Best Cybersecurity Practices for Attorneys: 4 Ways to Protect Yourself and Your Clients


As an attorney, part of your job is getting to know your clients, including highly personal information you must respect, protect, and keep confidential.

Unfortunately, hackers covet this sensitive data and want to steal it to defraud your customers or even hold your firm to ransom. Research statistics and survey data paint a bleak picture of how firms are prepared. According to their 2023 tech report, the American Bar Association says that 29% of firms suffered a security breach, with 19% admitting they didn’t know whether a breach could have occurred. 

These figures show that breaches are a rising problem, and attorneys may not even be aware they’ve been compromised in the first place.

In this article, you will see how costly a data breach can be for law firms and why you must take cybersecurity seriously. You’ll learn simple, effective tips and tricks that can help bolster your defenses and protect your client’s data from harm.


The true cost of a client data breach

Data breaches that target law firms can not only cost huge financial sums in ransoms and penalties but can also cost their reputation. You only need to look at high-profile hacks from last year to see this in action.

In April of 2023, for instance, law firm HWL Ebsworth was hacked by a Russian-linked ransomware group, an incident that made headlines worldwide. The hackers published over 1.1 TB of data to the dark web after the firm refused to pay their demands.

Leaked data included sensitive client information, such as names, bank details, encrypted messages, addresses, and signatures. Several Australian government departments and major banks like Westpac, NAB, and the Commonwealth Bank were confirmed as clients of the firm and, thus, potential victims.

The cyberattack continues to haunt the firm, as hackers stole over 4 TB of data during the cyberattack, leaving some of the information yet to be released. Moreover, a significant delay in informing those affected added to the reputational damage.

So, what can you learn from HWL Ebsworth’s ordeal? And more importantly, how can you prevent a similar incident from happening to you and your firm?


Safety tips to protect client data

Below are four simple ways to safeguard sensitive client data. Each one can help mitigate the damage of a breach and even avoid one altogether:

  • Use file encryption

Encryption is a method of ‘scrambling’ data so that unauthorized people cannot steal or read sensitive data. In the unfortunate event of a hacker stealing client data, encryption prevents them from reading and understanding the information.

Different types of encryption law firms must be aware of:

    • Cloud encryption: We store a lot of our data in the cloud. Law firms are reminded to use reputable cloud services that encrypt files in transit and at rest.
  • File encryption: You can place encryption on individual files, allowing you to send and receive sensitive information without compromising security. Only users with the encryption key can unlock the data.
  • Device encryption: You can enable passwords or PINs on various work devices, including PCs, laptops, smartphones, and USB or flash drives. This can prevent unauthorized access if the device becomes lost or stolen.
  • Email encryption: Most email services, like Microsoft Outlook and Gmail, offer email encryption during transit, which protects emails from being read by unintended or unauthorized users.

  • Protect your online activity with a virtual private network

Hackers often use the internet to plan and launch attacks against law firms. As attorneys, finding reliable ways of safeguarding your online activity is important.

One effective way of doing this is using a virtual private network (VPN), which encrypts connections, ensuring that the data you send or receive is safe, secure, and private.

Another essential benefit of using a VPN is that it protects your IP address from being uncovered and used in subsequent cyberattacks. You might wonder, ‘What is my IP address?’ and why is it important to conceal it?

An IP address is a unique string of numbers that ordinarily identifies your device online. But it contains sensitive information about you and your online habits, including your location and internet service provider. 

By disguising your IP address, a VPN ensures you can work from anywhere, including at home, on holidays, or on a public Wi-Fi network, without alerting hackers to your location. It can also prevent websites from tracking your activity and helps keep your browser activity secret so that you can research cases without the fear of compromising sensitive material relevant to your cases.

  • Use stronger passwords and activate multi-factor authentication

Passwords are the backbone of cybersecurity. A weak password can be easily compromised and allow unauthorized access to all your client data and work accounts.

As such, creating a strong password is key, including aiming for at least 12 characters and mixing upper and lowercase letters, numbers, and symbols for complexity. Avoid using personal information, like dates or nicknames, which can be easily obtained and compromised.

Law firms should also consider activating multi-factor authentication (MFA) across their entire business. This security feature asks users to verify their identity upon login, often through a single-use code, via an authenticator app, or using biometric characteristics like a fingerprint. You’ll be alerted to the unauthorized login attempt, giving you ample time to review your security, change passwords, and anticipate a potential cyberattack.

  • Perform regular backups of data—and keep these protected

Cyberattacks like ransomware can be devastating because criminals encrypt and deny you access to work files, preventing you from working or, in some cases, even diagnosing the extent of lost data.

One way of protecting your law firm from the threat of criminals is by performing regular backups of sensitive data. Without a backup, firms might not know who is affected by an attack or the extent of the breach. 

By performing regular data backups, you will always have access to the data gathered, allowing you to recover files, minimize downtime, and promptly contact affected customers.

That said, firms must also protect backed-up data from harm. After all, hackers could be just as interested in stealing that information instead. Place proper encryption on files for total peace of mind.

Remember that it’s crucial to follow all of the provided tips. Only then will you be able to mitigate your system’s vulnerabilities and ensure complete protection.