In a new digital era, cybersecurity is about more than just firewalls and antivirus software. Every employee, client, and connected device presents a potential vulnerability. So, what does it take to protect client trust and a firm’s integrity?

The year was 1988, and the world was on the cusp of a digital revolution. But before the internet could truly connect us all, something else began to spread: an invisible, insidious force born in the quiet hum of servers at NASA Ames Research Center. At the time, there was speculation that it had slipped out of California, a whisper of code travelling on the nascent electronic mail networks, and then it had exploded. Across America it moved, a phantom contagion infecting machines in its wake.

“It spread very quickly,” exclaimed Mark Eichin, an MIT student and self-proclaimed part-time virus hunter, his voice a mix of awe and alarm. “We believe it was intended to spread more slowly than it did, so that it wouldn’t be noticed as quickly.”

But it was noticed. Soon, the news channels were buzzing. “There are reports in newspapers today that it has made its way to Europe and to Australia,” announced James D. Bruce, an MIT professor.

It arrived at MIT in the dead of night, a silent intruder. “It just ran. It would enter your machine, it would do its thing, it would go to other machines,” a student recounted with frantic energy. Yet, amidst the chaos, a strange consensus began to form. “It’s benign. It’s not malicious. It attempts to do no damage besides propagate itself, and that’s why I think it’s a warning.”

“My personal speculation is that this is somebody who is trying to warn people,” another mused, “to say, ‘it can happen to you’.”

That “somebody” was Robert Tappan Morris, at the time a graduate student, and this was the dawn of the infamous Morris Worm, the first computer virus to “break the internet”, on 2 November 1988.

As the chaos unfolded, the spotlight inevitably turned to the source. Though initially obscured, the digital fingerprints eventually pointed back to Cornell University in Ithaca, New York, and then, inevitably, to Morris. This wasn’t just a technical glitch or a harmless prank. This act brought a significant portion of America’s nascent digital infrastructure to its knees.

The legal ramifications were unprecedented. The Computer Fraud and Abuse Act of 1986, a relatively new legislation, suddenly found its first significant test case. Morris was indicted. The public closely watched the court proceedings, and in the end, Morris was convicted. He received a sentence of three years’ probation, 400 hours of community service, and a fine of over US$10,000. While his sentence was relatively lenient, the conviction was monumental, establishing that the digital world was subject to the rule of law. The Morris Worm exposed the vulnerabilities of the early internet and laid the groundwork for the legal framework that would govern cybersecurity for decades.


From curious kids to professional criminals

The evolution of cybercrime is a story from innocent, non-monetised mischief to today’s highly professionalised, financially driven, and state-sponsored attacks.

Richard Buckland, a Professor in Cybercrime, Cyberwar, and Cyberterror at the School of Computer Science and Engineering at UNSW, has provided cybersecurity education and training for the past 20 years.

He amuses the Journal by stating that, in the “really old days,” cyber attackers were primarily “kids in their underpants, in their mum’s basement,” driven by curiosity and a desire to “hack around.”

These early viruses, like the Morris Worm, were often simply a way to explore what was technically possible, spreading through early networks and causing chaos and system slowdowns without a clear monetary goal. This era gave rise to the first antivirus applications, such as Norton and McAfee Antivirus, which focused on manually identifying and fixing viruses based on their unique “signatures.”

But at the turn of the millennium, the landscape of cybercrime shifted dramatically as the internet became integral to business and personal finance. With the advent of online banking and the storage of business data on computers, a clear path to monetisation emerged. This led to the rise of ransomware, where criminals encrypt a victim’s files and demand payment for decryption.

As people’s lives and businesses moved online, attackers realised they could also leverage brand damage and public fear by threatening to leak sensitive customer data. Buckland says this “double-extortion” model became a powerful financial tool. Concurrently, other forms of attack evolved, such as Distributed Denial of Service (DDoS) attacks, which overwhelm a system to take it offline, using botnets (a network of internet-connected devices such as computers and smartphones that have been infected with malware and are controlled remotely by an attacker) to amplify the assault.

Today, cybercrime threat actors range from state-sponsored to organised crime to lone wolves. Cybercrime has become a critical component of international relations, with governments engaged in “soft war” and cyber espionage, establishing a “fifth domain of war” alongside land, sea, air, and space.

Buckland highlights that certain professions are more susceptible to specific types of cyber attacks, mainly depending on the value of their data, their cyber maturity, and the potential for real-world impact.

