The post Law Firm Cybersecurity: Updates from the Breach, A New Primer appeared first on Articles, Tips and Tech for Law Firms and Lawyers.
Securing your law firm is like eating an elephant — it’s a massive challenge that cannot be tackled in one bite or alone. This primer covers the reality of law firm cybersecurity breaches — costs, incident response, data recovery, backups and essential security steps.

Table of contents
- Cybersecurity Incidents Are a Reality for Law Firms
- The True Cost of a Breach
- Cyber Insurance Won’t Save You
- The Difference Between Incident Response and Data Recovery
- System Restoration and Data Recovery: Bringing Operations Back to Life
- Where Do You Start Securing Your Firm? First and Second Lines of Defense
- What’s Next in ‘Updates from the Breach?’
Cybersecurity Incidents Are a Reality for Law Firms
It’s no longer a question of if your firm will be breached but when, how quickly you detect it, and how costly the recovery will be. The good news? Most firms are already making strides toward hardening their environments. But with threats evolving, we can all benefit from fresh insight and guidance to ensure we focus our efforts where they matter most.
In “Updates from the Breach,” I’ll share insights from real-world breaches—what worked, what didn’t — and how your firm can avoid becoming the next cautionary tale. But first, a refresher course on the state of law firm cybersecurity and what law firm owners need to know.
The True Cost of a Breach
Over the years, I’ve seen firsthand how breaches disrupt business operations and the trust clients place in their legal providers. A cyber event isn’t just an IT issue—it’s an existential threat. The immediate impact includes:
- Lost revenue as the firm struggles to function
- Unexpected costs for data recovery, forensics, and legal services
- Long-term consequences such as client attrition and reputational damage.
And it doesn’t stop there. Whether it’s CCPA, SHIELD, HIPAA, or even GDPR from across the pond, compliance obligations and penalties can compound the damage, depending on your practice areas and the location of your clientele.
While breaches aren’t the “black eye” they once were, their financial impact has never been greater—and it extends far beyond the demands of cybercriminals. Many assume that paying off attackers is the primary risk, but the ransom often accounts for only 10% of the total financial toll of a cyber event. The real costs include:
- Incident response and forensics investigations
- System restoration and data recovery
- Legal services and regulatory fines
- Breach notifications and compliance obligations
- Client loss and reputational damage
In fact, business interruption alone may account for up to 60% of a cyber insurer’s total payout per incident. And all of this comes before you begin strengthening your IT posture to prevent the next attack.
Cyber Insurance Won’t Save You
Unlike a damaged roof that insurance will rebuild to the current code, cyber insurance does not improve your security. Think of it like a museum burglary—insurance may cover the stolen artwork and repair the broken locks, but it won’t upgrade security measures to prevent the next heist. Worse yet, after a breach, insurers often reassess your firm’s risk, which can result in dropped coverage, higher premiums or mandatory security upgrades before renewing your policy.
Translation: If your firm gets breached, it’s likely due to weak security controls that you’ll be forced to fix anyway. Instead of waiting for disaster, let’s take proactive steps to protect your firm, including understanding some terms.
The Difference Between Incident Response and Data Recovery
After a breach is identified, two critical efforts take place: incident response and forensic investigations, also known as Digital Forensics and Incident Response (DFIR), and system restoration and data recovery. These processes serve different yet equally vital purposes.
Incident Response and Forensic Investigations: Understanding the What, How and Who
DFIR is about containing the damage and identifying the attack vector—how the attackers got in, what they accessed, and whether they are still in your environment. It’s the crucial first step in stopping the bleeding before recovery can begin. DFIR digs in by analyzing logs, endpoint activity, and network traffic to determine:
- How the attack happened and what vulnerabilities were exploited
- What systems, files, and data were accessed or stolen
- If the breach is ongoing or fully contained
- Whether active malware or backdoors were left behind for future attacks
Think of it as a crime scene investigation for your IT environment. Before you start rebuilding, you need to understand what happened, who did it — ensuring they aren’t still actively in your environment — and how to prevent it from happening again. Skipping this step can result in reinfection or ongoing attacker presence. Additionally, your breach counsel uses the information gleaned by the DFIR team to help determine the legal and regulatory exposure your firm may face, including notification obligations.
System Restoration and Data Recovery: Bringing Operations Back to Life
Once the immediate threat is contained, the real work of recovery begins. This is where your IT team, frequently alongside external experts, focuses on:
- Restoring compromised systems to an operational state
- Rebuilding servers, applications, and infrastructure
- Recovering lost or encrypted data from backups, or decrypting it
- Reestablishing normal business operations as quickly as possible
This phase is the rebuild after the fire — ensuring critical data is intact, services are operational, and immediate security gaps are closed. But recovery hinges on one crucial factor: the quality of your backups. If backups are properly secured from attackers, restoration is possible. If they were compromised, your options often become far more painful — either paying the ransom and hoping for uncorrupted decryption or accepting permanent data loss.
DFIR tells you what happened, how it happened, and how to prevent it from happening again. System restoration and data recovery determine how quickly and effectively you can get back to business. Both must be executed with precision and coordination to minimize damage and ensure long-term resilience.
Since I love analogies, I think of DFIR as putting out the fire, ripping out the wet carpet and drywall, and ensuring no hidden mold or structural damage remains. System restoration and data recovery come next, laying new carpet, repairing drywall, and giving everything a fresh coat of paint. However, neither will install a fire suppression system to prevent the next disaster. That requires a proactive security investment.
Where Do You Start Securing Your Firm? First and Second Lines of Defense
Securing your firm is like eating an elephant—a massive challenge that can’t be tackled in one bite or alone. It requires strategy, coordination and persistence. And like any daunting task, having an experienced guide who has navigated the path before can make all the difference.
Before we dive deeper, take a moment to assess where you stand today and look at your backups and credential security. Backups are often the difference between a controlled recovery and a complete disaster, while credential security—including multifactor authentication (MFA) — can prevent an attacker from gaining access to your network in the first place. If you haven’t evaluated them recently, now is the time.
1. Backups: Your Last Line of Defense
If you can restore your data, you can recover from an attack. It may be painful and time-consuming, but it’s possible. Good backups are the foundation of cyber resilience.
But here’s the dirty secret: Attackers know this. One of their first objectives after gaining access to your network is the destruction of backups. In upcoming articles, we’ll break down the essential strategies for backup security, including:
- The 3-2-1-1-0 and other backup rules (if you’re not familiar, you or your IT provider need to be)
- Why immutable backups are your insurance policy against ransomware
- What the term “immutable backups” means (and why there are varying definitions)
- The biggest mistake firms make when assuming they can “just rebuild”
For now, remember: If you keep it, back it up. If you don’t need it, delete it. If that statement makes you uncomfortable, back it up.
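As an added illustration (not part of the original article), here is a small checker that scores a firm’s backup inventory against the 3-2-1-1-0 rule mentioned above: 3 copies of the data, on 2 different media, 1 copy off-site, 1 copy immutable or offline, and 0 errors on the most recent restore test. The `BackupCopy` fields, the 30-day verification window and the two sample inventories are constructed assumptions for the example.

```python
"""Score a backup inventory against the 3-2-1-1-0 rule (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                    # e.g. "disk", "tape", "object-storage"
    offsite: bool                 # stored outside the office / primary site
    immutable: bool               # object lock, WORM or offline tape
    last_verified: Optional[date] # date of the last test restore, if any
    verify_errors: int            # errors reported by that test restore


def evaluate_3_2_1_1_0(copies: List[BackupCopy], today: date,
                       primary_media: str = "disk",
                       max_verify_age_days: int = 30) -> dict:
    """Return {rule: passed}. The production data counts as copy #1."""
    media = {primary_media} | {c.media for c in copies}
    # Only copies with a recent test restore count toward "0 errors";
    # a backup that has never been restored is an untested assumption.
    cutoff = today - timedelta(days=max_verify_age_days)
    recent = [c for c in copies
              if c.last_verified is not None and c.last_verified >= cutoff]
    return {
        "3_copies": 1 + len(copies) >= 3,
        "2_media": len(media) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        "0_errors": bool(recent) and all(c.verify_errors == 0 for c in recent),
    }


def failing_rules(copies: List[BackupCopy], today: date) -> List[str]:
    """List the rules the inventory does not satisfy (empty means compliant)."""
    return [rule for rule, ok in evaluate_3_2_1_1_0(copies, today).items() if not ok]


# Constructed sample inventories for a small firm.
TODAY = date(2025, 3, 1)
# A single on-site NAS that has never been test-restored: the setup an
# attacker can wipe along with the file server.
WEAK_SET = [BackupCopy("office NAS", "disk", False, False, None, 0)]
# The NAS plus an off-site, object-locked cloud copy restored 10 days ago.
GOOD_SET = WEAK_SET + [
    BackupCopy("cloud vault", "object-storage", True, True,
               TODAY - timedelta(days=10), 0),
]

if __name__ == "__main__":
    print("weak set fails:", failing_rules(WEAK_SET, TODAY))
    print("good set fails:", failing_rules(GOOD_SET, TODAY))
```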
2. Credential Security: Your First Line of Defense
Multifactor authentication (MFA) is non-negotiable. Every system, every account, every time.
Additionally, your IT team needs to separate user credentials from administrative credentials. It’s not enough to slap MFA on user logins and call it a day. Why? If a user can both read email and delete a server with the same login, so can an attacker.
Just last month, a client reached out because one of their users had inadvertently clicked a link in an email and entered their firm credentials into a look-alike site. The user had been phished, essentially handing over the keys to the building. Thankfully, a security guard in the form of MFA stopped the threat actors before they could gain access.
This example highlights a common misconception: Many firms assume that strong passwords alone are enough. In reality, passwords are frequently stolen, guessed or leaked. Without MFA, attackers can walk right in.
In future updates, we’ll explore:
- What makes for a strong password
- Why password managers (done right) are an essential security tool
- The hidden risk of shared accounts and how to mitigate it
- How attackers bypass MFA and what you can do about it
What’s Next in ‘Updates from the Breach?’
Recovering from a breach and preventing the next one requires a structured approach. In “Updates from the Breach,” we will walk through:
- Immediate actions to take after an attack
- The real-world impact of regulatory penalties and insurance claims
- Practical strategies to strengthen security without killing productivity

If you suspect your firm is experiencing a breach right now, act immediately:
- Disconnect your internet connection—this prevents attackers from maintaining access.
- Do not power down your systems—if ransomware is actively encrypting files, shutting down can cause irreversible data loss (again, good backups matter!).
- Contact an experienced cybersecurity professional or your cyber insurance provider—they can help guide you through your next steps.
If you’re not dealing with an urgent situation, stay tuned. There’s more to come. The next installment will dive deeper into the critical first moments after a breach and how to position your firm for a stronger defense. Check back soon for the rest of the story.
Don’t Wait for a Cyberattack to Dictate Your Next Move.
PSM Partners’ Incident Response Services provide the expert guidance your firm needs to contain breaches, recover quickly, and strengthen security for the future. Whether you are dealing with an active incident or looking to build a proactive defense, we’re here to help. Contact us today to assess your firm’s cybersecurity readiness and ensure you’re prepared before—not after—a breach occurs.