The Bulletin - Law Society of South Australia - September 2020

Page 28

RISK WATCH

Cybersecurity – a matter of when, not if

MERCEDES EYERS-WHITE, PII RISK MANAGEMENT CO-ORDINATOR

It feels good to see progress. Plodding along in our day-to-day, it’s easy to miss the little gains. These days there are loads of tools out there to measure our progress and track our improvements. If you are a runner, a swimmer or a cyclist, chances are you use a GPS-enabled device to do just that. You let it track where you’ve been and when, at what speed and with whom.

That information could be a bit sensitive, and if like me you’ve been using a Garmin device, you might be wondering just who now has access to that information after the ransomware attack on that company on 23 July. As I write, the servers are just now beginning to restore after nearly five days out of action. While Garmin has no indication that any customer data has been accessed, lost or stolen, such an attack serves to remind us that even substantial tech companies with their resources and technical knowledge and IT departments are vulnerable. The disruption to the business is enormous, the remediation task prodigious and the tarnish to reputation enduring.

Law firms are also valuable targets for criminals because they are obvious repositories of sensitive client and transactional information. The high-profile attack in May 2020 on US entertainment firm Grubman Shire Meiselas & Sacks points to a worrying trend in ransomware attacks. Aside from the eye-watering $42m ransom demand to unlock the law firm’s systems, nearly a terabyte of sensitive information is reported to have been stolen, with a threat to release it publicly. Gone are the days, it would seem, when the ransom was moderate compared to the remediation exercise and the information was merely encrypted rather than stolen. Restoration of systems upon the payment of the ransom is no longer de rigueur either, and this trending lack of honour amongst thieves has prompted the Australian Cyber Security Centre to recommend ransoms are not paid, though they are still often the most economical solution.

It’s not just large firms, either. Indeed, smaller firms are attacked more often than you would think because hackers, like most people, go for low-hanging fruit. They figure small firms have fewer resources, less technical knowledge internally and less time to pay attention to these things. And generally, they’d be right, which means your risk is higher than you may have thought. Failure to take appropriate protective steps and impose proper cyber security practices carries a risk of breaching your professional obligations as a legal practitioner in South Australia (under the Australian Solicitors’ Conduct Rules).

Unfortunately, this is more a matter of ‘when’ than ‘if’. If your system was locked by a ransomware attack today, what would you do? Do you have a plan? Do you have an up-to-date back-up of your critical information available to you? Cyber-security has been a hot topic for some time now, so if you have put it in the ‘later’ pile, the time for action is now.

So, what can you do? In short, you need to stop being low-hanging fruit. To assist you in this, in addition to the resources and information already provided on our website, the Society’s Risk Management section has licensed and adapted several useful cyber tools and checklists from the Queensland PII insurer Lexon. We also recommend engaging with your IT service provider – there is a checklist to help you have a meaningful discussion about your needs. To get you started, insured practitioners can access the following on the Law Society website (www.lawsocietysa.asn.au):

• 8 Steps to enhance your cybersecurity while working remotely: Working from home increases the cyber risks to a legal practice; consider these eight steps to better protect yourself, your family and your practice.
• Cyber Off-Risk Email: Conducting basic checks on an unsolicited email purporting to be from a potential new client can leave you in doubt of its legitimacy; consider using this email template to prompt voice communications instead.
• Cyber Alert – Funds transfer critical information: An information sheet for clients, insureds and all known transfer parties on procedures for the transfer of funds, including reading out and reading back account and BSB numbers.
• Cyber bookmark: Cut it out and keep it by your screen; a bookmark-sized reminder on simple cybersecurity steps for all staff.
• Cyber Security 101: Defending your assets in cyberspace is about more than just the device you’re using; do you know the four layers of a computing system?
• Key System Controls: Many steps can be undertaken to limit a cyber criminal’s ability to adversely use your systems. These are some core components.
• Cyber Security – IT Systems Checklist: Use this checklist to inform a meaningful discussion with your IT service provider.
• Where to Deploy MFA: Multi-factor authentication is one of the most powerful things you can do to limit the risk of an Account Takeover attack – but there is no point locking the front door if the back door is wide open…

