{"id":141931,"date":"2026-01-16T02:00:00","date_gmt":"2026-01-16T10:00:00","guid":{"rendered":"https:\/\/xira.com\/p\/2026\/01\/16\/starting-2026-safely-cybersecurity-best-practices-for-law-firms\/"},"modified":"2026-01-16T02:00:00","modified_gmt":"2026-01-16T10:00:00","slug":"starting-2026-safely-cybersecurity-best-practices-for-law-firms","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2026\/01\/16\/starting-2026-safely-cybersecurity-best-practices-for-law-firms\/","title":{"rendered":"Starting 2026 Safely: Cybersecurity Best Practices for Law Firms"},"content":{"rendered":"<p>Tech Tips: Ben Schorr explains best practices lawyers can use in 2026 to defend against email scams, malware, credential-stuffing attacks and other cybersecurity threats.<br \/>\nThe post Starting 2026 Safely: Cybersecurity Best Practices for Law Firms appeared first on Articles, Tips and Tech for Law Firms and Lawyers.<\/p>\n<p><strong><em>Protect your practice with these essential 2026 cybersecurity best practices for law firms.<\/em><\/strong><\/p>\n<p>Cybersecurity can\u2019t solve every problem, but it can help you protect your clients and your reputation. 
With sensitive client data at stake and ethical obligations to uphold, it\u2019s essential to follow these best practices to defend against email scams, malware, and credential thieves.<\/p>\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"769\" height=\"495\" src=\"https:\/\/i0.wp.com\/www.attorneyatwork.com\/wp-content\/uploads\/2026\/01\/Tech-Tips-Law-FIrm-Cybersecurity-Best-Practices.jpg?resize=769%2C495&#038;ssl=1\" alt=\"computer lock and password information representing law firm cybersecurity best practices\" class=\"wp-image-100048918\" title=\"\"><figcaption><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-why-cybersecurity-matters-in-legal-practice\">Why Cybersecurity Matters in Legal Practice<\/h2>\n<p>Lawyers are entrusted with confidential information, making them prime targets for cyberattacks. ABA Model Rule 1.6 requires attorneys to safeguard client data, making cybersecurity not just a technical issue, but an ethical one. I\u2019m guessing I don\u2019t need to go much further with this, as you\u2019ve hopefully been hearing this since law school.<\/p>\n<h3 class=\"wp-block-heading\">The Threat Landscape<\/h3>\n<p>The story goes that famous bank robber Willie Sutton was asked why he robbed banks, and he replied, \u201cBecause that\u2019s where the money is.\u201d (Sutton denied ever saying that, but it\u2019s still a useful parable). As the custodians of their clients\u2019 sensitive and valuable data, law firms are priority targets for modern-day robbers.<\/p>\n<p>Some of the most prominent ways that bad guys target firms are:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Phishing.<\/strong> Deceptive messages designed to steal credentials.<\/li>\n<li><strong>Ransomware.<\/strong> Malicious software that locks data, or threatens to expose it, until a ransom is paid.<\/li>\n<li><strong>Credential theft and credential stuffing attacks.<\/strong> When attackers use stolen passwords to access accounts.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-phishing-and-email-security\">Phishing and Email Security<\/h2>\n<p>Phishing attacks often use urgent language, suspicious links and unexpected attachments. Here\u2019s how to stay safe.<\/p>\n<h3 class=\"wp-block-heading\">Verify sender addresses.<\/h3>\n<p>An email that comes not from \u201cMicrosoft.com\u201d but from \u201cMicrosoft365-support.ru\u201d is suspect. 
