In the most recent ACSC Annual Cyber Threat Report, during the 2020–21 financial year, there were over 67,500 cybercrimes reported to ACSC, an increase of nearly 13% from the previous period. This equated to one reported every 8 minutes.
Within that increase, malicious actors are deploying targeted phishing, spear phishing and ransomware attacks, as well as exploiting software vulnerabilities, and cyber threats will continue to pose a significant risk to business and Government operations in 2022. In this intense cyber threat environment, the in-house legal department must champion cyber security strategies and cyber awareness across their organisations.
Here are the Top 7 Cyber Security Tips for In-House Lawyers:
Understanding “what are the crown jewels of my company?” and defining the critical assets will provide an insight into what parts of your organisation a cyber criminal might target and the resultant risks. This will be unique to every organisation and could include manufacturing, supply chain, customer databases, payment systems, data, and even rogue employees.
Ideally, put together a multidisciplinary team at the outset that includes legal, IT and operations functions, to conduct a detailed analysis of systems and processes and identify risk areas.
Having legal involved in the planning and risk analysis encourages knowledge transfer and the development of appropriate strategies and plans for prevention and remediation.
Information security awareness training is a crucial aspect of the prevention of most cyber threats. However, with criminal activity in the cybersphere evolving incredibly quickly, training should be ongoing, not just an annual ‘tick and flick’ exercise. Make cyber awareness a regular agenda item at team meetings and encourage the sharing of examples of recent phishing emails, dubious text messages or scam phone calls received by team members. Normalising the open discussion of high-frequency and high-risk cyber threats will assist in educating employees and establish standard routines and procedures to ensure all instances are appropriately identified and reported.
It is important to note that bad actors will target new employees who may not be familiar with company protocols, so ensure that cyber awareness training is conducted immediately when on-boarding a new team member.
According to Dr Ian Levy, NCSC Technical Director, “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”
Password best practice:
Password security is one of the first lines of defence to protect your organisation, systems, and data from a cyber breach.
The middle of a cyber attack is not the opportune time to identify who should be involved in managing the incident. It is important to plan and identify in advance who needs to be ‘in the tent’ when an incident occurs. A cross-section of key personnel with unique skill sets will bring the best value to handling an attack. Consider including members from the following:
Consider the role of external providers who will have more technical expertise. Whether they are hired per incident or placed on a retainer, establishing the arrangement in advance allows for quick action.
Key stakeholders that are often overlooked are internal staff, customers, and the general public, so ensure that these are identified and considered.
Have a detailed Incident Response Plan that includes procedures, roles and responsibilities, detection and analysis, containment, response, and post-incident analysis. More than simply an operational or technical matter, the Incident Response Plan must align with organisational priorities and its risk profile.
The plan should also consider:
Just as the organisation will conduct a regular fire drill, conduct regular cyber drills and simulations to test the plan.
Cyber insurance is a must-have for all organisations, and it is important to clarify the policy inclusions and limitations. Review coverage for:
If an attack happens, what are you able to draw down from your policy immediately to assist with mitigating the consequences?
Understanding your own cyber risks is one thing, but does your organisation evaluate and monitor the cyber security and data privacy practices of its third-party providers across the supply chain?
51% of organisations have experienced a data breach caused by a third party, according to recent studies.
Part of the procurement process for all third-party providers should involve defining and assessing risk, as well as negotiating and clarifying that they meet all the standards set by your organisation for cyber security, auditing, privacy, and compliance. Also have provisions in place for when a breach occurs, including a compensation clause and a service level agreement (SLA).
It is in your organisation’s best interests to perform constant checks to ensure that suppliers are adhering to those required standards.
Whilst there is no silver bullet to guarantee the prevention of a cyber attack, an organisation can and should take all steps available to make it harder for cyber criminals to infiltrate. Further, a thorough and tested response plan for when a cyber attack happens will help to ensure that timely, appropriate and measured action is taken to minimise adverse consequences.
Stay on top of this space by subscribing to the following online resources: