Ensuring Your Practice is Ready for 2025
A look at best practices for data security for law firms.
Everything is done online nowadays – whether that’s Christmas shopping, banking, research, storing data, storing passwords, writing fees, drafting pleadings, and even making new acquaintances. Our lives – and often our businesses – are all online and in the Cloud.
That can – and should – leave us with a twinge of unease. Especially when cybercrime is so rife. According to the University of Maryland, more than 2,200 cyberattacks occur each day. When broken down, that means someone becomes a victim of a data breach, phishing attack, or other cybercrime every 39 seconds.
Worst of all, cybercriminals are organised, they have the latest tech and often sport fancy University degrees. By teaming up with other like-minded individuals (aka hackers), cybercriminals develop a sophisticated operation whose sole purpose is extortion. Either money or valuable data. Sometimes both.
Cybercriminals use ransomware to attack companies by compromising networks before installing file-encrypting malware across as many systems as possible. Victims are locked out of files and servers, after which cybercriminals demand a ransom payment (often to be made in cryptocurrency) in exchange for the decryption key. In many cases, the victim pays just to get their systems back under their control and their businesses operational once again.
Law firms are not exempt. In fact, it’s because clients entrust lawyers with so much of their private and sensitive – often valuable – data, that law firms make prime targets for cybercrime.
While lawyers are increasingly harnessing artificial intelligence (AI) to help them work more efficiently, cybercriminals are also using AI to augment the scale, power, and creation of cybercrime threats like AI-assisted hacking, password cracking, and ransomware attacks.
And the takeaway here? You need to do something to protect your online systems! But the truth is – you probably know all this already. It’s really nothing new. In fact, you probably already have cybersecurity measures in place. And good on you.
But how can you mitigate your firm’s risk of data breaches and keep your clients’ data as secure as possible?
11 ways to mitigate risk and keep your clients’ data secure
1. Create and implement a data security policy – it’s funny how most security issues actually begin with simple user errors and not necessarily tech failures. So –
• Draft a clear, easy-to-understand plan for data security and share it firm-wide;
• Educate employees and enforce procedures such as using two-factor authentication for logins, only using apps vetted by the firm, or a Bring Your Own Device (BYOD) policy for employees using their own devices.
2. Continuously train staff on how to mitigate data risk – Don’t assume that everyone knows how to spot and avoid a phishing email. TRAIN your employees to spot the mail so that they can avoid accidental user errors and promote law firm data security best practices. Best practice is to train initially upon hire and then again once a year.
3. Use strong passwords – Birthdays, PASSWORD or—please, no—“123456”? Easy. Guessable. Hackable. Do you use the same password for every login? If so, you’re setting yourself up as an easy target for hackers.
• Create better passwords: for increased password security, go for something complex and long. You could use a password management tool to help ensure passwords remain secure and simplify password management.
4. Encrypt! – It sounds techy but it’s relatively simple and highly effective. Encryption translates your data – whether stored in an email, a local hard drive, an internet browser, or a cloud application – into a secret code, which then requires a key or password to access it.
5. Secure your communications – hackers drool over your communications; it’s how they get to you. As part of your firm’s data security plan, review any vulnerabilities across your communication channels and look to mitigate them. For example, you can encrypt your firm’s emails.
6. Consider access control – keep your circle small. Think of it this way – some communication/information is on a need-to-know basis and everyone doesn’t need to know everything. Be intentional when considering granting permission to view specific matters.
7. Conduct regular reviews – it’s easy to overlook weaknesses in your law firm’s data security if you don’t take the time to review it. Conduct regular audits (you could build this schedule into your firm’s data security policy) to identify and address law firm cybersecurity and data risks—things like ensuring former employees no longer have access to legal files or ensuring controls such as anti-virus software and firewalls are operating effectively.
8. Vet vendors carefully – while data security ultimately falls under the ethical responsibility of lawyers, legal technology can definitely help make this easier (or harder). To ensure your provider will do you more good than harm with your data, carefully vet potential vendors. Take a read of our articles on this very topic here – there’s an 11-point checklist!
9. Plan for the worst – as much as you hope to avoid (and actively mitigate the risk of) data breaches, you need to know what you’ll do if it does happen – before it happens –
• Create a plan for what to do in the event of a data breach: detail what needs to be done immediately in terms of communication, changing passwords, and reporting (to impacted individuals or regulatory authorities) if there’s unauthorised access to your data.
• Test the plan: data breaches shouldn’t be left up to hypotheticals. Check that everything is in place so that if trouble hits the fan, you know it will all go off without a hitch.
• You should also prepare for what to do in the event of a disaster to ensure your law firm can continue to operate effectively.
• Create a disaster recovery/business continuity plan: include considerations for items such as defining critical systems and equipment, identifying appropriate tools/procedures (i.e. backups, remote sites, cloud providers, etc.), and developing communication plans.
• Test the plan: Find out what works (and what doesn’t)!
10. Bump up your law firm’s mobile security – with more and more legal work done remotely, especially with AJS Mobile, there’s an increasing need for mobile law firm data security. Secure mobile apps take a lot of the heavy lifting out of the process – like AJS Mobile – but your smartphone and laptop, in general, might also need a security makeover. Secure your phone, laptop, and other mobile devices with steps like:
a) Enable encryption – while having a lock-screen password on your laptops and mobile devices is a first (essential) security measure, it won’t protect your data if someone gets a hold of your password. Enable encryption on your mobile devices to scramble sensitive data for unauthorised users and to enhance security –
• Set up two-factor authentication – no matter how strong your password is, it can still be hacked. Adding two-factor authentication, which requires your password (the first factor) and a temporary code sent to another device (the second factor), makes it that much more difficult for someone to access your device. In practice, two-factor authentication usually requires the person logging in to verify their identity through the use of their mobile.
• Back up firm data to secure servers – whether you lose your device or you’re the target of a ransomware attack, it’s smart to regularly back up your firm data to a secure, encrypted location so you’ll still be able to access most of your data. In fact, it’s really important to have a well-designed backup system architecture. There are three main categories you need to consider:
• Cyber security: this includes items such as firewalls, anti-virus, system design and configuration along with regular reviews of design and testing of the system.
• Geo-physical security: this refers to the practice of keeping off-site backups as well as storage in different geographical areas (in case of disaster, fire, floods, riots, theft, etc.).
• System redundancy: a well-designed system should be able to handle multiple failures (hard disk crash, power surges, loadshedding, loss of data connectivity, etc.). AJS addresses all three of the above with its hosted solution and backups in 3 different geo-locations within the South African borders (in compliance with POPI requirements).
b) Keep professional and private accounts separate – don’t risk mixing confidential professional communications with personal ones. By using dedicated apps for your professional work, you can keep these two worlds apart.
c) Have a plan for lost or stolen mobile devices – if you lose (or someone steals) your smartphone, what’s the first thing you’ll do? From having a way to locate a missing device (like Find My Support for Apple devices or Google’s Find Your Phone), to knowing how to suspend service or disable your device remotely, it’s important to make an action plan before you need it. Make sure you have full disk encryption on your laptop as well so you can know your data won’t be compromised if your laptop is stolen or lost.
11. Train your clients – clients don’t know that what they do isn’t exactly kosher, isn’t secure. Yet, law firms bear the risk of clients exposing details, like banking information, to cybercriminals. To prevent this risk from blowing up into trust account errors and payment disputes, lawyers need to train their clients, from the get-go, on what methods of communication are most secure and how to use them. This also means that a law firm should show their client how their client portal – if they have one – functions and walk them through logging in and creating a password before the end of the initial consultation. Set yourself and your clients up for secure communications from the beginning.
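As an added illustration of items 1, 6 and 7 above (this is not code from the original article or from AJS’s products), here is a small Python access-review script run over a constructed directory export: it flags former employees whose accounts are still enabled, accounts without two-factor authentication, stale logins, and access beyond a user’s assigned matters. The account list, leavers list, matter teams and the 90-day threshold are all assumptions.

```python
"""Periodic access review: flag accounts that break the firm's own rules.

All data below is constructed sample data, not a real directory export.
"""
from datetime import date

STALE_DAYS = 90  # assumption: accounts unused this long get reviewed

# Constructed sample of what an identity/directory export might look like
ACCOUNTS = [
    {"user": "a.smith", "enabled": True, "mfa": True,
     "last_login": "2025-01-10", "matters": ["M-1001", "M-1002"]},
    {"user": "j.doe", "enabled": True, "mfa": False,
     "last_login": "2025-01-08", "matters": ["M-1001"]},
    {"user": "p.jones", "enabled": True, "mfa": True,
     "last_login": "2024-09-01", "matters": ["M-1003"]},
    {"user": "temp.clerk", "enabled": True, "mfa": True,
     "last_login": "2025-01-09",
     "matters": ["M-1001", "M-1002", "M-1003", "M-1004"]},
]
LEAVERS = {"p.jones"}  # constructed HR list of former employees
# Constructed need-to-know list: who is assigned to each matter
MATTER_TEAMS = {"M-1001": {"a.smith", "j.doe"}, "M-1002": {"a.smith"},
                "M-1003": {"p.jones"}, "M-1004": set()}


def review_access(accounts, leavers, matter_teams, today_iso):
    """Return (user, finding) pairs for a human reviewer to action."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already disabled, nothing to review
        if user in leavers:
            findings.append((user, "former employee still enabled"))
        if not acct["mfa"]:
            findings.append((user, "two-factor authentication not enrolled"))
        last = date.fromisoformat(acct["last_login"])
        if (today - last).days > STALE_DAYS:
            findings.append((user, f"no login in {STALE_DAYS}+ days"))
        # Any matter the user can open but is not assigned to
        extra = [m for m in acct["matters"]
                 if user not in matter_teams.get(m, set())]
        if extra:
            findings.append((user, "access beyond assigned matters: "
                             + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, LEAVERS, MATTER_TEAMS,
                                       "2025-01-15"):
        print(f"{user:12} {finding}")
```

The same checks apply to any export that carries an enabled flag, a two-factor flag, a last-login date and a per-user list of matters; swap in your own export and leavers list in place of the constructed data.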
It should be clear by now that an organisation’s single most important asset is its data – that includes law firms, where it’s also their duty to protect their clients’ personal information – and its preservation must be top priority. You can never be “too safe”. Because if your data is lost, it could mean closing your doors or the begrudged payment of a hefty ransom which only serves to perpetuate another vicious cycle.
And yet, despite all the warning signs and statistics, there are still firms that are reluctant to spend money not only on their data security but on a proper legal accounting and practice management system that can do it all. And the question is –
When (not “if”) it’s your turn to be attacked, how prepared will you be?
There’s no mistaking that the world has become more reliant on what the digital world has to offer. And in this world, law firms must ensure that they keep up with rapid advances in technology capabilities, being certain that they continuously improve on their cybersecurity measures.
So, what’s a law firm to do? Undertake the 11 ways to mitigate risk and keep your clients’ data secure as discussed above and start moving towards a more hands-on, forward-thinking, proactive approach. Because not being ready for the latest and most flexible way of protecting your systems means risking attack from cybercriminals who have decided that you are the weakest link in the law firm herd.
Be prepared – it’s the best way forward. 2025, ready or not, here we come!
In the meantime, if you are ready to incorporate a new tool into your existing accounting and practice management suite, or if you need to start from scratch, feel free to get in touch with AJS – we have the right combination of systems, resources and business partnerships to assist you with incorporating supportive legal technology into your practice. Effortlessly.
AJS is always here to help you, wherever and whenever possible!
(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)
– Written by Alicia Koch on behalf of AJS