Building the 21st-Century Law Firm

Practical cybersecurity for law firms: How to batten down the hatches


Michael C. Maschke


Malware loves to prey on uninformed users. These victims are the primary cause for the continuing propagation of malware infections, with users clicking on things they shouldn’t be.

Why, you might ask? Curiosity, fear, urgency, recognition—such as being named for an award—are generally the top four motivations for clicking.

Over 91 percent of all hacking attacks begin with a phishing email, which is why it’s imperative that you train all of your employees.

Sadly, one of the most overlooked aspects of an organization’s security readiness is end-user training. It is just as important that your employees know what not to click on as it is to have security software installed to help prevent malware outbreaks. Firms should provide social engineering and safe computing awareness training to everyone at the firm at least once a year. And make it mandatory.

With education and practice comes a more informed and safer user. Look into services that provide phishing assessments, such as Duo Insight, as a way to test and educate your employees against phishing emails. Integrating this testing into annual training is a great way to get your employees to learn, to have a fun competition and to identify those employees who may need some extra attention and practice. By the way, a single training session has been shown to reduce the risk of a successful phishing attack by 20 percent. Not a bad return on your money.


You can also augment your training with technical solutions. There are email scanning services such as Mimecast, which convert attachments into a safer format such as PDF. There’s also an option to scan URLs in messages and warn of any suspicious links.

Consider some free and not-so-free solutions that your firm can implement to increase your security posture against ransomware and other malware threats. Much of what we describe is probably included in the software your firm has already purchased. It is just a matter of turning the security settings and requirements on.

Our list of security recommendations could fill a book, but we have tried to include the essentials.

Doing nothing makes no sense: You are just begging to be “owned” by the next piece of ransomware or malware. By implementing some of the solutions described above, you are doing your due diligence to batten down the hatches, protecting your firm from becoming the victim of the threats that will continue to wreak havoc for the foreseeable future.

Cybersecurity is a moving target. As threats morph, so will the defenses. Keeping yourself educated on information security issues is a very high priority for all lawyers.

The authors are, respectively, the president, vice president and CEO of Sensei Enterprises, a legal technology, cybersecurity and digital forensics firm based in Fairfax, Virginia.

This article appeared in the October 2017 issue of the ABA Journal with the headline “Risk Management—Practical Cybersecurity for Law Firms: How to Batten Down the Hatches”
