Securing your law firm is like eating an elephant: it's a massive challenge that cannot be tackled in one bite or alone. This primer covers the reality of law firm cybersecurity breaches: costs, incident response, data recovery, backups and essential security steps.

Cybersecurity Incidents Are a Reality for Law Firms
It's not a question of if your firm will be breached but when, how quickly you detect it, and how costly the recovery will be. The good news? Most firms are already making strides toward hardening their environments. But with threats evolving, we can all benefit from fresh insight and guidance to ensure we focus our efforts where they matter most.
In "Updates from the Breach," I'll share insights from real-world breaches (what worked, what didn't) and how your firm can avoid becoming the next cautionary tale. But first, a refresher course on the state of law firm cybersecurity and what law firm owners need to know.
The True Cost of a Breach
Over the years, I've seen firsthand how breaches disrupt business operations and the trust clients place in their legal providers. A cyber event isn't just an IT issue; it's an existential threat. The immediate impact includes:
- Lost revenue as the firm struggles to function.
- Unexpected costs for data recovery, forensics, and legal services.
- Long-term consequences such as client attrition and reputational damage.
And it doesn't stop there. Whether it's CCPA, the SHIELD Act, HIPAA or even GDPR from across the pond, compliance obligations and penalties can compound the damage, depending on your practice areas and the location of your clientele.
While breaches aren't the "black eye" they once were, their financial impact has never been greater, and it extends far beyond the demands of cybercriminals. Many assume that paying off attackers is the primary risk, but the ransom often accounts for only 10% of the total financial toll of a cyber event. The real costs include:
- Incident response and forensics investigations
- System restoration and data recovery
- Legal services and regulatory fines
- Breach notifications and compliance obligations
- Client loss and reputational damage
In fact, business interruption alone may account for up to 60% of a cyber insurer's total payout per incident. And all of this comes before you begin strengthening your IT posture to prevent the next attack.
Cyber Insurance Won't Save You
Unlike insurance that will rebuild a damaged roof to the current code, cyber insurance does not improve your security. Think of it like a museum burglary: Insurance may cover the stolen artwork and repair the broken locks, but it won't upgrade security measures to prevent the next heist. Worse yet, after a breach, insurers often reassess your firm's risk, which can result in dropped coverage, higher premiums or mandatory security upgrades before renewing your policy.
Translation: If your firm gets breached, it's likely due to weak security controls that you'll be forced to fix anyway. Instead of waiting for disaster, let's take proactive steps to protect your firm, including understanding some terms.
The Difference Between Incident Response and Data Recovery
After a breach is identified, two critical efforts take place: incident response and forensic investigations, also known as digital forensics and incident response (DFIR), and system restoration and data recovery. These processes serve different yet equally vital purposes.
Incident Response and Forensic Investigations: Understanding the What, How and Who
DFIR is about containing the damage and identifying the attack vector: how the attackers got in, what they accessed, and whether they are still in your environment. It's the crucial first step in stopping the bleeding before recovery can begin. DFIR digs in by analyzing logs, endpoint activity and network traffic to determine:
- How the attack happened and what vulnerabilities were exploited.
- What systems, files and data were accessed or stolen.
- If the breach is ongoing or fully contained.
- Whether active malware or backdoors were left behind for future attacks.
Think of it as a crime scene investigation for your IT environment. Before you start rebuilding, you need to understand what happened, who did it (ensuring they aren't still actively in your environment) and how to prevent it from happening again. Skipping this step can result in reinfection or ongoing attacker presence. Additionally, your breach counsel uses the information gleaned by the DFIR team to help determine the legal and regulatory exposure your firm may face, including notification obligations.
System Restoration and Data Recovery: Bringing Operations Back to Life
Once the immediate threat is contained, the real work of recovery begins. This is where your IT team, frequently alongside external experts, focuses on:
- Restoring compromised systems to an operational state.
- Rebuilding servers, applications and infrastructure.
- Recovering lost or encrypted data from backups, or through decryption where that is possible.
- Reestablishing normal business operations as quickly as possible.