Likewise, a message that claims to be from your client or business partner but was sent from an unrecognized Gmail account should raise an eyebrow. Is that REALLY them?<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-be-reluctant-to-click\">Be reluctant to click.<\/h3>\n<p>When you hover your mouse cursor over a hyperlink, most systems will show you what that link actually goes to, and in many cases, it\u2019s not what the link appears to be. If the URL shown looks even slightly suspicious, don\u2019t click it. And never click links or open files you weren\u2019t expecting. Even if they appear to come from somebody you trust.<\/p>\n<p>If you receive a file or link you weren\u2019t expecting or that seems suspicious, reach out to the person who sent it via a different medium, such as a phone call, text or a new email (not a reply to the suspicious message!) to confirm that the file or link is legitimate.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-don-t-share-your-credentials-especially-with-strangers\">Don\u2019t share your credentials, especially with strangers.<\/h3>\n<p>They\u2019re the keys to your data house and can be quickly misused, with devastating consequences, in the wrong hands. If a stranger, especially one claiming to be from an organization you trust, asks you for your password, that should raise red flags. IT or banking support shouldn\u2019t need you to give them your password, especially not over the phone, text or email.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-beware-of-malware\">Beware of Malware<\/h2>\n<p>Ransomware and other malware usually present as a file that you\u2019re encouraged to open. This may be in an email or text message or as a download from a website. 
In some cases, malware pretends to be a useful app or game.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-never-click-unexpected-files\">Never click unexpected files.<\/h3>\n<p>Just as with our phishing defense above, don\u2019t click on files or links you weren\u2019t expecting, even if they appear to come from somebody you trust. If you receive a file or link you weren\u2019t expecting or that seems suspicious, reach out to the person who sent it via a different medium, such as a phone call, text or a new email (not a reply to the suspicious message!) to confirm that the file or link is legitimate.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-keep-it-clean\">Keep it clean.<\/h3>\n<p>Be reluctant to install apps or games, especially from unvetted sources. Just because an app may appear in the app store of your device doesn\u2019t mean it\u2019s been carefully vetted. Read the reviews, pay attention to which company makes the app, and only install\/keep apps that you\u2019re actually going to use.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-stay-up-to-date\">Stay up-to-date.<\/h3>\n<p>It\u2019s remarkable how often I see people whose devices have months of pending updates they\u2019ve never bothered to install. Those updates often contain important security fixes that are key to keeping your data protected. Install the updates. The couple of minutes it takes are a lot less painful than having to explain why you got compromised through a vulnerability that the manufacturer had patched months earlier.<\/p>\n<p><strong><mark>Tip:<\/mark><\/strong> Just restarting your device regularly can help keep your updates current.<\/p>\n<h3 class=\"wp-block-heading\">Are your backups current? Are you sure?<\/h3>\n<p>Keep all your key data backed up, ideally in a secure cloud or offline location, and be sure to test your backups. 
Backups are only useful if they\u2019re complete, current and you know how to restore the data if something bad happens.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-keep-your-credentials-secure\">Keep Your Credentials Secure<\/h2>\n<p>Strong, unique passwords and multifactor authentication are your best defenses. Credential attacks go a lot further than simply guessing a bad password. (Hopefully you\u2019re not using \u201cPizza\u201d or \u201cPassword1\u201d as your password anywhere.)<\/p>\n<p>Email addresses are common usernames today, and if you use the same password for your bank account as you do at \u201cgiggleworkstoys.com,\u201d then you may be in trouble. Your bank may have great cybersecurity, but does GiggleWorks Toys? If bad guys break GiggleWorks\u2019 site and find your username and password there, they\u2019ll try that username and password at thousands of other sites across the web, just hoping to get lucky. That\u2019s called a credential stuffing attack.<\/p>\n<p><mark><strong>Warning:<\/strong><\/mark> If you think somebody else might know your password, you need to change that password immediately.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-use-long-unique-complex-passphrases\">Use long, unique, complex passphrases.<\/h3>\n<p>Create passwords that are at least 12 characters long, using a mix of uppercase and lowercase letters, numbers and symbols. Avoid using easily guessed information, such as birthdays or common words, and never reuse passwords across multiple accounts.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-store-passwords-in-a-password-manager\">Store passwords in a password manager.<\/h3>\n<p>A common problem with good passwords is that they can be hard to remember and frustrating to type. As a result, people tend to choose short, simple passwords that are easy to guess or crack. And they use them over and over. 
