A CISO's Roadmap for Law Firm Cybersecurity in 2025 — Q&A

By: Glenn Sweeney
August 9, 2025

Law firms handle some of the most sensitive information in the business world, making them prime targets for cybercriminals. So we sat down with Glenn Sweeney, Senior vCISO at Marco to discuss the unique cybersecurity challenges facing legal practices and practical steps firms can take to protect their clients' confidential data.

While you read this, keep in mind that while business technology evolves every year, cybersecurity threats can change by the month and sometimes even by the day. Also, this interview has been edited for length! 

One Chief Information Security Officer’s Insights for Legal Firms

Marco: Let's start with the big picture. Why are law firms such attractive targets for cybercriminals?

Glenn: Law firms are essentially treasure troves for cybercriminals. They store incredibly valuable, sensitive information — everything from corporate merger details to personal injury case files. Many firms also have access to client trust accounts with significant financial assets. What makes them particularly vulnerable is that they often lack the robust security infrastructure that banks or healthcare organizations have been forced to implement due to strict regulatory requirements.

Consider the 2020 attack on Grubman Shire Meiselas & Sacks, where hackers demanded $42 million in ransom. That's not an isolated incident. 29% of law firms experienced a security breach in 2023 alone. These attackers know that firms face a terrible choice: pay the ransom or risk having their clients' most sensitive information exposed publicly.

Marco: What ethical and legal obligations do lawyers have regarding cybersecurity?

Glenn: The obligations are quite clear, actually. ABA Rule 1.6 on Confidentiality of Information requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

Beyond that, the ABA (American Bar Association) adopted a cybersecurity resolution in 2016, encouraging all organizations to develop appropriate cybersecurity programs tailored to their specific needs. But it's not just about ABA rules – depending on the type of information a firm handles, they might also need to comply with HIPAA for health information or state-specific requirements like New York's SHIELD Act, which mandates "reasonable" security safeguards.

The bottom line is that cybersecurity isn't optional anymore. It's a professional and ethical duty.

Marco: Firm size seems to correlate with breach risk. Can you explain that?

Glenn: Absolutely. According to data gathered by the ABA, 17% of firms with 9 or fewer employees suffered breaches, compared to 35% of firms with 10-49 employees, and 46% of firms with 50-99 employees.

This makes complete sense when you think about it. Larger firms typically store more sensitive data, have more users accessing systems, and often have more complex IT environments that create additional attack vectors. They're also more likely to be targeted because the potential payoff for attackers is greater.

However, smaller firms definitely shouldn't feel safe. They're often targeted specifically because they may have weaker security controls while still handling valuable information.

Marco: Where should law firms start with their cybersecurity efforts?

Glenn: I always recommend starting with a comprehensive cybersecurity assessment. You can't protect what you don't know you have. This means conducting an inventory of all your data, software systems, and assigning ownership and risk categorization. The higher the sensitivity of the information, the stronger your security protections need to be.

This should include vulnerability scans, penetration tests, and ongoing system monitoring. I can't stress this enough — your basic antivirus software simply isn't enough to detect sophisticated attacks that sometimes go unnoticed for months or years.

Many firms benefit from hiring a third party to conduct an independent audit. They can help identify security gaps, create incident response plans, and recommend appropriate security measures.

Marco: What about the human element? How significant is employee training?

Glenn: Human error is actually the main culprit in most data breaches. We see it all the time — attorneys accidentally losing devices, falling for phishing emails, or using weak passwords. That's why mandatory cybersecurity awareness training is crucial.

I recommend annual comprehensive training for all users, plus quarterly simulated phishing exercises. And here's the key — there should be real consequences for those who fail to comply with security policies. Without accountability, training becomes just another box to check.

Your employees need to understand that they're the first line of defense. They need to recognize suspicious emails, understand proper data handling procedures, and know who to contact if they suspect a security incident.

Marco: Access control and zero trust are becoming more common topics in cybersecurity. How should firms approach this?

Glenn: The principle of least privilege should be your guiding rule. Employees should only have access to the minimum level of information and systems necessary to perform their specific role. This limits the potential damage if an account is compromised. And your users should also have to pass additional security checkpoints to access more sensitive systems and data. 

For passwords, we're talking at least 12-14 characters with a combination of letters, numbers, and symbols. But even more important is implementing multi-factor authentication wherever feasible. This adds a critical second layer of protection.

Firms should also regularly review user privileges and monitor account activity. When employees leave or change roles, access should be immediately updated or revoked.

Marco: Data backup and encryption — how critical are these elements?

