know how to respond,” Payne said.

“For those that aren’t aware, Australia released its 2023 to 2030 cyber strategy just late last year. And the key takeaway from that is that Australia is looking to be a world leader in cyber security by 2030. Improving Australia’s ability to share intelligence and strengthen collaboration between government agencies, I think, is critical as well. Prioritising critical infrastructure, investing in cyber defence capabilities, and then investing in cyber security education and training to fill an expected skills gap.”

Education, moving forward, remains important, added Payne, to make sure the profession continues “heading in the right direction”.

“I appreciate there are different size organisations out there that may not warrant having a dedicated full-time resource in house to look after and manage cyber security operations. That’s where a managed service security provider or a third-party vendor can provide those services, but it doesn’t mean that it should be left to them and that’s the end of the conversation. You need to be regularly having meetings and discussions with those third parties to ensure that your security posture is where it needs to be,” he said.

“We just need to stay vigilant. It’s probably not a matter of if your business will fall victim or suffer an incident. It’s more likely when. And it’s just about making sure that you’re prepared and ready to respond when it does happen so that you can return to business operations quickly and with minimal disruption.”

The transcript of this podcast episode was slightly edited for publishing purposes.