Best practice for lawyers amid new state cyber standards
As the regulatory landscape evolves in response to the escalating threat of cyber attacks, a cyber lawyer has delineated best practices that legal professionals must adopt to safeguard their practices and protect their clients effectively.
Speaking on a recent episode of The Lawyers Weekly Show, Simone Herbert-Lowe, founder and legal practitioner director of Law & Cyber and winner of the Innovator of the Year category at the Women in Law Awards in 2022, highlighted practical steps that law firms should take to protect themselves and their clients from the growing risks associated with cyber attacks. She also addressed how adopting these measures not only upholds best practices, but also aligns with the new minimum cyber security standards mandated by the Victorian Legal Services Board and Commissioner (VLSB+C).
Those new VLSB+C standards, she said, impose minimum obligations that Victorian practitioners must meet to avoid findings of professional misconduct or unsatisfactory professional conduct.
While many law firms have frameworks in place, Herbert-Lowe underscored the critical importance of law firms providing education and training to their staff to ensure compliance with the new cyber security requirements.
“Minimum cyber security requirements say that not educating staff who use work devices and networks on how to identify, report and respond to cyber attacks and not providing your staff with up to date cyber security training can be conduct capable of constituting unprofessional conduct or professional misconduct,” she said.
Herbert-Lowe emphasised the importance of conducting comprehensive cyber security training sessions, as a substantial number of cyber security breaches stem from human error.
“The reason for that is that so many things that go wrong happen, unfortunately, as a result of somebody being tricked into doing something that they shouldn’t do,” she said.
She said that some of the most prevalent cyber security incidents resulting from human error include, “paying money into the wrong account, or there’s this whole concept of social engineering, which is manipulating people’s natural tendency to trust, so that they’ll click on an email that has a malicious attachment that then downloads malware, or they give away their login credentials accidentally by going onto a bogus login page”.
To prevent such incidents, Herbert-Lowe noted that law firms shouldn’t treat cyber security education as a “set and forget” process, but rather view it as an ongoing commitment that must be continuously refined and updated as circumstances evolve.
Herbert-Lowe illustrated the need for ongoing education in the face of evolving cyber security threats by referring to a recent incident in Hong Kong.
“In Hong Kong, [somebody] in an engineering company in the finance department got tricked into paying $25 million as a result of deep fake images. They thought they were participating in a video conference with three other people, two or three other people from the business,” she said.
“Not to suggest that that is going to be happening to everybody today or tomorrow, but that’s where we’re going. That’s how compelling deep fakes and audio files are becoming.
“By educating your staff, you can go a really long way to reducing cyber breaches.”