Cybersecurity Tips for Law Firms in 2025

“In a recent article published in the American Lawyer, 21 firms reported a cybersecurity breach, including financial losses in the first six months of 2024, compared to 23 during the entire year of 2023”.
This article highlights how challenging it is for law firms to protect their attack surface from potential attacks.
What Are the Top Cybersecurity Best Practices Law Firms Should Leverage?
Like other service practices, including accounting, medical, and insurance, law firms need to develop and sustain a cybersecurity strategy focusing on protecting individual employees, partners, or third-party associates from identity theft and credential compromises.
Chief information security officers (CISOs) within the law firm are the executive sponsors for all cybersecurity programs, operations across layers of security, and security operations personnel. They also create and nurture a culture of security awareness.
Executing a Strategy for Data Protection for Law Firm Data
Law firms that handle highly sensitive information, such as mergers and acquisitions, divorce proceedings, criminal law, and civil lawsuits, face potential security breaches. Security gaps within the firm's digital infrastructure are common, even with regulatory requirements and continuous monitoring.
Hackers wanting to gain early access to this information have successfully altered records and changed the outcome of various legal proceedings. Specifically, mergers and acquisitions are very lucrative for hackers who want to gain inside knowledge.
Funding Cybersecurity: A Critical Must for All Law Firms
Preventing cyberattacks against law firms starts with a commitment from the partners and the firm's finance committees to budget for security operations engineers, employee security awareness training, and security policies governing the use of the technical resources the firm relies on.
Here are some essential things all law firms should do to protect themselves from cybersecurity problems:
Multi-Factor Authentication (MFA)
MFA is essential to protect access to the firm's case portal applications, attorney billing records, client invoicing systems, and accounting systems. Attackers go after such high-value systems with stolen credentials. MFA prevents an attacker from reaching these sensitive client files with only a username and password.
Enabling Security Policies
Over 89% of law firms reported last year that they had clearly defined security policies governing email, internet browsers, access to law firm portals, Wi-Fi, remote access, and social media postings. These policies give the firm a documented basis for counseling anyone who fails to follow them. Like other organizations, law firms require each employee to review and accept each policy as a condition of employment.
Cyber Insurance
Even as premiums rise steadily because of ransomware attacks, unauthorized access to client portals, and theft of client intellectual property, law firms continue to apply for cyber insurance policies. Insurance carriers set their premiums according to how well customers implement and sustain robust cybersecurity measures that reduce risk and block suspicious activity.
The carriers will request that the law firm engage third-party penetration and vulnerability assessment firms to validate the various cybersecurity control functions and prove the firm's incident response capabilities and robust cybersecurity practices.
Enabling of Email Security, Encryption, and Data Loss Prevention Critical to Law Firm Protection
Law firms make extensive use of email, voice, and text encryption to communicate with clients.
Preventing email phishing attacks requires the firm to invest in advanced email protection that uses artificial intelligence (AI) and machine learning (ML) as defensive tools.
AI-based email security platforms scan all inbound email messages for malicious content, including malware-laced attachments, malicious links that lure users into disclosing their usernames and passwords, and malicious code that runs in the browser to hijack sessions.
Email encryption and data loss prevention (DLP) are embedded within the email security platform. Law firms commonly use email encryption for all outbound communications. However, this often depends on users remembering to click the encryption button in Outlook or Gmail. Most email security solutions with DLP scan all outbound messages and enable encryption automatically when a user forgets.
DLP is a critical control in the legal industry. It is required for several compliance and privacy mandates, including HIPAA, GDPR, CCPA, and others. Law firms concerned about data exfiltration or data theft by insider threats benefit from DLP, which scans all outbound messages for signs of sensitive data leaving the firm.
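The outbound DLP behaviour described above can be illustrated with a small policy engine. This is an added example, not code from the original article or from any Sentinex product: it scans a constructed outbound message for a few sensitive-data patterns (a US Social Security number, a Luhn-valid payment card number, and privilege keywords), then decides whether the message can go out as-is, must be encrypted, or should be quarantined for review because it is headed to a personal webmail domain. The `X-Encrypt` header, the firm domain `example-law.test`, the `personal-mail.example` domain and the rule set are all assumptions made for the example; real DLP products ship far larger and more nuanced rule libraries.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed detection rules (assumptions for this example).
# SSN: rejects area 000/666/9xx, group 00 and serial 0000, as the SSA does.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PRIVILEGE_KEYWORDS = ("privileged & confidential", "attorney-client", "settlement agreement")

FIRM_DOMAIN = "example-law.test"            # assumed internal domain
PERSONAL_WEBMAIL = {"personal-mail.example"}  # assumed consumer mail domains


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                     # "allow", "encrypt" or "quarantine"
    findings: List[str] = field(default_factory=list)


def scan_outbound(headers: Dict[str, str], body: str) -> Verdict:
    """Apply the constructed DLP policy to one outbound message."""
    findings: List[str] = []
    if SSN_RE.search(body):
        findings.append("ssn")
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        # Luhn check filters out invoice numbers and other digit runs.
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("payment-card")
            break
    searchable = (headers.get("Subject", "") + "\n" + body).lower()
    for kw in PRIVILEGE_KEYWORDS:
        if kw in searchable:
            findings.append("keyword:" + kw)
            break

    if not findings:
        return Verdict("allow", findings)

    recipient_domain = headers.get("To", "").rsplit("@", 1)[-1].lower()
    # Sensitive content bound for a personal webmail account is held for
    # review, the pattern behind many insider-exfiltration cases.
    if recipient_domain in PERSONAL_WEBMAIL:
        return Verdict("quarantine", findings)
    # The user already clicked the encryption button (assumed header flag).
    if headers.get("X-Encrypt", "").lower() == "yes":
        return Verdict("allow", findings)
    # Otherwise the gateway enforces encryption the user forgot to apply.
    return Verdict("encrypt", findings)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ({"To": "client@client.example", "Subject": "Re: closing"},
         "Client SSN 123-45-6789 attached."),
        ({"To": "client@client.example", "Subject": "Lunch"},
         "See you at noon."),
        ({"To": "me@personal-mail.example", "Subject": "files"},
         "Card 4111 1111 1111 1111 and the settlement agreement draft."),
    ]
    for hdrs, text in samples:
        print(hdrs["To"], "->", scan_outbound(hdrs, text))
```

The Luhn filter is what keeps the rule usable in practice: without it, every sixteen-digit matter or invoice number would trigger a false positive, and users quickly learn to ignore a control that fires on everything.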
Engaging with Third-party Pen Testing and Assessment Firms
"46% of law firms have cyber liability insurance, rising from 42% in 2021. Most insured are firms with 10-49 attorneys (56%), followed by 43% with over 100, 42% with 2-9, 40% with 50-99, and 38% of solo attorneys".
Cyber insurance carriers are not the only organizations asking law firms to complete quarterly assessments and pen tests. Internal law firm committees, including audit, finance, and compliance, ask the firm to carry out its own evaluation of security risks, its history of sophisticated attacks, and its current incident response plan.
Finance and compliance committees within the firm also require frequent assessments to validate their investment in security controls, to review vulnerabilities within digital assets, employee awareness training, and cyber incidents against the firm's cloud environments, and to confirm which defense mechanisms have helped reduce malicious activity, social engineering attacks, and phishing attempts.
The assessment also gives the audit committee the artifacts it needs for its internal and external reporting requirements.
What Unique Cybersecurity Challenges Do Law Firms Face?
Every security breach has considerable financial and legal implications for law firms. Clients also lose confidence in the firm, which directly impacts billing, profit sharing between partners, and future business.
A lack of IT and cybersecurity resources within the law firm, inconsistent budgets, and a lack of proper oversight lead to many security breaches. Law firms often deal with cybersecurity issues only after an incident has occurred, even where policies exist.
What Are the Top Law Firm Data Breaches in 2024?
Case Study 1: Orrick, Herrington, & Sutcliffe (2023)
“Orrick, Herrington & Sutcliffe paid $8 million to settle class action claims related to a March 2023 data breach in which cybercriminals accessed the personal data of over 600,000 individuals, including names, addresses, dates of birth, and Social Security numbers”.
“The hackers also obtained data on medical treatments, diagnoses, and insurance claims”. Subsequent lawsuits claimed Orrick delayed informing victims about the breach for months.
Case Study 2: HWL Ebsworth (2024)
HWL Ebsworth, one of Australia's largest law firms, suffered a major cyberattack by the ransomware group ALPHV (BlackCat). The hackers accessed the firm's network via a phishing campaign targeting employees, leading to the exfiltration of sensitive data like client communications and financial records.
They then encrypted the firm's data and demanded a ransom. Despite backup systems, the firm faced significant operational issues and reputational harm, which impacted 65 government agencies.
The Importance of Identity Protection for All Law Firm Employees
Providing identity protection for all law firm employees is an innovative and strategic decision. Attackers target employees throughout a law firm with spear phishing emails and social engineering. Often, the target is an associate, partner, or temporary worker. Security providers like Sentinex notify the firm of any compromise of an employee's credentials if it subscribes to their service. Without such a service, the firm and the employee might not realize the credentials were stolen for several months.
Why Sentinex?
Sentinex’s subscription-based offerings are ideal for law firms and small businesses. If an employee's credentials are found on the dark web, Sentinex notifies them. This monitoring strategy continues to gain ground within medical, legal, and accounting practices.
Are you interested in learning more? Click here to review the various subscription options Sentinex offers.