Critical infrastructure, encompassing everything from dams and power grids to universities, is a prime target for nation-state actors due to the “kinetic impact” an attack could have. The Stuxnet attack on Iran’s nuclear facilities in 2012 served as a stark awakening to this vulnerability. While banks are also obvious targets due to the sheer volume of money they handle, their constant exposure to threats has ironically fostered robust cybersecurity teams, sometimes even exceeding military capabilities. This makes them a “low probability, catastrophic payoff” for attackers. Conversely, industries with valuable information but lower cyber maturity, such as local municipalities and smaller professional services, become attractive targets for organised crime, as seen with attacks on US councils for ratepayer records in 2023. The airline sector, too, is vulnerable given the massive financial and operational disruption an attack could cause.

However, Buckland expresses particular concern for law firms, which he views as a “really obvious target.” Despite handling highly sensitive and monetisable information—such as settlement discussions, merger details, and legally privileged data—law firms historically have lacked the stringent cybersecurity protocols of banks. From influencing share prices to impacting legal outcomes, the value of this information makes it incredibly attractive to criminals. Furthermore, the high-pressure, deadline-driven environment within law firms and potentially lean IT teams creates a fertile ground for social engineering and other attacks. 

Beyond financial gain, Buckland points to the vulnerability of democratic processes, suggesting that elections are a “pinch point” where a relatively “cheap” cyberattack could yield a significant return by influencing the outcome and potentially installing a sympathetic government. Similarly, at the critical juncture of legal decisions, judicial officers could become targets for blackmail or extortion, highlighting how even non-financial leverage can be a powerful motivator for threat actors.

A vulnerable profession

Today, in an era of evolving and rapidly accelerating cyber threats, law firms face a unique and amplified challenge. Cybersecurity can no longer be viewed as merely an IT concern; it’s a fundamental aspect of professional competence and a non-negotiable for safeguarding client trust and a firm’s integrity. So, what cyber risks are lawyers facing?

Simone Herbert-Lowe, Partner, Cyber, Media and Technology at Clyde & Co., emphasises that cyber-attacks pose an acute risk of disclosing confidential client information, privileged documents, or even data belonging to other parties.

Herbert-Lowe has worked in various insurance areas, including professional liability and cyber, for over 30 years and handled some of the first cases involving email fraud and computer hacking in claims against NSW solicitors.

She notes that the most high-profile risks, particularly for lawyers, have always been compromised emails and funds transfer fraud because they are the most visible. “Data breaches can often be quite silent, whereas when large amounts of money get transferred, it’s noticeable very quickly,” Herbert-Lowe says.

“I think that’s always been the main focus of the legal profession, and it’s still extremely important, but it isn’t the only risk.”

She elaborates that the rise of cyber extortion, including ransomware and threats to publish client data, poses a critical risk, demanding robust backup strategies and incident response plans. These incidents can also cause significant business interruption, hindering a firm’s operations. Additionally, the increasing reliance on third-party vendors and cloud services introduces third and fourth-party risks, where breaches can occur due to vulnerabilities in external service providers, underscoring the need for thorough due diligence.

“[W]ith so much dependent on technology these days, and people using all sorts of different platforms (and) cloud service providers for different things, often a breach can occur,” she says.

This sentiment is echoed by Benjamin Di Marco, who leads Willis Towers Watson’s Australia and New Zealand Cyber and Technology Risk Team and is a seasoned cyber technology and insurance law solicitor. He stresses that the sensitivity of data held by law firms makes them uniquely vulnerable, and protecting this sensitive data has been one of the profession’s biggest challenges, often more so than in other industries.

Di Marco says cyber attackers are fundamentally motivated by financial gain, not just causing disruption, which motivates them to find various ways to monetise their access and exploits. For law firms, this translates into specific, high-risk scenarios. Attackers frequently target the interplay between trust account fraud, false payment instructions, invoice manipulations, and other social engineering attacks. These can affect individual lawyers and threaten the entire firm’s financial integrity. 

Additionally, cyber extortion has evolved beyond simple ransom demands. Di Marco warns of “Second and Third Wave extortion,” where attackers, if unpaid by the initial victim, will directly approach the victim’s clients or other affected parties, threatening to release their data unless a separate ransom is paid. 

