Most of us instantly dismiss spam emails telling us we’ve inherited money from a wealthy Nigerian prince. If it’s an email that appears to be from a client, however, we wouldn’t think twice about opening it.
But as the inaugural FLIP Inquiry Series event “Behind The Buzz Words: Cyber Crime” heard, scammers are now using highly sophisticated means of infiltrating emails and IT systems used by the legal profession.
Supported by Lawcover, the expert panel held on 20 June at the Law Society of NSW opened with host Kate Allman, the LSJ’s multimedia journalist, recounting some disturbing statistics.
“A recent survey of 122 lawyers conducted by Edith Cowan University and the Law Society of Western Australia found that 11 per cent of lawyers had no anti-virus protection on their work computers,” said Allman. “Forty-one per cent did not know what cyber security measures were in place on their smartphones, and 53 per cent forwarded work-related emails to a non-business email account such as Gmail.”
The panel discussed how no lawyer or firm is immune from the risk of cyber attacks. Some of the most advanced IT systems in the world have been compromised, as recent breaches in networks run by the Commonwealth Bank, Medicare and the 2017 Australian Census show.
Jim Sofiak, Chief Trust Account Investigator at the Law Society of NSW, said about $2.8 million had been stolen from NSW trust accounts by hackers or malicious actors.
“The systems are not being hacked per se,” he said. “It is more about email fraud. In a majority of cases, we see a hacker gaining the ability to monitor emails between a lawyer and a client, then when they see a bank account nominated, they will step in and alter the bank account details.”
Sofiak said a case in late 2017 saw $850,000 sent to the bank account of a hacker due to a fraudulent email. He also noted it was often the client’s email systems – not the lawyers’ – that had been compromised.
Sylvia Ng, Director of Legal at PwC, said the growth of digital devices and cloud storage was driving risk, but that human error was still a big part of the problem.
“Thirty per cent of security incidents are from current employees,” said Ng. “Many come from inadvertent use of email, insecure use of USBs, or using public Wi-Fi.”
Valeska Bloch, a partner at Allens, said it was essential for lawyers to educate all employees about what to do if they suspected a breach.
“Education is a big thing,” said Bloch. “Someone usually knows they’ve done the wrong thing, but in many cases, they don’t tell anyone until months later when it becomes obvious hackers have used that data. If you have a no-blame approach, people are more willing to tell someone and stop the problem straight away.”
Simone Herbert-Lowe, Manager of Strategy and Innovation at Lawcover, highlighted just how important it is for lawyers to get their cyber house in order.
“As lawyers, we have strict confidentiality requirements and handle everything from Medicare details to M&A information as well as trust accounts,” she said. “Regardless of the size of the firm, there’s an obligation to get your cyber security in order.”
Herbert-Lowe did have some good news, however, saying that Lawcover insurance policies covered lawyers in the event of a breach. She also urged lawyers to try the online cyber risk assessment tool Lawcover offered on its website.
Maria Milosavljevic, Chief Information Security Officer, NSW Government, closed the discussion with some advice on how the legal profession could create a culture of cyber awareness and put plans in place for when breaches occurred.
“The first step is shifting your thinking from cyber security to cyber risk,” Milosavljevic said. “If you’re not ready to respond, then your firm is at risk.”