A password manager is a piece of software that can remember your long, unique, complex passwords for you.<\/p>\n<p>Modern password managers can also generate random (or nearly random) secure passwords for you, saving you the trouble of having to dream one up yourself.<\/p>\n<h3 class=\"wp-block-heading\">Enable MFA for all accounts.<\/h3>\n<p>Multifactor authentication is probably the single most important thing you can do to secure your accounts. The way MFA works is that when you sign into your account, the system will ask for a second thing \u2014 called a \u201cfactor\u201d \u2014 to help prove that you are who you say you are. There are three kinds of factors:<\/p>\n<ul class=\"wp-block-list\">\n<li>Something you know \u2014 like a password or memorized PIN.<\/li>\n<li>Something you have \u2014 like a USB key or physical device.<\/li>\n<li>Something you are \u2014 like a fingerprint or facial scan.<\/li>\n<\/ul>\n<p>MFA requires not just two steps, but two different factors to be involved. Asking for a password and a memorized PIN, for example, wouldn\u2019t be MFA because that\u2019s not two factors, that\u2019s two of the same factor (something you know).<\/p>\n<p>A bad guy might guess, or trick you into revealing, your password, but they can\u2019t guess your fingerprint. That makes it a lot harder for them to break into your account.<\/p>\n<p>A common objection to using MFA is that it\u2019s a hassle, but a properly configured system won\u2019t actually ask for your second factor very often. In fact, most of them can learn how you commonly sign in \u2014 from your laptop, in your home, during work hours, for example \u2014 and won\u2019t ask for the second factor when the sign-in is typical. But bad guys who steal your password probably aren\u2019t signing into your device in your home \u2014 they\u2019re signing in from their lair in Scamistan. 
Your system should recognize that\u2019s not typical and demand the second factor \u2026 which they won\u2019t have.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-use-passkeys-when-possible\">Use passkeys when possible.<\/h3>\n<p>Passkeys are a modern way to sign in to your accounts without having to remember or type a password. Instead, when you set up a passkey, your device \u2014 like your phone or computer \u2014 creates a unique digital \u201ckey\u201d for each account. This key is stored safely on your device and works together with the website or app to confirm your identity when you log in.<\/p>\n<p>What makes passkeys different from traditional passwords is that you never actually see or enter the key yourself, and it\u2019s never sent over the internet. Hackers can\u2019t steal your passkey by tricking you with fake websites (a common problem called phishing) or by watching what you type. To use a passkey, you simply approve the sign-in with something simple, like your fingerprint, face recognition or a PIN you set up on your device.<\/p>\n<p>Unlike regular biometrics alone, which just unlock your device, passkeys use your biometric or PIN to approve the use of your unique digital key for logging in to a website or app. This means your fingerprint or face scan isn\u2019t sent anywhere; it just lets your device use the passkey safely.<\/p>\n<p>In short, passkeys combine the convenience of biometrics with stronger security than passwords, making it much easier and safer for you to access your accounts.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-stay-alert-out-there\">Stay Alert Out There<\/h2>\n<p>Cybersecurity can\u2019t solve every problem, but it can help you protect your clients and your reputation. 
