Would you have guessed that in the 2024 financial year about 14 per cent of Australians experienced personal fraud, including card fraud, scams, identity theft and online personation? That is more than 3.4 million people in the span of a year.

Of those 3.4 million people, 688,100 experienced either identity theft or online personation. Identity theft is the use of someone’s personal details in stolen, fraudulent, or forged documents without permission, or otherwise illegally appropriating another’s identity. Online impersonation occurs when someone’s personal details have been purposefully misused to impersonate them online without their permission.

The sad reality is that year after year an increasing number of Australians are becoming the victims of these types of hoaxes, and research indicates that the more frequently we use technology, the more likely we are to be the victims of cyber-fraud.

Technologies are ever evolving and becoming more and more interconnected. While this gives us many conveniences, it also requires regular assessment of the adequacy of our cyber security systems.

This article serves as a reminder for law practice principals to continually monitor and review the integrity of their law practice IT security systems.

Implementing the measures set out in this article will go a long way in minimising the risks of cyber fraud, and safeguarding your clients, business and reputation.

Steps to protect yourself and your practice

  1. Protect your data

Firstly, know what data you hold, what it is used for, who can access it and where it is stored.

Regularly backup your data and ensure that you can access the backed-up data.

Manage user accounts and control access to sensitive information and files.

Practitioners should consider using multifactor authentication to access sensitive information and files, as this adds another layer of protection.

Test the quality of backed-up data by regularly restoring it to ensure its integrity. The integrity of your data is critical to resuming normal operations after a cyber incident or IT disruption.

Finally, ensure that you scan backed-up data for malware.

  2. Protect your communication platforms

Protect your email account and messaging applications, such as Microsoft Teams, by setting up multifactor authentication.

You can secure attachments to your emails by sharing them through cloud storage services such as Microsoft OneDrive, Dropbox or Google Drive.

Establish clear and consistent policies and procedures on use of communication platforms in your practice. Make sure your employees know where to find them.

  3. Protect your devices

Whether it’s a laptop, mobile phone or other portable device, make sure your devices are protected.

For laptops:

  • Enable real-time protection and auto-updates of your operating system.
  • Perform weekly malware scans on your devices.
  • Encrypt the hard disk so that, in the event it is lost or stolen, your content can only be accessed by password.
  • Don’t use public Wi-Fi to access the Internet. If possible, connect to your mobile hotspot instead.

For mobile devices:

  • Set up password protection.
  • Don’t leave your device unattended.
  • Don’t use public Wi-Fi to access the Internet.
  • Turn off location services when not in use.

  4. Protect your passwords

Make sure you use strong passwords. Mix up the characters by using a combination of capital and lowercase letters, numbers and special characters. The longer the password, the better.

Never reuse a password and make sure you change your passwords regularly.

Use a password manager to securely store and keep track of your passwords.

  5. Have a cyber incident response plan

Establish and implement a cyber incident response plan.

You may wish to use the Cyber Incident Procedure and Emergency Contacts.

  6. Train your staff

Provide comprehensive training to all staff on your IT systems, policies and procedures.

As a first step, consider the Cyber Wardens program, a free online training course about the fundamentals of cyber risk and cyber security for small business owners and employees. The core program takes about 45 minutes to complete and is self-paced.

In the event of a cyber incident, your staff should know how to act in accordance with your cyber incident response plan.

What should I do if I find out my identity has been misused?

In the event you find out that your personal information has been misused by a cybercriminal:

  1. Report the incident to the Police through ReportCyber.
  2. Contact your bank’s fraud team immediately and ask them to put a block on your accounts until you have assessed and mitigated the risks. Check and monitor your bank accounts for unauthorised activity. If trust money has been stolen, contact the Law Society Trust Accounts Department on (02) 9926 0333 or by email at trust@lawsociety.com.au.
  3. Report the incident to Lawcover Group Cyber Policy Response Team on 1800 4 BREACH (1800 427 322).
  4. Change any newly issued default passwords or PINs.
  5. Monitor your communication platforms for unusual activity until you have reviewed your IT security systems for vulnerabilities and determined it is safe.
  6. If you need to replace stolen identity documents, contact the relevant state or territory or Commonwealth department for advice.