CYBER RISK ASSESSMENT

Software and virus protection

1/20

Do you have a process in place to ensure that new software patches are applied to your operating system and software?

  • No
  • Not sure
  • Yes

Software and virus protection

2/20

Do you have antivirus protection in place and is it kept up to date?

  • No
  • We have antivirus protection but I don't know if it's up to date
  • Yes, we have antivirus protection and we have a process to ensure it's kept up to date

Data storage and back-ups

3/20

How often do you complete data back-ups?

  • Never
  • Monthly
  • Daily

Data storage and back-ups

4/20

When did you last check that your back-ups are readily accessible and able to be used/not corrupted upon retrieval?

  • Never
  • Within the last 12 months
  • Monthly
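
The question above is only answerable if a restore test is actually run. As an added illustration that is not part of Lawcover's questionnaire, the following Python script shows the check a practitioner would script: record a SHA-256 manifest when the backup is taken, then on retrieval confirm every file is present and unchanged. The backup directory layout, file names and contents below are constructed for the example; in practice the manifest is kept with the backup copy and a second copy elsewhere.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB chunks so large backups are not read into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and SHA-256 of every file under the backup root, keyed by relative path.
    Run when the backup is taken; store the manifest with the backup and a copy elsewhere."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the files now under root with the manifest.
    Returns {relative_path: "ok" | "missing" | "corrupt"}; files absent from the
    manifest are reported as "unexpected" so additions are noticed too."""
    results = {}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            results[rel] = "missing"
        elif path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            results[rel] = "corrupt"
        else:
            results[rel] = "ok"
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in manifest:
                results[rel] = "unexpected"
    return results


def restore_test_passed(results: dict) -> bool:
    """The restore test passes only if every manifested file is present and intact."""
    return all(status == "ok" for status in results.values() if status != "unexpected")


def demo() -> dict:
    """Constructed scenario: a small backup, its manifest, then silent corruption and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "matters").mkdir()
        (root / "matters" / "smith-conveyance.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (root / "matters" / "jones-will.docx").write_bytes(b"PK constructed sample\n")
        (root / "trust-ledger.csv").write_bytes(b"date,matter,amount\n2024-01-02,smith,1000.00\n")

        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate what a restore test must catch: a same-size content change (bit rot or
        # tampering, invisible to a size check) and a file that never made it into the copy.
        (root / "trust-ledger.csv").write_bytes(b"date,matter,amount\n2024-01-02,smith,1000.01\n")
        (root / "matters" / "jones-will.docx").unlink()
        damaged = verify_backup(root, manifest)

        return {"clean": clean, "damaged": damaged, "manifest_json": json.dumps(manifest, indent=1)}


if __name__ == "__main__":
    out = demo()
    print("fresh backup:", out["clean"], "passed:", restore_test_passed(out["clean"]))
    print("after damage:", out["damaged"], "passed:", restore_test_passed(out["damaged"]))
```

A manifest check confirms the files you restored are the files you backed up; it does not confirm the application can open them, so the monthly test should also open a sample of restored documents and the practice management database.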

Data storage and back-ups

5/20

Where are back-ups stored?

  • We have no back-ups
  • On-site
  • Off-site (including in the cloud)

Data storage and back-ups

6/20

Where data is backed up in the cloud, what authentication procedures are required by the cloud provider to ensure that unauthorised users are not able to access the practice's data?

  • I don't know
  • This issue has been outsourced to an IT consultant; I am unable to answer this question
  • I have received written confirmation from either an IT consultant or the cloud provider that stringent authentication processes are in place

Payment processes

7/20

Do you accept and act upon a client's directions for payment that are:

  • Provided by email only
  • Given at the commencement of the retainer
  • Where provided by email, also verified by a phone call (using a phone number recorded at the time initial instructions were taken, not a phone number included in the same email as the directions for payment)

Payment processes

8/20

Do you inform your clients in writing that you will never send them an email changing your trust account details or asking for money to be sent to an account other than your trust account for property transactions or other major payments?

  • No
  • Yes
  • Yes and we advise clients in writing to contact us urgently if they receive an email from us purporting to change our payment details

Payment processes

9/20

Have all staff members been advised to telephone to check payment directions received from other solicitors, when these are received by email?

  • No
  • Yes
  • Yes, and they have been advised to verify the directions using a phone number recorded in correspondence other than the email requesting payment

Payment processes

10/20

What are the possible consequences for the law practice if it transfers monies held on trust to the wrong bank account via internet banking?

  • The bank is required to check the account holder's name against the account details so it's the bank's problem if the wrong person receives the payment
  • There will be a few days before the funds are transferred so there may be time to stop the transaction
  • In many cases funds are now transferred instantaneously; if the funds are paid to the wrong person and are unable to be recovered, the principal/s of the law practice will be required to repay the money

Staff risk-awareness and training

11/20

Have you incorporated cyber risk awareness in your staff policies and training?

  • No
  • Yes
  • Yes and we regularly issue reminders and updates

Staff risk-awareness and training

12/20

Does your practice have a BYO device security policy for staff members who are able to access work files on non-company devices such as smartphones, tablets or home computers?

  • No
  • Yes
  • Yes and we provide training on using remote devices securely

Staff risk-awareness and training

13/20

Have you advised all your staff members in writing of the importance of using passwords that are unique to the workplace only?

  • No
  • Yes
  • Yes, and it is mandatory to use strong passwords (e.g. a minimum of 15 characters with a mix of letters, numbers and symbols)

Staff risk-awareness and training

14/20

How often are you and your staff automatically required to change your passwords?

  • Never
  • Every few months
  • Every few weeks

Staff risk-awareness and training

15/20

Have you discussed with staff the risks associated with clicking on attachments or hyperlinks in emails that look unusual or suspicious, and which could contain viruses, ransomware or other malware?

  • No
  • Yes
  • Yes, we also issue reminders and run compliance checks

Staff risk-awareness and training

16/20

Have you discussed with staff the risks associated with using free or unsecured WiFi, importing material onto the law practice's computer network through a USB drive, and taking confidential material outside the workplace via USB, mobile phone or laptop?

  • No
  • Yes
  • Yes, this is included in our induction material for new employees and regular reminders are given

Staff risk-awareness and training

17/20

Are you and your staff aware of the risks of sending confidential information by unencrypted email or text message?

  • No
  • Yes
  • Yes and we regularly issue reminders

Data security breaches and privacy protection

18/20

Have you considered whether the Mandatory Breach Reporting regime under the Privacy Act 1988 (Cth) will apply to your law practice?

  • No
  • Yes
  • Yes, it is possible/likely that the new provisions will apply to at least some information held by the practice, and we have amended our policies and procedures to note the importance of reporting relevant data breaches

Planning ahead

19/20

Do you have an emergency response plan for what to do in the event of a cyber-attack?

  • No
  • Yes
  • Yes, all relevant staff are aware of this plan, and this plan includes seeking crisis assistance under the group cyber risk policy purchased by Lawcover

Protection under the group cyber risk policy purchased by Lawcover

20/20

Are you aware that Lawcover has purchased a group cyber risk policy that provides foundational cover of $50,000 for all its insured law practices, and that this includes crisis assistance and technical support following a cyber event?

  • No
  • Yes
  • Yes, I am now! I am also aware that the contact details for crisis assistance relating to a cyber event are
    Phone: 1800 273 224
    Email: lawcyber@cbp.com.au