Firms at risk of cyber blackmail
Law firms are failing to protect their client data adequately, leaving them open to litigation and even ransom demands, a security expert warns.
Dr Suresh Hungenahally, chief information security officer at the Victorian Government’s department of state development, told Lawyers Weekly many firms are vulnerable to major breaches of data privacy.
In particular, he warned against “ransom raids” if hackers gain access to a firm’s system.
“In a ransom raid, someone steals your data, encrypts it and demands $30,000 for the key to open it. It happens every day in Australia.”
In his experience, regulators come down hard on firms that breach data privacy, often acting immediately if a breach is reported.
A mistake that can lead to security lapses is sending unencrypted emails, which potentially allows third parties to intercept the messages.
Dr Hungenahally also suggested data leakage was a “huge problem” within firms, with lawyers accessing files using unprotected wi-fi networks or mobile phones, personal laptops or USB drives.
To protect data, he urged firms to implement a security management system “where people, process and technology are all involved in ensuring your practice and your clients are all protected against information theft”.
As part of this system, he encouraged the use of “hard controls” such as storing data with a cloud service provider or automatically classifying documents with software.
Document classification – where documents are marked as confidential or sensitive – gives lawyers legal recourse in the event of a security breach, he said.
“If you do not put any classification, anybody can come in and legally access that information, leaving you with no grounds to take them to court. It doesn't cost a lot, maybe a couple of grand, but in a litigation, preparation of documents will cost $10,000 alone.”
He also urged firms to carry out an annual audit of their security procedures, including penetration testing, where an expert tries to access their system to identify weaknesses.
“It's better to mitigate than to litigate,” Dr Hungenahally said. “Security goes beyond compliance. If you don't comply, you get a fine. If you have a security breach, you could lose your entire practice, no matter how small or big you are.”
Dr Hungenahally will run webinars on cybersecurity via CPD for Me throughout July, August and September.