As cybercriminals increasingly target New Zealand law firms, industry experts are sounding the alarm about the urgent need for enhanced digital security measures. The professional services sector is particularly vulnerable, holding significant sums of money in trust accounts and managing highly sensitive client data. This data can be sold or used for extortion, while the firms’ trust-based reputations can be severely damaged by a single breach.
Cybercrime Industry
Michael Wallmansberger, a cybersecurity expert who previously led security at ASB and Air New Zealand, emphasizes that cybercrime has evolved into a sophisticated industry. “Cybercrime is an industry now, it’s not just one solo actor,” he explains. “Ten years ago, a business might have faced the odd cyber threat. Today, the chance of being exposed to a cyber threat to compromise your organisation is increasingly high.”
Invoice redirection fraud remains one of the most prevalent and costly scams, where attackers manipulate payment instructions by compromising email accounts. Despite heightened awareness among finance teams, attackers continue to exploit trust. Wallmansberger warns, “Many still get hit by invoice scams where a cyber attacker has compromised an email conversation by getting into the inbox of one of the parties and used the information they found to establish trust with one party in the transaction, causing them to make a payment to the wrong place.”
Risk Tolerance
Geordie Stewart, Chief Information Security Officer at consultancy NSP, identifies a concerning mindset among New Zealand companies. He notes that firms in New Zealand tolerate higher levels of cyber risk compared to their international counterparts. “In Europe, boardroom decisions were driven by data and risk analysis. Here, action is often triggered only by an incident, or the fear of being the last to act,” Stewart explains.
This reactive approach has left New Zealand lagging behind international best practices by five to ten years. Stewart criticizes the tendency for businesses to carry high levels of risk until something goes wrong, leading to costly overcorrections. Basic protections like multi-factor authentication are often only adopted because technology vendors enforce them.
Growing Cyber Threats
Cyber-attacks have become more frequent than many businesses realize. “Last year saw a significant rise in attacks on New Zealand businesses and 2025 has already seen that trend accelerate further,” Stewart notes. Instead of simply locking files for ransom, cybercriminals now often steal sensitive data and threaten to release it, posing a grave threat to law firms.
For law firms, the reputational damage from such breaches can be irreversible. Stewart advises that cyber insurance offers limited protection and emphasizes the importance of preventative controls. “You can insure your systems and restore operations, but you can’t insure against the loss of client trust,” he says.
Smarter Scammers
Wallmansberger highlights the increasing sophistication of social engineering tactics, where attackers exploit predictable human behavior to bypass security. With AI and deepfakes making these scams harder to detect, frontline staff such as payroll and contact-center workers are at greater risk.
“Social engineering is when a cyber attacker is really good at understanding the way people normally behave and uses that knowledge to get someone to do something that undermines security,” Wallmansberger explains. The red flags in these scams are typically urgency and appeals to authority: attackers may impersonate senior executives to pressure staff into acting without checking.
Basic Cybersecurity Measures
Wallmansberger stresses the importance of basic cybersecurity measures, which include:
– Multi-factor authentication, especially for email;
– Regular software updates and secure devices;
– Unique passwords, never reused; and
– Staff training to pause when urgency or authority is used to pressure them.
Stewart adds that firms should make “preventative controls” standard practice, such as:
– Multi-Factor Authentication (MFA) for all remote and privileged access;
– Managed Detection and Response (MDR) for 24/7 threat monitoring;
– Phishing resilience training for staff awareness; and
– Supply chain due diligence to ensure third-party providers do not become back doors into firm systems.
Cybersecurity as Business Risk
Both experts agree that cyber risk is not just an IT issue but a comprehensive business risk. For businesses where trust and credibility are crucial, a breach can undermine reputation. “In today’s threat landscape, it’s not just your systems at risk, it’s your firm’s reputation and once lost, it cannot be insured back,” Stewart warns.
Note: This article is inspired by content from https://lawnews.nz/technology/cyber-smart-week-why-kiwi-law-firms-cant-afford-to-lag-on-digital-risk/. It has been rephrased for originality. Images are credited to the original source.
