Demystifying the threat

Law firms are being presented with a challenge to adopt new technologies to meet client demands, remain competitive and have a point of differentiation, whilst simultaneously addressing fears about change management, data security and confidentiality head on.


In our white paper - “M&A 2025; embracing technological advancement for a competitive and sustainable future” - we discussed how the law sector is not alone in experiencing a fundamental transformation as technology changes the delivery of services across multiple industries, globally.


Here we explore how technology creates not only better security for our processes, documents and communications than ever before, but also addresses questions and concerns over the fidelity of the infrastructure supporting these services.



Clients are demanding that law firms comply with requests to receive files via cloud storage whilst security threats discourage firms from complying.1

It’s no longer a case of ‘business as usual’. Now law firms are in a competitive balancing act, in both time and money, between multiple and conflicting forces: offering upfront and/or fixed fees, investing in and demonstrating innovation whilst operating within information security procedures, growing revenue and generating profit.

With an online survey showing that almost 50% of the systems used by larger law firms are today run in a cloud-hosted environment2, we’re seeing an increase in firms deploying technology for some of their work and processes in place of paper-based double handling, which has become irrevocably inefficient.

We can say with confidence that this will be a topic of conversation at the lawtech conferences and conventions throughout the world again this year, whilst we can also suggest firms will continue to be unsure as to the ‘best’ way to stay on top of everything they need to know on the subject.



Cyberspace: the notional environment in which communication over computer networks occurs.

Firstly we should start with a quick exploration of what cyber crime is.

Crime which once originated in, and affected, the physical world is now being perpetrated in cyberspace. It is internet or technology crime.

Cyber security is the protection of a business and its systems to prevent these threats from occurring.

Any connection is a doorway, be it malicious software deployed in a smart TV or a data breach in the Cloud.


Cybersecurity is just another risk that all organisations have to manage in their day-to-day business. However, the difference is the volume, variety, and velocity of the attacks, the increasingly interconnected nature of our world, and the vast quantities of data that can be compromised through a cybersecurity breach.3

In short, it applies in much the same way as it would to any other organisation using digital solutions and technologies to support their services and infrastructure.

Perhaps unlike other organisations, law firms have more than just a reputation for inherent trust: they have an entire culture and a set of processes and controls in place to deliver on their professional responsibilities. The risk lies in adopting technology that replicates some of those processes, and in gaining reassurance that they are carried out with the same immutable security and controls.


Additionally, the international structures of law firms create increased risk and, if that’s not enough, law firms become a target because they store large amounts of data for companies. Again, the principle is not new but the methods employed to carry out the work are.

Law firms are used to, and therefore comfortable with, common reputational, financial and compliance risks. IT security and infrastructure present a new challenge in this traditional industry.


Law firms are no more or less susceptible to cyber attacks or security breaches than any other organisations per se. The late adoption of technology in this sector along with cloud hosted software are perhaps the defining factors that present today’s challenge. This means that security is now becoming higher on the organisation-wide agenda. Where it had previously been confined to an IT department looking after on-premise software, it’s now making agenda items in board meetings with partners, CIOs, GMs and CEOs.

In fact, MIT reports and predicts four key areas where cyber threats are most likely to occur4:

  • Cyber-physical attacks
  • Attacks on transport systems, electrical grids and infrastructure
  • Hijacking of computing power to mine cryptocurrencies
  • Attacks aimed at influencing election results


The Australian Government’s Cyber Security Centre highlights the unique risk profile for businesses, the factors that make them and law firms a target, particularly those firms dealing with transactions, commercially sensitive information, client information, bulk-data containing personal information about the public, sensitive legal advice, and proposed negotiating positions.


Innovating the delivery of legal services through process improvement and project management, enabling the sharing of information across organisations and countries, and automating legal services using digital tools - just a summary of the benefits we’re seeing lawtech have across the industry.

When firms create and store huge amounts of sensitive data during any commercial or corporate deal, it’s imperative to know that you can expect and achieve immutable information security and secrecy across the deal lifecycle.

Lawyering in the age of smart machines is both a challenge and a benefit. Amongst Australia’s 36 law schools, a growing number have elective courses dedicated to legal technology, many of which stress the importance of digital literacy in their syllabus. These Gen Y graduating lawyers, who have grown up with technology, might feasibly sit alongside three different generations of lawyers who have not.

So how do you educate the rest of the organisation and ensure the right security protections are in place?



