Home | Cyber Risk Assessment

Software and virus protection

1/20

Do you have a process in place to ensure that new software patches are applied to your operating system and software?

No
Not sure
Yes

Software and virus protection

2/20

Do you have antivirus protection in place and is it kept up to date?

No
We have antivirus protection but I don't know if it's up to date
Yes, we have antivirus protection and we have a process to ensure its kept up to date

Data storage and back-ups

3/20

How often do you complete data back-ups?

Never
Monthly
Daily

Data storage and back-ups

4/20

When did you last check that your back-ups are readily accessible and able to be used/not corrupted upon retrieval?

Never
Within the last 12 months
Monthly

Data storage and back-ups

5/20

Where are back-ups stored?

We have no back-ups
On-site
Off-site (including in the cloud)

Data storage and back-ups

6/20

Where data is backed up in the cloud, what authentication procedures are required by the cloud provider to ensure that unauthorised users are not able to access the practice's data?

I don't know
This issue has been outsourced to an IT consultant; I am unable to answer this question
I have received written confirmation from either an IT consultant or the cloud provider that stringent authentication processes are in place

Skip

Payment processes

7/20

Do you accept and act upon a client's directions for payment that are:

Provided by email only
Given at the commencement of the retainer
Where provided by email, also verified by a phone call (using a phone number recorded at the time initial instructions were taken, not a phone number included in the same email as the directions for payment)

Payment processes

8/20

Do you inform your clients in writing that you will never send them an email changing your trust account details or asking for money to be sent to an account other than your trust account for property transactions or other major payments?

No
Yes
Yes and we advise clients in writing to contact us urgently if they receive an email from us purporting to change our payment details

Payment processes

9/20

Have all staff members been advised to telephone to check payment directions received from other solicitors, when these are received by email?

No
Yes
Yes, and they have been advised to verify the directions using a phone number recorded in correspondence other than the email requesting payment

Payment processes

10/20

What are the possible consequences for the law practice if it transfers monies held on trust to the wrong bank account via internet banking?

The bank is required to check the account holder's name against the account details so it's the bank's problem if the wrong person receives the payment
There will be a few days before the funds are transferred so there may be time to stop the transaction
In many cases funds are now transferred instantaneously; if the funds are paid to the wrong person and are unable to be recovered, the principal/s of the law practice will be required to repay the money

Staff risk-awareness and training

11/20

Have you incorporated cyber risk awareness in your staff policies and training?

No
Yes
Yes and we regularly issue reminders and updates

Staff risk-awareness and training

12/20

Does your practice have a BYO device security policy for staff members who are able to access work files on non-company devices such as smart phones, tablets or home computers?

No
Yes
Yes and we provide training on using remote devices securely

Staff risk-awareness and training

13/20

Have you advised all your staff members in writing of the importance of using passwords that are unique to the workplace only?

No
Yes
Yes, and it is mandatory to use strong passwords (e.g. a minimum of 15 characters with a mix of letters, numbers and symbols)

Staff risk-awareness and training

14/20

How often are you and your staff automatically required to regularly change your passwords?

Never
Every few months
Every few weeks

Staff risk-awareness and training

15/20

Have you discussed with staff the risks associated with clicking on attachments or hyperlinks in emails that look unusual or suspicious, and which could contain viruses, ransomware or other malware?

No
Yes
Yes, we also issue reminders and run compliance checks

Staff risk-awareness and training

16/20

Have you discussed with staff the risks associated with using free or unsecured WiFi, importing material onto the law practice's computer network through a USB drive, and taking confidential material outside the workplace via USB, mobile phone or laptop?

No
Yes
Yes, this is included in our induction material for new employees and regular reminders are given

Staff risk-awareness and training

17/20

Are you and your staff aware of the risks of sending confidential information by unencrypted email or text message?

No
Yes
Yes and we regularly issue reminders

Data security breaches and privacy protection

18/20

Have you considered whether the Mandatory Breach Reporting regime under the Privacy Act 1988 (Cth) will apply to your law practice?

No
Yes
Yes it is possible/likely that the new provisions will apply to at least some information held by the practice and we have amended our policies and procedures to note the importance of reporting relevant data breaches

Planning ahead

19/20

Do you have an emergency response plan for what to do in the event of a cyber-attack?

No
Yes
Yes, all relevant staff are aware of this plan, and this plan includes seeking crisis assistance under the group cyber risk policy purchased by Lawcover

Protection under the group cyber risk policy purchased by Lawcover

20/20

Are you aware that Lawcover has purchased a group cyber risk policy that provides foundational cover of $50,000 for all its insured law practices, and that this includes crisis assistance and technical support following a cyber event?

No
Yes
Yes I am now! I am also aware that the contact details for crisis assistance relating to a cyber event are
Phone: 1800 273 224
Email: lawcyber@cbp.com.au

Finish

CYBER RISK ASSESSMENT

Software and virus protection

Do you have a process in place to ensure that new software patches are applied to your operating system and software?

Software and virus protection

Do you have antivirus protection in place and is it kept up to date?

Data storage and back-ups

How often do you complete data back-ups?

Data storage and back-ups

When did you last check that your back-ups are readily accessible and able to be used/not corrupted upon retrieval?

Data storage and back-ups

Where are back-ups stored?

Data storage and back-ups

Where data is backed up in the cloud, what authentication procedures are required by the cloud provider to ensure that unauthorised users are not able to access the practice's data?

Payment processes

Do you accept and act upon a client's directions for payment that are:

Payment processes

Do you inform your clients in writing that you will never send them an email changing your trust account details or asking for money to be sent to an account other than your trust account for property transactions or other major payments?

Payment processes

Have all staff members been advised to telephone to check payment directions received from other solicitors, when these are received by email?

Payment processes

What are the possible consequences for the law practice if it transfers monies held on trust to the wrong bank account via internet banking?

Staff risk-awareness and training

Have you incorporated cyber risk awareness in your staff policies and training?

Staff risk-awareness and training

Does your practice have a BYO device security policy for staff members who are able to access work files on non-company devices such as smart phones, tablets or home computers?

Staff risk-awareness and training

Have you advised all your staff members in writing of the importance of using passwords that are unique to the workplace only?

Staff risk-awareness and training

How often are you and your staff automatically required to regularly change your passwords?

Staff risk-awareness and training

Have you discussed with staff the risks associated with clicking on attachments or hyperlinks in emails that look unusual or suspicious, and which could contain viruses, ransomware or other malware?

Staff risk-awareness and training

Have you discussed with staff the risks associated with using free or unsecured WiFi, importing material onto the law practice's computer network through a USB drive, and taking confidential material outside the workplace via USB, mobile phone or laptop?

Staff risk-awareness and training

Are you and your staff aware of the risks of sending confidential information by unencrypted email or text message?

Data security breaches and privacy protection

Have you considered whether the Mandatory Breach Reporting regime under the Privacy Act 1988 (Cth) will apply to your law practice?

Planning ahead

Do you have an emergency response plan for what to do in the event of a cyber-attack?

Protection under the group cyber risk policy purchased by Lawcover

Are you aware that Lawcover has purchased a group cyber risk policy that provides foundational cover of $50,000 for all its insured law practices, and that this includes crisis assistance and technical support following a cyber event?