Outdated Cybersecurity Practices: Why the Legal Market Must Evolve

7 Min Read By: Michel Sahyoun

In Brief

  • Law firms and legal departments are prime targets for cyberattacks, and the consequences of any breach can be both far-reaching and severe. Despite this reality, many operate under security practices being outpaced by the current threat landscape.
  • Common obsolete practices include overreliance on point-based cybersecurity solutions; trusting endpoint detection and response along, and reliance on traditional password policies.
  • Updated solutions that can be implemented without compromising service delivery or user productivity include replacing point-based solutions with integrated security architectures; moving beyond endpoint detection and response; and adopting modern, NIST-aligned password policies.
  • Legal technologists who lead the modernization of their cybersecurity practices can elevate their organizations’ resilience, safeguard their clients, and contribute to a legal sector that takes cybersecurity as seriously as it takes privilege, confidentiality, and compliance.

Law firms and corporate legal departments are prime targets for cyberattacks—and that’s no surprise. The legal industry manages a trove of sensitive data: client records, intellectual property, regulatory filings, case strategies, and more. Add to that the growing reliance on digital platforms, hybrid work models, and third-party vendors, and the sector’s risk profile becomes even more complex. The consequences of a breach, including financial, regulatory and reputational impacts, can be severe and far-reaching.

Yet despite this elevated risk exposure, many legal organizations continue to operate under outdated cybersecurity assumptions. Legacy security controls and well-worn practices linger, often due to institutional inertia or misplaced confidence. Unfortunately, the cyber threat landscape has outpaced these approaches, and the legal industry can no longer afford to treat security as a static checklist.

Cyber threats today are more agile, distributed, and adaptive than ever. Ransomware attacks, phishing campaigns, and data breaches dominate headlines. Insider threats and credential abuse continue to plague organizations. Sophisticated adversaries leverage automation, artificial intelligence, and the cloud to exploit gaps and scale operations with alarming speed.

In the legal market, recent incidents have been a wake-up call. For example, in 2023, an agreement was reached between the law firm Heidell, Pittoni, Murphy & Bach LLP and the New York Attorney General for the firm to pay $200,000 in penalties resulting from a data breach that compromised individuals’ personal and healthcare data. The firm, which represents hospitals and maintains private patient information, was cited for security failures that violated state law as well as the Health Insurance Portability and Accountability Act (“HIPAA”), and as part of the agreement it was required to adopt improved data security measures.

Larger firms are certainly not immune from cyber incidents. In 2024, Orrick, Herrington & Sutcliffe agreed to an $8 million settlement stemming from a data breach detected the previous year; and just recently, a class action lawsuit was filed against Kelley Drye & Warren over a breach that allegedly occurred earlier this year.

The high-profile breaches of law firms that may be handling M&A transactions or representing high-net-worth clients underscore how attractive to cyber criminals, and how vulnerable, these entities are. Compounding this are rising regulatory expectations—including updates from the Securities and Exchange Commission and the Federal Trade Commission, which increasingly scrutinize law firms’ security practices when assessing liability and compliance.

Despite this shifting landscape, many firms continue to rely on outdated defenses that leave critical gaps unprotected. The most common obsolete practices in the legal sector include:

  1. Overreliance on traditional, point-based cybersecurity solutions. Many firms still depend on individual tools, such as antivirus software, firewalls, or VPNs, that were not designed to handle today’s multivector threats. These siloed solutions often lack the integration and perception needed to detect coordinated or stealthy attacks across environments.
  2. Trusting endpoint detection and response (“EDR”) alone. While EDR platforms have significantly advanced endpoint security, they are no longer sufficient on their own. Attackers increasingly target areas EDR simply does not monitor, such as cloud platforms, APIs, and network infrastructure. OAuth token abuse in Microsoft 365 or lateral movement via Internet of Things devices can easily bypass EDR’s protections.
  3. Reliance on traditional password policies. Many legal organizations still enforce outdated password rules that emphasize complexity (e.g., symbols, numbers, and case sensitivity) and frequent resets. These policies frustrate users, often leading to insecure practices like writing passwords down on paper and using the same password for multiple accounts. Worse, they offer little defense against modern attack methods like credential stuffing.

