Cyber security for Australian law firms.
Law firms hold years of privileged client communications, financial records and personal information across LEAP, Microsoft 365 and shared document environments. When a staff account is compromised, that material is reachable in a single session.
IronSights works with commercial and general practice law firms across Australia. ISO 27001 certified, Microsoft certified security engineers, Sydney-based.
Threat context
Why law firms are targeted.
A general practice law firm holds a concentrated record of client affairs: estate planning documents, commercial contracts, employment records, property transaction files, dispute correspondence and trust account instructions. That information has direct value in fraud and identity theft, and indirect value when an attacker wants to apply pressure rather than simply steal. Attackers who gain access to a law firm's Microsoft 365 tenant or LEAP environment do not need to know in advance which files will be useful.
Business email compromise is the most common attack type in Australian incident response caseloads, and commercial law practices are a consistent target. The mechanism is usually credential theft: a phishing email, a password spray against the Microsoft 365 tenant, or credentials obtained from a prior breach and sold on criminal markets. Once inside a staff inbox, an attacker can monitor client communications, intercept payment instructions and insert themselves into ongoing transactions without detection.
Ransomware affecting law firms has increased in frequency. Unlike a retail or logistics business, a law firm facing ransomware encryption loses access to all active client matters at once: every open file, every correspondence thread, every document in the practice management system. The pressure is disproportionate. Groups targeting legal practices also know that the confidentiality of client information creates additional risk: publishing exfiltrated legal files carries consequences for a firm that publishing most other business data does not.
LEAP and PracticeEvolve credentials are consistently targeted. Phishing campaigns directed at Australian legal practices appear as DocuSign requests, court portal notifications and Law Society emails. A compromised LEAP credential exposes every matter that person can see, which in most practices means the full client file list, trust account balances and the document history for each matter.
Common risks
What we find when we work with law firms.
Compromised matter management credentials
LEAP, PracticeEvolve and ActionStep credentials obtained through phishing or credential-stuffing give an attacker access to every client matter visible to that account. Trust account balances, document histories, client contact details and correspondence are all reachable from a single login. MFA is available on most platforms. It is frequently not configured.
Ransomware and matter file encryption
Ransomware affecting a law firm's file server or document management environment suspends every active client matter at once. Recovery from backup takes time, often days, during which court deadlines, settlement dates and client obligations continue. Groups targeting legal practices increasingly combine encryption with data exfiltration, threatening to publish client files if the ransom is not paid.
Email account compromise and payment redirection
An attacker with access to a lawyer's Microsoft 365 inbox can monitor client communications about upcoming transactions and intercept payment instructions at the right moment. They can also send correspondence that appears to come from the lawyer's own address. DMARC, DKIM and SPF configuration, MFA on all email accounts, and separation of admin accounts from standard user accounts address this risk most directly.
Broad internal access to privileged documents
Client files sit in SharePoint folders with access granted to broad groups of internal users. In many practices, all staff can read all files. When any account is compromised, the attacker can reach everything without lateral movement. Role-based access controls and sensitivity labelling through Microsoft Purview change this, but they require deliberate implementation.
Inadequate Privacy Act compliance controls
Law firms covered by the Privacy Act must be able to demonstrate how personal information is collected, stored, used and disclosed. When a breach occurs and the OAIC receives a complaint or initiates an assessment, the firm must be able to account for what it had in place. A firm with no documented data classification, no access controls and no tested breach response process is in a difficult position regardless of the outcome of the breach itself.
How we help
Services for law firms and legal practices.
From a sole practitioner to a multi-partner firm, the controls that address real attacker behaviour and Privacy Act obligations are consistent. We help you implement them and demonstrate they work.
Fortify — managed security
Around-the-clock monitoring across endpoints, identities, email and cloud. Rapid containment when something goes wrong. Monthly uplift and a board-ready posture report. For firms without a dedicated security function, Fortify provides the monitoring and response capability that an ad hoc IT arrangement rarely delivers.
Microsoft 365 security
Most Australian law firms run LEAP on top of Microsoft 365. We harden the M365 environment: Conditional Access, MFA enforcement, Defender for Business, DMARC and SPF, and sensitivity labelling for classifying client documents, trust account records and privileged correspondence. Labels restrict printing, external sharing and unapproved forwarding without requiring staff to make manual decisions on each file.
Penetration testing
External network, internal network and simulation tests. Each engagement produces a risk-rated report your managing partner can read and your IT support can act on. Thirty-day free retest included.
Audit and assurance
An audit gives you a documented baseline you can reference in your PI insurer renewal, Law Society correspondence and AML/CTF readiness planning. The report is written for a non-technical reader and is designed to be used, not filed.
Compliance
Regulatory obligations for law firms.
Most law firms are covered by more than one framework. The Privacy Act sets a floor on data handling obligations. The Legal Profession Uniform Law adds professional accountability on top of it.
APP entity obligations and the NDB scheme
Law firms with annual turnover above $3 million are covered by the Privacy Act and the thirteen Australian Privacy Principles. Smaller firms providing services under a Commonwealth contract, including Legal Aid agreements and government panel appointments, are also covered regardless of turnover. A breach involving client files will almost always meet the serious harm threshold for NDB notification. The Privacy and Other Legislation Amendment Act 2024 has increased penalties and introduced new obligations around automated decision-making that take effect from December 2026.
Competence and confidentiality under the Uniform Law
The Legal Profession Uniform Law in NSW and Victoria imposes ongoing obligations around practitioner competence and the protection of client confidentiality. A cyber failure that exposes privileged communications or enables unauthorised trust account access is not only a Privacy Act matter. It may be referred to the Legal Profession Conduct Commissioner. Law Societies in NSW and Victoria have published guidance citing the Essential Eight as the relevant technical baseline. That guidance is the reference point a practitioner would be measured against if disciplinary action followed a breach.
Law Society audit obligations
Law Society trust account audits are a standing feature of legal practice. Records must be maintained, reconciliations completed and funds protected. A cyber incident affecting trust account records or enabling an unauthorised payment creates immediate regulatory exposure. A practice that cannot account for what happened, what was accessed, when, and what controls were in place, faces audit consequences alongside the breach itself.
Common questions
Asked by firms like yours.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
Does a law firm's LEAP environment need to be specifically secured, or is Microsoft 365 hardening enough?
Both environments need attention and they are connected. LEAP integrates with Microsoft 365, which means a compromised M365 account can provide access to LEAP matter files depending on how the integration is configured. Hardening M365, including enforcing MFA and Conditional Access and disabling legacy authentication, reduces the risk of a credential-based attack reaching both environments. LEAP itself has MFA and access control settings worth reviewing as part of any engagement. We work through both as part of a Microsoft 365 security engagement for law firms.
What does mandatory NDB notification look like in practice for a law firm?
When a breach occurs, you need to assess whether it is likely to cause serious harm to affected individuals. For client legal files, that assessment almost always goes one way. If the threshold is met, you notify the OAIC using the NDB report form and notify affected individuals directly. The notification should include what happened, what information was involved and what steps individuals can take to protect themselves. Law firms should have a breach response plan identifying who makes that assessment, who signs off on notifications and what the firm will tell clients. The plan should be tested before it is needed.
What is the typical Secure Score for a law firm that has not had a dedicated security engagement?
The firms we work with typically have Microsoft Secure Scores between 25 and 40 before we start. Legacy authentication still active, MFA not enforced across the tenant, no Conditional Access policies, admin accounts used for everyday work, and DMARC either absent or in monitoring-only mode are the most common findings. Those are not sophisticated failures. They are default configuration gaps that most M365 tenants share if they have not been specifically addressed.
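As an added example, not IronSights' own tooling: a small Python checker that classifies a domain's published DMARC record into the absent, monitoring-only and enforcing states referred to in the findings above (plus the partial-rollout pct= case), run over constructed sample records rather than live DNS.

```python
"""Classify DMARC posture from a domain's _dmarc TXT record.

Added example, not IronSights' code. The records below are constructed
sample values, not real domains' DNS data; a live check would resolve
the _dmarc.<domain> TXT record first, which is left out so this runs offline.
"""


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=none; rua=...' into a dict of lowercase tags.

    Returns None when there is no record or it is not a DMARC1 record.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (status, reason) for one record, in defender's terms."""
    tags = parse_dmarc(record)
    if tags is None:
        return "absent", "no valid v=DMARC1 record published"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "absent", "p= tag missing or invalid, record is ineffective"
    if policy == "none":
        return "monitoring-only", "p=none reports on spoofed mail but does not block it"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    if "rua" not in tags:
        return "enforcing", f"p={policy} but no rua= address to receive aggregate reports"
    return "enforcing", f"p={policy} with aggregate reporting"


# Constructed sample records (not real domains)
SAMPLE_RECORDS = {
    "firm-a.example": None,
    "firm-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm-b.example",
    "firm-c.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firm-c.example",
    "firm-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-d.example; adkim=s; aspf=s",
}


def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its DMARC status label."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}
```

Only firm-d would pass the "DMARC present and enforcing" finding; the other three are the absent, monitoring-only and partial states in turn.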
Are smaller law firms below the $3 million turnover threshold exempt from the Privacy Act?
Not necessarily. The $3 million threshold has exceptions that regularly capture smaller legal practices. Firms providing services under a Commonwealth contract, including Legal Aid agreements, government panel appointments and court-appointed work, are covered regardless of turnover. Firms that handle tax file numbers for clients are also covered. And even firms that are technically outside the Privacy Act still have professional confidentiality obligations under the Legal Profession Uniform Law. The prudent position is to treat client information as covered regardless of turnover.
How does IronSights handle confidential client information during a security engagement?
Our engagements are scoped to avoid unnecessary access to client files. We work at the configuration layer, reviewing tenant settings, access controls and policy configuration, rather than reviewing file content. Where we need to assess data classification or access permissions, we work with sample data or metadata rather than file contents. We operate under confidentiality agreements with every client and are ISO 27001 certified. If a firm has specific concerns about engagement scope, we discuss that in detail before any commitment is made.
Further reading
Related insights.
Cyber security obligations for Australian legal practices
What the Privacy Act, Legal Profession Uniform Law and AML/CTF Tranche 2 reforms require from Australian law firms.
Compliance: Protecting trust accounts from cyber attack
How trust account access via compromised matter management credentials creates regulatory exposure and what the controls look like.
Threat intelligence: Ransomware in Australian law firms
Legal practices are consistent targets. Why attackers go after legal data and what the NDB obligations look like when it happens.
Technical: The Essential Eight for Australian legal practices
Law Societies in NSW and Victoria have cited the Essential Eight as the relevant baseline. What each control means for a law firm.
Also in legal
IronSights works across the legal sector.
Start with a review
A structured security review tells you exactly where your firm stands.
We assess your Microsoft 365 environment, identity controls, how client data is stored and handled, and whether your incident response process would hold up under real conditions. The output is a practical, prioritised roadmap you can act on.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.