Cyber hacks make big headline news. For example, the Democratic National Committee may have been hacked by “patriotic” Russians who ostensibly sought to affect the outcomes of the last U.S. election. Watching the news, it’s understandable why you might believe your greatest security threat is from an offshore organization seeking to hack into your firm.  Or you might feel that your firm is secure because you have firewalls and other strong external perimeter defense protections.

But in my experience, an external attack is far less likely to cause a breach than internal people.  As the CIO of LOGICFORCE, I have come to believe that your most prevalent cyber security threats are internal, not external. Here is my best advice to you about how to identify and manage these threats so you can avoid the very negative consequences that follow cyber breaches.


To prevent threats, you must be aware of them.  Recently, LOGICFORCE profiled 200 law firms for our Law Firm Cyber Security Score Card.  Based on those analyses and on my experience with many law firms, here are 5 major internal cyber security threats you should be aware of today:

  1. Email phishing scams exposing firm data
  2. External drives and devices that come up missing
  3. Attorneys or other staff using public Wi-Fi networks
  4. Insiders taking firm’s data to use for blackmail or to start their own practice
  5. Breaches committed to seek revenge or achieve a political aim

Note that the first three of these cyber threat risks are accidental and usually unintentional in nature, while the last two are intentional or malicious.  Let’s examine how these 5 threats play out in the day-to-day business of real law firms so you can be aware of them and take action.


Hackers prefer the path of least resistance, so the harder you make it for them to get in, the more likely they are to go somewhere else.


According to the 2017 Verizon Data Breach Investigations Report, which analyzed over 40,000 cyber breaches, 85-90% of all cyber breaches occur because of email phishing scams.  Based on increasingly sophisticated wording and look and feel, a firm employee is tricked into giving up his or her login credentials.

Usually this happens when an employee clicks a legitimate-looking link.  They then go to a webpage that also looks legitimate.  Once they enter their login credentials on that page, their details are stolen.

This rapidly grants the phisher full access to a firm’s email system, virtual private network (VPN), or other systems, or otherwise installs malware to give outside users a back door into the system.  With such access, your data and your clients’ data can be taken, leaked, sold, ransomed or used for other nefarious purposes.

What’s most important to understand about this threat is that hackers are looking for the path of least resistance. A brute force phishing scam that sends well-crafted emails to large numbers of users costs little to launch and can be very profitable or disruptive.  Since email phishing scams regularly work, we can expect hackers to continue to use them.

Fortunately, there are two ways to readily reduce this threat.  One is to install high quality, regularly updated, spam-blocking software. The second is to train all firm employees as to what to look for, and what not to fall for.


External drives, thumb drives, and other devices containing firm data often come up missing.  Not only does this happen more frequently than most people realize, it is problematic in multiple ways:

  • The missing drive or device may contain irreplaceable data.
  • Typically, no one knows all the information that was on the drive or device. That is, an attorney or other firm employee might “think” that only certain files were in the drive or device, but often it is impossible to verify what was actually there.
  • 49 of 50 U.S. states require a data breach notification be sent if Personally Identifiable Information (PII) is involved. (If it is uncertain what was on the missing drive or device, this can be particularly problematic.)
  •  The data on the drive or device can be used for ransom, blackmail, or unfair economic advantage—or to gain access to your entire network.

Fortunately, the risks associated with missing drives or devices can be greatly reduced by using today’s data management and monitoring tools.  These tools make it very simple for you to know exactly what is on every one of the firm’s drives and devices.

When something comes up missing, you quickly know what next steps to take (for example, sending a PII notification).  There are also more sophisticated data loss prevention tools that you should consider deploying.  Here’s how they work:

  • You write data to a drive that is then encrypted.
  • To access the data, you must be connected to a cloud server to authenticate your access.
  • If you are not authenticated, you cannot access the data.
  • If a non-authenticated person tries to access the data a certain number of times, the device automatically wipes the data.
  • Or, a user can remotely set a wipe action so that if and when the device comes online, it will be triggered to wipe all of its data.

These types of tools are affordable and can go a long way toward reducing your cyber risks from missing devices.


Attorneys who travel frequently can expose firm data and systems simply by logging on—or just leaving Wi-FI turned on—when they are in any of these places:

  • An airport
  • An airplane
  • A hotel
  • A coffee shop

If an attorney gains access to the Internet through unsecured Wi-Fi, then logs in to an email account or the firm network, a hacker can eavesdrop and capture all necessary information to breach your systems.

The good news is that this is a fairly easy threat to mitigate.  First, attorneys and other employees can be properly trained to turn off Wi-Fi in public if they are not using it.  Second, they can be trained to never connect through a wireless system that they aren’t sure is safe and that doesn’t have built-in encryption. Third, the firm can provide a secure VPN or personal hotspot which can be used to gain access to the Internet.


Lawyers tend to move around a good deal, with individual attorneys and entire practice groups leaving one firm for another or to start their own business.  Often, according to their agreements with the firm and established norms, they are allowed to take active case data with them. But it is not considered legitimate for them to take firm-wide data that goes beyond their active cases.

It’s not hard for an attorney or practice group leaving for greener pastures to copy data to a hard drive, a thumb drive, some other form of external media, or the cloud.  Not only can data taken this way be used for illegitimate economic advantage, but it can also be used for blackmail purposes: “If you don’t pay a ransom, the data will be released to the world.”

It is a surprisingly common and prevalent threat for attorneys to leave and take data with them, either for economic or ransom purposes.  Fortunately, the regular monitoring of data files and data access can help mitigate this risk.

For example, if you know an attorney, or any employee, is about to leave the firm, or is disgruntled, you can begin to monitor their digital activity and limit access.  If you see that someone is accessing data files that have nothing to do with their active case load, or is comprehensively scanning and copying data from your network, you can take immediate action and look deeper into the potential problem.


Certain cyber breaches are perpetrated by a firm’s attorneys or employees seeking revenge or to achieve a political aim.  They don’t necessarily want to make money.  They want to get even.

One prime example is the Panama Papers, where someone associated with the international Mossack Fonseca law firm made public large amounts of data.  The theory is that an IT employee became disgruntled and decided to expose private documents to get revenge.

Then there is Edward Snowden, who was hired by NSA contractor Booz Allen Hamilton.  Snowden tried password after password to access systems he did not have clearance to —for months on end, yet was not discovered.  He wanted to expose information he found objectionable based on his political views.

Both of these scenarios can be addressed with the right technologies and processes.  If you are aware of employees (or contractors) with certain political views, and your firm is engaged in activity that is counter to those views, it is wise to keep an eye on their digital activity.  If you have an employee who is disgruntled or who has made threats, it is advisable to monitor their digital activity.

This may sound somewhat “Big Brother” in nature.  But to protect your client data, your reputation, and ultimately your firm’s financial solvency, this might be necessary.   There are sophisticated data and access monitoring tools that can help you track digital behavior and create alerts should a user trip certain thresholds – like copying documents unnecessary to their cases or trying to access systems and resources they are not authorized to see.


Law firms often spend a great deal of money to defend against external threats, and far too little against internal threats.  It’s always best to put your focus and your money where your greatest threats lie.

Employee training, monitoring and document tracking, among other solutions, can go a long way towards mitigating any internal threats against your firm.  If you’re not sure where your firm is at-risk, I recommend that you download our Law Firm Cyber Security Scorecardreport.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *