Cybersecurity Awareness for Lawyers

Law firms are at an even greater cybersecurity risk as they move more into the digital age of working from home. Here are some methods of attack and ways to reduce and prevent such attacks to your firm.

Cybersecurity Tips for Lawyers and Law Firms

Jordan Donich

June 7, 2022 11:00 AM

Over the last 10 years law firms have transitioned from a predominantly paper-based practice to in some cases becoming fully digital. This has been accelerated in response to remote work associated with COVID-19. Previously, lawyers primarily had to worry about physical security of their file management and offices. This was easier, because even if there was a physical breach to the firm, thieves would need a U-Haul to move data which was voluminous and in paper form. The transition to digital file management has been associated with ever increasing risks of data breach, reputational damage and litigation risk(s) associated with a cyberattack.

What used to be unlikely has now become possible almost instantly form anywhere in the world. The battlefield is now global with cybercriminals becoming harder to detect, apprehend and prosecute, especially when they reside in foreign jurisdictions. Rewards are also higher than ever for successful attacks. Cybercriminals know law firms are a gold mine for sensitive solicitor-client privileged communication, financial and personal identification information. All law firm’s need to integrate cybersecurity risk mitigation into their business model to the same (if not greater) extent than they would physical security of their premises.

Methods of Attack of Against Law Firms

Law firms are vulnerable to cyberthreats because of the personal information they are known to possess. When a lawyer is hired, they are required to identify the client, gather occupation and personal financial details, especially if the lawyer is working with financial institutions. Beyond this personal information, law firms possess significant confidential information in criminal disclosure, such as sexual abuse material or violent crime scene evidence. Unintended disclosure of this material not only impacts the reputation of the firm but could revictimize victims of crime.

Cybercriminals likely expect some level of cyber risk management from financial institutions or larger law firms. However, smaller businesses often fail to make appropriate investments in cybersecurity. This could be for budget reasons, complacency or simply the false belief that only larger organizations with higher rewards are targeted. There are a number of threat actors who may target the legal sector, the most likely are cybercriminals and insiders.

Cybercriminals will target law firms because of the sensitive information they are known to possess. These individuals will likely seek to acquire confidential information about the firm’s clients for financial gain or reputational damage. If a law firm’s network is compromised, these criminals could use that data for identity theft or simply to expose the personal dealings of the firm’s clients. Law firms often implement role-based access to the network for security reasons, this is why they are vulnerable to spear-phishing attacks.

For example, a secretary or junior lawyer of the law firm could receive a personal email from who they believe is the owner of the business, prompting them to save a compromised file on the network. This person may not question this request because the instructions are being sent from an authority figure in the organization. In addition to phishing attacks law firms are also vulnerable to brute-force attacks. These methods of attack may be particularly successful where employees have passwords or do not have two-fact authentication enabled. In either case, cybercriminals would likely install a variety of malware which may include spyware or ransomware.

Insiders such as other lawyers or staff are a threat to law firms. Although law firms implement role-based access to critical data, this becomes less effective with other lawyers in the firm, especially on larger files with multiple lawyers working. This is why threats from internal lawyers are highest, they have access to substantial organizational data because their professional obligations require them to do so. They also may have access to previous firm files for learning or precedents, increasing vulnerability to these actors.

Methods of attack from insiders are the same as those used by cybercriminals. The primary difference is that insiders may be less likely to detect. Insiders could install malware on company property prior to being terminated or simply steal organizational data. In many cases cybercriminals simply want access to data and require infiltration techniques like spear-phishing or brute force attacks. Insiders simply have to log into the network or gain further access privileges to steal this information and could leave undetected. Law firms are especially vulnerable to insiders because they are required to provide liberal access to information for legal training and to ensure professional competencies. If the organization does not fully support the lawyer in its professional obligations, it could face a claim from the client for ineffective representation, which ultimately increases its exposure to potential damage from insiders. Moreover, the attack does not have to be sophisticated because lawyers already have a large degree of access to the network.

Strategies to Reduce Cyber Risk

There are four key strategies law firms can use to mitigate risk: (1) increase cybersecurity culture in the firm; (2) strengthen technology to protect networks; (3) develop an incidence response plan; and (4) integrate better cybersecurity behavior for remote work.

Cybersecurity Culture
Strengthening cybersecurity culture in the firm will help continue to reduce its cybersecurity risks to an acceptable level. The first step to strengthening the overall cybersecurity culture in the organization is to have leadership by example from the top of the organization. By setting the example of good practices within the firm by partners or business owners, the firm will be better able to protect itself over time. This will strengthen the overall expectation in the firm for cybersecurity awareness and corresponding behavior by staff.

Lawyers should integrate cybersecurity awareness the same way they would continuing professional development. Lawyers are good at maintaining their legal skills, cybersecurity should be treated the same way. Support staff and all persons with an entry point into the firm should be involved, so that cybersecurity within the business is not simply viewed as just an IT issue.

Integrating certain technologies will help the organization achieve its goals. Items such as integrating a proper firewall will help protect the organization from DDoS attacks. Proper email scanning and antivirus software will help support the firm’s intrusion detection systems. Running vulnerability scanners and encouraging proper patching by lawyers will also help the organization achieve its cybersecurity goals through the use of technology.

Ensuring the use of two-factor authentication for all ports of entry into the network will help protect the organization from weak employee password habits. Tools such as encrypted password managers can further be used to strengthen passwords and protect the organization from brute-force attacks. Strengthening protection within the cloud is another area firms can improve to reduce risks.

Incidence Response Plan
Having a proper incidence response plan will help the firm better respond to a cyberthreat and improve its overall cybersecurity risk management. Beyond the firm simply drafting an internal plan, it should also seek external input from specialized third parties. Having occasional audits of the firm’s response plan will ensure it is up to date with evolving threats and resilient to attacks. The firm should also test the effectiveness of its plan. It can be tested with individual employees or across the organization to confirm the firm’s ability to properly detect, contain and eradicate cyberthreats.

Remote Work
As lawyers work remote, the firm’s vulnerability to cyberthreats increases because of its reduced ability to monitor and enforce good practice behavior. By ensuring better data protection such as disc encryption on both company and personal devices, the organization can reduce its risks in the event of device theft or loss, which increases with remote work.

Implementing policies with respect to using public internet to access the company network will improve cybersecurity for remote work. Installing a VPN on both personal and company devices accessed by lawyers will improve encryption for data in transit and support the organizations goals of mitigating cybersecurity risk.

Metrics to Assess Cyber Security
A metric is used to assess an organizations cybersecurity effectiveness against threats or the overall efficacy of its stated goals. A firm could assess the effectiveness of its overall cybersecurity culture by talking to staff about cybersecurity issues and questioning them on how they would respond. This can be done during official training sessions or just casually. This simple method could be used to test on an individual level, the overall awareness of the employee about cybersecurity importance in the organization.

Analyzing firewall and antivirus data provides an organization with information on the effectiveness of its technology. Comparing this data with website traffic would yield information on whether unusual or malicious traffic is being successfully blocked by the network. Running vulnerability scanners could also be used to assess the effectiveness of an organization’s technology overall.

Spot checking employee computers which are being used for remote work can be done to determine compliance with security patching and maintenance. Reviewing how employees connect to the internet when working remotely can be used to ensure compliance with protecting data in transit. Confirming the use of password managers and device encryption on personal mobile devices will also help gauge the efficacy of the firm’s remote work policies.

Protective Technologies

Some of the protective technologies which can be deployed to protect critical systems, networks and data include antivirus software, firewalls, network access control, virtual private networks, identification, authentication software and device encryption.

Antivirus Software
Antivirus software can help protect early intrusion efforts into the network since it is installed directly on the host device. Properly functioning antivirus software requires devices to be updated regularly and patched for new vulnerabilities. Use of this software will help display characteristics of known viruses and contain them in accordance with the software. It can further help with scanning emails or attachments for malware and protect the network at the device level.

A firewall will assist with creating a perimeter around the firm’s internal network, protecting it from untrusted connections. Implementing Simple Mail Transfer Protocol (SMTP) will help filter emails the organization receives over the internet. Depending on its configuration, it can reject certain emails when they do not meet permissions standards.

Firewalls can also be implemented to protect a firm’s website from DDoS attacks. Settings can be configured to limit certain suspicious IP addresses, including limiting the number of visitors to the site at a given time.

Virtual Private Networks (VPN)
With lawyers more frequently working from home, vulnerabilities remain with their use of unprotected or open internet. Although the organization may have other protective technologies, they will not protect data in transit. Using a VPN when lawyers work remote will create an encrypted tunnel for data in transit to the network and reduce the risk of snooping.

Ensuring a VPN is installed on both organizational property and the personal devices of the remote workers will best ensure compliance. A policy for working remotely on personal smartphones should require a VPN connection.

Network Access Control
Logical access control(s) will limit unauthorized access to the organizations cyber assets, networks and data. This technology will help protect the organization from both external and internal threats seeking to infiltrate or disable intrusion detection systems. Implementing Mandatory Access Control (MAC) will further strengthen role-based access within the network. This additional safeguard would protect the organization from insiders venturing into unauthorized portions of the network.

Identification Technologies
Implementing identification software will protect the organization from unauthorized access to the network. Requiring employees to have designated usernames is a first step but should also include two-factor authentication in the event passwords are weak. At the device level the organization could also require MAC addresses as a basis for access, which would ensure only specified devices have network privileges.

