Lucky dip – are you overestimating your cybersecurity safeguards

Rather than being overly optimistic or pessimistic about cybersecurity risks, law firms should take definite actions to protect their businesses, writes Ronwyn North.

Security experts warn that law practices are failing to take cyber risk and cybersecurity seriously enough. Is your law firm one of those practices and, if so, why isn’t management doing more? If your firm is not one of those and it is confident in its cybersecurity safeguards, what’s the risk that such confidence is misplaced?

In either case, one of the biggest challenges in promoting better cybersecurity is dealing with that all-too-common human trait of over-optimism. This column explores the nature of optimism and provides an insight into how to tell if your firm is overly optimistic, or perhaps not optimistic enough, in its approaches to information protection or cybersecurity.

How does your firm rate?

As a starting point, here are three questions your management team should ask.

1. With regard to cyber attacks or data breaches, would you rate your firm’s risk as lower than average, average, or higher than average compared with other law practices?

2. Would you rate your firm’s cybersecurity and information safeguards as better than average, average, or worse than average?

3. Would you rate your firm differently in the earlier questions if winning new work or lower insurance premiums depended on your answer?

Studies have found that the majority of people will rate themselves more favourably than others in terms of the likelihood of experiencing positive or negative events and with regard to their qualities or abilities. Firms may be well advised to keep that in mind when considering their responses to those three questions.

Optimists and pessimists

Optimism is described as a hopefulness, an expectation or a confidence about good things in future. The tendency to look on the bright side with regard to ourselves and see bad things as more likely to happen to other people is called optimism bias. Such bias can be beneficial, or dangerous. It is beneficial in that it helps motivate us to take risks to succeed, expend energy to push past obstacles and bounce back from setbacks. It is dangerous when it leads us into recklessness, or to seriously underestimate the risks, or overestimate our capacity for action and resilience.

The opposite of optimism bias is pessimism bias, which is the tendency to look on the dark side and overestimate the likelihood of bad things and underestimate the likelihood of good. While it is less common than optimism bias, pessimism bias can also be beneficial or dangerous. In a mild form, it may give us a more realistic and accurate view of risks and abilities, but it may also lead to over-cautious risk aversion and unnecessary safeguards. It may also demotivate us from further action because we assume our efforts are doomed to fail.

These are not idle reflections. Optimism bias is so pervasive that many decision-making models now have formulas to adjust for it. For example, financial modelling for infrastructure projects may require reassessment of estimates of time, costs and outcomes to counter optimism bias. At the pessimism end of the spectrum, some readers may remember the over-reaction to Y2K (the computer flaw that many expected to cause problems when dealing with dates beyond December 31, 1999). There were predictions of disaster to the extent that people stockpiled food and companies mounted project upon project in anticipation of system malfunctions when the clocks ticked over at midnight 1999 into the new millennium. And nothing much happened!

Towards better cybersecurity

In cybersecurity circles it is said that there are only two types of law practices: those that know they are being hacked and those that don’t. Which kind of law practice are you, and are you paying too little, too much or just the right amount of attention to cyber risk and security? Think about the extent to which you and your people believe that:

  • cyber risk is real;
  • your firm could be hurt; and
  • there are more or better things your firm can do to protect itself.

The overly optimistic will tend to see the risk of cyber crime and data breaches as:

  • overstated;
  • a bigger problem for other firms than their firm, both in likelihood of occurrence and severity of consequences; and
  • adequately addressed by existing safeguards.

The overly pessimistic firms may see the risks as overwhelming and do nothing in the belief that the odds of effective protection are stacked against them. Or they may see themselves as more vulnerable than they are and develop a siege mentality whereby over-the-top safeguards become counterproductive or a waste of time and money.

Perhaps Australia, as a country, has been overly optimistic and has underappreciated the need for better cybersecurity until now. Only in April 2016 did the Department of Prime Minister and Cabinet launch Australia’s National Cybersecurity Strategy, well after similar initiatives in many other Western countries. The strategy makes it clear that cybersecurity is everyone’s responsibility and that governments and law enforcement alone cannot promote and protect the country’s cyber interests. Another Australian government resource is the Australian Signals Directorate website, which has its Top 4, Top 8 and Top 35 cybersecurity strategies, along with some video and other resource materials.

