How have boutiques fared on cyber security during COVID-19?
Post-pandemic, boutique law firms should consider full reviews of their technology and processes to ensure proper protection for clients and adherence to regulatory duties.
By now, it is well established that businesses across Australia have experienced an increase in cybercrime. Research from KPMG Forensic, for example, found that ASX 200 companies have been particularly susceptible to fraud during COVID-19.
The Telstra Security Report 2019 found that over half (56 per cent) of businesses interviewed experienced ransomware and business email compromise at least quarterly. Boutique law firms, Kate Healy advised, may be especially vulnerable to these forms of crime “if they do not have the internal expertise or expect that it will be part of their IT services, which is often not the case”.
According to Ms Healy – a principal cybersecurity strategist at Telstra Enterprise – boutique firms “should have conversations with their telco or IT partners to understand how they are protected and to ask hygiene questions about how their data is backed up and protected, how often their systems are updated with security patches and how their regulatory obligations are met.”
“They should also be looking at their internal processes as cyber security is not just about technology, but how it is used by employees and accessed,” she said.
Businesses that saw minimal interruption, Ms Healy continued, were those who had “robust and tested” business continuity plans. Lawyers Weekly has written about the importance of BCPs for boutiques in the wake of the pandemic and why they will be so integral post-pandemic.
“BCPs are like fire drills for your technology which help cover a number of business interruption scenarios from a flood in your computer room, a criminal stealing or encrypting your data through ransomware or natural disaster,” Ms Healy explained.
“These plans should be a joint effort across your organisation and include your IT provider to plan and test out these scenarios. It should also encompass everything from where to get spare laptops and servers through to how you will respond to customers and regulators. They don’t need to be overly complicated but they should be tested, just like you test a fire drill.”
One of the less-discussed lessons from the pandemic, Ms Healy warned, is the need to properly consider one’s adoption of technology and how well it might protect the business.
“In the last few months, we saw two key changes across most Australian organisations in response to COVID-19, the move to the cloud and working from home; and for many this will become the new normal. However, in some cases this adoption of new technologies was done under emergency circumstances,” she advised.
“This meant that some businesses may not have thought about the impacts such as security risks, the need to meet regulatory obligations such as the Australian Privacy Act, GDPR or PCI DSS. The move to cloud and online collaboration tooling can provide an opportunity to consolidate your IT environment and turn on much of the security capability already included in these products. Boutiques should think about working with specialists who can review their technology and processes to help ensure they are well protected and meeting their regulatory obligations.”
In response to such concerns, Ms Healy said that one of the most effective things some of Australia’s largest companies do is share their cyber security experiences through regular meetings within the industry and more widely, or by sharing insights and learnings around fighting cybercrime.
“Collaboration is so important, and the establishment of a framework can only benefit all organisations. There is also an opportunity to get some advice around what technologies others are using in building secure solutions,” she said.
COVID-19 has “fast-forwarded a technology shift towards cloud usage, remote working and the digitisation of processes”, Ms Healy surmised.
“It is difficult to imagine many organisations going back to the way they used to operate. This does potentially create a greater exposure to cybercrime which can feel a little daunting, but it is a risk of doing business that needs to be managed like any other risk and organisations are not alone,” she concluded.
“More and more vendors are beginning to build robust security into their solutions and there are experts available who can help guide you on this journey.”
Ms Healy’s comments follow reporting by Lawyers Weekly two weeks ago, arguing that COVID-19 has highlighted the importance of stringent cyber security measures for all SMEs.