Having a system in place for the de-provisioning of rights to access the system will help ensure controlled access to the network by the appropriate personnel at the time. This would also be useful when an employee leaves the organization or is terminated. It could also protect the organization with new employees to slowly scale up their access as trust is built.

Authentication Technologies
Employees may reuse passwords for multiple accounts and fail to use a password manager for improved password security. Strengthening authentication will help protect the organization from external threats or unauthorized access by insiders. In addition to email authentication, the organization could use fingerprint, smart cards or signatures to access critical systems within the network. For very sensitive portions of the network, the firm could require biometrics authentication. Some of the options could be retina pattern or fingerprint recognition.

Device Encryption
Implementing proper disc encryption on company computers will help protect the organization’s data in the event of device theft or loss. The organization should also discuss this requirement for the use of personal mobile devices to access the network by employees. A vulnerability could exist where lawyers use their personal smartphones to access cloud data, which could be accessed without proper encryption.

Audit Trails
Audit trails can be implemented to trace actions taken within the system or with specific users. The organization can use logs to promote accountability and investigate users who venture into restricted portions of the network. The proper functioning of these technologies would help the organization identify a breach by a cybercriminal or an insider venturing into restricted portions of the network. Implementing identity and access management (IAM) principles such as recording user actions on users with greater privilege will help protect critical assets and sensitive network access.

Legal Considerations

Both the firm and individual lawyers are often sued by clients, so legal considerations should be viewed as a shared responsibility between the firm and its lawyers. The first legal consideration both parties should consider is how to implement cybersecurity legislation and reporting guidelines into law firm procedures or protocols. Cybersecurity compliance legislation is complex and overlaps between jurisdictions where lawyers may practice. An organization needs to have a plan in place to confirm applicable legislation and legal requirements upon a breach. Ensuring accurate interpretation of the law and compliance with it is the first step in developing a risk mitigation strategy.

Knowing the applicable legislation is no good unless it is properly integrated into the organization. Having a proper structed training system for all parties in the organization will help mitigate risk and promote compliance. If awareness and training is insufficient, it is less likely potential threats will be reported and acted on. This could lead to situations where the organization fails to comply with reporting obligations or containing the threat.

Exploring insurance requirements for businesses is another legal consideration which should be considered. Lawyers are required to have error and omission insurance to protect clients and the public. A cybersecurity breach could theoretically have the same damage to the client as a lawyer acting without capacity. Reviewing update in the insurance landscape, such as minimum cybersecurity coverage requirements to protect the public should form part of a comprehensive risk mitigation strategy. Organizations should also review their technology and practices to ensure they will remain covered by an insurance company, in the event of a data breach.

Firms should also consider their relationship with third-parties and whether their compliance obligations will be compromised in the event of cybersecurity breach by a third-party. Affiliate organizations may not be compliant with relevant legislation which could expose a firm to legal liability by association. Having an understanding of who the organization is doing business with and what precautions those business are taking will help develop a comprehensive risk mitigation strategy.

Developing a proper response plan is another important legal consideration. This will help ensure the firm knows in advance of a data breach its legal requirements. This will help avoid poor decision making and strengthen compliance. The response plan could also list the appropriate experts the organization would require to mitigate its litigation and reputational risks.

Having independent audits by trained security professionals will help ensure firms are compliant with legal requirements. Audits may reveal weaknesses in a firm’s response plan or early detection systems. In addition, they will help modernize firms’ cybersecurity defences over time in response to evolving threats. If an organization is able to show it was not reckless to potential threats and always took proactive efforts to protect the public, a court may find that mitigating.

Jordan Donich is a lawyer at Donich Law Toronto, Ontario. He represents clients in English and French in civil litigation, professional regulation and complex criminal defense. His background in cybersecurity is the basis for the firm's dedicated practice in internet crime.

Related Articles

How to Digitally Market Your Law Firm

by dNovo Group

In the digital age, everyone is online. So it's important to make sure your results pop up first. This digital marketing agency gives SEO tips specifically for lawyers.

How SEO is Different for Lawyers in Toronto

Trending Top Five: Critical Corporate Components for 2022

by Justin Smulison

It’s no longer “business as usual” for most of Corporate America. With a growing list of challenges facing the legal and financial health of many companies, we talked to several major General Counsel about the biggest areas in which businesses should remain vigilant.

Corporate Advice From General Counsel

Breaking Down Criminal Conviction in Canada

by Best Lawyers

Statistics Canada’s annual breakdown of adult criminal court data provides an eye-opening review of how the country’s court system resolves its hundreds of thousands of cases annually.

Canada's Criminal Court Patterns Are Changing

ECIJA on Revolutions in Spanish Information Technology Law

by Best Lawyers

Alejandro Touriño looks at the policy changes impacting information technology law in Spain in this "Law Firm of the Year" interview with Phillip Greer.