This adds complex layers to incident response, forcing firms to manage the immediate cyber threat and its far-reaching consequences.

Di Marco highlights that a significant and unique long-term risk for law firms facing cyber incidents is the potential for sustained reputational and financial harm. He points to the breach involving law firm HWL Ebsworth (HWLE breach) as an example.

In April 2023, HWL Ebsworth fell victim to a significant cyber-attack by the ALPHV/BlackCat ransomware group. The attackers gained unauthorised access to the firm’s systems, including highly sensitive information.

“HWLE took the step, unprecedented in Australia, of obtaining an injunction from the Supreme Court of NSW, seeking to restrain further publication or dissemination of confidential information,” the firm says in a statement on its website.

“The injunction was sought to protect the interests of impacted entities and individuals. The privacy and security of our client and employee data is of the utmost importance.”


As Di Marco explains, cyberattacks are not random. They follow a deliberate chain of events to gain access, increase privileges, and deploy malicious code. Attackers often target vulnerabilities in older systems or software, or even new, undiscovered flaws called zero-day exploits. This makes it critical to detect and respond to attacks quickly.

A common weak point is the lack of basic security measures, such as properly configured firewalls and multi-factor authentication, which can easily lead to compromised accounts. Because modern IT environments are interconnected, an attacker can also gain entry through a third-party vendor or a supply chain connection.

“Ultimately, it’s really more about your detection, your ability to understand something unusual is happening within the environment and lock it down,” he says.

Herbert-Lowe says a data breach can expose a law firm to multiple legal risks. If inadequate safeguards led to the breach, firms may face civil claims for negligence, breach of trust, or breach of confidentiality where trust funds have been stolen.

Additionally, the Legal Services Board and Commissioner have set minimum cybersecurity standards in Victoria. Failing to meet these standards can be considered professional misconduct. According to Herbert-Lowe, these standards could set a precedent for other Australian states due to similar nationwide civil liability legislation. “I think it’s interesting that if the Victorian commissioner is saying this is what the standards are, it would be difficult to say those things aren’t reasonable in New South Wales,” she says.

Furthermore, as seen with Optus and Medibank, a growing trend of class actions and increased regulatory enforcement against organisations experiencing significant data breaches underscores the escalating legal liabilities.

Di Marco believes maintaining operational continuity is a unique challenge for law firms. Unlike other businesses that might shut down temporarily, law firms have urgent court deadlines and client matters that can’t be put on hold. He emphasises that a firm must balance its response to an incident with the need to keep critical legal work running. “Pulling the plug” is rarely an option, so a nuanced and balanced approach to incident response is essential.

AI is supercharging cybercrime

The cyber threats confronting law firms extend beyond technological vulnerabilities. Social engineering tactics exploit human psychology and trust to manipulate individuals into performing actions or divulging confidential information, and the risks are only amplified with the advent of artificial intelligence (AI).

Herbert-Lowe says tools like ChatGPT enable threat actors to craft highly convincing and grammatically flawless fraudulent emails and communications that are difficult to distinguish from legitimate ones, moving beyond easily spotted phishing attempts. 

“I think that’s why it’s so important that people understand that cyber risk isn’t just about clicking on links … social engineering techniques are really, really important,” she says.

Di Marco explains that while AI has been around for decades, the advent of Large Language Models (LLMs) and similar recent technologies has significantly increased its mainstream availability and capabilities, particularly in language prediction and user interface. For law firms, AI represents the “next wave of legal tech,” offering substantial productivity gains through tools like internal ChatGPT instances, chatbots, and document automation. However, integrating AI into a law firm’s environment introduces inherent cyber risks. He says many new AI tools lack robust cybersecurity and data governance postures, creating vulnerabilities that malicious actors can exploit. Firms must prioritise secure procurement, vendor assessments, and careful configuration of these AI systems to mitigate these risks.

A significant challenge arises from the nature of AI systems: they often cannot be “sandboxed” or isolated, as their utility relies on broad access to an organisation’s data—chats, documents, emails, and more. This creates a tension where AI’s desired connectivity conflicts with the best-practice cybersecurity principle of least privilege, which dictates that users, applications, and systems should only be granted the minimum necessary permissions and access to perform their specific tasks or functions.

AI also brings data governance to the forefront. It necessitates a deep understanding of where sensitive data is stored, how user prompts interact with it, and the risks associated with external LLM systems or potential model poisoning (when an attacker manipulates the outputs of an AI or machine learning model by changing its training data). 

