These 4 Factors Keep Solos and Small Law Firms Exposed to Cybersecurity Threats

The foremost threat facing solos and small law firms today is the risk of catastrophic data breaches.

The second most significant threat is their own negligence.

Evolving security challenges coupled with law firms’ expanding digital footprints mean that solos and small practices have never been so at-risk for data breaches or so unprepared to prevent them.

Attorneys seem to understand this, yet bafflingly fail to act:

  1. According to the ABA TechReport 2020, 29% of small firms have already suffered a data breach (up from 26% in 2019).
  2. Thomson Reuters’ “2020 State of US Small Law Firms” report states 60% of small law firms want to upgrade their IT security…but fewer than half currently employ basic security measures.

Perhaps the only challenge greater than staying abreast of tech security is understanding the attorney mindset — yet over the course of fifteen years consulting for solos and small practices across the country, I’ve developed a deep understanding of both.

I’ve concluded that lawyers’ failure to adequately protect themselves from cybersecurity threats is rooted in four main causes:

  1. They underestimate the cyber threat
  2. They lack time to focus on security
  3. They lack proper expertise
  4. They have a hard time asking for help

Let’s dissect each factor, and by de-mystifying them, empower you to act before it’s too late.

Attorneys Underestimate Cyber Threat (Won’t Happen to Me)

We’re all generally aware of cybersecurity issues and familiar with high-profile breaches but rarely connect such stories to ourselves or feel any real sense of risk.

By shrugging off precautions or believing themselves too small to target, firms trivialize the scope and stakes of lurking online dangers. The vast majority of data breaches are not brute-force headline hacks but insidious, incisive attacks aimed at unprotected practices like yours.

Let’s take a look at three of the most common security threats our clients encounter:

  1. Phishing Schemes: Spoofed emails and websites based on legitimate contacts extract credentials granting access to sensitive information, finances, or systems.
  2. Employees: Even well-intentioned employees can pose threats by succumbing to schemes, accessing systems on unsecured networks, or accidentally deleting files…but disgruntled workers can further abuse access to wreak havoc on unsecured setups.
  3. COVID Scams: Exploitation of the pandemic has been rampant, with malicious entities hovering around vaccine databases, PPP loan programs, and government stimulus payouts; if you, your firm, or your clients have explored any of these avenues, you may have opened back doors to your network.

While these threats may be familiar, defenses against them are not.

Perhaps you feel safe because you practice minimal cyber hygiene: your favorite password is in a drawer instead of taped to your monitor…you use “incognito” tabs for sensitive browsing…you might even have enabled Two-Factor Authentication on a few accounts.

Admittedly these measures alone are better than nothing, but barely.

Thwarting the threats described above (an abbreviated list omitting malware, adware, ransomware, email corruption, bank fraud, credential stuffing, and more) requires further measures like team training, password management, DNS verification, dark web monitoring, device scanning, VPN connections, and encryption of servers and emails.

In short: basic protection is not enough.

Just because your car has bumpers and turn signals doesn’t mean you forget seatbelts and decide to let go of the wheel…a lesson learned too late by a hard-working solo attorney:

[CASE IN POINT: Shannon was a solo family lawyer in Connecticut, beloved by clients for an approach so tenacious they called her "el Toro"; and like a real bull, she charged aggressively forward while forgetting to guard her flank. Believing her practice too small to be targeted, she hardly bothered with online security practices…until her case management system was breached and she was forced to notify the authorities, her clients, and all related parties that their data had been compromised. Had Shannon understood the risks, she would have taken precautions (password manager, credential monitoring, system alerts) and avoided the nightmare that threatened her reputation, her firm, and years of hard work. El Toro has now slowly and painfully rebuilt trust and business, but you shouldn't wait to learn the hard way like she did – get a grasp of your threat environment now!]

Attorneys Lack Time to Focus on Security

Practicing law can be all-consuming. Operating a small business can dominate one’s life. Running a small firm is the best-and-worst of both worlds, with precious little margin for balance.

“Time is money” may seem a trite adage, but when you live by the billable hour it’s quite literal. Every hour spent studying tech or worrying about infrastructure is one that’s unbilled and could have gone to aiding clients or growing your firm.

That’s why 2/3 of small firms believe too much time is spent on administrative duties and not enough on practicing law. Roughly the same percentage hope to improve in-house technology with an eye towards efficiency and elevated security, but year-on-year surveys suggest they rarely follow through on such plans.

Since time is finite but assistance is not, the obvious answer is to enlist outside help; but some self-reliant lawyers are too stubborn, too proud, or too stingy (penny-wise and pound foolish?) to do so…a decision oft regretted in the end.

This behavior becomes a perpetual cycle of procrastination: attorneys are aware of the pressing need to upgrade, but too pressed for time to do it, so they put off any action at all. “I don’t have the time,” they say, “I’m swamped with work”…until one day they have all the time in the world, because their life’s work has been stolen away.

It may be true that small firms don’t have extra time to devote to cybersecurity, but even truer that they’re running out of time to address it…a lesson one lawyer almost learned too late.

