As cyber criminals grow more sophisticated and brazen, William Welch warns that Australian law firms are now confronting a level of cyber risk unlike anything seen before – and many still lack the specialised tools and expertise needed to defend themselves.
Speaking on an episode of The Lawyers Weekly Show, William Welch, the principal solutions architect for the legal sector and AI security at Cybertify, unpacked why law firms across Australia are now facing an unprecedented surge in cybersecurity risks and targeted threats.
Welch explained that the legal profession has become a prime target for hackers not just because of the sensitivity of the data firms hold, but also because many lack the infrastructure and specialised expertise needed to protect it effectively.
“Legal data is so sensitive that no company wants to get it breached. But that also means that it's the juiciest target for hackers to try and come in,” he stated.
While BigLaw firms may be investing heavily in advanced cybersecurity, Welch stressed that the wider market faces a far harsher reality – many firms operate without dedicated security specialists, rely on overstretched information technology (IT) teams, or simply have no idea where to begin.
“The big law firms, they're paying top dollars to keep it secure, but there's a big market for everyone else where they don't even know what the first step is,” he noted.
“Maybe they've got an IT manager, maybe they've got a few teams. But are these teams specialists in security in the legal domain?”
Welch emphasised that, unlike most industries, law firms face unique challenges in safeguarding their data, with strict long-term retention requirements stretching across years – a vulnerability that makes them particularly enticing targets for hackers.
“When I first entered the legal industry, I was kind of blown away that you've got the document discovery tools, the matter management tools. You guys have to keep data backed up for a certain amount of time,” he said.
“A lot of other industries don't have those problems. So that means that hackers are not only accessing data from this year, but they're trying to get data from matters seven years ago. That's something that not a lot of other fields have to face.”
Adding to the challenge, Welch stressed that, unlike banks or major corporations with heavily fortified cybersecurity perimeters, many law firms simply lack the “locks on the outside” to keep intruders at bay from the start.
“The problem with law firms is that their IT infrastructure is so complicated. They often don't have these locks on the outside. So as soon as people get a sniff that they're weak, they'll start breaking in,” he outlined.
Reflecting on his observations, Welch candidly noted that law firm partners are often too busy to fully understand the intricacies of their IT systems or the measures required to guard against cyber risks, leaving crucial details overlooked – the very details where security most often fails.
“If I'm speaking honestly, I think they wouldn't be across it for most of it. Maybe they've got an IT team that can tell them the risks,” he stated.
“But in the large majority of cases, the partners are too busy to be across the intricacies of the systems. But the problem is that detail is where it matters, detail is where it fails.”
