Large law firms increasingly vulnerable to cyber attack, American Bar Association tech report finds

Large law firms are increasingly vulnerable to a cybersecurity attack, with the number of reported attacks up to double the figure from last year, according to the American Bar Association (ABA) legal technology survey report 2015, published last week.

The extensive report, which received answers from an average of 907 lawyers to each of its six sections, found that among firms of 100-499 lawyers and firms of 500 or more lawyers, 23% reported experiencing a security breach, compared with 10% and 17% respectively in 2014.

Overall 15% of firms have reported a security breach, up 1% on last year.

Despite this, many of the statistics pertaining to the level of preparedness and awareness among law firms are woeful, even where those figures have improved. Within the largest group of firms, 55% said they have an incident response plan to address a security breach, followed by 39% of firms of 100-499 lawyers; 34% of firms of 10-49 lawyers; 22% of sole practitioners and 20% of firms of 2-9 lawyers.

Across the board over half of law firms still have no policy governing email, internet and social media, the survey reveals. While ‘a majority’ of respondents said they have a document and records management policy, that figure was nonetheless 55%. Among firms of 100-499 lawyers that figure rises to 85% and among firms of 500+ it is 89%.

However, when it comes to having an employee privacy policy, only 62% of respondents from law firms of 100-499 lawyers said they have one, with that figure rising marginally to 67% among the 500+ lawyer bracket.

The most popular security tools are spam filters (87%); firewall software (79%); anti-spyware (78%) and pop-up blockers (76%).

Security tools used by fewer than half of respondents include file access restriction (41%); email encryption (31%); web filtering (26%); and intrusion prevention (22%).

The ABA survey found that personal mobile devices such as tablets, laptops and smartphones are now able to access firms’ networks in the vast majority (81%) of cases, 52% of which require pre-approval or have restrictions and 29% have unfettered access.

Large firms of 100 or more lawyers are more likely than others to have a full security assessment by an independent party, but the proportion who said they do have an assessment is nonetheless just 28%. Of those large firms, 34% said they are likely to be asked by a client or potential client for a security audit or verification of their firm’s security practices.