[CASE IN POINT: Jason was a young lawyer tech-savvy enough to realize he needed better IT security, but too busy building his small firm to address it. He'd reached out to us, but repeatedly put off subscribing – rescheduling thrice in just a few months. That's when he nearly fell prey to an attack launched from the compromised email system of opposing counsel; he was one click away from suffering the same fate, and witnessed the devastation suffered by the other small firm. Without further delay, he engaged our services and has rested easy ever since…but he had nearly waited too long.]

Attorneys Lack Proper Expertise

Lawyers are some of the smartest people in the world…and if you don’t believe me, just ask one!

I kid, but it’s true – most attorneys have great depth and breadth of knowledge. Those in general practice must be familiar with multiple fields, while niche specialists develop detailed knowledge across a spectrum of client businesses (one friend in IP practice defended meat wrapping patents one week and sued on LCD infringements the next!).

Maybe that’s why many lawyers believe they can tackle any challenge, including oversight of their firm’s technology. They’re mistaken.

Technology, like the law, is a specialized field best left to knowledgeable experts. Just as no defendant should represent themselves in court, no attorney should be the architect of their own tech solutions: they’d each end up with a fool for a client.

Indeed, the very core of the legal profession is supplying learned wisdom and practical experience to protect clients and help laymen navigate the nuances of a complex, intimidating system. The same could be said of tech consultants. Attorneys should have the humility to accept the same type of services they provide – as Dirty Harry said, “A man’s got to know his limitations.”

[CASE IN POINT: For this illustration, I'm going to steal a scene from the classic film Almost Famous -- it's more poetic and less depressing than a real example, and I just really love that movie! The rock band is about to hit it big, but resists hiring a professional road manager; believing it's all about the magic of music and they've gotten along fine without one. The manager (a cameo by Jimmy Fallon) salutes their artistry but exposes their naiveté with a series of questions outlining unanticipated issues and higher-level logistics. "I didn't invent the rainy day," he concludes, "I just own the best umbrella."  It's a clever way of showing that the group doesn't even know what they don't know about looming problems, and frankly they don't need to – they should focus on playing tunes and let professionals take care of the rest. Just as you should concentrate on practicing law and growing your firm, while letting legal technology consulting services provide the security umbrella.]

Attorneys Have a Hard Time Asking for Help

You’ve recognized the gravity of the threat and acknowledged lacking the time or expertise to tackle it: congratulations — admitting you have a problem and asking for help is the first step towards solving it!

So, how do you proceed?

More precisely, WHO do you turn to?

I’m a big believer in the cooperative strategy espoused by Dan Sullivan and Dr. Benjamin Hardy in their entrepreneurial book, “Who Not How”. They emphasize the advantages of outsourcing challenging tasks to better-qualified “WHOs” — securing superior results and reclaiming your time to be that “who” for your clients.

For instance, I’m supremely confident in my IT knowledge but rely on a team of external “whos” to help in fields outside my comfort: lawyers to draft contracts, an accountant to prepare taxes, a contractor to expand our offices, and a mechanic to service my car. There’s no shame in that – it’s logic!

This may be an obvious philosophy, but it’s one often ignored as we try to do everything ourselves.

The truth is, as a practicing attorney you couldn’t possibly protect your firm with best-in-class security protocols without losing time, wasting money, and taking risks through trial-and-error. Instead, save the time, lose the angst, and eliminate exposure by enlisting a comprehensive tech consulting service that will tailor a plan for your firm.

Years of researching, testing, and refining real-world best practices made me intimately aware of the exposure many solos and small firms have. The truth is many of them can handle their technology on their own. Hardware and software have become far easier to manage over the past 5 years. However, this creates a new problem: while using and adopting technologies has become easier, cybersecurity threats have become more advanced.

Just because you can manage your technology does NOT make you qualified to protect yourself from security threats. And most solos and small firms managing their tech on their own do not have a security expert or IT consultant. They may use an hourly consultant as needed, but these consultants often lack the depth and knowledge of comprehensive security solutions for law firms.

[CASE IN POINT: David ran a mid-sized firm that was handling its own IT security when an email intrusion turned into a financial exploit resulting in the siphoning of firm funds. Forensic investigators pinpointed the culprit and the firm was forced to go dark for months of retooling that inflicted horrific hits to finances and reputation which the practice barely survived. When they came back online, they found their "who" in terms of cybersecurity. With their new security expert, they developed a plan and safeguarded their systems with layered protocols that astounded David – he was taken aback by how many measures he'd been unaware of: omissions that not only left the firm vulnerable to attack, but potentially liable for gross negligence with their clients. Thankfully, he now reports sound sleep and a practice on the mend.]


When small law firms tend to their own tech security, they’re playing with fire and fiduciary duty.

Most solo attorneys and small firms are broadly aware of cybersecurity threats, but underestimate the severity, downplay the likelihood, and lack the time or know-how to implement effective defenses…so they end up avoiding proactive measures.

By simply enlisting the expertise of full-service security consultants, solos and small firms can protect their business, their clients, their reputations, and their well-being while freeing time better-suited to other tasks.

All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.
