5 important cyber security takeaways for law firms
From where and how to spend your money on security to how to prepare for the inevitable security incident, here are five essential learnings for every Australian firm.
Editor’s note: This article originally appeared on Lawyers Weekly’s sister brand, Cyber Daily.
- Help is out there – don’t be afraid to use it
According to Mr Redhead, the Australian Securities and Investments Commission (ASIC) has a very good, very straightforward document called “Cyber resilience good practices”, which is a great place to start. It features advice on governance and risk management, information sharing, asset management, detection systems, and more.
- Understand your risk appetite
“So think about those assets, the kind of damage they can sustain, the cost to the business in terms of a range of things,” Mr Redhead said. “These could be short-term operational costs, loss of revenue, long-term repair and recovery costs, increase in insurance premiums, and so forth, possible fines, and so on.”
Once you know what you need to protect, that’s where you start.
- Follow what’s happening overseas and prepare for regulations to change
“Follow the class action bandwagon that’s been going in the US for quite some time now, surrounding breaches, and loss of sensitive information,” Mr Redhead said. “I think we’re just starting to see the first part of that train coming into Australia – I don’t see any reason why that’s not going to continue.”
- Consider the right cyber insurance for you
According to Mr Redhead, insurers are starting to become much more cyber-savvy, and they will ask you hard questions about your resilience and readiness. However, this is where the first point comes back into play: if you’re following an established playbook, your cyber maturity journey is already well underway, and you should have the answers to those hard questions.
“Did you implement multifactor authentication? Do you have endpoint management? Do you have a way of managing and monitoring what goes on in your organisation? And so forth? If you’ve got those in place, you’ll probably get paid out,” Mr Redhead said. “But if you don’t, then I guess you’re at the mercy of the insurer at that point. And that answers your question: what they would pay and what they won’t? It’ll depend on what the causes are.”
- Understand who the bad guys are and the scale of their operations
“It’s proper organised crime,” according to Mr Redhead, complete with support desks to help their victims navigate paying a ransom, and often with a range of affiliate organisations backing them up.
“There are hacking groups that create and sell tools and software for a profit,” Mr Redhead told Cyber Daily. “So they’re basically … attack-as-a-service. And if I’m not very smart, but I do want to get into some phishing and business email compromise, and I can go to these, pay some money – it’s not so expensive, a couple of $1,000, usually first – and you get a good starter kit.”
These points are just the tip of the iceberg of what we discussed with Mr Redhead, and if you did miss the live stream, you can still watch it right here.