Simone Herbert-Lowe is the founder and director of Law & Cyber, where she offers legal advice, risk management and consultancy services to businesses and individuals with a focus on cyber threats. As a popular speaker and regular contributor to Australasian Law Management Journal and the Law Society of NSW Journal, Simone is widely recognised as a thought leader on cyber risks and professional duties in Australia.
We spoke with Simone about her passion to educate lawyers about cyber threats, the common misconceptions lawyers have regarding cyber risks and what steps lawyers and law firms can take to avoid falling victim to cyber crimes.
You've had an impressive legal career spanning over 30 years, including extensive experience in the field of professional duties. Today your work as the director of Law & Cyber focuses on helping businesses prevent cyber incidents. What inspired your interest in cyber security and cyber risk?
I first started working in this area a few years ago as the Senior Claims Solicitor and the Manager for Strategy and Innovation at a leading professional indemnity insurer for lawyers.
I had previously handled around 2000 professional indemnity notifications by law firms, but once I started to manage claims involving email fraud and cyber incidents, it struck me that cyber was very different to other professional risks. While professional negligence claims are often caused by issues related to communications, such as a failure to advise, or a missed limitation period, for example, cyber risk has very little to do with your abilities as a lawyer.
Through that work, and other legal work I’ve done since, I've seen firsthand how cyber events and email fraud could be so distressing for the people involved, as both the lawyer and the client were the victims of a serious crime. The claims often involve substantial amounts of money - for example, a large transaction or the deposit on a house that a client is buying - and the two people who are the actual victims are left fighting about who has to bear the responsibility and the loss. At the same time, the perpetrator gets away with the money and is often not traceable.
From the professional duties perspective, I was struck by how devastating the impacts could be for a legal practitioner who had mistakenly paid money out of their trust account. Actions for breach of trust are difficult to defend once money has been paid in error without proper authorisation. A mistake like this can have disastrous consequences for legal practitioners, especially if they aren't adequately insured. I also realised that lawyers, and in fact all staff working in law firms, can often make wrong assumptions regarding cyber risks that can get in the way of them taking the necessary steps to protect themselves or their clients.
In combination, all of this made me realise how important this issue is, and I became passionate about educating people on the topic of cyber risk and cyber resilience.
You've highlighted that employees are one of the biggest cybersecurity threats to a business or organisation. In your experience, what are some common mistakes you see employees at law firms make regarding cyber risk?
One of the most common mistakes relates to the assumptions lawyers and law firm employees make about cyber risks. I meet many people who know about cyber risk but think that "my business is too small to be a target" or "I can leave this to an IT consultant." But the statistics are staggering: according to one study, 1 in 3 people in Australia has been affected by cybercrime; and Cybersecurity Ventures states that if cybercrime were a country, it would be the world's third-biggest economy. So the reality is that people can no longer afford to think, "this won't happen to me".
Issues can also arise when both junior and senior people in a law firm assume that only other people need to be trained on cyber security. These sorts of beliefs often prevent lawyers and law firms from taking the necessary steps to protect themselves. The truth is, anybody in an organisation can receive a fake email - and because of their level of authority and the information they have access to - the most senior people can be most at risk.
Another big mistake is assuming that in order to prevent cyber risk, you only have to focus on technology solutions. Having proper technology in place is essential. But in the case of law firms, one of the most significant risk areas is what's known as Business Email Compromise (BEC).
Business Email Compromise or BEC can happen in two ways. First, a cybercriminal can gain access to a business's email account, and the hacker will then send fraudulent requests for payment that appear to be from somebody authentic. Strong password controls and multi-factor authentication can go a long way in preventing these types of attacks. Second, BEC can also occur when someone sends a fake email that impersonates a business. This requires no skills in computer coding at all, and anyone with access to the internet can do it. All they need to do is set up a fake email, replace their own name in the “From” field with the name of the person they are impersonating, and trick someone in that way. While technology such as spam filters can screen out many generic emails, BEC emails can be highly targeted and appear to be sent by a person the recipient trusts, so spam filters don’t pick up all fraudulent emails. The only solution to this type of crime is greater awareness within the profession that electronic messages, especially those relating to money transfers, cannot be assumed to be genuine without careful and meaningful verification.
We always need to keep in mind that cybercriminals get better and increasingly sophisticated, and our detection skills need to continue to adapt. Artificial intelligence is already able to produce correspondence that sounds like it was written by a particular person, so more and more criminals will be able to use AI to create fraudulent communications that appear to be authentic.
In your course "Cyber Risk for Lawyers and Law Firms", you discuss the concept of "social engineering". Can you tell us a little more about this concept, how it works and how social engineering scams usually work in a law firm setting?
