A Corrs Chambers Westgarth partner has issued a warning to businesses, including law firms, to take a proactive approach to cyber security.
The recent spread of the ‘WannaCrypt’ or ‘WannaCry’ ransomware brought the issue of cyber security to the fore.
The attack affected businesses in many countries around the world, encrypting victims’ files and then demanding bitcoin payments to release them.
Michael do Rozario, a Sydney-based partner and head of technology solutions at Corrs Chambers Westgarth, said this shows that cyber attacks need to be treated like any other business risk.
“It is not the case that businesses can approach cyber attacks as though they are unforeseeable or unpreventable,” Mr do Rozario said.
“They are not acts of nature, but another type of corporate fraud that businesses must have processes in place to prevent.”
He added that the ransomware’s exploitation of out-of-date Windows operating systems revealed a weakness in many businesses.
“These attacks clearly demonstrate that it is essential for all companies to have a plan in place to deal with cyber attacks,” Mr Rozario said.
“The fact that the attacks took advantage of a patch that many organisations have not applied highlights a key vulnerability for organisations.”
The Corrs partner said the maintenance of computer systems can be hampered by limited IT budgets, concerns about downtime and seemingly constant update requirements.
However, a concerted approach to cyber security across the whole organisation has become more important than ever.
“That decision-making process needs careful attention. Certainly [failure] to apply a patch would create legal risks for a company that causes loss to its clients or shareholders [and] then becoming a victim of a foreseeable cyber security incident as a result of that failure,” he said.
“We believe that general counsel, executives and boards need to become more directly involved in understanding the risks and plans for response to the threat of cyber attacks.
“General counsel, in particular, need to grab a hold of this issue as they would [on] any other major fraud risk, and drive the assessment of risk and plan the response of the company, drawing on internal and external expertise as needed.”