Law Firms Under Fire: Australia's Cyber Wake-Up Call
Australia’s cyber threat environment has not improved. It has hardened.
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report 2024–25 recorded more than 84,700 cybercrime reports during the reporting period, equivalent to one report every six minutes. The ACSC also responded to more than 1,200 cybersecurity incidents, an 11% increase year-on-year, while notifications of potentially malicious cyber activity rose by 83%.
For Australian law firms, the threat is no longer theoretical. It is sector-specific, escalating, and increasingly regulated.
- 84,700+ cybercrime reports in FY2024–25, one every six minutes
- $80,850: average cost per cybercrime incident for businesses, up 50% year-on-year
- 51% of Australian organisations reported AI-powered threats in 2025
Why Law Firms Are Targeted
Legal practices hold client files, litigation strategies, trust account records, intellectual property, and transaction data. These assets are valuable to both cybercriminals and state-sponsored actors.
At the same time, law firms often operate complex technology environments that combine cloud services, document management systems, email platforms, mobile devices, and third-party legal technology providers. This creates multiple avenues for attack.
Identity-based attacks are increasingly replacing traditional malware as a preferred method of gaining access. Credential theft, session hijacking, and compromised service accounts have become common pathways into business systems. Multi-factor authentication remains one of the most effective controls against these attacks, yet compromised credentials continue to drive a significant proportion of cyber incidents.
Business email compromise also remains a major threat to legal practices. Firms involved in conveyancing, commercial transactions, estate administration, and trust account management are particularly exposed. Criminals who gain access to email accounts can monitor communications, alter payment instructions, and redirect funds with devastating financial consequences.
Artificial intelligence is further accelerating the threat landscape. AI-enabled tools allow threat actors to create more convincing phishing campaigns, automate reconnaissance activities, and scale attacks more rapidly than ever before.
Regulatory exposure has also increased materially. Since 30 May 2025, organisations with annual turnover exceeding $3 million must report ransomware and cyber extortion payments to the Australian Government within 72 hours under the Cyber Security Act 2024 (Cth). Serious or repeated interferences with privacy may also attract civil penalties of up to AU$50 million or 30% of adjusted turnover, whichever is greater, under the Privacy Act 1988 (Cth).
As cyber risk grows, so too does regulatory scrutiny.
“In 2025, threat actors hit Australia hard. The mega-breaches that tested some of our largest brands revealed basic security failures and forced regulators to tighten compliance oversight further.” — Kinetic IT, Australian Cyber Security Outlook 2026
The Essential Eight Is a Baseline, Not a Ceiling
The ACSC’s Essential Eight framework is Australia’s most widely recognised cybersecurity baseline. Developed from ASD’s experience responding to incidents and producing threat intelligence, it identifies eight mitigation strategies that prevent, detect, or significantly limit the impact of the most common cyberattacks affecting Australian organisations.
For law firms, the Essential Eight is increasingly becoming the minimum standard expected by cyber insurers, enterprise clients, government agencies, and regulators.
The eight controls, and their relevance to legal practice, include:
Application Control: Prevents unauthorised software from executing, including malware delivered through phishing emails or malicious attachments.
Patch Applications: Reduces exposure to known vulnerabilities in browsers, PDF readers, Microsoft Office applications, and legal software platforms.
Configure Microsoft Office Macro Settings: Mitigates one of the most common document-based attack vectors.
User Application Hardening: Reduces the attack surface of browsers, productivity applications, and internet-facing software.
Restrict Administrative Privileges: Limits attackers’ ability to move laterally through systems after an initial compromise.
Patch Operating Systems: Addresses vulnerabilities in operating systems frequently targeted by sophisticated threat actors.
Multi-Factor Authentication: Provides a critical defence against credential theft, account takeover, and business email compromise.
Regular Backups: Supports recovery from ransomware, data destruction, and operational disruption.
The Gap Most Firms Do Not Acknowledge
Many firms recognise the importance of cybersecurity. Far fewer can demonstrate that foundational controls are consistently implemented, monitored, and tested.
The ACSC identifies Maturity Level 1 as an achievable starting point for many organisations. Yet for numerous firms, even this baseline remains a work in progress.
Market expectations are changing rapidly. Cyber insurers increasingly require evidence of security controls before issuing or renewing policies. Corporate clients are incorporating cybersecurity assessments into panel reviews and supplier onboarding processes. Government- and defence-related legal work may also require firms to demonstrate appropriate cybersecurity maturity.
In practice, Essential Eight implementation is becoming less of a compliance exercise and more of a commercial necessity.
Beyond the Essential Eight
The Essential Eight remains one of the most effective frameworks available for reducing cyber risk. However, compliance alone does not create resilience.
Many of today’s most significant threats extend beyond the framework’s scope.
AI-enabled phishing campaigns continue to evolve. Supply chain compromises increasingly target trusted software providers and service partners. Identity attacks exploit sprawling cloud environments, privileged accounts, and third-party integrations.
Law firms are particularly exposed to third-party risk because they depend heavily on legal technology vendors, managed service providers, cloud platforms, and document automation solutions. A vulnerability in a trusted supplier can become a vulnerability within the firm itself.
This is why the ASD now recommends organisations operate with an “assume compromise” mindset. The focus is shifting from preventing every attack to identifying critical assets, quickly detecting malicious activity, and recovering effectively when incidents occur.
Cyber Resilience Is Now a Business Imperative
The Essential Eight will not eliminate cyber risk.
It will, however, significantly reduce the likelihood and impact of the attacks most commonly affecting Australian organisations.
For law firms, cybersecurity is no longer solely an IT responsibility. It is a business resilience issue, a client trust issue, a regulatory issue, and increasingly, a competitive differentiator.
The firms that invest in foundational controls today will be better positioned to protect client information, maintain operational continuity, satisfy client due diligence requirements, and respond to an increasingly hostile cyber threat environment.
The Essential Eight is not the finish line. It is the starting point.
Disclaimer: This article provides general information only and does not constitute legal, cybersecurity, or technical advice. Organisations should seek independent professional guidance appropriate to their specific circumstances and regulatory obligations.