ECIJA Information Technology Law Interview

A Startup Accelerator Program Sets Cuatrecasas Apart

by Best Lawyers

Miguel de Almada and Frederico Bettencourt Ferreira from the Portuguese firm discuss their 2019 "Law Firm of the Year" award for Litigation and Arbitration.

Cuatrecasas "Law Firm of the Year"

Insurance Coverage to Protect the Health Care Industry from the Increasing Risks Associated with the Internet of Things

by Meghan Magruder and Amy Dehnel

While this connectivity can provide great benefits to patients and physicians, the security issues inherent in these devices are critical.

Insurance for Health Care Industry

Virtual Worlds: A Legal Wild West

by Tam Harbert

As these technologies develop and their use becomes more widespread, attorneys expect to encounter novel legal challenges.

Virtual Worlds

Ontario Court of Appeal Addresses Interplay of SERP Entitlements and Grow-in Benefits

by Caroline Helbronner and Sean Maxwell

The case serves as a reminder of the importance of carefully drafting the benefit provisions in supplemental plan texts where members of the underlying registered plan are subject to pension legislation that provides for grow-in benefits on termination of employment.

Ontario Court of Appeal

Trending Articles

The Real Camille: An Interview with Johnny Depp’s Lawyer Camille Vasquez

by Rebecca Blackwell

Camille Vasquez, a young lawyer at Brown Rudnick, sat down with Best Lawyers CEO Phillip Greer to talk about her distinguished career, recently being named partner and what comes next for her.

Camille Vasquez in office

Johnny Depp and Amber Heard: The Best Lawyers Honorees Behind the Litigation

by Gregory Sirico

Best Lawyers takes a look at the recognized legal talent representing Johnny Depp and Amber Heard in their ongoing defamation trial.

Lawyers for Johnny Depp and Amber Heard

Announcing The Best Lawyers in The United Kingdom™ 2023

by Best Lawyers

The results include an elite field of top lawyers and firms from the United Kingdom.

The Best Lawyers in The United Kingdom 2023

Announcing The Best Lawyers in France™ 2023

by Best Lawyers

The results include an elite field of top lawyers and firms from France.

Blue, white and red strips

Announcing The Best Lawyers in Germany™ 2023

by Best Lawyers

The results include an elite field of top lawyers and firms from Germany.

Black, red and yellow stripes

Education by Trial: Cultivating Legal Expertise in the Courtroom

by Margo Pierce

The intricacies of complex lawsuits require extensive knowledge of the legal precedent. But they also demand a high level of skill in every discipline needed to succeed at trial, such as analyzing technical reports and deposing expert witnesses.

Cultivating Legal Expertise in the Courtroom

Announcing the 2022 Best Lawyers® in the United States

by Best Lawyers

The results include an elite field of top lawyers listed in the 28th Edition of The Best Lawyers in America® and in the 2nd Edition of Best Lawyers: Ones to Watch in America for 2022.

2022 Best Lawyers Listings for United States

Announcing The Best Lawyers in Belgium™ 2023

by Best Lawyers

The results include an elite field of top lawyers and firms from Belgium.

Black, yellow and red stripes

Announcing the 2022 Best Lawyers™ in France

by Best Lawyers

The results include an elite field of top lawyers and firms, including our inaugural Best Lawyers: Ones to Watch recipients.

Announcing the 2022 Best Lawyers™ in France

We Are Women, We Are Fearless

by Deborah S. Chang and Justin Smulison

Athea Trial Lawyers is a female owned and operated law firm specializing in civil litigation, catastrophic energy, wrongful death and product liability.

Athea Trial Law Female Leadership and Success

Choosing a Title Company: What a Seller Should Expect

by Roy D. Oppenheim

When it comes to choosing a title company, how much power exactly does a seller have?

Choosing the Title Company As Seller

Destiny Fulfilled

by Sara Collin

Was Angela Reddock-Wright destined to become a lawyer? It sure seems that way. Yet her path was circuitous. This accomplished employment attorney, turned mediator, arbitrator and ADR specialist nonpareil discusses her career, the role of attorneys in society, the new world of post-pandemic work and why new Supreme Court Justice Ketanji Brown Jackson represents the future.

Interview with Lawyer Angela Reddock-Wright

Announcing the 2022 Best Lawyers™ in Germany

by Best Lawyers

The results include an elite field of top lawyers and firms, including our inaugural Best Lawyers: Ones to Watch recipients.

Announcing the 2022 Best Lawyers™ in Germany

U.K. Introduces Revisions to Right-to-Work Scheme and Immigration Rules

by Gregory Sirico

Right-to-Work Scheme and Immigration Rules in

Famous Songs Unprotected by Copyright Could Mean Royalties for Some

by Michael B. Fein

A guide to navigating copyright claims on famous songs.

Can I Sing "Happy Birthday" in Public?

What the Courts Say About Recording in the Classroom

by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?