This phase is the rebuild after the fire: ensuring critical data is intact, services are operational, and immediate security gaps are closed. But recovery hinges on one crucial factor: the quality of your backups. If backups are properly secured from attackers, restoration is possible. If they were compromised, your options often become far more painful: either paying the ransom and hoping for uncorrupted decryption or accepting permanent data loss.
DFIR tells you what happened, how it happened, and how to prevent it from happening again. System restoration and data recovery determine how quickly and effectively you can get back to business.
Both must be executed with precision and coordination to minimize damage and ensure long-term resilience.
Since I love analogies, I think of DFIR as putting out the fire, ripping out the wet carpet and drywall, and ensuring no hidden mold or structural damage remains. System restoration and data recovery come next, laying new carpet, repairing drywall, and giving everything a fresh coat of paint. However, neither will install a fire suppression system to prevent the next disaster. That requires a proactive security investment.
Where Do You Start Securing Your Firm? First and Second Lines of Defense
Securing your firm is like eating an elephant: a massive challenge that can't be tackled in one bite or alone. It requires strategy, coordination and persistence. And like any daunting task, having an experienced guide who has navigated the path before can make all the difference.
Before we dive deeper, take a moment to assess where you stand today and look at your backups and credential security. Backups are often the difference between a controlled recovery and a complete disaster, while credential security (including multifactor authentication, or MFA) can prevent an attacker from gaining access to your network in the first place. If you haven't evaluated them recently, now is the time.
1. Backups: Your Last Line of Defense
If you can restore your data, you can recover from an attack. It may be painful and time-consuming, but itโs possible. Good backups are the foundation of cyber resilience.
But here's the dirty secret: Attackers know this. One of their first objectives after gaining access to your network is the destruction of backups. In upcoming articles, we'll break down the essential strategies for backup security, including:
- The 3-2-1-1-0 and other backup rules. (If you're not familiar, you or your IT provider need to be.)
- Why immutable backups are your insurance policy against ransomware.
- What the term "immutable backups" means (and why there are varying definitions).
- The biggest mistake firms make when assuming they can "just rebuild."
For now, remember: If you keep it, back it up. If you don't need it, delete it. If that statement makes you uncomfortable, back it up.
2. Credential Security: Your First Line of Defense
Multifactor authentication is non-negotiable. Every system, every account, every time.
Additionally, your IT team needs to separate user credentials from administrative credentials. It's not enough to slap MFA on user logins and call it a day. Why? If a user can both read email and delete a server with the same login, so can an attacker.
Just last month, a client reached out because one of their users had inadvertently clicked a link in an email and entered their firm credentials into a look-alike site. The user had been phished, essentially handing over the keys to the building. Thankfully, a security guard in the form of MFA stopped the threat actors before they could gain access.
This example highlights a common misconception: Many firms assume that strong passwords alone are enough. In reality, passwords are frequently stolen, guessed or leaked. Without MFA, attackers can walk right in.
In future updates, we'll explore:
- What makes for a strong password.
- Why password managers (done right) are an essential security tool.
- The hidden risk of shared accounts and how to mitigate it.
- How attackers bypass MFA and what you can do about it.
What's Next in "Updates from the Breach?"
Recovering from a breach and preventing the next one requires a structured approach. In "Updates from the Breach," we will walk through:
- Immediate actions to take after an attack.
- The real-world impact of regulatory penalties and insurance claims.
- Practical strategies to strengthen security without killing productivity.
If you suspect your firm is experiencing a breach right now, act immediately:
- Disconnect your internet connection. This prevents attackers from maintaining access.
- Do not power down your systems. If ransomware is actively encrypting files, shutting down can cause irreversible data loss. (Again, good backups matter!)
- Contact an experienced cybersecurity professional or your cyber insurance provider. They can help guide you through your next steps.
If you're not dealing with an urgent situation, stay tuned. There's more to come. The next installment will dive deeper into the critical first moments after a breach and how to position your firm for a stronger defense. Check back soon for the rest of the story.
Don't Wait for a Cyberattack to Dictate Your Next Move.
PSM Partners' Incident Response Services provide the expert guidance your firm needs to contain breaches, recover quickly, and strengthen security for the future. Whether you are dealing with an active incident or looking to build a proactive defense, we're here to help. Contact us today to assess your firm's cybersecurity readiness and ensure you're prepared before, not after, a breach occurs.