Di Marco notes that the rapidly evolving nature of AI also means that a clear regulatory framework is still emerging, requiring organisations to dynamically revisit their practices and ensure legal compliance as AI technology and its associated legal landscape continue to shift over the coming years.

Richard Buckland also believes that AI will significantly complicate the detection of social engineering tactics, primarily by “supercharging” the attacker’s ability to impersonate and deceive. He argues that while AI isn’t enabling fundamentally new attacks, it’s making familiar tactics, such as phishing and fake websites, incredibly difficult to spot. AI can now generate compelling counterfeit websites with realistic-looking subpages, reviews, and references, creating what he dubs “Truman Show level deception.” 

For Buckland, the core issue is the fundamental authentication problem in the digital world. He states that it’s inherently difficult to know if the person you’re talking to or the site you’re interacting with is genuine. AI exacerbates this by making it easy to impersonate individuals, including CEOs, and create deceptive digital presences that look and sound authentic. 

To combat this, Buckland stresses the need for organisations to train their staff to be “super sceptical,” and to re-evaluate and improve their authentication procedures constantly. The ultimate goal is to build a resilient system where even if an attacker successfully impersonates a key employee, the resulting damage is contained and it’s not “game over.”

Examples like the recent Qantas breach, where an attacker impersonated help desk personnel to gain access to sensitive systems, demonstrate how social engineering can lead to massive data breaches through seemingly innocent interactions. The pervasive nature of technology now enables fraud and deception on an unprecedented scale. 

This new landscape, compounded by emerging threats like deepfake videos and fake audio, necessitates comprehensive education on all forms of cyber fraud. 

“[P]eople have to really understand the degree to which technology has enabled fraud and deception on a scale that was never previously possible,” Herbert-Lowe warns, “that then comes back to educating people to really understand what the risks are.”

Limitations of Professional Indemnity Insurance

While crucial for law firms, professional indemnity (PI) insurance has distinct limitations, particularly concerning cyber incidents. As Herbert-Lowe explains, PI insurance is primarily designed to cover third-party claims, which protects a firm when a client or another party brings a claim against it due to professional negligence or breach of duty. While schemes like Lawcover provide a baseline of $2 million in indemnity (with firms often purchasing more), this coverage does not extend to “first party” financial losses if the firm is tricked into making a fraudulent payment from its own funds, highlighting a significant gap that separate policies are needed to address.

Di Marco further elaborates on the necessary layers of insurance, emphasising that a robust cyber resilience strategy requires a combination of policies. 

The critical component for covering a firm’s internal costs related to a cyber incident is a dedicated cyber liability insurance policy. This policy is designed to cover the immediate and often substantial expenses of incident response, including forensic investigations to determine the root cause, regulatory compliance costs related to privacy laws and critical infrastructure, and the coordination of essential crisis management vendors such as forensic experts and crisis communication specialists. He says a cyber liability policy typically covers business interruption losses, including lost revenue and increased operating costs due to a cyber event. It can even cover ransom payments, negotiation expenses in cyber extortion cases, and the costs of restoring impacted systems.

Lawcover’s cyber risk policy offers up to $50,000 in crisis assistance and protection for a firm’s computer systems. This policy complements an existing Lawcover professional indemnity insurance policy. While cyber liability insurance addresses the firm’s direct costs, professional indemnity insurance remains vital for covering third-party claims arising from a cyber incident, such as those from clients impacted by data loss or service disruption.

Di Marco highlights the importance of ensuring the PI policy’s breadth covers cyber-related exposures and consequential risks. However, he also cautions that law firms must meticulously review their cyber liability insurance policies, given their unique cyber exposures. Off-the-shelf policies often lack the necessary extensions and coverage benefits, so firms must carefully examine exclusions and understand how to effectively leverage the policy during a significant cyber event to maximise protection. 

Injunctions as a tool against persons unknown

After a data breach, law firms and other organisations are increasingly using an injunction against “persons unknown” to stop stolen data from being spread, even if they can’t identify the hackers.

Traditionally, injunctions are issued against named individuals or groups. However, since cybercriminals are often anonymous, lawyers define them by their actions. These injunctions aren’t meant to force criminals to comply but to pressure third parties, like journalists or website hosts. If these parties knowingly publish the stolen data despite the injunction, they can be held in contempt of court.

