Recent research reveals that around 15% of law firms felt they had security gaps, while more than double that number have endured some form of breach. 

Law firms store some of the most sensitive information available regarding material business transactions, intellectual property, Personally Identifiable Information (PII) and other personal data. The International Legal Technology Association (ILTA) and Conversant Group recently released a joint cybersecurity research report titled “Security at Issue: State of Cybersecurity in Law Firms.” 

The report presents findings of ILTA’s first industry-wide benchmarking survey on cybersecurity practices in global law firms, conducted in collaboration with Conversant Group, providing a glimpse into the vertical sector’s security practices. The survey aimed to understand law firms’ cybersecurity controls, tools, practices and assumptions in order to determine how their cyber defenses could be improved.

According to the American Bar Association, nearly a third of law firms surveyed reported a breach within 2021, and 36% reported past malware infections. While law firms are in the crosshairs of threat actors, Conversant and ILTA’s data shows around 15% of law firms felt they had security gaps, while more than double that number have endured some form of breach.

Other key report highlights

  • Nearly three-quarters of respondents believed they were more or much more secure than their industry peers; yet the detailed results demonstrated significant security gaps across firms of all sizes.
  • 65% of responding firms state they have lateral movement defenses in place; yet the data did not demonstrate that multi-factor authentication (MFA) was employed as comprehensively as required to constitute lateral movement defenses.
  • When asked about the top three threats to security, the top response (39%) was user behavior and the lack of training to prevent this harmful behavior, rather than any threat actor activities. The data reflected that firms, on average, were not implementing the controls needed to mitigate user risk, controls that would put greater management of that risk in IT’s hands.
  • Backups are not viewed as a top security control—at firms’ peril. Only 11% viewed backups as a top control, and only 24% reported having multiple immutable copies of all data to protect against total loss.
  • Large to very large firms demonstrate more mature security programs than their smaller peers through established proactive testing, dedicated security staffing, formalized change processes, etc. Yet, the report concluded they could still improve their security through a more layered approach to security across people, process and technology, rather than a focus on compliance.