A cyber-security specialist has provided insight on how law firms can ensure they have adequate cyber-security measures in place.
For Lander & Rogers partner Lisa Fitzgerald, the new year period is an opportune time for businesses, including law firms, to reassess and bolster their protection.
“Many businesses are underprepared,” she said.
“Even when they have a data breach response plan, it’s often stored on servers and may be rendered inaccessible during a cyber incident. The Federal Government’s Cyber Strategy 2020 report flags express directors’ duties in relation to cyber security, which could mean greater potential for shareholder class actions where a cyber incident leads to a drop in share price.
“All businesses today need data to operate. Whether that data is personal, sensitive, confidential, privileged or simply essential to running the business, as soon as that data becomes inaccessible, business comes to a grinding halt.”
Here are seven ways businesses can protect themselves against a threat, according to Ms Fitzgerald:
1. Review your IT systems and increase malware detection measures.
2. Remind your staff to be on the alert for phishing emails and actively monitor compliance with your IT policies.
3. Ensure data breach response plans are up to date and fit for purpose.
4. Require two-factor authentication, including from third-party tech vendors.
5. Encrypt the most sensitive and business-critical data, including customer data. This will require a data audit.
6. Reinstate robust procurement processes for cloud services and ensure your contract will help, rather than hinder, you at a time of crisis.
7. Obtain cyber insurance.
If the business has already fallen victim to an attack, Ms Fitzgerald advised there are several measures one can take.
“Activate your data breach response plan – your external lawyer is well placed to be a custodian of this plan and to play a key role in ensuring timely, effective and compliant steps are taken,” she said.
“Engage a cyber forensics team to understand what and who has been potentially affected as soon as possible. Waiting until exfiltration of data has been proven is not enough and dangerously narrow. Screenshots of data don’t require data extraction or transfer from a server, so identifying potentially impacted data is part of this process.
“Obtain legal advice without delay to help with an effective response and to mitigate damage.
“Check the terms of your insurance policy and follow it.”