Glenn: They're absolutely essential. For backups, you need a reliable strategy that allows for easy data recovery to maintain business continuity. The key is storing backups offline – this makes them impervious to ransomware attacks that encrypt your primary systems.

All backups should be encrypted with user-defined encryption keys, whether stored on-site, off-site, or in the cloud. And test your backup recovery process regularly. A backup that can't be restored is worthless.

For general data protection, any personally identifiable information, protected health information, or other sensitive data should be encrypted both in transit and at rest. ABA Formal Opinion 477R requires that sensitive email communications must be sent via encrypted channels.

Marco: Network security is another major consideration. What should firms focus on?

Glenn: Think of your network perimeter as a fortress wall. It should only permit activities that are required to conduct business. This means implementing secure configurations and ongoing security patch management for all operating systems, applications, and network devices.

Continuous monitoring is crucial. You need to watch for cybersecurity risk alerts and suspicious activity. When properly configured, these perimeter defenses create a strong first line of defense against attacks.

Don't forget about endpoint protection either. Every device that connects to your network — laptops, smartphones, tablets — represents a potential entry point for attackers.

Marco: Third-party vendors often present security challenges. How should firms manage these relationships?

Glenn: Third-party vendors are actually one of the biggest security threats to any organization. The problem is that they often have access to your systems and data, but you have limited control over their security practices.

You need to vet every vendor thoroughly. Request their cybersecurity policies and procedures to ensure they have appropriate programs in place. Conduct periodic security assessments. I actually recommend annual on-site evaluations for critical vendors.

Also, when negotiating vendor agreements, pay close attention to indemnification clauses, cyber liability insurance requirements, and notification timeframes for security incidents. You want to ensure that vendors will take responsibility for breaches caused by their negligence and that they'll notify you quickly if something goes wrong.

Marco: What about incident response planning? 

Glenn: Well, the data isn’t great. Only 36% of firms have incident response plans, which is alarming. When a breach occurs, every minute counts. You need a cross-organizational incident response team that includes management, legal, HR, procurement, finance, and IT.

The plan should clearly outline how to quickly contain, assess, and respond to security incidents. But having a plan on paper isn't enough. You need to test it regularly through tabletop exercises — ideally involving your entire incident response team, forensic experts, and breach response counsel.

Think of it like a fire drill. You hope you'll never need it, but when the alarm goes off, everyone should know exactly what to do.

Marco: What's your perspective on cybersecurity insurance?

Glenn: Cyber liability insurance has become essential, not optional. While it won't prevent a breach or protect stolen data, it can help cover the significant financial impacts — data restoration costs, loss of income during downtime, crisis management, forensic investigations, and legal fees.

I recommend standalone cyber liability policies rather than trying to rely on general business insurance that might have limited cyber coverage. Work with an insurance broker who specializes in cyber liability to ensure you're getting sufficient coverage and appropriate limits for your business needs.

Some policies also cover third-party liability claims, which can be crucial if clients suffer damages due to a breach at your firm.

Marco: For law firms that are considering working with an IT provider, what should they look for? 

Glenn: Cybersecurity must be a primary consideration when choosing any technology provider, especially practice management systems that will house your most sensitive client data. Look for providers who have security baked into their DNA, not added as an afterthought.

Here are a few must-haves: 24/7 security monitoring, encryption both in transit and at rest, compliance with relevant standards like GDPR, HIPAA, and PCI, and regular third-party security audits. Your provider should be completely transparent about their security practices and willing to share certifications like a SOC 2.

Don't just take their word for it. Ask for detailed information about their security infrastructure, incident response procedures, and how they handle data breaches.

Marco: Looking ahead, what trends are you watching out for? 

Glenn: We're seeing more sophisticated phishing attacks, increased targeting of cloud-based systems, and ransomware that's becoming more targeted and damaging.

AI is a double-edged sword. It's helping us detect threats faster, but attackers are also using it to create more convincing phishing emails and automate attacks.

The key for law firms is to stay vigilant and adaptable. Cybersecurity isn't a one-time project. 

Marco: Last question! Any final advice for law firms just starting to take cybersecurity seriously?

Glenn: Don't wait for a breach to happen before taking action. The cost of prevention is always lower than the cost of recovery. Start with that risk assessment I mentioned, implement basic security hygiene like strong passwords and multi-factor authentication, and make cybersecurity training a priority.

Remember, you're not just protecting your own business. You're protecting your clients' most sensitive information and maintaining the trust that's fundamental to the attorney-client relationship. 