Despite clear evidence of obsolescence, these legacy practices often endure for understandable reasons, starting with the basics of familiarity and habit. IT teams and users alike are comfortable with tools they have used for years and averse to change. Many have budget constraints, especially in small or midsize firms, which can delay upgrades or platform migrations. Some face compliance myopia and equate passing an audit with being secure, ignoring emerging risks not yet codified in regulations. Yet others have a fear of disruption, with leaders worried that major changes could interrupt client service or raise internal resistance.

While these are valid concerns, firms should weigh them against the cost of inaction: data loss, regulatory penalties, lost clients, and reputational damage.

The good news? Effective, modern alternatives exist and can be implemented in legal environments and beyond without compromising service delivery or user productivity, both of particular concern for firm partners.

Updated cybersecurity solutions for law firms and legal departments to consider include the following:

1. Replace Point-Based Solutions with Integrated Security Architectures.

Adopt a layered, defense-in-depth model that includes:

  • Extended detection and response (“XDR”) for unified perception across endpoints, networks and the cloud.
  • Cloud security posture management (“CSPM”) tools to monitor misconfigurations and exposures in software as a service (“SaaS”) and infrastructure as a service (“IaaS”) platforms.
  • Network detection and response (“NDR”) to detect lateral movement and anomalous behavior at the infrastructure level.
  • Security information and event management (“SIEM”) systems to correlate data from across your ecosystem and surface real-time alerts.

Outsourcing some functions to managed detection and response (“MDR”) services or 24/7 security operations centers (“SOCs”) can help firms gain enterprise-grade protection without building everything in-house.

2. Move Beyond EDR.

Continue using EDR, but recognize its limits. Pair it with solutions that monitor identity usage, cloud logs, and API behavior. Prioritize observing trust relationships between systems and accounts, and monitor service accounts and federated logins closely.

3. Adopt Modern, NIST-Aligned Password Practices.

Shift from complexity to length and usability—a change aligned with password guidance from the U.S. National Institute of Standards and Technology (“NIST”). Key changes include:

  • Require long passphrases (15 or more characters) rather than cryptic strings.
  • Eliminate periodic password resets unless there is evidence of compromise.
  • Screen new passwords against known breach datasets.
  • Mandate multifactor authentication wherever possible.
  • Provide and encourage use of password managers for storing credentials securely.

These practices reduce human error and improve both security and user experience.

4. Make the Case for Change.

Legal technologists must frame cybersecurity upgrades in terms of business and regulatory risk. Use concrete scenarios, such as a ransomware breach shutting down client files for days, to highlight what is at stake. For example, in early 2023, Cadwalader, Wickersham & Taft acknowledged a cyberattack that required the wiping of hard drives and taking several key systems, including the firm’s document management system, offline—in some cases for weeks. The same year, Troutman Pepper experienced a cyberattack that shut down the firm’s email and other networks, causing disruption to basic operations and client service.

Emphasize how modern security enables continuity, protects the firm’s reputation, and aligns with clients’ expectations of due diligence.

5. Facilitate Adoption with Strategic Change Management.

Security doesn’t have to be disruptive if it’s introduced with empathy and education.

  • Roll out new tools with clear training and support.
  • Engage firm leadership early to gain buy-in.
  • Pilot changes in small teams before scaling up.
  • Communicate benefits in nontechnical terms that resonate with lawyers and staff.

The legal industry cannot afford to treat cybersecurity as an afterthought or assume yesterday’s tools will withstand tomorrow’s threats. The cost of inertia, whether measured in breached data, regulatory fines, or lost client trust, is simply too high. Modernizing cybersecurity practices starts with acknowledging what no longer works: overreliance on point solutions, blind faith in EDR, and outdated password policies. From there, legal organizations must embrace a layered, integrated security model aligned with today’s risk realities.

By leading this evolution, legal technologists can elevate their organizations’ resilience, safeguard their clients, and contribute to a legal sector that takes cybersecurity as seriously as it takes privilege, confidentiality, and compliance. For those seeking practical frameworks and guidance, resources such as NIST’s Cybersecurity Framework and the Center for Internet Security (“CIS”) Controls, as well as groups such as the Legal Services Information Sharing and Analysis Organization (“LS-ISAO”), offer valuable support.

The threats are real, but modern solutions are available. Now is the time to evolve.

By: Michel Sahyoun

Connect with a global network of over 30,000 business law professionals

18264

Login or Registration Required

You need to be logged in to complete that action.

Register/Login