Cybercrime is a large problem that every business must deal with.
It seems that almost every day there is another news story about a cyber-attack or data leak from a major company. Companies such as Dropbox, Yahoo, eBay, Sony, and even Apple have all been victims, and the list continues to grow. When large companies fall victim to cybercriminals, it is not unheard of for millions of customers to have their personal details and information stolen. The size of these cyber-breaches might come as a surprise. For an interactive infographic on the world’s biggest data breaches view here.
The reality is that cybercrime and cyber security are serious issues and everyone who goes online needs to be aware of the extent of the problem. Lawyers hold personal and commercially sensitive information about their clients. If a lawyer’s practice is the victim of a cybercrime, the consequences can be devastating for both the lawyer’s clients and the lawyer’s business. There is no doubt that cybercrime is the most pressing issue for businesses operating in today’s digital world.
Without overstating the problem…
Cybercrime is now considered one of the leading risks to the global economy.
Ginni Rometty, CEO of IBM Corp, observed the following in relation to the threat of cybercrime:
We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.
Australia is not immune to this global problem. Every year more Australian businesses are falling victim to cybercriminals, with the information that is compromised being held for ransom or sometimes sold on the dark web. The Australian Cyber Security Centre in its 2016 annual report notes that the Australian government and Australian businesses continue to be targets of persistent and sophisticated cyber espionage and cybercrime. And while the Australian government treats cybercrime as a high priority issue, some Australian law firms may be underprepared when it comes to protecting their digital assets.
What is the cost of cybercrime?
Cybercrime costs businesses both money and time.
With the global cost of cybercrime now exceeding the cost of the illegal drug trade, cybercrime is a lucrative criminal endeavour. It presents the perpetrators with a lot less risk of being caught than other criminal enterprises. McAfee (also known as Intel Security), one of the world’s leading computer security software companies, estimated that in 2014 the cost of cybercrime equated to US$445 billion of global GDP. In terms of Australian businesses in 2014, it was estimated that the average cost to a business of a cyber-attack was $276,323, with the average time to resolve the attack being 23 days, rising to 51 days if the attack was by an employee or contractor. At both the macro and micro levels, the cost of cybercrime can be extremely damaging for the victims.
What is the likelihood of my practice being a cybercrime victim?
Cybercrime is sophisticated and every business can be expected to be targeted in some form.
Cybercriminals are becoming more sophisticated and more discerning in choosing victims. The techniques used to commit cybercrime are varied and can be both indiscriminate and targeted.
Businesses that are most at risk of being targeted are those that hold personal or sensitive information on a lot of people or on particular individuals. Professional services such as law practices are at particular risk because they hold large amounts of detailed data about individuals. This is attractive to criminals for several reasons. First, large amounts of sensitive data about a person can be valuable and can be used for ransom against the lawyer and their client. Coinciding with that, law practices will be particularly keen to keep their information confidential. In addition, many law practices may be perceived by criminals to have deep pockets and be in a position to pay, such as in the case of a ransomware attack. Also, cybercriminals work with the knowledge that small to medium sized businesses usually have less cyber security protection, thus making them an easier target.
Even if your law practice’s computer system is not specifically targeted, indiscriminate cybercrime campaigns can cause significant problems. Spam campaigns deliver thousands if not millions of infected emails in the hope of catching victims. For example, the Locky ransomware, released in 2016, was spread by spam email. The email contained a fake invoice (usually in Microsoft Word or Excel format) that allegedly required payment. The attached document contained malicious macros that, when activated, encrypted all the files on a computer system. The victim then had to pay a ransom to have the files decrypted.
What is the future of cybercrime and cyber security?
Cybercrime is going to continue to be a major problem with new risks constantly emerging.
In a lot of ways the future of cybercrime and cyber security is scary, especially for the unprepared. Both criminals and security firms are taking advantage of artificial intelligence and the possibilities that it offers. Quantum computing is also on the horizon. This form of high-powered computer processing is going to change the way computers operate and it presents a new frontier in the cyber domain.
As business moves more into the digital realm, legal practices must get expert advice today to be secure and prepared for the growing digital world. Those who are not prepared can expect to face costly repercussions to their business and reputation. They may in addition be subject to professional disciplinary sanctions for breach of client confidentiality and/or penalties for breach of Commonwealth, State or Territory privacy legislation.
 The Dark Web is the part of the Web that cannot be found using search engines like Google and is where cyber criminals undertake various activities online. See: ‘Australian cyber crime threats: Four Corners investigates how hackers are hacking into our information’, news.com.au (online) 30 August 2016
 Australian Cyber Security Centre is a project of existing cyber security capabilities across Defence, the Attorney-General’s Department, Australian Security Intelligence Organisation, Australian Federal Police and Australian Crime Commission. See: Australian Cyber Security Centre, ‘ACSC Threat Report 2016’ (2016) <https://www.acsc.gov.au/>