
Law Firms: Soft Targets; Hard Truths


Note: This post was penned by Christopher Anderson and originally published in Attorney at Work in June 2014.

Are law firms really a “soft underbelly” for hackers? Yes, according to numerous legal security experts and recent news reports. Several corporations are now demanding that their law firms take increased security measures, because a breach at the firm is a breach of the corporation's own business.

So why are law firms on the hacker radar these days? Quite simply, because law firms, especially smaller and mid-sized firms, tend to lack the level of security their corporate clients have. A firm holding a client's confidential and privileged data gives hackers a proverbial “back door” into a business that is otherwise well defended: the attacker does not have to breach the client if the client's files are sitting at the law firm.

The Soft Target: Law Firms

Surprisingly, the biggest threat to law firms today comes from within the walls of the organization. Many law firms have some security measures and a plan in place; however, those measures need to be tested continuously to ensure they still protect against the latest threats. A “check off the list” security methodology, where controls are installed once and never exercised again, can make a law firm a “soft target” for hackers. Adding insult to injury, many seemingly harmless day-to-day activities of law firm employees also put the firm at risk.

Think about the last time you visited your firm's reception desk. You likely noticed a sticky note taped to the desk with a myriad of passwords and other confidential information on it. How do you know visitors to the firm aren't trolling for exactly that kind of information? Also think about what happens to the old hardware every time the firm upgrades to new devices: not just computers and laptops, but tablets, phones and even copiers and thumb drives, all of which can retain copies of client data. These are questions law firms should be able to answer with confidence, and the list goes well beyond passwords and discarded devices.
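To make the discarded-device concern above concrete, here is an added example (an illustration written for this edit, not code from the original post) of the difference between deleting a file and actually overwriting its contents. It assumes a spinning disk and a filesystem that rewrites blocks in place; the file name, the marker text and the `demo_wipe` helper are constructed for the demonstration.

```python
"""Overwrite a file before deleting it, to show why "wipe" means more than
"delete". Added illustration, not code from the original post.
Assumes a spinning disk and a filesystem that rewrites blocks in place."""
import os
import tempfile

CHUNK = 1 << 20  # write in 1 MiB pieces so large files need not fit in memory


def _write_all(f, data: bytes) -> None:
    """Unbuffered files may accept a short write; loop until every byte is out."""
    view = memoryview(data)
    while len(view):
        written = f.write(view)
        view = view[written:]


def _fill(f, size: int, make_chunk) -> None:
    """Rewrite bytes 0..size of an open file from the start, then force them to disk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        _write_all(f, make_chunk(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite the file in place: `passes` passes of random bytes, then zeros.
    Opening with "r+b" (not "wb") is deliberate: "wb" would truncate, and the
    filesystem could then allocate fresh blocks and leave the old ones untouched.
    Returns the number of bytes overwritten; the file itself is left for
    inspection and removed by wipe_file()."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            _fill(f, size, os.urandom)
        _fill(f, size, bytes)  # bytes(n) is n zero bytes
    return size


def wipe_file(path: str, passes: int = 2) -> int:
    """Overwrite, then unlink. os.remove() alone drops only the directory entry;
    the contents stay in free space until something else happens to reuse them."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def is_zeroed(path: str) -> bool:
    """True when every byte of the file is zero (or the file is empty)."""
    with open(path, "rb") as f:
        return not any(f.read())


def demo_wipe(marker: bytes = b"CONFIDENTIAL client memo\n") -> dict:
    """Constructed demonstration: write a marker into a temporary file, overwrite
    it, confirm the marker is gone and only zeros remain, then wipe the file."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(marker)
    size = overwrite_file(path)
    with open(path, "rb") as f:
        marker_left = marker in f.read()
    zeroed = is_zeroed(path)
    wiped = wipe_file(path)
    return {
        "bytes": size,
        "marker_left": marker_left,
        "zeroed": zeroed,
        "wiped_bytes": wiped,
        "exists_after_wipe": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo_wipe())
```

The caveat a practitioner would add: this overwrite-in-place approach is only trustworthy on magnetic disks with filesystems that rewrite blocks where they are. On SSDs and flash media (the phones, tablets and thumb drives mentioned above), wear-levelling controllers often write the new data to a different physical location and leave the old cells intact, and journaled or copy-on-write filesystems can do the same. For those devices, rely on full-disk encryption followed by destruction of the key (which is what a factory reset does on an encrypted phone), the drive's own secure-erase command, or physical destruction.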


How Can Firms Protect Themselves?

What can law firms do to protect themselves? The good news is there are several ways law firms can mitigate security risks. The first step requires acknowledging that the firm is not immune from a security breach. For those of you who think your firm is not being targeted, I would argue that you’re just not looking.

Even so, this thinking has to be balanced: respond to bona fide threats without slipping into paranoia. Here are 12 practical steps law firms can take to protect their confidential information.


12 Ways to Protect Your Firm

  • Use Firewalls. Any firm that uses computers must use firewalls; it is that simple. They should be applied both at the network perimeter and on individual computers. A firewall provides a critical first line of defense by inspecting the network traffic coming into and going out of the firm and blocking traffic that is not wanted or does not look legitimate.
  • Use Strong Passwords. Don't use passwords that are too short, and avoid personal information such as a child's name or a birthday, which an attacker can guess after a little research. A website that gauges the strength of a password is howsecureismypassword.net; it will not only rate the password but also estimate how long a brute-force attack would take to crack it. One caveat: never type a password you actually use into a third-party website; test one of similar length and make-up instead.
  • Use Good Hygiene. Going back to the sticky note example, practice good hygiene by ridding the office of easy access points: passwords written down in plain view and computers left logged in and unattended.
  • Remove Residual Data. Know how to browse the web securely, and remember that nearly every website you visit leaves cookies and cached copies of pages on your machine. This residual data should sit on an encrypted disk and be cleared regularly.
  • Use Caution on Social Media. Once you put information into the public domain by posting it to Facebook, Twitter or YouTube, it can't be taken back. Think carefully before posting anything sensitive on social media sites, and have clear policies about what others in the firm may post.
  • Wipe Discarded Devices. The legal industry is evolving rapidly, and so are our devices. Make sure that as you upgrade to the newest tablet or smartphone you wipe the discarded device with secure-erase software that overwrites the storage, rather than merely deleting files or emptying the trash, which leaves the data recoverable. Sometimes physical destruction is a good idea. Or, better yet, hire professionals to do it.
  • Implement a Breach Plan. Assume that attackers will eventually get ahead of you, even as you do everything you can to prevent a breach. Unless you already have a plan in place, work with a consultant or data breach management company to protect the firm's assets. Know in advance how you will:
    • Protect the data and restore your access to it
    • Notify clients in the event of a breach
    • Get the firm back up and running
  • Use Virtual Private Networks. A VPN is a great way to access the firm's information remotely and securely, particularly from hotel and airport networks. If you frequently work from public places while traveling, I recommend investing in a privacy screen filter, which prevents those around you from reading your screen. Also make sure to use HTTPS sites rather than HTTP sites: HTTPS encrypts the traffic between your browser and the website, so someone on the same network cannot read or alter it. It does not protect data once it is stored on your device; that is what disk encryption is for.
  • Document Security. Reviewing and sharing documents is fundamental to the legal profession. When shopping for cloud-based file sharing products, look for solutions that provide the following:
    • Secure file sharing
    • Secure file sync
    • Digital rights management
    • Secure web access
    • Mobile productivity
    • Terms and Conditions that reflect your duty to your clients around confidentiality, privilege and safekeeping
  • Know the Difference between the Public and Private Cloud. Not all cloud solutions are created equal. Public cloud offerings are those available to the general public, and are often free or close to it. If you are considering a public cloud offering, read the terms and conditions carefully and ask the following questions:
    • How will my data be protected? The provider's safeguards should be superior to your own and should be validated by third parties, such as eTrust, U.S. Data Centers and SysTrust, to name a few.
    • Who will own the data? Understand what the provider will do with the data, and read the conditions so you know what happens if the government calls or if you cancel your subscription.
    • How readily available will the data be to you?
    The private cloud, by contrast, provides a privately hosted place to store and access data, where only those approved to use it are admitted. Typically there is a cost associated with private cloud offerings; however, many provide an important additional layer of security.
  • Encryption. Make sure you know where your data is stored and ensure the data is encrypted both while it is in transit and while it is at rest.
  • Notification of Practices. Prepare language that clearly explains to clients how their data is stored and how it will be protected.
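The crack-time figure a site like howsecureismypassword.net reports comes from simple arithmetic on the alphabet and length of the password. As an added example (not code from the original post or from that site), the Python below reproduces that brute-force estimate and adds the personal-information check the list recommends; the guess rate, the verdict thresholds and the sample passwords are assumptions constructed for the illustration.

```python
"""Password strength estimation, added to illustrate the "Use Strong Passwords"
advice. Not code from the original post or from howsecureismypassword.net; it
performs the same kind of brute-force arithmetic and adds a check for personal
information. Guess rate and thresholds are assumptions."""
import math
import string

# Assumption: 1e10 guesses/second is a round figure for a GPU rig attacking a
# fast, unsalted hash. A slow hash such as bcrypt would be orders of magnitude lower.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search: every character class the
    password uses enlarges it (26 lower, 26 upper, 10 digits, 32 symbols, space)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
        (" ", 1),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    return max(size, 1)


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time for exhaustive search: the attacker expects to try half the keyspace."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, n in units:
        if seconds >= n:
            return f"{seconds / n:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def personal_info_hits(password: str, personal_terms) -> list:
    """Terms (a child's name, a birth year) that appear inside the password.
    A dictionary attack tries these long before brute force, so any hit makes
    the brute-force estimate meaningless."""
    lowered = password.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in lowered]


def assess(password: str, personal_terms=()) -> dict:
    """Combine the arithmetic with the personal-information check.
    Thresholds (40 and 60 bits) are assumptions for the illustration."""
    bits = entropy_bits(password)
    hits = personal_info_hits(password, personal_terms)
    if hits or bits < 40:
        verdict = "weak"
    elif bits < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "length": len(password),
        "entropy_bits": round(bits, 1),
        "brute_force_time": human_duration(seconds_to_crack(password)),
        "personal_info": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample inputs; "Emma" and "2009" stand in for a child's name and birth year.
    for pw in ["password", "Emma2009!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, assess(pw, personal_terms=["Emma", "2009"]))
```

Two things the sample run makes visible: a long passphrase of ordinary lowercase words out-scores a short string of mixed symbols on the brute-force arithmetic alone, and a password built from a name and a birth year is marked weak regardless of its arithmetic, because the attacker's first guesses are drawn from exactly that kind of information.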

“Give me six hours to chop down a tree and I’ll spend four hours sharpening the axe.”  -Abraham Lincoln

Be Prepared

While no law firm is immune from a security breach, the most important step a firm can take to protect its data is to be prepared. This means developing a security breach plan and sticking to it. The firm's systems should be audited regularly, and clients and employees should be educated about the process and engaged in the dialogue. Security, after all, should be a way of life for law firms today.

Photo Credit: Flickr, via Creative Commons; CC 2.0



About Frank Strong

Frank Strong
Frank Strong is the communications director for the LexisNexis software division located on NC State’s Centennial Campus in Raleigh. In this capacity, he leads communications efforts in support of software products for law practice and law department management and also litigation tools – across large law, small law and corporate counsel segments. With more than 15 years of experience in the high-tech sector, Strong previously served as director of public relations for Vocus, which developed marketing, PR and media monitoring software. He has held multiple roles both in-house with corporations, ranging from startups to global organizations, and has also endured the rigors of billable hours, having completed gigs at PR firms including the top 10 global firm Hill & Knowlton. A veteran of two year-long deployments, Strong has concurrently served in uniform in reserve components of the military for more than 20 years, initially as an enlisted Marine and later as an infantry officer in the Army National Guard. Strong holds a BA in Film and TV production from Worcester State University, an M.A. in Public Communication from American University, and an M.B.A. from Marymount University. He is a PADI-certified Master Scuba Diver and holds a USPA "B" skydiving license.

