How to create a cyber security strategy for your law firm

04 August 2022 By Ajay Unni

Adopting a proactive approach rather than a reactive one when it comes to cyber crime is the best way to protect your firm from becoming the next cautionary tale, writes Ajay Unni.

Law firms know the importance of being thorough when protecting themselves from litigation, but due to the volatility in the cyber security landscape, taking precautions against data leaks or breaches is more important than ever. Class action lawsuits and individual disputes have occurred when resentful clients feel their data wasn’t treated securely. This can lead to significant reputational as well as financial damages.

Clients are becoming ever more sensitive to the protection of their information. The confidential nature of many of the details stored and shared in law firms means that many clients will be especially conscious of cyber security standards and practices.

Due to the large amounts of personal and sensitive data that law firms store, they are at a higher-than-average risk for data leaks. They may be specifically targeted through malware, phishing attacks, hacks, or email spoofing to acquire sensitive client or financial information.


The Australian government has reported a 13 per cent increase in cyber crimes in the last year and a 15 per cent rise in ransomware attacks. It is therefore a pressing issue that many law firms have either outdated or unmanaged cyber security practices.

Cyber security is seen by some partners as an intimidating technical topic that isn’t their concern. However, it needs a holistic approach and should not just be left up to the IT department to defend against malicious actors.

ASIC’s 2020 court case against financial services licensee RI Advice indicates the potential entanglements law firms may face from cyber crime.

ASIC took RI Advice to court for failing to uphold a “reasonable standard” of cyber security, citing numerous security breaches at the practices of its representatives. The Federal Court found RI Advice guilty of breaching its licence obligations to act efficiently and fairly when it failed to have the appropriate cyber risk management systems in place to effectively manage its cyber security risks. The case set a new precedent as businesses learnt that they can be held accountable by the government for negligence when it comes to their cyber security.

Adopting a proactive approach rather than a reactive one when it comes to cyber crime is the best way to protect your firm from becoming the next cautionary tale.


A diverse approach to cyber security

Preventing data leaks takes a combination of user security policies and security tools. In the case of law firms, it’s prudent to also have network security components, including access control, antivirus and anti-malware, intrusion prevention systems (IPS), and security information and event management (SIEM), to prevent data breaches and to handle breaches swiftly if they do occur.

In 2022, the focus should not be on antivirus technology alone. While great software and robust digital security infrastructure are a must, there are other areas of your firm to consider as potential areas for cyber crime.

The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to prevent cyber security incidents and help firms protect themselves against various cyber threats.

The most effective of these mitigation strategies is the Essential Eight, a baseline of eight controls designed to protect Microsoft Windows-based networks. These are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multifactor authentication and regular back-ups.

Law firms should implement these strategies at the bare minimum to make it harder for adversaries to compromise their systems. As ASIC points out, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.

Emails and clouds

According to Boston Consulting Group, 77 per cent of cyber attacks are due to human error or failure to detect acts of “phishing”, which accounts for three-quarters of email attacks. Phishing emails mimic those of a real user and are one of the easiest ways for hackers to access your system.

It is vital to educate yourself and your employees on the ways your firm can be attacked in this way and familiarise yourself with terms like keystroke logging, malware, ransomware and spear phishing.

Like email, cloud storage systems are relied upon more heavily as businesses scale and need more data storage. They can also come with unknown bugs and risks that expose private internal information to online criminals. Make data security and governance a priority when using any type of cloud provider.

Disgruntled employees

Employees leaving their positions can place sensitive information at risk. Should they depart under negative circumstances, they may be inclined to take or leak company documents or continue to log into shared accounts long after their employment has ceased. Allowing ex-employees’ and contractors’ accounts to remain active following their departure makes a hacker’s job incredibly easy.

To avoid this, ensure employees have their own unique ID and passwords, remove any shared accounts and ensure that they are prompted to change their passwords on a regular basis. When employees finish up, access to these accounts should be automatically closed.
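The account-lifecycle checks described above can be run as a routine audit rather than left to memory. The following is an added example, not code from the article or from StickmanCyber: it reconciles a constructed export of directory accounts against a constructed HR roster, flags shared accounts with no individual owner, accounts whose owner has left but are still enabled, accounts with no HR record at all, and passwords older than an assumed 90-day policy, and then disables the leavers. The account names, employee ids, dates and the 90-day value are all assumptions for illustration; in a real firm the same logic would run over an Active Directory or identity-provider export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy values assumed for this example (not taken from the article).
PASSWORD_MAX_AGE_DAYS = 90
TODAY = date(2022, 8, 4)  # fixed date so the audit is reproducible offline


@dataclass
class Account:
    username: str
    owner: Optional[str]   # HR employee id; None marks a shared/generic account
    enabled: bool
    password_set: date     # date the current password was last changed


# Constructed sample directory export (not real accounts).
ACCOUNTS = [
    Account("jsmith", "E100", True, date(2022, 7, 1)),
    Account("reception", None, True, date(2021, 1, 10)),        # shared login
    Account("pwong", "E101", True, date(2022, 3, 15)),          # owner has left
    Account("contractor-it", "C200", True, date(2022, 6, 1)),   # no HR record
    Account("mlee", "E102", False, date(2022, 1, 1)),           # leaver, already disabled
]

# Constructed HR roster: employee id -> departure date (None = still employed).
ROSTER = {
    "E100": None,
    "E101": date(2022, 6, 30),
    "E102": date(2022, 2, 28),
}


def audit_accounts(accounts, roster, today=TODAY):
    """Return (username, finding) pairs for accounts that breach the lifecycle rules."""
    findings = []
    for acct in accounts:
        if acct.owner is None:
            # A shared account cannot be tied to a person, so it can never be
            # closed when that person leaves; report it and move on.
            findings.append((acct.username, "shared-account"))
            continue
        if acct.owner not in roster:
            # Account exists in the directory but HR has no record of the owner.
            findings.append((acct.username, "orphaned"))
        else:
            left = roster[acct.owner]
            if left is not None and left <= today and acct.enabled:
                findings.append((acct.username, "leaver-still-enabled"))
        if acct.enabled and (today - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((acct.username, "stale-password"))
    return findings


def disable_leavers(accounts, roster, today=TODAY):
    """Disable every enabled account whose owner has departed; return usernames touched.

    In production this step would call the directory (an AD or IdP API) rather
    than flipping a flag on an in-memory record.
    """
    disabled = []
    for acct in accounts:
        left = roster.get(acct.owner) if acct.owner else None
        if acct.enabled and left is not None and left <= today:
            acct.enabled = False
            disabled.append(acct.username)
    return disabled


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, ROSTER):
        print(f"{user:15} {finding}")
    print("disabled:", disable_leavers(ACCOUNTS, ROSTER))
```

Running the audit before offboarding is automated shows the three account types the text warns about (the shared `reception` login, the departed `pwong` still able to log in, and a contractor with no HR owner); after `disable_leavers` runs, the leaver finding disappears while the shared and orphaned accounts remain for a human to resolve.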

It’s time to take cyber security seriously

A security breach isn’t only a risk to a firm but also to its clients. Once that trust is broken, it’s very hard to win back — especially for law firms, which hold amongst the most sensitive personal information.

Partners and boards should view themselves as partly accountable for the state of a firm’s cyber security. They must look at cyber security through the lens of risk and exposure and realise that they are responsible for the impact of any risk — including cyber.

Not taking these responsibilities seriously can have severe legal, reputational and financial implications, both personally and for the firm as a whole.

Firms, regardless of their size and type, need to enhance their cyber resilience in the face of ever more sophisticated threats.

Ajay Unni is the founder of StickmanCyber. He has over three decades of IT industry experience and more than 15 years of experience as a cyber security specialist.
