
Hackers are targeting Australian law firms with ‘ransom raids’

Government security expert warns that many firms risk being sued by clients

13 July 2015


By Manju Manglani, Editor (@ManjuManglani)

Australian law firms are putting themselves at risk of cyber blackmail by failing to adequately protect client data, a security expert has warned.

Dr Suresh Hughenahally, chief information security officer at the Victorian government's state development department, has said that many firms are leaving themselves open to litigation.

"When we talk about lawyers and law firms, the three major issues they are facing is being exposed to litigation within seconds; they could compromise their client data very easily; and their business could be shut down with a loss of licence to practice law," Dr Hughenahally told Lawyers Weekly.

Law firms need to increase their data security to avoid being targeted with 'ransom raids' by hackers.

"In a ransom raid, someone steals your data, encrypts it and demands $30,000 for the key to open it. It happens every day in Australia."

In the UK, Managing Partner's research has found that only 26 per cent of law firms plan to invest in new data security systems over the coming year and just over half have systems in place to monitor and manage data security risks.

Only 17 per cent currently incentivise lawyers to protect client data, even though the majority of data security breaches in law firms were due to human error, according to the Information Commissioner's Office.

It said the most common source of UK law firm security breaches last year was private data being sent to the wrong recipient by post, fax or email. These types of errors accounted for nearly a third of the incidents reported to the ICO.

Close behind was the loss or theft of confidential documents in hard copy format, with 21 incidents of this nature reported.

Failure to secure data stored on mobile devices was also highlighted as a cause of data protection issues. Unencrypted information being stored on devices that were not controlled by the firm accounted for 11 breaches last year.

However, malicious hacking of law firm security protocols accounted for only one reported breach. This is despite rising concerns over increases in targeted cyber attacks worldwide.

Dr Hughenahally has urged Australian law firms to implement security protocols "where people, process and technology are all involved in ensuring your practice and your clients are all protected against information theft".

Document classification tools should also be used to protect lawyers in the event of a security breach.

"If you do not put any classification, anybody can come in and legally access that information, leaving you with no grounds to take them to court. It doesn't cost a lot, maybe a couple of grand, but in a litigation preparation of documents will cost $10,000 alone," he said.

He has advised firms to annually audit their security procedures and conduct penetration testing to identify weaknesses.

RSM Tenon's Sheila Pancholi and David Morris also believe that law firms should regularly test their data protection systems to ensure they are fully protecting client information.

But they have warned that a testing programme is "a supplement to the control environment and not a replacement for a properly thought-out strategy and set of controls."

See the Managing Partner article 'Data leaks: How to test your firm's data protection systems' for practical guidance on how to perform a maintenance check of your firm's data protection systems.


