Search
Close this search box.

Spotlight on QLD: Cyber Security and the transition to e-conveyancing

Working female lawyer on a phone

Lee Bailie InfoTrack’s General Manager of Products and Innovation recently interviewed David Bowles from the Queensland Law Society (QLS). They spoke about the state of play in Queensland, how COVID-19 may be affecting Queensland lawyers and where lawyers can turn if they are finding COVID-19 is creating challenges for their firm in everyday business.

Currently with all that is going on with COVID-19 in Queensland, what impacts are you seeing on the legal profession?

Well, these times are certainly fairly dramatic and it’s not just small firms who are impacted. It’s throughout the entire ecosystem – there’s been a huge financial impact as you can imagine and a great many firms are now doing work for clients that they know are possibly insolvent and they’re really very concerned that these clients relationships that they’ve built up over many years might be disappearing underneath them so there’s that.

The financial aspect as you know a good many small firms that are under stress anyway and this has been a truly very significant blow to them as well on the whole in terms of just getting the work out the door. I’ve been very impressed with the way that Queensland practitioners have been able to do that on the whole; have just rolled up their sleeves got stuck in and really just making the best with what they’ve got available and getting stuck in and doing it. So, I’m really generally speaking with the people we’ve encountered who have done a very good job and you know on the whole, there are those who are approaching QLS for advice on a practical level for example “how do you witness this? How do you connect with that or how do you get the courts filing” and that sort of thing.

Is there any particular success stories or elements that you’ve seen in our lawyers that have been battling the situation with COVID-19 or anything you’ve noticed or picked up?

Certainly, their ability to transition into the new reality. In the past, you know firms that have been not particularly quick to pick up on technical innovation very quickly worked out:

  • how to do the videoconferencing,
  • how to push the data systems to the cloud very quickly,
  • how to get things connected and working.

So there are firms for whom this is a real challenge but they’ve risen to that challenge and on the whole the larger firms already had that in place but it’s the little firms who have had to adapt quickly and have tended to be most resilient because of their small infrastructure. They were the ones quickest to pivot.

It’s midsize firms I think that took probably the biggest hit because they’ve got a lot of legacy systems, which rely on local area networks and that sort of thing so they’ve had, I think, the toughest job. But most of them are well and truly able to work remotely now and I think they’ve got that all sorted out in terms of particular sectors. For criminal law firms – they’ve have had a real challenge because obviously dealing with people who are incarcerated there’s physical risks to them. The real challenge is that these firms are desperate to get people out of jail who didn’t need to be there because of the risk to the clients.

Also criminal law tends to be very face-to-face and group meetings so they’ve had a really significant challenge to contend with. They’re just not across what they’ve needed to do to make sure that the only people in Queensland jails are the ones who really need to be there in the best interest of public safety.

The cyber security concerns that we now see and you know they’ve always been prevalent in many areas of law but also in in business as a whole.

Are you seeing more concerns around that as people are working from home? Do you feel that there is greater diligence now placed on all firms?

Well yes. The people are losing sleep but not as much as they should. You know this has been a very challenging environment; criminals thrive on chaos. They really enjoy disruption and that we’ve had a great deal of. Law enforcement and the insurers all reporting an uptick in attacks on all sorts of firms – particularly professional services firms that are in part impacted by remote working. But also people who are distracted and upset and worried about other things are far more likely to click on the wrong link. There’s this perfect storm that has led to an increased threat environment and unfortunately we’ve seen the criminals very quick to step in and take advantage of that. I read a figure last week that said Google currently is blocking nearly 18 million phishing email times per day and now I know that’s globally, but part of that would obviously be coming to Australia be coming to Queensland.

Lee: The criminal activity out there is not only starting to gather pace. Criminals jump in when there’s disruption and chaos. We’ve seen that at the moment and people do let their guard down through sleep deprivation, through literally doing two or three jobs and managing multiple tasks at a time. I think you’re aware that at InfoTrack we have our complimentary cyber security awareness training we’ve been running for a period of time. We’ve seen a number of our mutual clients take up that complimentary training and earn their CPD unit. We also have our environment Securexchange which is built around sharing both confidential documents but also financial details such as bank accounts in a secure environment and as you would expect we’ve had quite a lot of interest from both our lawyers and conveyancers around the country. Interestingly, also real estate agents now as well.

You recently shared some intelligence with us about a Trojan horse attempt on a firm called Gozi Injects.

Do you want to elaborate a little bit just to share with some of our listeners what will actually happen there? Without obviously naming names.

Loss of sleep is the phrase that I used and it’s certainly one that’s been keeping me up at night and I think anyone that brands the trust account needs to take very close attention to this particular problem. So, the story is pretty straightforward: a regional firm in Queensland couldn’t log into their trust account and fortunately they were on the ball and didn’t just sort of write it off. They said no there’s something not right here. When they couldn’t get on to the website, they got straight on to the bank. The bank told them that there were transactions going on. One had been affected during their lockout period and they very quickly ascertained that $40,000 had been withdrawn from their trust accounts without authorisation. Luckily, that money was still in the UK. A lot of these things happen on Fridays because the attackers hope that you will not notice it over the weekend, and it was a very bad weekend for the practitioner who was responsible for that money.