This strategy has a long history, but its modern application in cyber incidents began in 2003 with a Harry Potter book manuscript theft. In 2023, Australia saw its first “persons unknown” injunction as a response to the HWLE attack, setting a new precedent in Australian cyber law.

Tamir Maltz, Barrister of 12 Wentworth Selbourne Chambers, acted as counsel with the HWLE Lawyers cyber law team to secure the injunction. He explains that while it isn’t a complete solution, these injunctions are a valuable tool for managing the fallout of a cyberattack. They help keep data confidential, limit who can access it, and prevent it from being widely shared online.

However, he says it requires careful consideration. Although the costs have decreased, a contested application can still be expensive. It’s often a good choice for professional firms handling sensitive information, but it may not be practical for low-value data or information that has already been widely shared.

Beyond the firewall

Richard Buckland defines cyber resilience not as a means to prevent all attacks but as an organisation’s capacity to cope effectively when an attack inevitably occurs. 

Drawing an analogy to physical health, he explains that everyone might catch a cold, but true resilience lies in whether it leads to severe illness or if you can shake it off. 

For Buckland, resilience is distinct from defence, though related; it’s about ensuring an organisation remains operational and secure even in the face of a breach. This involves rapid response capabilities—quickly identifying and appropriately addressing the incident—and robust mitigation strategies, akin to the compartmentalisation of the Titanic, where theoretically a breach in one section doesn’t compromise the entire vessel. Mature cyber organisations implement these “bulkheads” to prevent a single breach from becoming a catastrophic failure.

In the past, breaching the outer defences meant immediate access to all valuable data. However, modern cyber resilience dictates that even if attackers penetrate the initial perimeters, they should encounter further obstacles—data locked in digital “drawers” with alarms, robust backup plans, and contingencies. Buckland tells of his shock with the recent Qantas incident, where the issue wasn’t just that attackers got in, but the extent of data they could access once inside. This highlights the importance of not having all “eggs in one basket” and ensuring that even if one defence fails, there are subsequent layers to limit damage and facilitate recovery.

Buckland strongly encourages lawyers to adopt a hacker’s mindset when considering cybersecurity, not because it will make them perfect defenders, but because it’s a crucial first step toward identifying vulnerabilities. He emphasises that a “defender mindset” is often hampered by overconfidence and a failure to anticipate new threats. By thinking like an attacker—constantly asking “what if?” and considering how their systems could be exploited—law firms can move beyond a reactive stance and uncover previous “unknowns”, such as the threat of data leakage as part of a ransomware attack.

His advice extends beyond this change in perspective to a practical, collaborative approach. Buckland recommends that after a firm has conducted its own “what if” exercises, it should get “other eyes on it.” He uses the 1979 Three Mile Island nuclear disaster as a powerful analogy where operators misinterpreted data and made critical decisions due to confirmation bias and other forms of bounded rationality under pressure. It’s an example that illustrates how cognitive biases can prevent individuals from seeing flaws in a system they are too familiar with. 

By involving outside experts, lawyers can ensure a more comprehensive review of their security protocols, preventing them from falling victim to a “first cab off the rank” scenario. This proactive, collaborative strategy is essential for making their systems resilient. Buckland says, “You can’t make it perfect, but you can make it so that if they get in, they don’t get a whole lot of embarrassing information. They can get a small amount … but they don’t get the keys to the kingdom.”

Simone Herbert-Lowe explains that a robust cyber resilience plan acknowledges that complete prevention of incidents may be impossible, even with the best technology, processes, and training. Therefore, the core of cyber resilience lies in adequate preparation for response and recovery. A critical strategy is the development of a comprehensive cyber incident response plan. This plan should not be a “set and forget” document; it must be regularly tested and refined. 

Herbert-Lowe advocates for “cyber incident tabletop exercises,” where executive teams role play responses to evolving scenarios. This practical approach validates the plan’s efficacy and builds crucial “muscle memory” for high-stress situations during a real incident. 

Furthermore, understanding the scope of existing cyber insurance coverage and ensuring it adequately covers potential liabilities is vital, especially given that solicitor limited liability schemes may not cover breaches of trust or fiduciary duty arising from cyber incidents or email-enabled fraud.

Looking forward, Herbert-Lowe points to the significant promise of digital ID as a key strategy for enhancing cyber resilience within the legal profession. While the general public would be familiar with government services like myID (formerly MyGovID), she says expanding digital ID to include state government and private sectors offers a powerful tool for identity verification. 

