
Cross-Examined

The Law Institute of Victoria

Sheep in wolf’s clothing: How white hat hackers and pen testing help stop hacks

MAY 18, 2026 | 22 MIN

Description

Episode Summary:

Many law firms make a heavy investment in cybersecurity tech, and yet attackers can simply walk straight through their front door. This episode exposes how ethical (and criminal) hackers think and act, revealing why human trust and everyday routines are often a real vulnerability attackers exploit. This episode pulls back the curtain on penetration testing, and the white hat hackers who help firms fix weaknesses before criminals can exploit them.

Guest:

• James Thompson, Director, principal cybersecurity consultant and penetration tester, Malware Security
• More than 20 years’ experience testing government, defence and critical infrastructure networks
• Specialist in offensive security, social engineering and red team engagements
• www.linkedin.com/in/cyberjt
• www.malsec.com.au

Host:

• Jayne Gurton, Law Institute of Victoria
• podcasts@liv.asn.au | https://www.linkedin.com/company/law-institute-of-victoria

Episode Overview:

Securing a law firm from cyber attacks must take into account not just technology, but the physical environment as well. In this episode, penetration testing expert James Thompson explains what really happens when an organisation hires a pen tester and how cyber breaches can come through the front door as well as a link in an email. The discussion unpacks penetration testing, red team engagements and social engineering attacks, with practical examples from professional services environments. Listeners will learn how ethical hackers exploit human behaviour, why organisations often fall within minutes of an initial breach and what law firms can do right now to reduce their attack surface.

Topics & Timestamps:

• 02:04 What is penetration testing
• 04:40 Common vulnerabilities in office environments
• 08:49 Real-world social engineering scenarios
• 11:14 What happens after initial network access
• 13:48 Practical steps firms can take immediately
• 15:20 Choosing a penetration testing provider
• 17:20 Emerging cyberthreats and AI-enabled attacks

Key Takeaways:

• Penetration testing combines technical skill with human manipulation to mirror real cyber attacks
• Front desks, unlocked doors and helpful staff are common breach points
• Many organisations are compromised within 15 to 30 minutes of initial access
• Multi-factor authentication and reducing attack surface significantly raise the barrier
• Not all vendors offering pen tests deliver genuine human-led testing
• Regular testing and staff awareness are essential parts of cyber risk management

Resources & Links:

• Law Institute of Victoria cyber security resources – Practical guidance for legal practices | https://www.liv.asn.au/web/resource_knowledge_centre/cybersecurity-hub/web/content/resource_knowledge_centre/cybersecurity-hub.aspx
• Law Institute Journal – Cyber risk and legal practice coverage | https://www.liv.asn.au/web/law_institute_journal_and_news/web/lij/year/2025/02february/law_firms_and_cyber_risk.aspx | https://www.liv.asn.au/web/search_results_page.aspx?search=cyber
• Australian Cyber Security Centre – Guidance for professional services | https://www.cyber.gov.au
• Malware Security – Penetration testing and red team services | https://malsec.com.au
• Australian Signals Directorate Essential Eight – Baseline cyber security controls | https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight

About This Podcast

Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.

This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.

Disclaimer

This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.

Production Information

• Produced by: The Law Institute of Victoria
• Producer and audio editor: Garreth Hanley
• Music: Garreth Hanley
• Copy and show notes: Louise Surette

Connect With Us

Email: podcasts@liv.asn.au
Website: https://liv.asn.au
LinkedIn: https://www.linkedin.com/company/law-institute-of-victoria
Apple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728
Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgV

Mentioned in this episode:

2026 Legal Forum advert

Legal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum