A new report from an Australian cyber security company has revealed that a quarter of Australian law firms polled have suffered a security breach in the last two years.
The survey was commissioned by DotSec, and the polling itself was conducted by Momentum Intelligence in partnership with Cyber Security Connect’s stablemate, Lawyers Weekly. A total of 500 responses were received, with 384 fully completed. This equates to an acceptable margin of error of +/- 4.99 per cent.
The companies polled ranged in size from small operations of between one and 10 people, which made up 33 per cent of the sample, up to much larger firms with more than 10,000 employees — only 3 per cent of companies polled boast that size.
When it comes to security breaches, 25 per cent of respondents said their firm had been affected by either minor or major breaches. Fifteen per cent said they were certain they had not been affected, but possibly the more alarming figure is that 59 per cent of those polled said that they had not been breached, as far as they knew.
According to the report — The 2023 State of Cyber Maturity for Australian Law Firms — these numbers suggest that many firms lack a mature incident detection and response process.
Of those incidents that were detected, however, only 49 per cent were detected by internal processes. External security providers detected 22 per cent of breaches, while an alarming 32 per cent of firms had incidents pointed out to them by concerned third parties, such as clients or banks.
“That indicates that the attackers were at work within the firm, without the firm’s knowledge, and continued with their nefarious activities until the damage was discovered by a third party,” the report stated.
Given the data, it is perhaps unsurprising that 51 per cent of law firms are not confident in their detection and response measures. In fact, one in 10 firms is certain they are incapable of detecting a cyber incident until after the attack has already succeeded.
What is clear is that nearly all firms are at least aware of the importance of cyber security. The threat of reputational or financial loss is a key motivator to improve and maintain security for 95 per cent of firms polled. And while 48 per cent of the firms polled believe their level of security investment is up to the current challenge, the rest feel their efforts are lacking due to either a lack of understanding, the lack of a solid business case for investing in security, or simply not being able to afford the expertise needed, either in-house or from third-party providers.
“What the survey findings reveal is a lack of consensus and clarity on who is responsible for the organisation’s security and risk management,” said DotSec owner Tim Redhead in an announcement. “This can create confusion, overlap, or gaps in responsibilities, leading to a fragmented and less effective approach to cyber security.”
“Security frameworks and standards exist to provide a common point of reference, allowing an organisation to be confident of its own security maturity while also being able to demonstrate that maturity to a client, partner, insurer or other third party,” Mr Redhead said.
“The fact that 75 per cent of legal professionals were either unsure or were certain that they complied with no well-accepted standard or framework is a major concern for Australia’s law firms.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.