Social engineering refers to the manipulation of people's natural tendency to trust. Imagine a scenario where a solicitor or a member of an accounts team receives an email that appears to have been sent by the managing partner, a client, or someone whose name they know or recognise. In a situation like this, it's easy to believe that the instructions in the email are true and so the employee will action the request – possibly without checking that the information in the email is actually correct. This can be a typical example of how social engineering is used when targeting law firms.
Over the last 3-4 years, law societies and insurers have recommended that payment instructions received by email be independently verified by a phone call. Although this is an excellent risk management tip, phone verification shouldn’t be a simple “tick the box” exercise. There have been a number of cases where people have made a phone call to verify but have telephoned the wrong person, so we should always be aware that phone verification needs to be done in a careful and meaningful way.
There are a few ways in which you can do this, which we discuss in the course.
Some of these might sound like minor things, but failing to implement them can have significant consequences particularly if money is paid out of a trust account in error.
There are some excellent technology protections in place for businesses, so cybercriminals have learned that the best way to get into the network is via the people. For example, in 2020, the Twitter accounts of some very prominent people were hacked after cybercriminals tricked Twitter staff into providing information that allowed the hackers to access those accounts. Significant technology breaches like this often come about through social engineering and manipulating people to do something before they have a chance to think about what they are actually doing.
You've noted that cyber risks affect everyone - regardless of the size of the law firm. What is one piece of practical advice you can give to law firm leaders to act on today to reduce the risk of them falling victim to cybercrime?
When you're considering technology solutions, don't discount the human factors in cyber risk. This can involve having a weak or re-used password, clicking on a malicious link, inadvertently giving away login credentials by visiting a fake website, or believing the contents of an email without first verifying them - particularly if they contain directions regarding sensitive information or funds transfers.
Law firm leaders need to make sure that everyone in their firm receives training about how cyber events and email fraud occur and what role they play in preventing these from happening, and the training needs to be repeated regularly so that it remains front of mind.
You've been advocating for lawyers and law firms to take a more proactive approach to cyber risk for several years. Do you believe that we are starting to see a shift in how lawyers view cybersecurity? Or do you think lawyers still underestimate the potential risks?
Our profession is a very broad church that includes everyone from solo practitioners to large law firms. Many people in the profession are very concerned about cyber security, particularly those who experience real-life examples and see how it impacts people.
However, while many lawyers and businesses have taken proactive measures, those in smaller practices often do not know where to start. People are now much more conscious of it and want to get to grips with how they respond to this risk, but at the same time, they are very busy and feel like this is something they can put off until later.
There is a tendency to focus on fund transfer frauds, an especially obvious cyber risk as money goes missing. But there are a lot of other hidden risks involving legal professional duties related to the holding of confidential information, especially as ransomware or cyber extortion is often accompanied by threats to publish confidential information belonging to clients if the ransom isn’t paid.
I expect we will see a greater concern for data protection where lawyers and law firms ask themselves, "what are we doing to protect our data?" or “is our data stored in Australia under Australian laws, or somewhere else where different rules may apply?". More sophisticated clients are now requesting information barriers to limit the number of people in a law firm who can have access to the client’s information.
With the rise of new technologies, the nature of cyber threats is getting increasingly sophisticated. What are some trends that you see for the future of cybersecurity, particularly as it relates to lawyers and law firms?
Many lawyers still believe that managing cyber risk is something they can delegate or outsource to someone else. But that could be a false dichotomy, because while you can delegate some aspects – for example, you might outsource some aspects of your IT management – you are still subject to the same professional risk of protecting the money you hold in trust or the information you are obliged to protect.
We have seen this trend develop overseas. For example, in the USA, the US Bar Association's Model Bar Rules now require a duty of technological competence. This means that a lawyer's duty of competence extends to understanding the risks associated with the technology they use and how to mitigate those risks. A majority of bar associations across America have accepted the concept of technological competence as a part of the legal profession’s duties. While that hasn’t formally been recognised in Australia, if a court were called upon to decide that issue, it might well find that this type of competency is implied in the lawyer's duty of care. If I had to predict a trend, it would be an expansion of the concept of competency to extend beyond knowledge of the law and to at least a general understanding of and proficiency in the technology you use. For example, you might be held to have breached your duty of care if you use an email service that isn’t protected by two-factor authentication or if you haven’t trained your staff how to recognise scam emails.
To finish up, we've got three quick questions for you which we ask all of our leaders in law interviewees:
- What's your favourite way to wind down? My favourite thing is sailing in the Friday night twilight races on Sydney Harbour. I love spending time with my sons too.
- What's one thing you would tell your 15-year-old self? Be more confident and brave.
- And last but not least, are you a cat person or a dog person? Totally a dog person! You know what they say - dogs have masters, and cats have subjects.