Protect Your Law Firm From Cybercrime: The Basics and Beyond

Danny Mizrahi Founder & CEO, Contributor, Contango IT
June 10, 2021


  • Last year, 29% of law firms experienced a major security breach of some kind.
  • Are you looking for smart ways to increase your law firm's cybersecurity?
  • Consider these 4 security measures that can help protect your data.

In 2020, 29% of law firms experienced a security breach, such as a lost laptop or hacker break-in, according to the American Bar Association. Another 21% of law firms didn’t even know whether their security had been breached. That means half of the law firms in the country might have had sensitive data – including client information they are obligated to protect – compromised.


Many people would call that a cybersecurity issue. In most cases it is better described as a lack of basic IT hygiene: the same baseline controls should be applied to every computer, whether it sits in the office or in an attorney's home. Law firms can significantly improve their data security by protecting the “low-hanging fruit” first, often simply by turning on technology they already own.

4 Simple but Effective Security Measures

If you run a law firm and are looking to beef up your cybersecurity, consider these four simple but effective steps to safeguard your data:

  • Firms should implement security awareness training. The weak link in security is often people rather than technology. A typical “phishing” scheme depends on employees feeling pressure to act quickly or without thinking, giving up usernames, passwords or other sensitive information in the process. Security awareness training programs use interactive modules, games, videos and newsletters to teach employees the tactics attackers use so they are harder to trick. Give staff an easy way to report a suspicious message as well; training only pays off if the next phishing email becomes a ticket instead of a secret.
  • Make sure existing protections are turned on. Many law firms have strong security features in their Microsoft Office 365 account that they never enable. For example, Office 365 offers multi-factor authentication, which requires employees to identify themselves in two ways, such as a password plus a code from an authenticator app. A text message also counts as a second factor, but it is the weakest option, because SMS codes can be phished or intercepted through SIM swapping. MFA is a basic safeguard, yet the ABA found only 39% of law firms use it. According to Microsoft, multi-factor authentication blocks more than 99.9% of account compromise attacks. Confirm that mailbox auditing is actually switched on rather than assuming it, and publish email authentication records (SPF, DKIM and DMARC) for every domain the firm sends from, so that a forged message claiming to come from a partner is rejected instead of delivered. Turning on functionality already included in the firm's Office 365 subscription goes a long way toward thwarting cyber thieves.
  • Automate monitoring and patching of systems. Attackers are constantly looking for vulnerabilities in popular software. Software vendors, as a result, are constantly releasing updates, also known as “patches”, that close those vulnerabilities. By configuring your systems so that patches are applied automatically, you deprive thieves of the most current and popular entry points into your network. Automatic updates should cover not just Windows and macOS but browsers, PDF readers, document management software and the firewall or VPN appliance itself. Remember: your firewall is only as good as your last patch.
  • Encrypt all work devices. Many people think the information on their laptop is safe because the device has a login password. In reality, retrieving that information from a lost or stolen laptop can be as simple as removing the hard drive and plugging it into another computer. Sensitive data on all devices should be protected with full-disk encryption, which is already built in (BitLocker on Windows, FileVault on macOS) and needs only to be turned on. Once it is, a drive pulled from a stolen laptop is an unreadable jumble without the password. Store the recovery keys centrally (for example in the firm's Microsoft 365 tenant) so a forgotten password does not become a second data loss, and apply the same rule to phones and USB drives that hold client files.
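
The “email authentication” item above is easy to state and easy to get subtly wrong: a domain can publish SPF and DMARC records that look fine yet enforce nothing. The script below, added here as an example and not code from the original article or from Contango IT, audits SPF and DMARC records for the weak settings receivers quietly ignore (`~all`, `p=none`, a missing `rua=` address, `pct` below 100, the deprecated `ptr` mechanism, too many lookup terms). The DNS answers are constructed inline for hypothetical domains so it runs offline; to audit a real domain, replace `lookup_txt()` with a resolver call.

```python
"""Audit a domain's SPF and DMARC records for weak settings that leave it
spoofable.  Added example for this article, not code from the original page.
DNS answers are constructed below for hypothetical domains so the script
runs offline; for a real audit, replace lookup_txt() with a resolver query
(for example dnspython's dns.resolver.resolve(name, "TXT"))."""

# Constructed TXT answers keyed by DNS name (hypothetical, not real domains).
SAMPLE_TXT = {
    "goodfirm.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.goodfirm.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@goodfirm.example"],
    "weakfirm.example": [
        "v=spf1 a mx ptr include:spf.protection.outlook.com ~all",
        "google-site-verification=abc123"],
    "_dmarc.weakfirm.example": ["v=DMARC1; p=none; pct=50"],
    "nofirm.example": ["some unrelated txt record"],
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, records=SAMPLE_TXT):
    """Return the TXT strings for a DNS name from the constructed table."""
    return records.get(name.lower(), [])


def _mechanism(term):
    """'~include:foo.example' -> 'include'; 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        body = body.split(sep, 1)[0]
    return body.lower()


def check_spf(domain, records=SAMPLE_TXT):
    """Return a list of findings; an empty list means the SPF record is sound."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: RFC 7208 allows exactly one, receivers return permerror"]
    findings = []
    terms = spf[0].split()[1:]  # drop the 'v=spf1' version tag
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: hosts not listed are treated as neutral")
    elif all_term in ("all", "+all"):
        findings.append("+all: every host on the internet passes SPF")
    elif all_term == "?all":
        findings.append("?all: unlisted hosts get a neutral result, not a failure")
    elif all_term == "~all":
        findings.append("~all (softfail): only a hint to receivers; enforce with DMARC p=quarantine or p=reject")
    if any(_mechanism(t) == "ptr" for t in terms):
        findings.append("ptr mechanism is deprecated and slow; replace with ip4/ip6 or include")
    # Counts top-level terms only; nested includes are not expanded offline.
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(domain, records=SAMPLE_TXT):
    """Return findings for the _dmarc record; empty means enforcement is on."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record: SPF and DKIM failures are never enforced"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'}: policy tag is missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so you cannot see who is spoofing you")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return findings


def audit(domain, records=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain."""
    return {"spf": check_spf(domain, records), "dmarc": check_dmarc(domain, records)}


if __name__ == "__main__":
    for name in ("goodfirm.example", "weakfirm.example", "nofirm.example"):
        for kind, items in audit(name).items():
            print(f"{name:20} {kind.upper():5} {'OK' if not items else 'WEAK'}")
            for item in items:
                print(f"    - {item}")
```

Run against the constructed data, `goodfirm.example` comes back clean, `weakfirm.example` is flagged for softfail SPF, a deprecated `ptr` term, a monitor-only DMARC policy with no reporting address and a 50% rollout, and `nofirm.example` has no records at all. The same checks are what a receiving mail server applies when it decides whether to trust a message that claims to come from your firm; DKIM signing is not covered here because it is verified per message rather than from a single DNS record.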

Go Beyond the Basics

Having basic IT security measures in place will significantly reduce your risk of data loss. Once you have crossed the Ts and dotted the Is, you can put together a cybersecurity roadmap, which balances the risks and rewards of implementing more advanced security measures.

For example, penetration testing is an authorized, controlled attack on your own network, carried out to find and correct vulnerabilities before criminals do. It is performed by certified ethical hackers, who must keep up continuing-education requirements much as lawyers do with CLE; in their case, the subject matter is the latest attack techniques. Agree the scope, the systems in play and the reporting format in writing before the test starts, and treat the report as a to-do list, not a trophy.

Beyond basic IT hygiene, a mature cybersecurity program is shaped by compliance obligations. Today, law firms and other companies are subject to a growing list of requirements and regulations, from the European Union's General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), which borrows much of its approach from the GDPR.

Sometimes law firms only implement cybersecurity measures when required to by regulations or clients. However, the savviest law firms go a step beyond what’s required.

Stand Out From Competitors

Consider ISO/IEC 27001, the international standard for running an information security management system (ISMS): a documented, risk-based process for choosing, operating and reviewing security controls. Because its control set anticipates the requirements of most international and state regulations, a law firm that implements ISO/IEC 27001 is ahead of the pack.

Because implementing a standard like ISO/IEC 27001 comes with a cost, many firms only do so when a client or vendor requires it. Some law firms, however, are using the standard as a competitive advantage. A small law firm that achieves ISO/IEC 27001 certification could go to a financial institution it already works with and use that certification to win more closing and M&A business, since data security is so top of mind for banks. It is a good bet that the other law firms the bank works with do not hold the certification, which lets the ones that do stand out.

As cyber risk increases, law firms must up their efforts in response. Fortunately, there are many simple security steps that can offer strong protection, and help you keep ahead of the bad guys. And in doing so, you can not only protect your information, but make your cybersecurity into a competitive advantage.
