October is Cyber Security Awareness Month and this year’s theme is Cyber Security is Everyone’s Business.
And for Cameron McCollum, the Director and Principal Consultant of Riposte, cyber security is very much his business.
Cameron runs a boutique cyber security consultancy founded with a vision to bring high-end cyber security to small and medium-sized businesses, with a particular focus on the legal profession in Queensland.
With a background in military intelligence, a Master’s Degree in Cyber Security Operations, and six years of hands-on experience working closely with the legal profession in Queensland, Cameron brings a unique skill set to addressing the cyber risk profile of law firms.
His understanding of the challenges faced by the legal sector gives him particular insight into the specific cyber risks affecting the profession.
Since founding Riposte in 2022, Cameron has been a member of the Queensland Law Society’s Business Advisory Service (BAS) panel.
He has worked with more than 50 law firms, helping them to understand their cyber risk profiles and align their systems, policies, and procedures with their compliance and regulatory obligations.
Cameron shared the following insights in response to Proctor’s questions:
What are currently the biggest cyber risks for law firms?
“I’m often asked about the biggest cyber risk to law firms. Since becoming involved with the legal profession in Queensland back in 2018, I’ve seen and analysed a vast number of cyber incidents, many involving Business Email Compromise or Ransomware. It would be easy to focus solely on these threats and discuss how to mitigate them.
“However, the reality—much like the legal profession itself—is more complex than it seems. Just as no law firm is the same as another, the cyber risks each firm faces are also unique. Despite this, a common theme emerges.
“The biggest cyber risk for law firms isn’t the sophisticated cyber criminals or ‘advanced persistent threat’ actors that many might imagine. While these threats are real, the more significant and often overlooked risk is a lack of visibility and understanding of their own systems and data.
Figure: Visualisation of interconnected data points and nodes associated with a law firm’s internet footprint. The firm’s web domain is represented by the red dot.
“This lack of visibility is, by far, the most prevalent cyber risk I’ve observed across the profession. As a result, many law firms are blind to their cyber risk exposure.
“They may be unaware of the data they hold, the systems on which they store, process, and transmit that data, the state of that data while in storage and transit, and the extent to which data has proliferated across the network and the internet more broadly. And this is before they even begin categorising their data from a sensitivity perspective.
“Without that level of understanding, many law firms operate in a porous environment. While investment has been made into ICT and, in some cases, mandated security controls have been implemented, these measures are often incomplete due to a lack of comprehensive visibility and awareness of the firm’s ICT footprint.
“Furthermore, servers and hosts that are part of the firm’s ICT infrastructure can become increasingly riddled with software vulnerabilities, remaining unmaintained and unobserved. As a result, the firm remains blissfully unaware of the gaping holes in its security.”
What simple tips can you offer that firms should be doing now to protect themselves?
“Unfortunately, there are rarely ‘simple tips’ when it comes to protecting a law firm from cyber threats. I’ve often said – perhaps a bit tongue-in-cheek – that managing cyber risk involves working with people, processes, and ‘puters (or computers), with the objective being to ensure: people understand the risks and how their actions can mitigate them; processes are designed with risk mitigations built-in, rather than bolted on; and computers are appropriately configured to balance security with productivity.
“However, to offer a more nuanced perspective, I’ve found that real value for law firms comes from taking a deliberate approach to mapping their ICT and data, and then measuring the results against the CIA-triad (Confidentiality, Integrity, Availability).
“This approach not only enables a law firm to understand what ICT and data they actually hold, but also to visualise which assets should be considered ‘business critical’ or high-value. It helps firms comprehend the potential impact if a specific risk materialises and, by extension, identify which risks are high-priority from a mitigation perspective.
“This foundational work is often overlooked but is crucial for enabling law firms to deploy targeted and efficient security measures that are tailored to control the risks relevant to them.”
What is your role on the BAS?
“While it’s challenging to cover everything in the available time, my principal role under the QLS’s BAS program involves working with law firms to map their compliance obligations as outlined by Lexon’s ‘Cyber Protocol’, the Legal Profession Act 2007 (Qld), the Australian Solicitors Conduct Rules, and, where applicable, the Privacy Act 1988, as well as other relevant subscriber agreements, such as PEXA’s Subscriber Security Policy.
“I conduct a ‘desktop review’ to identify any gaps in compliance, helping firms ensure that they meet their various regulatory and contractual obligations.
“I also assist law firms in identifying appropriate security frameworks and baselines that they, or their IT service provider, can work towards to ensure their systems are compliant with these obligations.
“As a bonus for BAS referrals, I run OSINT (open source intelligence) tools to identify any potential risk points for subsequent validation and remediation.
“Additionally, I’ve conducted basic OSINT investigations to assist law firms that have been targeted by scammers attempting to execute a ‘brand hijack’, and provided tailored advice on specific aspects of cybersecurity and cyber risk when requested.”
Anything else you would like to add about cyber security?
“Alas, my observations of the legal profession are marked by many tragic stories, often the result of trying to save a dollar in the wrong place. The one thing I would implore every law firm to remember is that prevention is far better than cure.
“While investing in specialist services or deploying high-end systems may seem costly at first glance, these expenses are insignificant compared to the financial, reputational, and psychological tolls that a cyber incident can inflict on a law firm.”
The Business Advisory Service (BAS) offers guidance to members and their practices who need assistance in a range of areas including technology and cybersecurity. Contact the QLS Ethics Centre on 3842 5843, ethics@qls.com.au or via https://www.qls.com.au