Are your lawyers putting your company’s data at risk?

May 26, 2018

Confidential and highly sensitive client data is at risk of exposure, according to the authors of new research on the cyber security practices of lawyers.

Professor Craig Valli, Associate Professor Mike Johnstone and Ms Rochelle Fleming from Edith Cowan University’s Security Research Institute (ECUSRI) surveyed 122 lawyers on their cyber security practices and revealed a worrying lack of knowledge among the profession.

The research was conducted in partnership with the Law Society of Western Australia. It is part of a wider professional development program between the Law Society and ECUSRI.

The findings revealed that 11 per cent of lawyers had no anti-virus protection on their work computer and that 41 per cent did not know what cyber security countermeasures were in place on their smartphones.

Furthermore, 64 per cent reported using home or free public Wi-Fi, 41 per cent didn’t have automatic updates switched on for their work computer and 53 per cent forwarded work-related emails to a non-business email account such as Gmail or Hotmail.

While 94 per cent use email to send confidential data, only 9.4 per cent use encryption to protect client data.

Associate Professor Johnstone said there were some serious but not insurmountable flaws in the way lawyers were protecting themselves from cyber-attack.

“Lawyers, along with doctors, are the two professions which handle most of our confidential information on a day-to-day basis,” he said.

“It’s incredibly important that their cyber security practices are improved to protect their clients and themselves.

“Imagine if a lawyer you’d engaged to draft a will had their email compromised and a cybercriminal gained access to all of the information contained in that will?

“Trials could also be affected if key documents related to arguments are inaccessible due to a ransomware attack like the WannaCry attack in 2017.”

Indeed, one of the largest law firms in the world, DLA Piper, was one of hundreds of businesses hit by the NotPetya attack in 2017. The attack reportedly shut the firm down for a number of days until their systems were restored.

Professor Craig Valli (ECUSRI) said that cyber security vulnerability is not unique to the legal profession.

“ECU is working with the Law Society of WA to provide professional development opportunities for lawyers aimed at improving their knowledge of cybersecurity,” he said.

“What is powerful is the proactive position the Law Society of Western Australia has taken in understanding this and the speed in which training has been deployed against these insights,” said Professor Valli.

The researchers offered five key steps lawyers and other professionals could take to protect their clients’ data from theft, intrusion and misuse.

Just as businesses are constantly urged to practice basic ‘security hygiene’, so lawyers should also turn on automatic software updates on all devices and utilise cybersecurity countermeasures like antivirus and firewalls on computers and smartphones.

Professionals should also encrypt sensitive client data, especially when sent via email, limit the use of third-party email services such as Gmail and Hotmail and report cyberattacks to government initiatives such as the Australian CyberCrime Online Reporting Network (ACORN).

In 2017 ECU was named as one of just two Academic Centres of Cyber Security Excellence in Australia by the Federal Government. ECU’s Joondalup Campus is also home to the headquarters of the Cyber Security Cooperative Research Centre, established in April 2018 with $140 million in funding.

The Survey of Lawyers’ Cyber Security Practises in Western Australia was presented at the Association of Digital Forensics, Security and Law Conference in San Antonio, Texas.
