The latest Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC) confirms that half of the reported data breaches in July to September 2018 quarter are attributable to phishing.
According to the report, the top five sectors by data breach notifications in the last quarter were:
- Health service providers
- Legal, accounting & management services
- Personal services
Out of these top vulnerable industries, ‘Legal, accounting & management services’ is the most affected by a diverse range of hacking and phishing attacks (categorised as ‘cyber incidents’) – as the latest Notifiable Data Breaches Quarterly Statistics Report confirms.
Australian businesses at risk of cybercrime
The OAIC report corresponds to the often cited Verizon Data Breach Investigations Report stating that 90% of data breaches involve phishing. The breakdown of the ‘Cyber incidents’ category demonstrates that Australia is no different from the United States. Nine out of the fifteen reported incidents (Legal, Accounting & Management services) involve phishing.
It may come as no surprise that according to the Law Society of NSW, over 95% of Australian legal practices have less than 5 employees. Small practices are particularly attractive targets for cybercriminals, because:
- They often manage settlements above $100,000; and
- Handle sensitive documents on a regular basis (e.g. 100 points checks).
In parallel, these legal practices:
- Receive no cybersecurity advice or get bad advice;
- use IT infrastructure that is critically underfunded and/or
- not managed by security professionals.
Legal practices, like other small businesses tend to hire a website designer for building a website, with the website often bundled with email services such as Office 365. Even when legal practices do hire a service provider to manage and support their IT, often very little is done to address the cybersecurity threats of today including phishing, business email compromise (BEC) fraud, CEO fraud and payment redirection scams.
Neither the website designer nor the IT service provider have the experience to address the ever-growing sophistication of these cyber threats. Is no wonder that organised crime target legal and other professional services with a high success rate – as the latest OAIC report perfectly demonstrates.
What should law firms do to avoid becoming a statistic in the OAIC report?
First of all, if there is only one thing you do today to improve your business’s cybersecurity posture, it should be to turn on two-factor authentication for email services for all of your staff.
According to the OAIC report, stolen or compromised credentials are behind 77% of the cyber incidents reported under the NDB scheme. The big secret is that criminals simply use on your employee’s password to gain access to email accounts, rather than high-tech state-sponsored hacking.
Secondly, business owners or decision makers must start hiring cybersecurity experts. Just like we hire professionals to do our tax returns or fix that tooth ache, a cybersecurity expert can identify the pain points of your IT infrastructure. They can then suggest and implement the best combination of solutions in order to protect your business from the latest cyber scams and digital threats.
End-user education and security awareness training are important pieces of the puzzle. When technology fails, your staff become the last line of defence. Ultimately, it is human which decides whether to click on a password-stealing web link or to follow the new payment instruction in a phishing email.
Finally, cyber insurance can cover the residual cyber risk. While solicitors in NSW are covered by Lawcover’s cyber insurance policy which pays up to $50,000, other professions and solicitors in other states are unlikely to have cyber insurance as part of their professional indemnity and public liability insurance. Only cyber insurance policies will cover expenses such as ransomware payments and digital forensics. Cyber insurers also provide incident response services in response to a cyber attack.
- The legal services sector is an attractive target for organised cybercrime;
- The success rate of cyber attacks (targeting the legal services sector) is high;
- The majority of data breaches occur within the legal services sector due to phishing, compromised credentials and social engineering;
- Legal practices can address the cyber risk with a combination of cybersecurity professionals, security awareness training and cyber insurance.
Originally published at blog.ironbastion.com.au on November 7, 2018 and was co-written with Nicholas Kavadias.