In an age where deepfake technology can convincingly mimic voices and even video, relying solely on email chains or phone calls for identity confirmation is increasingly precarious. Digital ID systems would allow lawyers to definitively confirm the identity of individuals, mitigating risks associated with impersonation and email fraud. This proactive adoption of secure digital identity verification could be a game-changer for a profession that heavily relies on trust and the integrity of communications.

“[J]ust making a telephone call to someone may not offer the same protection now or in two years’ time, as once upon a time it did,” Herbert-Lowe says.

Di Marco acknowledges that using Digital ID as a form of identification offers clear potential benefits, particularly for streamlining access to government services and enhancing third-party protections. However, he cautions against viewing it as a definitive solution to cybercrime. While modern security measures like multi-factor authentication and physical tokens are already quite effective at preventing simple credential fraud, attackers are evolving. 

Di Marco points out that the next frontier is compromising the device itself, a challenge that a digital ID regime, in isolation, may not fully address. Therefore, while strengthening Digital ID is important, it’s not a “silver bullet” to stop all cyber risks.

He suggests several key strategies for small law firms to bolster their cyber defences. Firstly, he highlights the abundance of free and valuable resources from organisations like the ACSC (Australian Cyber Security Centre) and the Office of the Australian Information Commissioner (OAIC), which offer protection, incident response, and testing guidance. Crucially, Di Marco advises all firms to develop a robust incident response plan regardless of their size. 

This plan should clearly outline the steps for investigating, containing, and recovering from an incident and addressing regulatory and client reporting requirements. It also serves as a critical framework for identifying and pre-selecting external expert vendors—such as forensic specialists, legal counsel, and communication firms—that even large firms rely on during a cyber crisis, ensuring these vital relationships are established before an event occurs.

Secondly, Di Marco stresses the importance of scrutinising the capabilities of a firm’s IT provider, especially if they are a sole provider handling all IT functions. 

Small firms must ensure their provider has genuine cybersecurity expertise and is not a potential weak link in their defences. Finally, recognising that many small firms lack the internal bandwidth to vet and manage multiple vendors, Di Marco points to cyber liability insurance as a highly effective solution. Cyber insurers often have pre-established relationships with a network of expert vendors, including forensic investigators, legal advisors, and communication specialists, within their incident response frameworks. Notifying the insurer upon a breach can trigger access to these specialised resources, providing small firms with immediate access to the necessary expertise to manage a significant incident, contain damage, and navigate the complex aftermath.

A collective responsibility

Cybersecurity has transcended its traditional confines within the IT department, evolving into a pervasive concern that touches every facet of an organisation and its stakeholders. 

Buckland likens the modern “attack surface” to a dramatically expanded version of a bank’s physical security in the past. Where once a bank’s vulnerability was limited to its branches, walls, and vaults, the attack surface now encompasses virtually “anyone’s computer adjacent to your computer.” 

This means every organisational device outside the traditional perimeter, the perimeter defences themselves, and crucially, all customers become potential entry points for malicious actors. The proliferation of remote work has further exploded this attack surface, making it an incredibly vast and complex landscape to defend.

This fundamental shift makes cybersecurity a collective responsibility for “everyone who’s on the attack surface.” Effective cybersecurity now demands a holistic approach, where awareness, best practices, and a security-first mindset must permeate all levels of an organisation.

From individual employees being vigilant about phishing attempts to robust security protocols embedded in customer-facing applications, the human element and distributed nature of modern work environments mean that cybersecurity is a pervasive organisational challenge, not merely a technical one.

Buckland says if a law firm experiences a security breach, they shouldn’t blame themselves, as even the most prepared organisations can fall victim to determined criminals. 

Instead, he advocates for a collaborative approach and suggests that law firms and their cybersecurity teams should help each other, share best practices, and build professional relationships. This collective effort would allow firms to pull in support during crises.

“[A] healthy cyber profession is going to help everyone … I think together we can actually be far more powerful against the criminals than we can ever be by ourselves,” Buckland says. 

What Robert Tappan Morris warned in 1988 still rings true today: ‘It can happen to you.’ The question is, what will you do about it? Continuous vigilance, proactive planning, and a commitment to ongoing education are the only proper safeguards in this relentless cyber arms race.