Welcome to the “Cybersecurity Loop” – Edition #11

Every few weeks, I share a quick pulse on what’s happening in the world of cybersecurity – framed for law firm leaders and risk stakeholders across Australia. Think of it as your boardroom-ready headline brief: short, sharp, and trusted.

Here’s what’s hot this week — and what you should be thinking about.

🧨 HOT this week

Last week I was up in the beautiful Hunter Valley for a bit of work and pleasure. On the Saturday morning I ran a 75-minute Cyber Simulation exercise for a national law firm. There were some good conversations, and although there was a little bit of fear at the start, everyone came out of it with a strong idea of what can be achieved when well prepared!

What’s been happening in the world of cyber recently? Well, if you missed it, last Friday (30th May) the new Cyber Security law came into effect, which means that any business turning over more than $3 million AUD will have to report any ransomware payments they make. It will be interesting to see what effect this has on all sides going forward.

🔐 Cyber Bytes - 4 Stories worth noting

1. Ransomware attack on QLD law firm - Sadly, Ruddy Tomlins & Baxter were hit by the SafePay ransomware group last week. The incident is currently under investigation.

2. Last week, the Federal Bureau of Investigation (FBI) issued a warning to U.S. law firms about a financially motivated threat actor known as the Silent Ransom Group (SRG). Since early 2023, SRG has been actively targeting law firms using social engineering techniques like IT-themed callback phishing. Their approach is simple but highly effective:

🔹 Initial access is gained through phishing emails disguised as fake subscription charges or phone calls impersonating IT support.

🔹 Victims are tricked into installing remote access tools to share their desktop with the attackers.

🔹 Once inside, the attackers use hands-on keyboard access to search for and exfiltrate sensitive data.

🔹 There is no encryption. SRG operates on pure extortion, threatening to leak stolen data unless a ransom is paid.

🔹 They escalate pressure by following up with emails and direct calls to employees to force negotiations.
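The SRG chain above has two observable steps on the endpoint before any extortion note arrives: a remote-access tool starts that the firm's help desk did not sanction, and the same machine then pushes an unusual volume of data out. The following is an added detection example written for this newsletter, not code from the FBI advisory or from any vendor. The log format, host and user names, the product names on the watch list, the sanctioned tool "firm-helpdesk-remote" and the 90-minute / 200 MB thresholds are all assumptions; the advisory as summarised here names no specific tool, so the watch list should be populated from what your own EDR reports.

```python
"""Detection logic for the SRG pattern described above, run over constructed
endpoint telemetry.

Added example, not code from the newsletter or the FBI advisory. Log format,
host/user names, product names on the watch list and the thresholds are all
assumptions; the page names no specific remote-access tool.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: the firm's help desk uses exactly one sanctioned remote-support product.
SANCTIONED_REMOTE_TOOLS = {"firm-helpdesk-remote"}   # hypothetical product name

# Illustrative remote-access products (watch list). Populate from what your EDR
# actually reports; the sanctioned tool is listed so its starts are still matched.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "screenconnect", "splashtop",
                       "firm-helpdesk-remote"}

EXFIL_WINDOW = timedelta(minutes=90)          # assumed follow-on window
BULK_BYTES = 200 * 1024 * 1024                # assumed: 200 MB out of one workstation


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "process_start" or "net_out"
    detail: str    # process image name, or bytes sent


def parse(line: str) -> Event:
    """Constructed pipe-delimited format: ts|host|user|kind|detail."""
    ts, host, user, kind, detail = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)


def find_alerts(lines):
    """Return (host, alert_type, detail) tuples for the two-stage pattern:
    an unsanctioned remote-access tool starting, then bulk outbound traffic
    from the same host inside EXFIL_WINDOW."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e.ts)
    alerts = []
    first_remote_start = {}   # host -> time the unsanctioned tool first started
    for e in events:
        if e.kind == "process_start":
            name = e.detail.lower().removesuffix(".exe")
            if name in REMOTE_ACCESS_TOOLS and name not in SANCTIONED_REMOTE_TOOLS:
                alerts.append((e.host, "unsanctioned_remote_tool", e.detail))
                first_remote_start.setdefault(e.host, e.ts)
        elif e.kind == "net_out" and e.host in first_remote_start:
            recent = e.ts - first_remote_start[e.host] <= EXFIL_WINDOW
            if recent and int(e.detail) >= BULK_BYTES:
                alerts.append((e.host, "bulk_outbound_after_remote_tool", e.detail))
    return alerts


# Constructed telemetry: WS-17 shows the full chain; WS-03 is the help desk's
# sanctioned tool plus normal traffic; the 13:00 transfer is outside the window.
SAMPLE_LOG = [
    "2025-06-02T09:05:00|WS-17|jsmith|process_start|outlook.exe",
    "2025-06-02T09:12:00|WS-17|jsmith|process_start|AnyDesk.exe",
    "2025-06-02T09:40:00|WS-17|jsmith|net_out|734003200",
    "2025-06-02T10:00:00|WS-03|helpdesk|process_start|firm-helpdesk-remote.exe",
    "2025-06-02T10:30:00|WS-03|helpdesk|net_out|314572800",
    "2025-06-02T13:00:00|WS-17|jsmith|net_out|262144000",
]

if __name__ == "__main__":
    for host, kind, detail in find_alerts(SAMPLE_LOG):
        print(f"{host}: {kind} ({detail})")
```

The first alert on its own is the cheap, high-value control: any remote-access product outside the sanctioned one should be a ticket the help desk has to close, because in the SRG pattern the victim installs it willingly on a caller's instruction. The second stage exists to raise priority, since a help-desk false positive rarely comes with hundreds of megabytes leaving the workstation within the hour.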

3. Australians lost $119m to scams in the first four months of 2025 - Australians reported 72,230 scams to Scamwatch in the first three months of 2025, an encouraging decrease of 24 per cent compared to the same period last year. However, while that news appears to be good – many Australians still do not report scams – the monetary losses to scammers have increased by an alarming 28 per cent to $118,993,148.

4. A recent survey found that 62% of Australian law firms experienced at least one significant security incident in the past year, with 28% reporting multiple incidents, according to confidential research from the Law Council of Australia. This alarming statistic highlights the critical need for enhanced security measures across the legal sector, particularly as attackers increasingly view law firms as high-value targets with valuable client data and often inadequate protections.

Tool

BigID

BigID: This powerful data discovery and classification tool helps law firms identify where sensitive client information resides across their networks. By automatically scanning, mapping and classifying sensitive data across your firm's environment, BigID enables you to understand exactly where client confidential information, financial details, and personally identifiable information exists.

This visibility is crucial for Australian law firms needing to comply with both Privacy Act requirements and the new Cyber Security legislation. Several of our clients have reported identifying previously unknown data repositories containing sensitive information within their first month of implementation.

Tip

We recently conducted a social engineering campaign as part of a penetration testing assessment for a law firm in Hong Kong. Using a convincing look-alike domain to lure users to click through to a compliance policy update, we were able to ensnare more than half of the targeted users in giving up usernames and passwords. If this had been a real cyber attack, by the time they reported the incident to their IT department it would have been too late.
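The look-alike domain is the part of that campaign a mail gateway can catch before a user ever sees the lure. Below is an added example of that check, written for this newsletter and not taken from the engagement described above or from any product. The firm domain "example-lawfirm.com.au", the sender addresses, the confusable-character table and the edit-distance threshold are all constructed assumptions; the idea is to compare the organisation label of each inbound sender domain against the firm's own label after folding the usual visual substitutions, and to treat the firm's domain appearing under someone else's registration as suspicious too.

```python
"""Triage inbound sender domains against the firm's own domain for look-alikes.

Added example, not code from the newsletter. The firm domain and every sender
address below are constructed. Verdicts: "own" (the firm's domain or one of its
subdomains), "lookalike" (visually similar label, same label under a different
TLD, or the firm's domain nested under another registration), "unrelated".
"""

FIRM_DOMAIN = "example-lawfirm.com.au"   # hypothetical firm domain

# Visual substitutions commonly used to fake a domain, folded before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

EDIT_THRESHOLD = 2   # assumed: labels within this many edits of ours are suspicious


def normalise(label: str) -> str:
    """Lower-case the label and collapse confusable sequences."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    domain = domain.strip().lower().rstrip(".")
    if domain == FIRM_DOMAIN or domain.endswith("." + FIRM_DOMAIN):
        return "own"
    # Our domain used as a subdomain of someone else's registration.
    if FIRM_DOMAIN in domain:
        return "lookalike"
    firm_label = FIRM_DOMAIN.split(".")[0]
    sender_label = domain.split(".")[0]
    if edit_distance(normalise(sender_label), normalise(firm_label)) <= EDIT_THRESHOLD:
        return "lookalike"
    return "unrelated"


def triage(addresses):
    """Map each e-mail address to a verdict on its domain part."""
    return {addr: classify_domain(addr.rsplit("@", 1)[1]) for addr in addresses}


# Constructed sender addresses covering each verdict.
SAMPLE_SENDERS = [
    "partner@example-lawfirm.com.au",
    "it-support@mail.example-lawfirm.com.au",
    "compliance@examp1e-lawfirm.com.au",
    "compliance@exarnple-lawfirm.com.au",
    "helpdesk@example-lawfirm.co",
    "notices@example-lawfirm.com.au.policy-update.net",
    "registry@fedcourt.gov.au",
]

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {addr}")
```

In practice this runs as a gateway or transport rule that tags "lookalike" mail with a banner and routes it to a quarantine queue rather than blocking outright, since genuine third parties occasionally have names close to your own; the threshold of 2 edits is a starting point to tune against a month of real inbound mail, and registering the obvious variants yourself removes the most common ones from circulation altogether.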

Implement regular phishing simulation tests specifically designed around legal scenarios to train staff on recognising sophisticated attacks targeting case information or client communications.

These simulations should be conducted at least monthly, with results tracked by department to identify vulnerable areas. The most effective programs gradually increase in sophistication and include immediate training for those who fail tests. One mid-sized firm we work with reduced their click rates from 75% to under 5% within six months using this targeted approach.

Resource

⏱️ Free 72-Hour Cyber Crisis Response Kit – Are You Ready?

What happens in the first 72 hours after a cyberattack can make the difference between a manageable incident and a practice-ending disaster.

Cyooda’s free Cyber Crisis Response Kit reveals why most law firms fail spectacularly when ransomware hits—and how their colour-coded framework has helped firms navigate the chaos when every second counts. Built from 25+ years of real-world cybercrime investigations, this isn't another generic checklist. It's a battle-tested roadmap that tackles the three critical pillars: People, Process, and Technology.

The sobering reality? Firms without a formal incident response plan see response times triple, data exposure increase by 70%, and recovery costs balloon by 2-3x. But here's the twist—preparation isn't just about having a plan, it's about having the right plan that actually works under pressure.

Ready to stress-test your firm's cyber resilience before it's too late?

Quote

"The greatest cybersecurity risk to law firms isn't technology failure—it's the belief that your firm isn't a target. The reality is that you're not just protecting your data; you're protecting your clients' most sensitive information and, ultimately, your reputation and their trust." - CISO of a top-tier Australian law firm (2025 Legal Innovation Forum)

Have something to add or a question for an upcoming edition? Drop me a message — I’d love to hear what’s top of mind for you right now.

Until next time, stay secure. — John Reeman

Cyber Strategy | Cyber Defence | Cyber Incident Response — for Law Firms
