
A ‘large majority’ of cyber crime can impact boutiques

While many think that bigger law firms are more commonly targeted by cyber criminals, this award-winning legal founder said otherwise — and urged boutiques to come up with a cyber contingency plan sooner rather than later.

Lauren Croft, 13 April 2023, SME Law

Simone Herbert-Lowe is the founder and legal practitioner director of Law & Cyber and was the winner of the Innovator of the Year category at the 2022 Women in Law Awards.

Speaking recently on The Boutique Lawyer Show, she outlined best practice for small firms in the evolving cyber landscape and explained how boutique firms could best navigate cyber issues.

 
 

In terms of the state of affairs within the cyber market following the recent Optus and Medibank data breaches, Ms Herbert-Lowe said that these data breaches “at scale” come with a number of impacts, which stem, at least in part, from the ability to keep and store records digitally.

“[The] amount of information that is being collected by organisations is very different to what it used to be, and I think what is particularly relevant to the legal profession, of course, is that we’ve got duties of competency, in particular, duties of confidentiality around the collection of information and maintaining it.

“In the legal profession, in terms of cyber risk and email fraud, there has been a focus on funds transfer fraud, so people who’ve been scammed, tricked into paying money into the wrong bank account, and so on. Not so much this issue around data, but if you think about those kinds of cyber extortion incidents and how they might impact a legal practice, very concerning in terms of the type of information lawyers collect,” she explained.

“When we’re talking about boutique law practices, and I certainly have a boutique law practice as well, the kind of information that you collect is a lot more sensitive than typically small businesses have, and yet you don’t have the same resources that the BigLaw firms have. They’ve got chief information security officers, they’ve got people who are national risk managers and so on, and yet you’ve got the same legal duties as those firms, but a much smaller practice and [fewer] people to support you.”

And despite smaller firms holding smaller amounts of information and data, Ms Herbert-Lowe maintained that boutique firms can still fall victim to cyber criminals.

“A lot of malicious software is viral, right? So, it may not be directed at one person in particular. It could be sent. There could be an email blast of thousands, hundreds of thousands of emails with something attached, something malicious, and you’ve never been singled out as a target, but somehow your email address is on that list,” she said.

“Going back to data, law firms collect all sorts of really sensitive information. In terms of cyber risk, [it] technically can mean someone who’s a chief technology officer might be talking about the confidentiality, integrity, and availability of data. But for the rest of us, we think about it as anything to do with the internet, email fraud, and all of that.

“My guess would be that the large majority of these kinds of incidents would impact boutique law firms because they don’t necessarily have the resources. I think that assumption that, ‘I’m too small to be a target,’ can be really dangerous. I’ve heard about one small law firm that had three ransomware attacks, for example. So yeah, I think it’s really important that people don’t assume that, and as I said, you just don’t have all those resources internally that a big firm might have.”

Therefore, smaller firms should consider themselves a target as much as, if not more than, BigLaw firms, for a variety of different reasons.

“You might be a target for different reasons. A lot of this stuff can be really opportunistic, right? If somebody is aware of, for example, a property transaction and they send you a scam email. But I think that lack of technical support is really important,” Ms Herbert-Lowe added.

“So, one of the key things you can do to protect your email service is to have two-factor authentication. The insurers have been recommending that for four or five years now, but there are still many people that don’t have it. And one of the absolute things you must do is have multifactorial authentication on your email because it’s so easy for criminals to crack a password just using computer programs that have every dictionary word, for example, that you need to have that second layer.”

To start to implement some of these protective processes, Ms Herbert-Lowe encouraged smaller firms to break tasks up into “more manageable” chunks in order to start to have a plan in place.

“Cyber resilience in terms of preventing something [from] happening is about education, processes, and technology. So obviously, the education piece is something that I work on a lot, and I’m the author of a course that probably, I don’t know, four or 5,000 lawyers have done now, which is designed to make people aware of what the risks are.

“In terms of processes, it’s things like never paying out money upon instructions received by email without verifying that in a different way, but also doing that in a meaningful way. So, lots of times, unfortunately, people might think they’ve verified payment instructions, but somebody’s actually rung the wrong person, for example. Processes like that, the kind of things, warnings that people put on their footers or their engagement letters,” she added.

“You can get into a huge amount of detail, but just hitting the really important things, multifactor authentication, having a professional email service that allows you to have that anti-phishing, antivirus software, make sure you always patch all your systems for any updates as soon as they happen, that kind of thing, and also have regular, reliable back-ups. What you also need to think about is having a bit of a plan for if something does go wrong, what you’re going to do. Make sure that’s in hard copy because if your computers are down, you will need a hard copy of your plan.”

The transcript of this podcast episode was slightly edited for publishing purposes.

  

Lauren Croft

Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.