It doesn’t really matter how it happens when a trustee loses funds. They often are liable for that personally and it’s a very unpleasant experience so from that firm’s perspective that was a truly horrible weekend for them and this is a first as far as I know. It’s the first in Australia, it’s definitely the first in Queensland.

The usual way that money is stolen is by tricking somebody in the firm into diverting it to the wrong account but this is far more insidious. Effectively the malware got onto the system, the firm sat down and they just did a standard transfer so they are looking up at the normal screen which shows the transfer to a bank account number of a certain amount. They triple check the bank account number, they do all the things that you’re supposed to do but what the software does is change the bank account number in the browser so you can’t see that. It’s an invisible process that happens between your computer and the bank and they can also change the amount so if you’re refunding a couple of thousand dollars to a client they can turn that into ten times that amount.

The reason it was such a low amount is because they didn’t want to trigger the bank’s internal warning system. But quite clearly it was a test process so at least these guys have been left in charge of that trust account over the weekend. I have absolutely no doubt whatsoever the firm, on Monday morning, would have found out that the millions of dollars which were in there would have been flat-out gone. So that’s the type of attack and the type of evolution that the profession now needs to deal with. It’s unfortunately been building for a while, but this is now a reality and you know this was a small firm – everybody is in the firing line.

Are there any other quick tips you have for the law firms of any size just being across this sort of cyber security environment during these challenging times?

Yes, the key takeaway message that I like to try and get across at every opportunity is that this is a matter of governance as opposed to a technical problem. We use the word cyber security but it’s really information security and fraud resistance and that involves taking all the moving parts with them. Consider;

  • how people do their job,
  • what the firm policies are,
  • how well those policies are explained and followed
  • and also knowing the basic network that people operating on.

It takes a broad protection introducing all of those elements to get to the level of security that even a small firm needs so probably the single biggest mistake you can make is just say “look this is an IT problem I don’t really understand. I’m just going to wing it or delegate to your IT department or your IT service provider.

They can do part of it – they know the one third of the security tripod which is the technology aspects and so in this particular case you need to make sure that your firm network is scrupulously updated so operating systems are dated as  humanly possible. The browsers in particular are running the latest versions of their software because there’s this permanent cold wall between the software companies and the hackers. Usually the software companies will have a solution out there for you but it doesn’t do any good if you haven’t downloaded it and dated all the software. Make sure that’s happening. In this particular example I gave, the malware came into the firm attached to an invoice which their bookkeeper had received so the training that you referred to is extremely useful because you know that just reminding people to be cautious about the kinds of attachments that they’re opening.

In this particular case the malware was in a zip file which said invoice. There’s not a lot of reason for an invoice to be in a zip file so that was possibly a warning for them for next time.

Unfortunately, they can also hide that kind of malware inside an actual word document itself and run a macro virus, so again there is a technical solution to that but it’s one that’s sort of difficult. So once again, training for the people as you’ve mentioned, the technology aspect and also firm processes. In this case the reason why the firm had a happy outcome was because they rigorously checked their trust account every day and their trust accounts administrator knows that if there’s something wrong they follow up on it straight away. So it was that combination of people, process and technology that always make sure that there is a shield between you and the attacker. Now I think that’s the best that we can really say and there are processes that we can assist people with so anyone that would like to look at their own firm security get a hold of us at Queensland Law Society. We have free programs available that can just help you to assess where your current security profile is and then what you can do about it. What’s surprising is that it often doesn’t involve huge amounts of money. Actually, it’s commonly something that a small firm and practitioner can do. They won’t be able to do all of it themselves but they will be able to certainly direct it themselves and they are the person that is best placed to move all the moving parts together to make sure that the firm is well protected.

Lee: Thank you David and I think that’s some great advice – people, process and technology really aligns so you know something I’ve often speak to our clients about is that sort of culture governance and technology. If you’ve got a cybersecurity culture and people are actually aware of that then it can lead to the processes being improved and you know it’s a simple analogy but I often look at it it’s like protecting your own home. Most people have a front door with a lock on it but if you really want to deter criminals put a security screen in place if you want or a burglary system, have a dog in your yard. You’re building on top of that security and I guess cyber security is very similar.

We know QLS have launched a Support Package to help law firms through this period. InfoTrack have also done one talking about those remote services that can be used such as SignIT our electronic signing functionality, InfoTrackID so someone can actually verify a client remotely subject to the ARNECC rule changes that have come in.

What does the QLS package include?

Basically, it’s split into two halves so the first is financial relief: that’s a nine-million dollar package that’s spread out across the Queensland profession including:

  • 50% reduction in the membership fee
  • 25% reduction in the practicing certificate costs and
  • other big-ticket item is 20% reduction in insurance

So, all of that adds up to a significant and appreciable assistance for law firms that are doing it tough.

