
It’s time to get our heads out of the sand and into the cloud

ALEXANDRA DOUVARTZIDIS, ASSOCIATE AT HWL EBSWORTH LAWYERS AND MEMBER, LEGAL TECHNOLOGY COMMITTEE, AND ALEXANDRA HARRIS, SENIOR ASSOCIATE AT TINDALL GASK BENTLEY LAWYERS AND MEMBER, LEGAL TECHNOLOGY COMMITTEE

Data breaches and cyber-attacks are occurring more frequently in Australia. In November 2021, the South Australian Government was the victim of a ransomware cyber-attack. The government first disclosed the extent of the data breach in November, when it said at least 38,000 employees had their records stolen and, in some cases, published on the dark web. It was later revealed that the breach impacted almost 80,000 employees.[1]


The South Australian Government is not the only victim of large cyber-attacks. From attacks on other State Governments affecting hundreds of thousands, to Canva’s breach in 2019 impacting approximately 139 million of its users,[2] cyber-attacks are almost a part of everyday life. Even though the Australian Government is revising its cybersecurity frameworks and policies, businesses, including law firms, cannot rely exclusively on the government for protection against cyber-attacks.[3]

It has become increasingly essential for lawyers and law firms to understand, embrace and implement emerging legal technologies in their individual practice and overarching firm policies, not only to improve efficiencies and workflow generally, but also to protect clients’ and their own sensitive information.

It is somewhat obvious that law firms will benefit competitively from keeping up to date with technology and integrating it into their everyday practice. Every day we are seeing an increasing number of firms and courts around Australia move away from traditional paper storage to cloud-based storage and document management systems.

What isn’t as obvious is that being a ‘tech savvy’ lawyer, or at the very least keeping up to date with the latest technological advancements, potentially falls under the overarching ethical obligations that lawyers must abide by.

This article considers a common type of cyber-attack in detail, the risks and consequences for practitioners, and how practitioners can avoid cyber-attacks. We also consider what steps practitioners should take if an attack occurs, and what the general benefits are of increasing your overall knowledge of technology in everyday practice.

WHAT IS A “CYBER-ATTACK” AND WHAT ARE THE COMMON TYPES?

A cyber-attack is when cybercriminals use a computer to launch an attack that disables systems, steals and/or destroys data and information, or uses a breached computer system to launch additional attacks. Cybercriminals use different methods to launch a cyber-attack, including malware, phishing, ransomware and others.[4] Criminally motivated persons generally launch cyber-attacks to seek financial gain, through the theft of actual monies and/or of data and information that they can hold to ‘ransom’, seeking payment for its return or destruction. Occasionally, an attack is launched for the purpose of merely disrupting a company’s systems,[5] or for a multitude of other reasons.

From ransomware to malware, the types of cyber-attacks individuals and companies face today are endless. For the purposes of this article, we focus on the key cyber-attack method of ‘phishing’ commonly faced by practitioners.

Phishing is where cybercriminals send fraudulent messages in an attempt to steal confidential information, such as banking logins, credit card details, business login credentials or passwords/passphrases.[6] Phishing, unlike hacking, relies on a person voluntarily providing information.[7]

‘Spear phishing’, for example, is when messages are sent to target specific individuals and/or organisations.[8] It is not uncommon for more sophisticated messages to contain material that is true (or appears likely to be true) to make them seem more genuine.[9]

Spear phishing often relies on a method called ‘social engineering’ for its success. Social engineering is a way to manipulate people into taking action by fashioning very realistic ‘bait’ or messages. It usually involves a great deal of research by the cybercriminals to target their victims.[10]

The message itself will usually lead the unsuspecting recipient to a fake website full of malware, which is intrusive software effectively designed to destroy computer systems.[11]

The technique of spear phishing is one of the key factors leading to successful cyber-attacks commonly known as a ‘business email compromise’ (BEC). One example of a BEC is where cybercriminals, using spear phishing techniques, target companies that use online invoicing methods. The sting involves gaining remote access to a business’s (or a customer’s or client’s) email and lying in wait for the perfect opportunity to strike.[12]

They will usually ‘keep watch’ for a while (typically with the use of malicious software mentioned above) and get a feel for the type of emails and invoices being sent.

When the opportunity arises, they intercept the invoice, manually change the bank account details and redirect it to the victim for payment.

Common examples involve businesses sending an invoice for payment (which is intercepted shortly afterwards), and there have also been reports of real estate agencies sending trust account details over email, which has resulted in significant house deposits being lost to criminals in an instant.

It is devastating, and all too easily avoided with the right knowledge and use of technology.

Bank details should never be exchanged via email, as doing so leaves the sender vulnerable to a third party intercepting the email and editing the bank details so that monies are transferred to a third-party account. Once this happens, it is very difficult, and near impossible, to retrieve the lost money.

It is not uncommon to receive a scam email that is tailored to your firm. For example, you may receive an email from a prospective client. They may include a link which you are required to click to access their ‘documents’ (for example, a link which appears to be Dropbox or a similar application). They may also appear to be a co-worker, such as a senior practitioner delegating tasks, using your co-worker’s name and the firm’s signature template to appear more realistic.

Equally concerning, and often less easy to identify, is when a scammer sends an email or message which appears to be from your own firm’s IT department (or another department). They may send a message appearing to be from your own company’s IT helpdesk asking you to click on a link and change your password because of a ‘new policy’.

According to the ACCC’s Targeting Scams report, BEC scams caused the highest losses across all scam types in 2019, costing businesses $132 million.

Scamwatch alone received almost 6,000 reports from businesses in 2019, with $5.3 million in reported losses. False billing, which includes BEC scams, was the most commonly reported type of scam.[13]

WHAT ARE THE RISKS AND CONSEQUENCES FOR LAWYERS IF A CYBER-ATTACK OCCURS?

Practitioners must realise the integral role played by technology in the legal profession and the consequences for practitioners when a cyber-attack occurs.

Practitioners store and use personal and commercially sensitive information about their clients. If a law firm is the victim of a cyber-attack, the consequences can be overwhelming for both the clients and the practice itself. Overall, failing to be cautious of the risks, and failing to incorporate the use of technology into everyday practice, could ultimately result in a breach of conduct and/or of a practitioner’s obligations.

For example, a cyber-attack may amount to a breach of the South Australian Legal Practitioners Conduct Rules (the Rules), which set out, amongst other things, that one of the fundamental duties of legal practitioners is to deliver legal services competently, diligently and as promptly as reasonably possible, and to ensure they avoid any compromise to their integrity and professional independence.[14] The Rules also require practitioners to ensure that they do not disclose any information which is confidential to a client and is acquired during the client’s engagement.[15]

The bottom line: as a practitioner, you are responsible for keeping your client’s information safe.

Even if sensitive information isn’t impacted during a cyber-attack, the consequences of an attack could affect the ongoing operations of the firm. For example, a major law firm was attacked through malware, which compromised its operations for days. The firm had limited to no access to its computers or emails. It was recorded that the firm had to spend approximately 15,000 hours in overtime for its IT employees to address the issues.[16]

SO, HOW CAN YOU AVOID A CYBER-ATTACK?

Practitioners should always be vigilant with their communications and use of technology, including computers and mobiles. Here are some tips prepared by the Australian Cyber Security Centre[17] and the Law Society[18] on how to reduce the risk of a cyber-attack:

• Do not open any attachments or click on any links arising from emails where the sender is unknown. These links may redirect to a file or a malicious login page which can control your computer or capture your login details.

• Before you click a link (in an email or on social media, instant messages, other web pages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or web page without directly clicking on the suspicious link.

• Even if the sender appears to be, or is, known, it is prudent to check with the sender to confirm the email is genuine. Targeted attacks by professional computer hackers can easily masquerade and camouflage their emails to appear genuine. Emailed directions with respect to money and trust transactions should always be confirmed verbally.

• If you’re not sure, talk through the suspicious message with a co-worker, or check its legitimacy by contacting the relevant business or organisation (using contact details sourced from the official company website).

• Install anti-virus software on all devices and set it to automatically apply updates and conduct regular scans.

• Account details for payment should always be provided verbally, or via a written document such as a bill or retainer letter, and should not be included in the body of an email. Such details can be easily modified through cyber-attack techniques. If the bill or retainer letter containing the bank details is sent via email, it should be sent using proper encryption software to ensure that third parties cannot gain access.

• Educate your clients about cyber-attacks and advise them to contact you immediately if they receive any in-genuine, weird or fake emails. Such emails may take the form of a request to pay money, receive details, or upload/download files. If you become aware of such activity, you should advise the client to refrain from opening any further emails.

• Have sufficient cyber-crime insurance schemes in place.

• Implement a cyber-attack procedure and plan for typical and worst-case scenarios.
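The ‘hover over the link and compare the real address with what you see’ tip can also be applied automatically to a message before it reaches a reader. The following Python script is an added example written for this article, not code from the ACSC, the Law Society or the authors: it parses the HTML body of an email and flags any link whose visible text looks like a web address but whose `href` actually leads to a different host. The sample email, and the `example-lure.test` domain in it, are constructed for illustration.

```python
"""Flag links in an HTML email whose visible text disagrees with their target.

Added example: programmatic version of the 'hover over the link' check.
The email below is constructed; 'example-lure.test' is a placeholder domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lure dressed up as a document-sharing notification.
SAMPLE_EMAIL_HTML = """
<p>Hi, please review the documents for the matter:</p>
<p><a href="http://dropbox.example-lure.test/login">https://www.dropbox.com/s/abc123</a></p>
<p>Our retainer letter is <a href="https://portal.firm.example/retainer">here</a>.</p>
<p><a href="https://www.lawsocietysa.asn.au/">www.lawsocietysa.asn.au</a></p>
"""


def _host(url):
    """Lower-cased hostname of a URL with any leading 'www.' removed.

    Link text is often a bare 'www.example.com', so a scheme is added when
    missing so that urlparse sees a network location.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible text) tuples found in the HTML."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def suspicious_links(html):
    """Return (href, text, reason) for links whose text shows one host but
    whose href points to another. Links with plain-phrase text ('here') carry
    no address to compare against and are skipped."""
    findings = []
    for href, text in extract_links(html):
        looks_like_address = "://" in text or text.lower().startswith("www.")
        if not looks_like_address:
            continue
        shown, real = _host(text), _host(href)
        if shown != real:
            findings.append((href, text, f"text shows '{shown}' but link goes to '{real}'"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}: {reason}")
```

Mismatched display text and target is only one indicator: a link whose text is a plain phrase is not checked at all, so a tool like this complements, rather than replaces, the verbal confirmation of payment directions that the tips above call for.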

The Australian Cyber Security Centre has also developed the ‘essential eight’ mitigation strategies to help avoid cyber security incidents.[19] In summary, the mitigation strategies suggest:

• Application Whitelisting: the practice of specifying a list of approved software applications or executable files that are permitted to be present and active on a computer system.

• Patch Applications: application patch management is the process of testing, acquiring, and installing patches (code changes) on computer systems to avoid vulnerabilities.

• User Application Hardening: disable any unnecessary applications and features that are likely to increase risks (such as Java, Office Suite macro scripts, etc).

• Restrict Administrative Privileges: restrict access to administrative accounts and operating systems based on user duties. Re-validate access to systems regularly.

• Multi-Factor Authentication: multi-factor authentication (MFA) is a security measure that requires two or more proofs of identity to grant you access.

• Maintain Daily Backups: undertake daily backups of your system to ensure a copy of all of the data is saved in the event of a data breach.

YOU’VE HAD A CYBER-ATTACK, WHAT DO YOU NEED TO DO?

If your cyber-attack has potentially led to sensitive and confidential information being stolen, destroyed, and/or altered, it is important the breach is reported through the appropriate channels.

Remember, even in circumstances where information may not have been impacted in some way, practitioners should report a cyber-attack. Practitioners should consider whether to report to the following entities:

• South Australian Police

• Australian Cybercrime Online Reporting Network

• The South Australian Law Society

• Scamwatch

• Consumer & Business Services

Further, if the cyber-attack has resulted in a data breach (meaning when personal information is accessed or disclosed without authorisation or alternatively is lost), then under the Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to tell the affected party if a data breach is likely to cause them serious harm.[20]

An organisation or agency that has existing obligations under the Privacy Act must also report any serious data breach to the Office of the Australian Information Commissioner.

This includes Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.[21]

Generally, an organisation or agency (which has an obligation under the Privacy Act to report) has 30 days to assess whether a data breach is likely to result in serious harm.[22]

When a data breach occurs, an organisation or agency must endeavour to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency is not obligated to advise the individual about the data breach.

Should we apply this approach to the concept of maintaining client confidentiality – i.e., take it a step further and notify the party whose confidentiality has been breached as soon as practicable? Some would say yes, and indeed many law firms are erring on the side of caution and creating internal policies dealing with this very issue.

For example, sending an email to the wrong recipient is all too easily done. It may be prudent to set up an internal firm policy (as indicated above) providing some guidance around how individuals in the firm should respond to such an error. A simple step-by-step process may look like:

• Contact the unintended recipient immediately and request that they destroy the email; and

• Contact the affected individual whose confidentiality has been breached and explain the situation, including, if applicable, confirmation that the content has been destroyed by the unintended recipient.

WHAT ARE SOME OTHER BENEFITS FOR BEING “TECH-SAVVY”?

Being “tech-savvy” is not just important to avoid the risk of a cyber-attack. Practitioners ought to frequently turn their minds to the vast array of technology available to them and query how they can utilise it in their everyday practice for the ultimate benefit of their clients.

Embracing technology and the law can result in quicker, more cost-effective communication, security, and the freedom to work outside of the four walls of the office.

For example, we have long embraced the use of email communications with clients (and others) as a main type of communication in practice. Emails enable effective and fast communications. Today, the majority of practitioners will often communicate through email more than utilise phone calls. Not only are we communicating through emails, we are creating a written record at the same time.

Technology surrounding security measures (such as firewalls and other protection software) allows businesses such as law firms to protect and maintain client confidentiality, as well as to protect transactions involving trust monies and associated transactions.

The use of cloud storage and document management systems (if used safely) can streamline significant tasks such as electronic discovery (eDiscovery). eDiscovery systems will often allow firms to create ‘shortcuts’ to streamline the review of documents. For example, eDiscovery systems provide tools to analyse documents to reduce the overall volume to be reviewed and/or discovered. Most systems, amongst other things, offer duplicate detection to group textually similar documents together to make the review process more efficient.

Digital technology also enables us to practise the law outside of the traditional office environment, which is increasingly relevant in our post-COVID-19 world. From virtual meetings and negotiations to video court appearances, being able to adapt to these modern practices can only serve to benefit a practitioner (and their clients). The flexibility to practise from any location is priceless, but we must ensure that appropriate measures are put in place to maintain cyber security. Having an understanding of the risks and identifying how to mitigate them is a good starting point.

Endnotes

[1] Stacey Pestrin and Eugene Boisvert, ‘Personal details of up to 80,000 SA government employees accessed in cyber attack’ (10 December 2021), https://www.abc.net.au/news/2021-12-10/thousands-of-sa-government-employees-affected-by-cyber-attack/100690564

[2] Paul Smith, ‘Canva criticised after data breach exposed 139m user details’ (26 May 2019), https://www.afr.com/technology/canva-criticised-after-data-breach-exposed-139m-user-details-20190526-p51r8i

[3] Australian Cyber Security Centre, Common cyber threats (accessed 25 February 2022), https://www.cyber.gov.au/acsc/view-all-content/ism

[4] Ibid.

[5] IBM, ‘What is a cyber-attack?’ (accessed 25 February 2022), https://www.ibm.com/au-en/topics/cyber-attack

[6] Above n 3.

[7] Ibid; Josh Fruhlinger, ‘What is phishing? How this cyber attack works and how to prevent it’ (4 September 2020), https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html

[8] Kaspersky, ‘What is Spear Phishing?’ (accessed 24 February 2022), https://www.kaspersky.com.au/resource-center/definitions/spear-phishing

[9] Ibid.

[10] The PhishLabs Team, ‘How Spear Phishing Makes BEC Attacks So Effective’ (2 August 2019), https://www.phishlabs.com/blog/how-spear-phishing-makes-bec-attacks-so-effective/

[11] Joseph Regan and Ivan Belcic, ‘What is malware?’ (15 February 2022), https://www.avg.com/en/signal/what-is-malware

[12] Australian Cyber Security Centre, Business Email Compromise, https://www.cyber.gov.au/learn/threats/business-email-compromise

[13] ACCC Scamwatch, Business email compromise scams cost Australians $132 million (23 June 2020), https://www.scamwatch.gov.au/news-alerts/business-email-compromise-scams-cost-australians-132-million

[14] South Australian Legal Practitioners Conduct Rules, rule 4.1.3.

[15] Ibid, rule 9.

[16] Law Protect, What are the main cyber risks for lawyers today?, https://lawprotect.com.au/what-are-cyber-risks-for-lawyers-today/

[17] Above n 3.

[18] The Law Society of South Australia, Cyber Security, https://www.lawsocietysa.asn.au/Public/Publications/Resources/CyberSecurity.aspx

[19] Australian Cyber Security Centre, Essential Eight Maturity Model (October 2021), https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model

[20] Australian Government, Office of the Australian Information Commissioner, What is a notifiable data breach?, https://www.oaic.gov.au/privacy/data-breaches/what-is-a-notifiable-data-breach

[21] Australian Government, Office of the Australian Information Commissioner, Notifiable Data Breach Scheme (February 2022), https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme

[22] Ibid.
