Whether they are large or small, law firms tend to be targets for hackers for many reasons. They hold personally identifiable information and possibly confidential medical records; business, trade secret or proprietary information; and classified government documents.
“All of which is really valuable especially in the wrong hands,” said Matthew Esworthy, partner at Bowie and Jensen LLC.
Law firms can also serve as an entry point for hackers seeking access to other desired targets, such as worldwide businesses or government offices, because their security is of a lower standard.
“Like many other small or midsize businesses, employees of the (law) firm including the lawyers, are not really trained or focused on cybersecurity of the firm or the various types of threats out there,” Esworthy said. “Rather they are focused on their practice. Law firms don’t often have the level of security that other companies operating in the digital economy have adopted, because I don’t think law firms think of themselves as a target. Their level of security can be less sophisticated than somebody that has been doing business in the digital economy and already has potentially experienced some issues and learned from it.”
Tony Sager, senior vice president and chief evangelist of The Center for Internet Security Inc., notes it is easy for law firms to be overwhelmed when it comes to cybersecurity issues.
“It is very specialized language,” he said. “It is fairly new to most people. The marketplace is noisy. It’s not surprising but what a lot of people don’t appreciate — it feels like there are millions of attacks every day all the time around the world and there are but they are not unique. What we are seeing is not millions of unique attacks. We are seeing millions of repeats of the same thing over and over again.”
Firms need to assess themselves and determine what information they have, what needs to be protected and what devices are being used. All staff also need to be on board with protecting the information. Esworthy notes that firms need to simplify by assigning each staff member to only one computer instead of multiple devices, and by knowing what information is stored on those computers.
“Understanding what devices (computers, cell phones, etc.) are in play, and who is using them, is the first step that one must take in order to protect the information. If you don’t know what you have, and if you don’t have control over who has access to it — how will you ever effectively protect it?” Esworthy said. “Depending on the size of the firm, it can be a huge undertaking. I think many don’t want to do it because it can be expensive, inconvenient and difficult to implement and enforce. It also takes you away from your business — the practice of law. But, if you don’t prepare for the inevitable, and something happens, the firm is going to have a very hard time pinning down what information has been compromised and how to fix it.”
Firms should also conduct training for employees and run exercises in a safe, controlled setting as a way to educate staff. They should also be using the most up-to-date software and patches, along with complex passwords.
Incident response planning is also vital to put in place before an attack occurs.
“If you don’t have a plan in place and you are trying to figure out what to do as the (attack) is happening, rest assured it is not going to go well,” Esworthy said. “You don’t want to be trying to figure out who to call for help when minutes matter.”
Firms may also want to consider cyber insurance. The process of obtaining coverage will give firms a better grasp of their security and information, and in the event of an attack the coverage may defray some of the costs.
Some of the larger firms have a chief information security officer on staff. Others employ managed security services providers that monitor off site.
“Many people are not inclined to invest the time and money into (cybersecurity) because they view it as an expense without any upside,” Esworthy said. “The truth is — it is absolutely necessary to engage in because the cost and expense if you don’t is so much greater.”