Cyber security threats received their highest uptick in frequency in 2015. In 2016, that number reduced significantly. Potentially these statistics indicate that firms are taking cyber security threats more seriously.5

Firstly let’s look at what your legal obligations are. Recognising the significant importance of cyber security resulting from the impact of breaches in the last few years, new government legislation has been introduced.

Last year, the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act6 2017 (NDB scheme), which came into force on the 22nd February 2018 and states clear obligations for organisations to report eligible data breaches7. This includes the completion of a breach assessment within 30 days, and notification of individuals if a breach is verified. The Australian Information Commissioner must also be supplied with a copy of the assessment.

In the European Union, a new policy is being introduced called the General Data Protection Regulation or GDPR. The impact of this legislation is not limited to only the EU, as it applies to organisations that hold, process or facilitate the processing of personal data, which will be the case when you are running a deal with stakeholders all over the world. Organisations with interests in the EU need to assess the impact of this new legislation to understand their obligations, which come into force from 25th May.

The adoption of new tech means firms are having to not only respond to this type of legislation but also update or create their own policies to protect their own and customers’ data.


It will be essential for enterprises to become more strategic in their thinking and combine machine learning with human intellect and intuition to understand these new risks and anticipate where they might come from.8

Outsourcing technology services means that law firms need to look at the security within the whole of the supply chain, not just their internal IT infrastructure.

With the average time to detect a data breach event well over 500 days, firms need to have support structures and processes in place to prevent, identify and eradicate risks. Smaller firms can’t necessarily afford to employ a full-time, in-house information security expert and so may rely on their providers to check their own security standards.

The most common factors that you should ask about in your solutions and technology platforms when running due diligence on a new provider include:

  1. Multi-factor authentication with device trust for a limited time.
  2. Endpoint security policies and infrastructure to ensure minimum access requirements and constant monitoring.
  3. Guaranteed data sovereignty so data resides in the geographic region of origin at all times, including backups.
  4. Web Application Firewall to monitor, filter and block malicious attacks to and from the web application.
  5. DNS security to prevent DDoS attacks and mitigate forgery and manipulation.
  6. Compliance with industry standards such as ISO/IEC 27001 & 27018, CSA STAR, CJIS Security Policy, HIPAA BAA and IRS 1075.
  7. Advanced HADR infrastructure to include automatic failover, redundant servers, backups and a robust disaster recovery plan.
  8. Advanced encryption for all data, whether at rest or in motion.
  9. Regular penetration testing to, at minimum, OWASP Top 10 standards, plus infrastructure auditing.
  10. 24x7 real-time monitoring for malicious activity, unauthorised access and zero-day vulnerabilities.

Law, as a sector, is relatively late in its adoption and integration of technology into service solutions. The changing nature and pressure of clients’ demands is necessitating its application and widespread use. The emergence of cloud technologies has given rise to increased access to technology for traditional organisations. This is met with the equal challenge of ensuring information security and compliance with best practice infrastructure to ensure client information remains safe.


The Australian Government’s Cyber Security Centre reports that compromised systems and malicious email together make up 78% of the private sector self-reported incident types.

The Internet of Things is projected to connect 21 billion devices by 2020.

It was not so long ago that firms were hesitant in their adoption of cloud, yet now only 24% of firms stated that ‘on-site’ systems are their first preference. The average time to detect a data breach event is well over 500 days.

In November 2017, Forbes reported the top five cloud-computing vendors as: #1 Microsoft, #2 Amazon, #3 IBM, #4 Salesforce, #5 SAP.


  • 1 The Legal Forecast, Angus Murray and Daniel Owen, September, 2017
  • 2 NextLegal, Lawtech survey results and overview, September 2017
  • 3 Navigating the Digital Age. The Definitive Cybersecurity Guide for Directors and Officers - Australia. Forbes, 2016
  • 4 Six Cyber Threats to Really Worry About in 2018, MIT Technology Review, Martin Giles, January, 2018
  • 5 The Legal Forecast, Angus Murray and Daniel Owen, September, 2017
  • 6 The Notifiable Data Breaches (NDB) Scheme, Australian Government
  • 7 Australia introduces mandatory data breach notification regime, PwC, February 2017
  • 8 Cybersecurity trends for 2018, CSO Online, Debbie Garside, December 2017
  • 9 Australian Cyber Security Centre Threat Report, Australian Government, 2017
  • 10 NextLegal, Lawtech survey results and overview, September 2017