Take action today to strengthen your defenses and stay alert.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 class=\"wp-block-heading\" id=\"h-more-tech-tips-from-affinity\">More Tech Tips From Affinity<\/h2>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.attorneyatwork.com\/microsoft-copilot-for-email-management\/\" rel=\"nofollow noopener\" target=\"_blank\">Cut Through the Clutter: How Copilot Helps You Get a Handle on Your Inbox<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/microsoft-copilot-2025-its-better-1-year-later\/\" rel=\"nofollow noopener\" target=\"_blank\">Microsoft Copilot 2025: It\u2019s Better 1 Year Later<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/legal-ai-myths-separating-fact-from-fiction-in-your-law-firm\/\" rel=\"nofollow noopener\" target=\"_blank\">Legal AI Myths: Separating Fact from Fiction in Your Law Firm<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/law-firm-tech-cleanup-6-steps-to-boost-efficiency-and-cut-costs-now\/\" rel=\"nofollow noopener\" target=\"_blank\">Law Firm Tech Cleanup: 6 Steps to Boost Efficiency\u00a0and Cut Costs\u00a0Now<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/secure-collaboration-tools-and-hacks-every-lawyer-should-know\/\" rel=\"nofollow noopener\" target=\"_blank\">15 Secure Collaboration Hacks Every Lawyer Should Know<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/24-quick-tech-tips-to-try-this-year\/\" rel=\"nofollow noopener\" target=\"_blank\">25 Quick Tech Tips to Try in 2025<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/microsoft-word-speech-to-text\/\" rel=\"nofollow noopener\" target=\"_blank\">6 Ways Microsoft Word Speech-to-Text AI Can Help You Write Faster and Better<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/the-secret-to-quickly-creating-user-friendly-pdf-bookmarks\/\" rel=\"nofollow noopener\" target=\"_blank\">PDF Bookmarks: The Secret to Quickly 
Creating User-Friendly Documents<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/new-outlook-interface-email-reminders\/\" rel=\"nofollow noopener\" target=\"_blank\">Never Forget to Follow Up: Using Outlook Email Reminders<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/improve-document-drafting-accuracy-with-microsoft-word-templates\/\" rel=\"nofollow noopener\" target=\"_blank\">Templates to Create Model Documents That Save Your Law Firm Tons of Time<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/paperless-law-practice\/\" rel=\"nofollow noopener\" target=\"_blank\">Paperless Law Practice: How to Boost Efficiency, Cut Costs and Improve Client Satisfaction<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/document-automation-tools\/\" rel=\"nofollow noopener\" target=\"_blank\">Take Your Practice to the Next Level With Document Automation Tools<\/a><\/li>\n<li><a href=\"https:\/\/www.attorneyatwork.com\/how-to-master-page-numbers-in-microsoft-word\/\" rel=\"nofollow noopener\" target=\"_blank\">How to Master Page Numbers in MS Word<\/a><\/li>\n<\/ul>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<p class=\"has-small-font-size\">Image \u00a9 iStockPhoto.com. 
<\/p>\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile has-white-background-color has-background\">\n<figure class=\"wp-block-media-text__media\"><a href=\"https:\/\/www.attorneyatwork.com\/subscribe\/\" rel=\"nofollow noopener\" target=\"_blank\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"372\" height=\"106\" src=\"https:\/\/i0.wp.com\/www.attorneyatwork.com\/wp-content\/uploads\/2023\/06\/AttorneyatWork-Logo-%C2%AE-2021-1.jpg?resize=372%2C106&#038;ssl=1\" alt=\"\" class=\"wp-image-100019522 size-aaw-full-width-no-crop\" title=\"\"><\/a><\/figure>\n<div class=\"wp-block-media-text__content\">\n<p><strong>Sign up for Attorney at Work\u2019s daily practice tips newsletter <a href=\"https:\/\/www.attorneyatwork.com\/subscribe\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a> and <a href=\"https:\/\/feeds.transistor.fm\/attorney-at-work-today\" rel=\"nofollow noopener\" target=\"_blank\">subscribe to our podcast<\/a>, Attorney at Work Today.<\/strong><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Tech Tips: Ben Schorr explains best practices lawyers can use in 2026 to defend against email scams, malware, credential-stuffing attacks and other cybersecurity threats. The post Starting 2026 Safely: Cybersecurity Best Practices for Law Firms appeared first on Articles, Tips and Tech for Law Firms and Lawyers. 
Protect your practice with these essential 2026 cybersecurity [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[17],"tags":[],"class_list":["post-141931","post","type-post","status-publish","format-standard","hentry","category-legal_matters"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/141931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=141931"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/141931\/revisions"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=141931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=141931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=141931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}