The other side is increased services and increased support so advisory services for the government funding options which are available both to practitioners wearing their small business owner hat and also for those who advise small businesses and who will be dealing with desperate clients. It includes information on:

  • what support is available from the government for that employment law advice
  • what you can and what you can’t do in managing your own staff and
  • trying to keep people still in a job versus cutting the cut in the tether altogether

You can receive as much assistance as you require from experienced practice managers so you just ring up with a practice support problem for example implementing this or that and they can talk you through it. They’re all people who have been doing it themselves for many years and who have experience in both large and small firms.

In Queensland, where we haven’t got the mandating of electronic settlement at this stage, some are very keen and ready to jump on board with the virtual and the remote solutions. Others not so much, but trial new technologies because you might say “maybe it’s not that difficult to make this transition.”

With Queensland not being mandated on e-settlements, how are you seeing that impact on the market at the moment and maybe specifically around some of those that haven’t registered with an ELNO such as PEXA and Sympli at this stage and aren’t ready to do that. Have you had much inquiry about that or interest?

Well, we’ve certainly been making sure that people have all the information that they need and so I’ve spoken to a lot of people about electronic conveyancing over the years and the attitude of the standard Queensland practitioner is quite accepting. They certainly see it as the way of the future and any reluctancy probably seen in Queensland is more around “I don’t have a problem with it but I just don’t see that it’s for me now” and so for a great many firms they felt that the changing environment has shifted, the business case now makes sense for them to take that leap. We’ve tried to do the best we can to make sure that everyone who is interested in doing that has a shallow on-ramp so that you can just access the resources necessary to do it. I think there’s been a very significant increase in the number of people registering for electronic conveyancing and for the number of people that are actually practically, using it. The feedback that we’re getting is “hey that wasn’t quite as hard as I thought it was going to be and I actually quite like it.” It frees up time not only the remote aspects of it, but it just frees up time for them to be doing what they want to do which is talking to clients and making sure the clients are happy so I think there was this reluctance in part because people thought “well you know I am not really that technologically inclined and my clients aren’t either” but I think that’s a bit of a misconception because what this technology can do is just give you time back and instead of spending 45 minutes trying to log in a settlement, I can spend five minutes doing that, five minutes sending out the pro forma letter and then 10 minutes just calling the client making sure that they’re really happy with the process that you’ve gone through. So, I think there’s some real advantages there. As you know it’s up to Queensland practitioners to decide what is best for their own clients and their own practices, so we encourage a diverse and competitive e-conveyancing market and we think that when the business case has been explained to people then Queensland practitioners will be fully on board.

Lee: One of the solutions available at the moment is SettleIT which is a product that’s available to those law firms and your members who haven’t yet made that transition to e-settlements or haven’t registered with an ELNO as yet and they’re able to use SettleIT similar to how they would use a settlement Clark previously. They can outsource that work – it can be done once a contract has gone unconditional and really the SettleIT team take care of the booking of the settlement through the electronic settlement platform of the ELNO and working towards that transition phase, it’ll assist the clients through not only these challenging times, but as you just alluded to, you may be finding more time in the actual conveyancing process itself.

Small firms that aren’t ready to make the full transition to e-conveyancing themselves need to consider that kind of transitional method because you’re going to find a lot of your clients who are very enormous pressure who are going to need to settle and they’re going to need you to be multilingual and be able to just settle in whatever environment the buyers are ready to go in. I think you’re going to need to be able to offer them as many options as possible and this is not the time when law firms will be in a position to leave work on the table put it that way.

Lee: I wrote something too beginning of the year and shared a few clients and it was almost about just trialling something once every couple of months in your firm. It may allow you to put this roadmap together of where you see your firm going from a digital sort of solution. Interestingly by the end of March early April this year people were forced into trialling a multitude of different products and services, but these firms have been pretty resilient and it’s been interesting to watch people actually adapt to it quite well both from a professional point of view, but also from a consumer point of view. We have now come to expect digital and said “okay I can actually sign this electronically” or “I can actually complete this on my phone” and certainly as we go forward I think sets up some good ideas for lawyers to think about.

Is there anything you’d like leave our clients or your members with before we finish?

Yes, I think the message we really like to get across is law societies and professional associations are really here for the hard times and this is when we earn our bread and butter and if you’re having problems with whatever it is give us a call. If we don’t know the answer, we will often be able to connect people that do. We found that practitioners are really stepping up to the plate in terms of helping each other so often you know what we can do is say “hey there is this firm over here and they’ve had that experience they know what they’re doing why don’t you give them a call?” We have found nine times out of ten the people on receiving end of that call are very generous with their time and you know if they can’t help then they at least give them whatever assistance they can. So if there’s a takeaway message here today it’s this: If you’re having a problem give us a call. If we can’t solve it we’ll try and connect you with someone who can.

You can view the complete interview here. InfoTrack’s suite of cloud-based products have been built for lawyers to use anywhere, anytime meaning you can access them on demand when working remotely. To enhance your level of productivity without the office, get started with InfoTrack today.