The human factor: building a cyber-aware culture in your law firm

This article was first published on 20 September 2023 in the Law Council of Australia’s Australasian Law Management Journal Law Management Hub

Running a cyber-incident tabletop exercise is one of the smartest ways for a law firm to minimise cyber risks for its firm and clients, writes Simone Herbert-Lowe.

In the world of cyber risk, it is often said that “humans are the weakest link”.

This can be an exercise in blaming and shaming that is hardly helpful and puts a huge and unfair responsibility on individuals who may make a single, understandable mistake.

It is true, though, that humans are now the largest attack vector for cybercriminals, who exploit human vulnerabilities by tricking people into inadvertently opening the door to a network or online account.  This can occur in a range of ways, such as clicking on a malicious link and accidentally giving away login credentials, or through multi-factor authentication (MFA) fatigue, which occurs when a hacker already has access to the victim’s password, and pushes notifications repeatedly to the victim’s devices.

These push notifications will have a simple ‘Yes’ button to click, so the hacker will have complete access to an online account if the victim gets tired or confused by the number of notifications they are receiving.

How law firms should respond

In the case of law firms, another major risk is payment redirection fraud, which occurs when a hacker manipulates someone (either the law firm, or the client) into paying transaction monies into the wrong bank account.

Meaningful and compelling cyber-risk education for everyone in a law practice should challenge people’s assumptions that “it can’t happen to me” and explains the reasons why managing cyber risk is now an important professional duty for lawyers. This should be done in a way that is designed to create genuine behavioural change, as opposed to a box-ticking exercise.

New employees should be required to complete this training before gaining access to the firm’s email service, and existing employees should regularly update their training.

As an aside, the largest breach of trust case I know of against an Australian law firm involved a senior partner of the firm who was deceived into paying tens of millions of dollars into the wrong bank account after a series of fraudulent emails from his own client. So, excusing senior people from training not only sends a poor message but can have unfortunate consequences, too.

A cyber-aware culture recognises that protecting the firm from data breaches is not the responsibility of the IT department only – the onus belongs to everyone in the business. Such a culture empowers people through education, vigilance and experience, and it adopts a no-blame approach that means people will be willing to report their concerns or mistakes promptly.

Put your cybersecurity to the test

An effective way to test your firm’s ability to respond to the impacts of a cyber event is to run a cyber-incident tabletop exercise involving the firm’s leadership team.

This exercise involves an experienced facilitator presenting one or more scenarios in a cyber incident, with the situation evolving as new ‘injects’ are revealed throughout the exercise.

Participants role-play their reactions and responses, and determine the decisions they would need to make while managing a real cyber event. While these sessions can be confronting, tabletops can be an engaging form of team building and they effectively shine a light on practices that need changing; for example, keeping sensitive personal or commercial information well after it has served its purpose and is no longer required.

One of the first questions the team will inevitably want to know is the information to which the threat actors have access – and the resultant implications for the business, its clients and other stakeholders.

While many people continue to think of cyber risk as solely the responsibility of the IT team, a tabletop exercise brings home to everyone that cyber events are a whole-of-business risk. Issues that usually arise include appropriate communications, including disclosures to staff, clients and others; regulatory issues, such as the mandatory reporting of notifiable data breaches under the Privacy Act 1988; legal issues, such as whether the firm is willing to make a cyber-extortion payment; and engagement with insurers and government agencies.

The purpose of the exercise is to test the firm’s cyber-incident response plan, identify key areas that require review, such as changes in process and co-ordination or communication, and to create “muscle memory” so that, in the event of a real cyber-attack, the leadership team is familiar with the issues and appropriate responses.

While business leaders will often want to delay a tabletop until the organisation is ‘ready’, in reality a planned tabletop exercise will often encourage participants to speed up necessary cybersecurity preparations and bring areas needing improvement into sharp focus. They can also prompt on-the-spot discussions and decisions that can immediately move the business’s cyber-event readiness forward.

Stay ahead of the cyber-criminals

Cybersecurity is a concept that focuses on the technical aspects of information security breaches and cyber-attacks, while cyber resilience involves the assumption that an incident will occur and outline preparations to safeguard a business.

In combination with meaningful and effective education for your team, an effective cyber-incident tabletop exercise will support the growth of a cyber-aware culture in your law firm by illuminating the likely impacts of a cyber incident and the changes to business systems that may be required – before the real thing occurs.

AUTHOR

Simone Herbert-Lowe

Simone Herbert-Lowe is the founder and legal practitioner director of Law & Cyber, a provider of cyber-resilience education and cyber tabletop exercises for executive teams.