In response to the new national strategy, the Law Council of Australia was quick off the mark to rise to the challenge and in December 2016 launched its Cyber Precedent Toolkit for the legal profession. The Law Council itself and various state law societies have emailed members extensively about this excellent resource. However, I fear the take-up is slow. Last month, I delivered several end-of-year CPD seminars on cyber risk and hardly anyone had heard of the Australian Cybersecurity Strategy, the Australian Signals Directorate Top 4 or the Cyber Precedent resource. Even those who were aware of the Law Council resource have not yet done anything with it in their law practice.

To my mind this could be an example of over-optimism and shows how difficult it can be to communicate and change perceptions about risk. We need to understand more about why law practice leaders and practitioners do not see cybersecurity as a higher priority and fail to appreciate that, in this day and age of increased use and dependency on technology, the risks and consequences of data breaches, systems outages and cybercrime are very real and more severe than in the past.

Lawyers know the importance of getting the facts in client matters, and facts are critical also to help counter over-optimism, pessimism or scepticism in relation to cyber risk and cybersecurity. You owe it to yourself, your clients and, you might say, your country to inform yourself about cyber risk and make a proper security risk assessment of your practice. Do it now before you lose an important client or matter because you cannot demonstrate a sufficiently robust approach to confidentiality, data protection and system continuity.

What your firm should do

To develop a cybersecurity strategy, your firm will need a sound understanding of what is happening out there in the real world, among its clients and peers and inside its practice. Inform the people in your firm and form a view about the following questions.

  • What are your firm’s most important assets at risk? (e.g. information, equipment, funds)
  • What are the key risks to the confidentiality, availability and integrity of those assets? (e.g. data breaches, IT system outages, falsified records)
  • Who is most likely to target your practice? (e.g. organised cybercriminals, ‘hacktivists’, terrorists, state-sponsored agents, rogue insiders)
  • What will be the most likely causes? (e.g. types and incidence of cybercrime, system or process failures, human factors)
  • What are the possible consequences and how bad could they be? (consider various scenarios that put your firm out of pocket or out of business)
  • What are your firm’s key security safeguards or countermeasures? (e.g. technology, processes and people, insurance) Are they effective? Are they well matched and proportional to the risk? Do they meet client, staff and supplier needs and expectations? How do you know? (e.g. what research, monitoring, auditing and testing is your firm doing?)
  • What is best practice in cybersecurity? What are your peers doing? How does your firm’s approach compare?
  • What are your firm’s plans and priorities for strengthening its approach and reducing exposure?

As mentioned, the Law Council Cyber Precedent Toolkit is an excellent resource and starting point. You can access it here: https://lawcouncil.au/lawcouncil/cyber-precedent-essentials/cyber-precedent-reality. In developing your cybersecurity strategy you will be aiming to find the sweet spot between security and openness, cost and benefit, and risk and reward.

Ideally, good information about the external and internal cybersecurity landscape will persuade the optimists and reassure the pessimists, with the caveat that another cognitive bias causes us to seek out and interpret data that supports our existing views (but I won’t digress further).

If you still can’t get traction with the delusional optimists, don’t worry, because you will get their attention eventually. Unless they lead a particularly charmed life, it is almost inevitable they will suffer the first-hand experience of a cyber incident, be it a mis-sent email, a lost device, a malware attack or a social engineering scam. With luck, it will be a close call, not a catastrophe, but some firms seem doomed to only learn the hard way. Bide your time, but be ready to act quickly to implement change when the opportunity arises.

Until then, safe practice!

Ronwyn North is the managing director of Streeton Consulting and a qualified lawyer who specialises in consulting to the legal profession on practice management issues, including risk management. She can be contacted at rjnorth@streetonconsulting.com.au.