Recent research has found that approximately 15% of law firms identified that they have security loopholes, while the share of firms that have suffered some kind of security breach is more than twice that percentage.
Legal firms hold highly sensitive information, including details about crucial business transactions, intellectual property, and Personally Identifiable Information (PII), amongst other personal data. A collaborative cybersecurity research report titled “Security at Issue: State of Cybersecurity in Law Firms” has been published by the International Legal Technology Association (ILTA) and the Conversant Group.
The report presents the results of ILTA’s inaugural industry-wide evaluation of cybersecurity methods at law firms worldwide. The survey was carried out in conjunction with the Conversant Group and provides insight into the sector’s security habits. It was designed to learn about law firms’ cybersecurity regulations, tools, procedures, and assumptions in order to assess how their cyber defences can be strengthened.
According to the American Bar Association, in 2021 about one third of the surveyed law firms indicated that they had experienced a breach, while 36% of them acknowledged previous incidents of malware infections. Even though law firms are becoming targets of threat actors, data from Conversant and ILTA shows that approximately 15% of law firms identified that they have security loopholes, while the number that have suffered some kind of breach is over double that figure.
Additional key points from the report
A large portion of the respondents, almost three-fourths, felt that their security was superior to that of their industry counterparts. However, the detailed results revealed substantial security gaps across firms, irrespective of their size.
While 65% of the firms that responded claimed to have put lateral movement defences into effect, the data did not show multi-factor authentication (MFA) being utilised as extensively as would be required for it to count as a lateral movement defence.
When asked about the top three security threats, the most common response (39%) was user behaviour and the lack of training to prevent such detrimental behaviour, as opposed to any activities by threat actors. The data suggested that, on average, firms were not introducing the controls necessary to reduce user risk, thereby placing the burden of user risk management on IT.
Backups were not seen as a significant security control and were neglected at the firms' own risk. Only 11% considered backups a top control measure, and merely 24% reported having multiple immutable copies of all data to prevent total loss.
Larger firms showed higher maturity in their security programs than their smaller counterparts, implementing proactive testing, dedicated security staffing, and formalised change processes. However, the report highlighted that even these firms could enhance their security by taking a more layered approach across people, process, and technology, instead of concentrating solely on compliance.