
The Inconvenient Reality

By Ian Bloomfield


The inconvenient reality - many law firms are failing to act on Cyber Security

The need for law firms to act on cyber security is overwhelmingly compelling. The message from federal government bodies (Australian Cyber Security Centre, Stay Smart Online, Office of the Australian Information Commissioner) and industry bodies (Law Council of Australia, LIV, LPLC) about the need to act on cyber security is unambiguous and clear. The regular stories in the mainstream media about cybercrime and data breaches highlight the consequences of inadequate cyber security. Yet despite all of this, I believe the response by a large percentage of small to medium law firms is seriously inadequate.

Firstly, I must declare a clear conflict of interest. I am the Managing Director of a company that provides cyber security services to small businesses, including law firms. Nevertheless, my many years of working with small businesses and my expertise in cyber security are a reasonable basis for providing a perspective on this issue, even if it is arguably a biased one.

So, what is the justification for my contention? Over the last 18 months I have carried out many cyber security risk assessments on a wide range of small to medium law firms. This is an assessment against industry best practice, and in every case there were major cyber security deficiencies. The Law Society of Western Australia recently published results of a survey they commissioned that revealed a “worrying lack of knowledge” among the legal profession. I also have my own anecdotal evidence in the wake of the recent PEXA incidents. Our business was inundated with enquiries from conveyancing companies, requesting advice, meetings, cyber security assessments and enquiring about our cyber security services. In contrast, we received an enquiry from one law firm.

What has led to this outcome? I will posit some reasons:

Not understanding the risk – The great majority of decision makers in law firms today are aware there is a risk. Unfortunately, awareness alone is not enough, and unless there is an understanding of what the risk is, a law firm is unlikely to act.

Misplaced faith in IT providers – Cyber security is a business issue; its implications, the required expertise and the solutions needed to tackle it go beyond the capabilities of traditional IT providers. Law firms would never rely on the advice of a so-called “expert” without first ascertaining that they had the necessary specialist knowledge relevant to the field in question, yet they rely on their existing IT provider to advise about their cyber security risk.

Confusion about what to do – Knowing there is a need to do something but not understanding the solution or its effectiveness can lead to inaction. Law firm decision makers need to have a level of understanding, not only about the risks they face, but also about the options to address the risk and any resulting implications for their firm. Without access to simple and concise information about options to address cyber security inadequacies, law firm decision makers are not well placed to make informed decisions.

Clearly more work is needed to better understand the reasons why so many small to medium law firms have failed to act on cyber security.

In conclusion I make this provocation. If you are a decision maker in a law firm, be it as a sole practitioner, or a director or partner of a law firm with 50+ staff, consider this. Have you seen anything that makes it clear to you that the cyber security risk in your firm has been assessed and the risks identified? Over the last 12 months has there been any evidence of significant changes in the way your firm works resulting from the implementation of cyber security measures? If the answer to either of these two questions is no, then your law firm is most likely one of the many that are failing to act on Cyber Security.

Ian Bloomfield is the Managing Director of Ignite Systems. Ian has been developing and delivering cyber security solutions for over ten years. As an Affiliate Member of the Law Institute of Victoria (LIV) and a recognised expert on cyber security, he works to educate lawyers about the benefits and risks of using technology. Ian is the author of many articles and guides on cyber security, and has recently authored two LIV LawTech Essentials documents, ‘Cyber Security Essentials for Law Firms’ and ‘Cyber Security Essentials for the Individual’. Ian is also an active member of the LIV’s Technology and the Law Committee.
