You’re Probably Not Taking Cybersecurity Seriously Enough

It's scary out there. The post You’re Probably Not Taking Cybersecurity Seriously Enough appeared first on Above the Law.

Apr 29, 2025 - 18:18

Law firms are juicy targets. Secrets, money, privileged communications, and tech-clueless lawyers minding the gate. Passwords like “password123” aren’t cutting it. It’s a cybercriminal buffet. Artificial intelligence continues to elicit all the hype in legal tech, but cybersecurity should be the story of 2025. The United States has decided to actively antagonize global cyber threats and slash spending on protection. And while hacking into the Department of Defense is as easy as sliding into Pete Hegseth’s DMs, bad actors aren’t stopping there, and law firms are prime targets.

The ILTA Evolve conference offers a more focused program than most shows. Rather than try to cover all the tech challenges facing law firms under one roof, the second annual Evolve event narrows its focus to AI and cybersecurity. The latter took center stage — literally and figuratively — in a frightening keynote address from Red Queen Dynamics CEO and Senior Fellow of Global Cyber Policy at the Council on Foreign Relations Tarah Wheeler. Threats are coming and lawyers mostly don’t get it.

It’s not just about planning ahead either… lawyers fail to grasp the back end too. Small businesses get hit all the time and 60 percent of them don’t survive the aftermath. Wheeler told the story of a breached professional who wanted to recover the data and go after the perpetrators… with a $5,000 budget. She told him that it would just about cover the cost of a nice letter to inform clients of the breach. The cost of doing anything more substantial on the back end is wildly more massive. Off the cuff she said an incident response firm would probably charge over $650,000 to embark on a project like this guy wanted. Just a stark disconnect when it comes to cost.

How do security professionals break through to convince the lawyers to put a lot more money behind this than they have? Wheeler’s unorthodox but shockingly effective approach involved picking padlocks on stage. Not just any padlocks… the Master 140 Series, the most popular lock on the market. Watching the market leader for physical security get casually cracked over and over while she continued her speech helped make the abstract more tangible. Cybersecurity can be tough to wrap a head around, but physical locks are more real and the message is that whatever you think you’ve done to secure data is not much better than the Master locks getting ripped open on stage. And if that demonstration doesn’t drive it home, have a chat with a cyberinsurance carrier and see what that quote looks like.

Stop manually managing TLS certs like it’s 1998. Multi-factor authentication isn’t optional. If you’re still using Internet Explorer? Stop reading this article and go unplug your entire firm. And consider working backward and drafting the “we’ve been hacked” press release now as an exercise. “The incident response press release that you hand to the partners in your firms… here’s what we did, here’s the controls we have in place, here’s how they were breached, here’s how quickly we responded, and here is the way that we will be better in the future. And make sure that what you say on that paper is true,” she said. Because what you don’t want to be saying is “we don’t know how it happened, we don’t have any tools in place, we’re not sure what was lost.” Take the time to seriously grapple with security as more than a checkbox exercise.

In other news, I now know how to pick a Master 140 series lock.



Joe Patrice is a senior editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter or Bluesky if you’re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search.
