
Basic cyber steps can block most attacks


October is Cyber Security Awareness Month, and the Australian Government has identified three critical basic areas for focus. These three simple steps can block or reduce 85 to 90 per cent of the impact of the main attacks on small law firms* – a lot of protection for not a lot of effort.

First, we take a quick look at critical area one: Keeping software up to date.

The ethical and professional duty

Law firms have an ethical duty and, in many cases, a statutory obligation to take “reasonable steps” to protect the confidentiality of client information.1 We also face a strong practical imperative to keep our systems as secure as possible to prevent fraud and catastrophic damage to client relationships.

In an environment where criminals thrive on chaos and disruption,2 maintaining basic cybersecurity standards is not optional – it is fundamental to our duty of care to clients. The good news is that basic measures can have a big impact on your firm’s risk.

What is patching and why does it matter?

There is a permanent cold war between software companies and hackers. Hackers find vulnerabilities in systems and the vendors release a way to prevent these being exploited – “patching” the hole. Unfortunately, these patches only protect you if your firm’s devices (and your employees’ own devices) have applied the patch. The longer you and your staff take to apply updates, the larger the window criminals have to attack your business.

Patching matters because unpatched systems are low-hanging fruit for cyber criminals. Once a vulnerability becomes public knowledge (which happens when a patch is released), attackers have a roadmap for exploitation. Every day a critical patch remains unapplied is a day your firm remains unnecessarily exposed to attack.

Real-world consequences: A UK example

The consequences of failing to patch are not theoretical. In March 2022, the UK Information Commissioner’s Office (ICO) fined a small firm, Tuckers Solicitors, £98,000 following a ransomware attack that encrypted nearly one million of their files, with 60 court bundles published on the dark web.3 Tuckers had delayed patching a critical vulnerability in Citrix software for several months.

The ICO concluded that while the attacker bore primary culpability, Tuckers had given them a “weakness to exploit” and failed to implement appropriate security measures.4 The regulator specifically noted that given the highly sensitive personal data Tuckers was processing – including special category data of very vulnerable individuals – the firm should have taken reasonable steps to identify and mitigate risks. The fine was on top of the several hundred thousand pounds spent fixing the damage caused by the attackers and unquantified costs from lost clients and productivity.

Financial Incentives: Insurer’s expectations

QLS Member Firms** have the benefit of the Cyber Essentials insurance policy – base insurance of $50,000 to help repair damage after an attack. The policy requires firms to ensure all software patches are applied promptly, with a progressive penalty excess applying for patches not applied within 45 days of becoming available.5

This means that failure to patch not only increases your cyber and regulatory risk but can also reduce your insurance coverage precisely when you need it most. Your firm’s cover may be reduced if you do not protect your network environment appropriately, and this includes keeping systems current with security updates. Lexon, Pexa and other stakeholders have similar expectations.

Not just firm-owned devices

Like a virus, infection and intrusion can spread between hardware and accounts. It is quite common for law firm data to be lost because of an attack on a staff member’s personal phone or computer. This arises either because firm data was accessed on the private device or because an intrusion on one device was used to access the main network.

Staff should be made aware of the issue and encouraged to ensure their home network is as secure as possible. (See the QLS Guide here)

How to keep software up to date

Implementing effective patch management does not need to be overwhelming, even for smaller firms. Here are the essential steps:

Enable automatic updates

For most systems, automatic updates should be enabled wherever possible. Modern operating systems (Windows, macOS, iOS, Android) all offer automatic update capabilities. This is your first line of defence.

Responsibility: If it is nobody’s job, nobody will do it.

Not all updates are automatic. Some need to be prompted or might need a download process with a bit of technical knowledge required. Develop a clear policy that defines:

  • Who is responsible for monitoring and applying patches (ideally your IT support person or provider, who should be able to do this for a modest cost);
  • Timeframes for applying different severity levels of patches (critical patches should be applied within 14 days, ideally sooner);
  • Testing procedures for critical systems before rolling out patches (to ensure anything which stops working can be fixed before it interferes with work requirements);
  • Documentation requirements.

Work out how many devices have access to your data


You cannot patch what you do not know exists. Maintain a current inventory of all devices, software, and systems in use across your firm, including:

  • Desktop and laptop computers;
  • Mobile devices (phones and tablets);
  • Servers (including cloud-based systems);
  • Network equipment (routers, firewalls);
  • Installed software (operating systems and applications);
  • Third party devices owned by staff or contractors with access to your systems.

Prioritize critical risks

Not all patches are equally urgent, although keeping track of what is or isn’t urgent is probably a job for an IT pro. New vulnerabilities are evaluated and given an identification number (a CVE) and a risk score (a CVSS rating) from one (less serious) to 10 (stop-everything-and-fix-it-now).

High-rated vulnerabilities may need to be addressed sooner than your usual patching schedule allows. Ideally you should have an arrangement with someone to match new advisories against the software in use on your network and decide how urgently action is needed. Simply having every new CVE sent to (say) the firm’s principal without filtering will quickly be ignored, like a fire alarm that chirps at 3am.
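As an added illustration (not part of the original article and not a QLS or insurer tool), the following Python script shows the kind of filtering described above and ties it to the policy section: it matches a constructed software inventory against constructed advisories with placeholder CVE identifiers, applies the 14-day window for critical patches and the insurer’s 45-day excess threshold, and flags end-of-life products for which no patch will come. All device names, versions, advisories, scores and dates are hypothetical.

```python
from datetime import date, timedelta
# Constructed sample inventory: hypothetical devices and versions, not a real firm.
INVENTORY = {
    "reception-pc":   {"Citrix Workspace": "23.5.0", "PDF Reader": "11.2"},
    "partner-laptop": {"Citrix Workspace": "24.1.0", "PDF Reader": "11.2"},
    "old-scanner-pc": {"Legacy OCR Suite": "4.0"},
}

# Constructed advisories with placeholder ids (not real CVEs). A fixed_in of None
# means the vendor has declared the product end-of-life: no patch will ever come.
ADVISORIES = [
    {"id": "CVE-0000-0001", "product": "Citrix Workspace", "fixed_in": "24.0.0",
     "cvss": 9.8, "published": date(2025, 9, 20)},
    {"id": "CVE-0000-0002", "product": "PDF Reader", "fixed_in": "11.3",
     "cvss": 5.4, "published": date(2025, 9, 1)},
    {"id": "CVE-0000-0003", "product": "Legacy OCR Suite", "fixed_in": None,
     "cvss": 7.5, "published": date(2025, 8, 15)},
]
AS_OF = date(2025, 10, 10)  # constructed "today" for the sample run

def version_tuple(v):
    # '24.1.0' -> (24, 1, 0), so versions compare numerically rather than as text
    return tuple(int(p) for p in v.split("."))

def days_allowed(cvss):
    # Policy window from the text: critical within 14 days; 45 days is the
    # insurer's outer limit after which the penalty excess applies.
    return 14 if cvss >= 9.0 else 30 if cvss >= 7.0 else 45

def triage(inventory, advisories, today):
    """Match advisories against installed software and compute patch deadlines."""
    findings = []
    for device, installed in inventory.items():
        for adv in advisories:
            ver = installed.get(adv["product"])
            if ver is None:
                continue  # product not on this device: the advisory is noise here
            if adv["fixed_in"] is None:
                action = "no patch: isolate or replace"
            elif version_tuple(ver) < version_tuple(adv["fixed_in"]):
                action = "patch to " + adv["fixed_in"]
            else:
                continue  # already at or beyond the fixed version
            due = adv["published"] + timedelta(days=days_allowed(adv["cvss"]))
            findings.append({"device": device, "id": adv["id"], "cvss": adv["cvss"],
                             "action": action, "due": due, "overdue": today > due,
                             "insurer_excess": today > adv["published"] + timedelta(days=45)})
    # Highest CVSS first, then earliest deadline: a short list a principal can act on
    return sorted(findings, key=lambda f: (-f["cvss"], f["due"]))
```

Running `triage(INVENTORY, ADVISORIES, AS_OF)` on the sample data yields four findings, with the overdue critical Citrix item first and the end-of-life scanner software flagged as already past the insurer’s 45-day limit.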

Stop using obsolete software

When vendors no longer support hardware or software (end-of-life), no new patches will be released. This can be annoying as the system may still work well and everyone is used to it. However, it is no longer appropriate for professional use and will be an ongoing and increasing risk. Plan for replacement, and don’t let a Partner’s annoyance at having to put up with changes to their laptop put you off.


Legacy software which is still needed occasionally but can’t be updated should probably run on a stand-alone device with no internet access if no other option is available.

What all law firms should do

Every law firm, regardless of size, should:

  1. Do a quick audit – Understand what devices and software you have and their current patch status;
  2. Assign responsibility – Designate someone (internal staff or external IT provider) to monitor for and apply security updates;
  3. Implement automatic updates wherever possible;
  4. Establish a testing and deployment schedule for critical systems;
  5. Document your patch management processes for compliance and insurance purposes;
  6. Train staff to recognize update notifications, understand why they matter and not click “update later” for weeks on end.

For firms without dedicated IT staff, engaging a qualified managed service provider can ensure patches are monitored and applied systematically.

For additional cybersecurity resources and guidance, visit the QLS Cybersecurity page at qls.com.au/Practising-law-in-Qld/Resources/Cybersecurity

Footnotes
1 Proctor. (2025, August). “Cyber security course for QLS members.” https://www.qlsproctor.com.au/2025/08/cyber-security-course-for-qls-members/
2 InfoTrack. (2024, August). “Spotlight on QLD: Cyber Security and the transition to e-conveyancing.” Interview with David Bowles, Queensland Law Society. https://www.infotrack.com.au/news-and-insights/spotlight-on-qld-cyber-security-and-the-transition-to-e-conveyancing/
3 Legal Futures. (2022, March). “Top criminal law firm fined £98,000 for cyber-security ‘negligence’.” https://www.legalfutures.co.uk/latest-news/top-criminal-law-firm-fined-98000-for-cyber-security-negligence
4 Information Commissioner’s Office (ICO). (2025, April). “Law firm fined £60,000 following cyber attack.” https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/04/law-firm-fined-60-000-following-cyber-attack/
5 Queensland Law Society. “QLS Cyber Essentials Insurance.” https://www.qls.com.au/Services/Business-Services/Cyber-Essentials-Insurance
Additional reference: Cyber Wardens. “Simplified Cyber Security for Australian Small Business.” https://cyberwardens.com.au/
Additional reference: CyberCert. “Certified Cybersecurity Simplified for SMBs.” https://cybercert.ai/
*32 per cent of cyberattacks begin with an unpatched vulnerability, while 60 per cent of all data breaches are directly linked to (or made worse by) unpatched software: CommSec Cyber Security, “Patch Management and Software Updates: A Practical Guide”. Phishing and password re-use also contribute to more than 50 per cent of successful attacks: QLS review: password policies.
** Firms (1) insured by Lexon and (2) in which ALL “Principals” are full or honorary QLS Members.
