Cybercrime continues to be a prolific issue in Australian businesses, meaning companies must follow industry practices and guidelines to protect their sensitive data from cyberattacks.

This year, several industry bodies, including the Victorian Legal Services Board and Commissioner (VLSB+C) and the Legal Practitioners Liability Committee (LPLC), have released guidelines covering how law firms should protect themselves. Here is an overview of these cyber security expectations and practices.

The VLSB+C’s expectations are divided into three main categories: Critical Controls, System Controls, and Behavioural Controls. These categories are then split into multiple sub-categories that outline each regulation.

Critical Controls

These are the key guidelines firms must follow to ensure overall cyber safety. They cover security updates, passwords and logins, and multi-factor authentication. The broad advice is to ensure that all devices, software and hardware receive ongoing security updates. Alongside this, all passphrases must be unique and strong: do not reuse a password across multiple accounts, and do not cycle back to old passwords. To store passwords and passphrases, we recommend that firms use a reputable password manager that is available to all staff. Last but certainly not least, change any compromised password immediately; leaving it in place invites stolen or destroyed data and theft of funds.

Activate multi-factor authentication (MFA, often called two-factor authentication) wherever it is available so that your professional accounts are adequately protected. This small extra step is vital in stopping unauthorised access to your firm's sensitive data, because a stolen or guessed password on its own is no longer enough to log in.

System Controls

This area of the VLSB+C guidelines focuses on the more technical side of cybersecurity operations. The Commission recommends that firms have IT professionals manage and carry out these technical operations.

System Controls refer to Security Software, Access Control, Devices, Information Security, and Backups.

Regarding Security Software, this practice consists of installing and using security software, such as anti-virus and other detection tools, on all devices. Firms should run periodic anti-virus scans to detect and remove malware. Check a device's configuration each time it is assigned to a new user, and run general anti-virus scans at least weekly, using scheduled automatic scans where possible.

Physical Security

Considering the safety of the devices themselves, it is critical that devices are physically stored in a secure location when not in use.

Beyond this, be aware of the source and content of any hard drives or USB sticks you connect to your devices. Malware can be carried onto a device on removable media, so only use drives that come from a trustworthy place. Firms must also turn on full disk encryption on devices that store sensitive data, so that a lost or stolen device does not become a data leak.

Beyond security software, it is vital that you control who has access to different areas of the firm's data. This is called role-based access control (RBAC): employees can access only the data relevant to their role and nothing else. Combined with access logging, this lets practices track what data is viewed and by whom, and it limits the damage a single compromised account can do in the event of a breach.

Backups are essential to protecting your data from hardware failure, accidental deletion, or malicious activity such as ransomware. Being able to get your data back in these situations is vital. When reviewing your backup system there are several considerations. How often do you need to back up? If you had to restore, would you get your data back from an hour, a day, or a week ago? (This is your recovery point objective.) How long would it take to restore? (This is your recovery time objective.) Having your data on a USB drive is better than nothing, but if it would take two weeks to get your systems back up and running, that may not be acceptable to you. Are your backups periodically verified by actually restoring them? How do you know they will work when you need them? Keep at least one copy offline or otherwise out of reach of an attacker who has compromised your network, since ransomware routinely targets any backups it can find. Work with your IT person to ensure that your solution meets your needs.
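One way to turn the question "are your backups verified?" into a routine check is a script that performs a test restore, compares every restored file against a manifest of hashes recorded at backup time, and flags the backup if it is older than the firm's chosen recovery point objective. The following is an added example written for this article; it is not code from the article, the VLSB+C or the LPLC, and it is not tied to any backup product. The client matter files, the one-day RPO and the tampered manifest entries are constructed sample data.

```python
"""Backup verification check: restore a backup to scratch space, compare every
file's SHA-256 against the manifest recorded at backup time, and check the
backup's age against a recovery point objective (RPO).

Added example for this article, not code from the article, the VLSB+C or the
LPLC, and not tied to any particular backup product. The matter files, the
one-day RPO and the tampered manifest entries below are constructed to show
what a passing and a failing verification look like.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (posix path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest to store with it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict, rpo_seconds: int, now=None) -> dict:
    """Test-restore archive into a temporary directory and diff it against manifest.

    ok is True only when nothing is missing, corrupt or unexpected and the
    archive is no older than the RPO. An unreadable archive is reported as
    corrupt rather than raising, so the check can run unattended.
    """
    now = time.time() if now is None else now
    report = {"missing": [], "corrupt": [], "unexpected": [],
              "age_seconds": 0, "within_rpo": False, "ok": False}
    # Python 3.12+ (and patched older releases) can refuse absolute paths and
    # "../" traversal inside the archive; use that filter when it exists.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
            restored = build_manifest(Path(scratch))
    except (tarfile.TarError, OSError, EOFError) as exc:
        report["corrupt"].append(f"<archive unreadable: {exc}>")
        return report
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupt"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["age_seconds"] = int(now - archive.stat().st_mtime)
    report["within_rpo"] = report["age_seconds"] <= rpo_seconds
    report["ok"] = (report["within_rpo"] and not report["missing"]
                    and not report["corrupt"] and not report["unexpected"])
    return report


def demo():
    """Constructed sample: three matter files, one backup, three verifications."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "matters"
        (source / "smith").mkdir(parents=True)
        (source / "smith" / "contract.txt").write_text("draft contract v3\n")
        (source / "jones").mkdir()
        (source / "jones" / "advice.txt").write_text("letter of advice\n")
        (source / "index.csv").write_text("matter,partner\nsmith,AB\njones,CD\n")

        archive = work / "matters-backup.tar.gz"
        manifest = make_backup(source, archive)
        rpo = 24 * 3600  # one day of data is the most the firm is prepared to lose

        good = verify_backup(archive, manifest, rpo)

        # A manifest that expects a file the backup never captured, and a
        # digest that no longer matches what was backed up.
        tampered = dict(manifest)
        tampered["jones/wills.txt"] = "0" * 64
        tampered["index.csv"] = "f" * 64
        bad = verify_backup(archive, tampered, rpo)

        # Same archive evaluated two days after it was written: outside the RPO.
        stale = verify_backup(archive, manifest, rpo,
                              now=archive.stat().st_mtime + 2 * rpo)
    return good, bad, stale


if __name__ == "__main__":
    for name, rep in zip(("good", "bad", "stale"), demo()):
        print(name, rep)
```

The manifest must be stored somewhere the backup job cannot overwrite (a separate location or a write-once store), otherwise a backup that silently dropped files would also produce a manifest that agrees with it. Scheduling this check after every backup run, and alerting on any report whose `ok` is false, is what turns "we have backups" into "we know our backups restore".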

Behavioural Controls

A common cybersecurity misconception is that you (business owners and staff) don't have to do anything once protection is in place. This idea is what puts so many businesses in danger! The truth is that staying safe is a people-centric practice, and you should foster a cyber security aware culture. To highlight this, the VLSB+C has set behavioural expectations to encourage proper cybersecurity.

First and foremost, cybersecurity training for all staff must be provided. Tailor security training to different roles and cover a range of topics, including phishing emails, social engineering, password best practices, safe web browsing, and other risks. Firms must require cybersecurity training during induction for new staff and provide refresher training at least once a year. Beyond this, make sure your staff understand their cybersecurity role within the firm. They must also know what to do in a cybersecurity emergency!

Cybersecurity Incident Response and Reporting

An important part of having good cyber security posture is understanding that, despite your best efforts, a breach can happen to you. No protection is 100% effective. Once you accept that you could have a breach you can start thinking about what you would do in that situation.

All businesses should have a comprehensive Incident Response Plan (IRP). Having a plan you can execute under pressure reduces the risk of a cyber incident turning into a cyber disaster. The plan should outline how you would identify, gauge, mitigate, document, and report incidents to protect your firm. Check out these two Basic Action Lists created by the Law Council of Australia and the LPLC.

Once an IRP is in place, practices must make their staff aware of the plan, and how to enact it. Alongside this, creating a culture of reporting within your firm is vital! Ensure that your staff are confident in reporting suspected issues to your IT team since early identification helps limit damage.

Then, regularly test your IRP and update it to align with current recommendations. This should occur at least once a year.

If you face a cybersecurity emergency, there are protocols you must follow in addition to your firm's IRP. Under the Notifiable Data Breaches scheme in the Privacy Act, an eligible data breach must be reported to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected. Cyber incidents should also be reported to the Australian Cyber Security Centre (ACSC). Also notify your cyber insurer, the security team at your bank, relevant industry bodies, and any clients that may be affected.

Your Conduct

The VLSB+C states that ignoring or incorrectly applying its guidelines may be considered Unsatisfactory Professional Conduct or, in severe cases, Professional Misconduct. Not using security software, granting inappropriate data access, and not keeping backups in a trustworthy place all go against proper cybersecurity policy and put your firm at risk.

To discover the full range of practices considered Unsatisfactory Professional Conduct or Professional Misconduct, visit the Minimum Cybersecurity Expectations page.

What can you do to stay secure?

Ultimately business owners and leaders are responsible for the safety of their data, employees, and clients! You need to understand the risks and obligations, and ensure you are comfortable with the protections you have in place.

If you need assistance with this, Synapse IT can help! We will work with you to clarify the risks, understand the requirements, and put the necessary solutions in place. Reach out today to discover how Synapse IT can boost your business's vital cybersecurity processes!