‘Cyber security remains a significant risk for boutique and SME law firms’

With cyber risk still an important issue in 2024, small firms have been urged to implement protective measures and educate themselves on new and emerging risks.

Lauren Croft 15 February 2024 SME Law

In recent years, cyber risk has been revealed to be a key issue for organisations across a range of sectors, including legal, with companies urged to implement protective measures such as cyber insurance and take a closer look at their positive security obligations.

For SMEs and boutiques, contractual obligations are also important to consider – particularly as a cyber breach may have a bigger impact on them than on BigLaw firms. Late last year, NAB confirmed that the SME sector stood as one of the least prepared sectors in terms of defending against cyber risk.

This news came after the IPH cyber incident – and the multimillion-dollar costs the firm had to front – as well as the Optus, Medibank and HWL Ebsworth data breaches.


In 2024, cyber security risk remains one of the key challenges for boutiques and SMEs, according to DotSec director Dr Tim Redhead.

“Cyber security remains a significant risk for boutique and SME law firms for a couple of reasons. Firstly, cost is an important consideration since boutique and SME firms do not generally have the budgets available in larger firms. Secondly, there is a perception that due to these constraints, smaller firms are a more attractive target for cyber criminals, and various online publications back this up. For example, it has been reported that an American Bar Association survey showed that while 20 per cent of survey respondents overall reported having been breached, in firms with 10–49 attorneys, this figure was 35 per cent,” he explained.

“Addressing this imbalance can only be done by first establishing an initial set of prioritised, risk-based requirements. This risk assessment guides them in understanding their specific vulnerabilities and threats, allowing them to allocate resources wisely. With this foundation in place, boutique and SME law firms can then invest in the necessary technology and expertise to protect their client confidentiality effectively, as well as adapt to the evolving landscape of cyber threats.”

However, despite advancements in technology, Work Visa Lawyers principal lawyer Chris Johnston outlined a number of issues still driving this imbalance.

“Limited resources and expertise often hinder the implementation of comprehensive security measures. Additionally, cyber criminals frequently target smaller firms assuming they have weaker defences compared to larger corporations. Hence, it’s vital for firm owners to prioritise cyber security education and invest in robust protective measures to safeguard their clients’ trust and their firm’s reputation,” he said.

“Firm owners must stay abreast of both technological advancements and cyber security best practices to effectively navigate today’s digital landscape. Understanding the latest trends and potential threats allows them to make informed decisions regarding technology adoption and security investments. By proactively addressing these challenges, they can mitigate risks, build resilience, and foster long-term success for their firms.

“Embracing technology and prioritising cyber security are indispensable for modern law firms. By leveraging the right tools and strategies, practitioners can enhance operational efficiency, protect client data, and maintain a competitive edge in the industry.”

Despite the limited resources in smaller firms, tech is “extremely important and should not be underestimated”, according to Maison Chen Law Group chief executive and principal lawyer Traci Yan Yan Chen.

“Boutique firms already have limited resources, but if they are able to utilise AI and automation to undertake the repetitive mundane tasks, it will free up the team members’ time to take on more high-level tasks that will advance the business. It can be a hard concept to grasp at the beginning, and you will need external providers to help you set it up, but it will help grow your business exponentially. For example, to grow your business, you may need to see more clients, but the simple task of booking in more clients can take your receptionist half a day to complete. If you set an automatic bookings system, it can save your receptionist half a day of work,” she said.

“Cyber security should be taken seriously by all firms. It can be an expensive exercise, but it is well justified. Cyber criminals are becoming more sophisticated, so it is a constant learning curve. You need to run regular training with your team as well as conduct random tests, so they become familiar with spotting a scam and cyber attack.”

Incorporating technological solutions into smaller firms can also significantly strengthen cyber security and protect client data and sensitive information from cyber threats. Investing in measures to protect yourself, Conveyed founder and chief overlord Melissa Barlas said, is vital in 2024.

“Cyber security is a major risk to boutiques and SMEs because the sad, and perceived, reality is that many boutiques and SMEs have limited resources to deal with cyber security and lack of awareness about it, compared to large-scale businesses. Some may even have inadequate security measures such as firewalls, antivirus software, intrusion detection systems, and employee training programs. This makes smaller businesses more susceptible to cyber attacks such as malware infections, phishing scams, and ransomware attacks,” she said.

“Just because we don’t hear about it in the media, it doesn’t mean that cyber attacks are not prevalent in small businesses. The best thing we can all do is invest in proactive measures to mitigate these risks and protect our businesses from cyber threats …before a claim arises!”

This doesn’t mean becoming a cyber lawyer or an expert by any means – but firm leaders should be educating themselves on the risks and challenges associated with cyber security to safeguard themselves and their clients in the future.

“Law firm owners and partners do not (in general) have the time to become cyber security practitioners and, with the selection of pragmatic, flexible and expert partners, there is no need to. However, it is important that owners and partners have enough of an overview to be able to engage with their partners, to understand how technology aligns with their initial set of prioritised, risk-based requirements, and to detect the smell of bull when they are being fed tech for its own sake,” Dr Redhead added.

“Partners, directors and owners who are serious about managing their organisation’s risks need to be seen raising the security bar and lead by example, because only they have the authority to set the cyber security direction for their organisations. By understanding cyber risk (perhaps with the assistance of subject matter experts), partners, directors and owners can communicate the importance of cyber security to their staff, fostering a culture of security consciousness that aligns with the identified risks.

“Ultimately, owners need enough of an understanding of cyber security-related business risks to allow them to meet their directors’ obligations, keep abreast of their insurance requirements, safeguard their clients’ data, and maintain their business’s professional reputation.”
