Cybersecurity: Best Practices for Firms and Employees During COVID-19

Amidst the global pandemic, many legal businesses are having their work-from-home and cybersecurity readiness tested in real time.

COVID-19 has forced not only law, but the majority of global industry to move to remote work wherever possible. While this has allowed businesses to continue operating, it has also drastically fragmented business cybersecurity systems and provided ample opportunity for online scammers - one they are capitalising on.

As of March 20, Australian Competition and Consumer Commission’s Scamwatch had reported almost 100 scams playing on people’s uncertainty around COVID-19, with that figure continuing to rise.

In a concerning example of an online scam, the Australian Cyber Security Centre was alerted to a text message purporting to be from the Government with directions on COVID-19 testing that contains a malware link designed to extract bank details.

The increase in digital vulnerability has been felt by businesses across the country, prompting the Australian Signals Directorate to release a checklist for businesses struggling to boost cybersecurity protocols to meet the demands of our new environment.

Cybersecurity is, understandably, a make-or-break concern for legal businesses. As trustees of their clients’ highly sensitive information, a breach can cause irreparable reputational damage, regardless of the cause.

A recent survey of employees from large businesses around the world found that 57% of respondents from the legal industry acted in a way that amounted to intentionally putting data at risk, either through recklessness or lack of understanding of correct data management protocol.

This correlates with a 2019 LexisNexis study which found that 58% of respondents felt that lawyers were somewhat or not at all aware of what was required to maintain good cybersecurity.

Where are law firms most vulnerable?

In 2019 the Australian Information Commissioner found that 60% of data breaches were caused by criminal or malicious attacks, with an additional 35% caused by human error.The apparent lack of legal practitioner knowledge and effective cybersecurity practices is an area of concern during the COVID-19 pandemic.

Just like the coronavirus itself, most malicious attacks require a human vector to gain access. Consider for example the anatomy of a phishing scam (the most common cause of data breaches in Australia): a practitioner receives an email addressed to him or her that seems to be legitimate, asking them to click a link. If the practitioner clicks the link, malware or ransomware can be installed giving the attacker access to the practitioner’s, and potentially much of the firm’s data.

“We sent a phishing simulation email to 150 staff members - and only one person actually failed. If you look at the statistics, that’s fantastic - it’s a 99.3% success rate. But one failure is all that’s required.”

Marco Marcello, Manager of Information Systems, Lavan

Decoding Cybersecurity: Clause and Effect

The lack of effective cybersecurity practices and demanding workloads of legal practitioners increases the risk of reckless data safety practices. In addition, with practitioners using work hardware at home, they are more likely to blur the line between business and personal use - accessing a wider variety of websites and third-party platforms on their machines. Employees are also using their own broadband and wifi solutions with weaker security protocols.

What should firms do to protect themselves during the pandemic?

The Australian legal landscape ranges from full service international firms providing expertise across industry sectors to sole practitioners specialising in single practice areas. So it’s safe to say the cybersecurity knowledge and resources available vary drastically between firms.

There are however basic concepts that apply across the board, and these can be followed by anyone. It may be helpful for firms to consider their cybersecurity measures under three broad umbrellas: people, process and technology.

People

This may be the most important factor to focus on during the COVID-19 pandemic. Ensuring that all firm employees are well trained and know what is expected of them.

  • Employees must be familiar with the business's cybersecurity controls and empowered to speak up if they feel these are lacking or suspect anything untoward.
  • All staff must be continuously trained using techniques such as phishing tests and incident responses to spot breaches whilst working from home.

Process

Legal firms should already have processes in place around data breach prevention and incident response plans ready to be enacted if a breach occurs.

  • Firms should establish specific guidelines and best practice when working from home that are regularly communicated to employees during the pandemic.
  • Firms should, within reason and without breaching privacy, monitor employee practices while working from home and where necessary increase training to reinforce cybersecurity protocols.
  • All cyber resilience and incident response strategies should be reviewed for points of weakness within the context of the current environment. Procedures should be updated and communicated to all staff.

Technology

For larger firms with complex platforms and networks, managing technology and cyber threats may be the specific realm of the IT department. Smaller firms and sole practitioners may lack IT support and feel underqualified and overwhelmed by cybersecurity threats and technology in general. There are however fundamental actions which apply across the board.

  • Firms using online practice management solutions should ensure the platform offers secure features such as configurable client extranets to facilitate the safe transfer of files, documents and other materials from remote locations.
  • Software companies release updates or patches as they learn of vulnerabilities in their platforms. Practitioners should ensure that all technology and software is updated regularly. Closing these gaps reduces the risk of breach.
  • Centralise data as much as possible. The fewer platforms or servers involved with storing or transmitting data, the fewer opportunities for a security breach.
  • Request two-factor authentication. Requiring proof of authenticity through an email address and a phone number, for example, makes it far more difficult for credentials to be stolen and misappropriated.

“I think the key takeaway is to really understand your obligations and improve the awareness of cybersecurity as an issue in your organisation... Be aware and educate.” 

Ravi de Fonseka, Partner, Johnson Winter & Slattery 

Decoding Cybersecurity: Clause and Effect

What practical steps should employees take?

The emerging COVID-19 motto, “we’re all in this together”, applies equally to cybersecurity: it is the responsibility of all employees and individuals, not the domain of IT professionals. There are basic actions all employees should be taking while working from home.

Always verify sensitive emails

Make it a regular practice to follow up important or confidential emails sent or received with a phone call to verify the contents, dollar figures, bank details or other sensitive information to ensure the communication has not been intercepted or fabricated.

Always err on the side of caution 

If you suspect an email may be phishing or malicious, try to verify it by contacting the sender. If you can’t, don’t act on it. It’s better to be safe than sorry.

Accept software updates when prompted

Enduring that five-minute software update may save a lot of difficulty down the road.

Never use third-party email

Spreading sensitive data across multiple email servers increases vulnerabilities and the possibility of breach. Be aware that free email providers like Gmail and Hotmail are among the most common targets for hackers.

Never communicate over unsecure wifi

WPA2 security is standard for most home wifi connections, and this is the minimum acceptable standard. Free and public wifi is frequently less secure and more vulnerable to breach.

By following these suggestions and processes, law firms and their employees can maintain cybersecurity best practice and minimise the chances of a damaging data breach during the changed working environment of the COVID-19 pandemic.

More information

Find the latest news, business updates and research materials to keep you on top of the current pandemic crisis at LexisNexis' exclusive COVID-19 information centre