ABA TechReport 2023

2023 Cybersecurity TechReport

John Simek

Summary

  • The ABA TechReport 2023 pairs data from the 2023 Legal Technology Survey Report, which surveyed practicing attorneys, with analysis, observations, and predictions from experts in the legal technology field.
  • This Cybersecurity TechReport is a partial summarization of the detailed responses contained in the 60 plus page volume.
  • Cybersecurity should be top-of-mind for every attorney. Constant vigilance is needed to keep our data safe and secure. 

By the time you read this TechReport, ChatGPT will be more than a year old. This past year, artificial intelligence (AI) has taken the world by storm and dwarfed the news of cyber incidents. That doesn't mean cybersecurity has taken a step back behind AI; rather, AI has become an important tool when dealing with cyberattacks. AI has been used to help with our cyber defenses, but it is increasingly being used for evil purposes such as crafting extremely effective phishing campaigns.

Make no mistake about it, despite the constant mention of AI, cyber is still top-of-mind for most businesses and law firms. Law firms need to understand the current cyber landscape. Remember that you can’t fix it if you don’t know it’s broken. There are many surveys, reports, articles, online resources, etc. to educate lawyers about current cybersecurity trends and threats.

One resource specific to the legal profession is the ABA’s 2023 Legal Technology Survey Report. The survey results are provided in five volumes.

  • Online Research
  • Technology Basics & Security
  • Law Office Technology
  • Marketing & Communication Technology
  • Life & Practice

Cybersecurity items are covered in the “Technology Basics & Security” volume of the survey. This Cybersecurity TechReport is a partial summarization of the detailed responses contained in the 60 plus page volume.

Technology Policies

While there are similarities in how law firms operate, each firm is unique in its processes and workflows, matter composition and certainly the volume and type of data entrusted to it by its clients. Therefore, it is imperative that your firm have documented policies to act as a set of “rules” for firm operations. These policies may cover such things as remote access, internet usage, social media, email use, etc. In aggregate, they can be considered a building block for your firm’s overall security program. Your security program should address people, process and policies. You may need help in developing your policies, but their importance cannot be overstated.

The survey reported that 80% of respondents have one or more policies governing technology. Last year, the number was 89%, 83% in 2021 and 77% in 2020. It should be noted that there were almost double the number of completed Technology Basics & Security questionnaires as compared to the 2022 Survey. Perhaps the 80% response can be viewed as more representative due to the larger sample size.

As to specific policies, the 2023 Survey reported that 55% have an email use policy followed by 51% with an internet use policy, 50% for computer acceptable use, 50% for remote access and 44% for social media.

There was a big downturn in those firms having an incident response plan with only 34% of respondents reporting in the affirmative. That’s a pretty big drop from 42% last year. Larger firms, with much to lose, tend to be prepared with an incident response plan. As expected, firms of more than 500 attorneys are the most likely to have an incident response plan (78%), followed by 59% for firms of 100-499, 54% for firms of 50-99, 34% for firms of 10-49, 19% for firms of 2-9 and 19% for solo respondents. An incident response plan is an absolute necessity if you want to successfully navigate the storm following a cyber incident. It is your “road map” for response and will save you much time and money, not to mention the significant number of headaches.

Shields Up!

One of our favorite free cybersecurity resources is Shields Up on the Cybersecurity & Infrastructure Security Agency (CISA) website. There are some great tips and guidance for protecting your confidential data.

But what are attorneys doing to protect themselves in this rapidly changing cyber world? The 2023 Survey helps answer that question by identifying some of the security tools law firms have available. Some sort of spam filter is the most common tool at 80%. Software firewalls were second at 76%, followed by anti-spyware (71%), mandatory passwords (70%), pop-up blockers (67%) and email virus scanning (66%).

There are few technologies better at preventing unauthorized access to data than encryption. To that end, the 2023 Survey reported that 48% of respondents have file encryption available for their use. Email encryption is slowly increasing: 42% of respondents indicated that email encryption was available. Solo lawyers were at the low end with 33.1%. The percentage increased as the law firm size increased, with firms of 500 or more lawyers at 68.8%. Larger law firms tend to have encrypted email as part of their email service, while solo and small firm lawyers tend to take advantage of the secure communications capabilities within their practice management system.

The responses for two-factor authentication (2FA) are a little disappointing. Today, we see the term multi-factor authentication (MFA) used more often than 2FA. MFA just means you can have two or more factors. MFA typically comes at a price lawyers love. It’s FREE. Common implementations of MFA include SMS text message, authentication application (code or push) and hardware token (e.g. YubiKey). The 2023 Survey reported that 54% of attorneys have 2FA available. The percentages bounced around slightly for the various numbers of lawyers at a location, but typically around half of them have 2FA. Since there is rarely a cost to implement 2FA, it is a mystery why the percentage isn’t much higher. Since the question was “Does your firm have the following security tools?” and not “Do you use the tool?,” perhaps the perceived inconvenience of 2FA factored into the responses. Microsoft’s own data supports that implementing MFA will stop 99.9% of credential-based account attacks. With such a high effectiveness rate, every lawyer should be using MFA everywhere they can, both personally and professionally.

Security Assessments

One way to determine the firm’s security posture is to perform an assessment. While you should perform periodic reviews of your own vulnerabilities, having a third party perform a security assessment can reveal more information, using “fresh eyes” and cybersecurity scanning tools to survey your environment. Your own IT folks have a vested interest in the outcome of the assessment, so using an outside firm makes a lot of sense. Some cyber insurance carriers may require that a third party perform an assessment. Some clients may also want to know the status of your cybersecurity by requiring third party assessments or reviewing past assessments, policies and other documentation.

Overall, 29% of respondents reported that their firms had a full security assessment performed by a third party. Respondents from firms of 2-9 lawyers reported 27%, 10-49 lawyers reported 36%, 50-99 lawyers reported 59% and 100-499 lawyers reported 35%. Solo lawyers were at the low end with only 21% responding that their firm had a security assessment conducted by a third party.

Even if your firm had a third party perform a security assessment, that doesn’t prevent your client or a potential client from asking to see the firm’s security requirements documents/guidelines. The survey reported that 27% of respondents had been asked by clients for the firm’s security requirements document/guidelines. Larger firms are more likely to receive such requests. According to the 2023 ABA Legal Technology Survey Report, requests for security requirements documents/guidelines were made to 50% of firms with over 100 lawyers, 59% for 50-99 lawyers, 41% for 10-49 lawyers and 15% for firms of 2-9 lawyers. Once again, solo lawyers were at the low end with only 9% of respondents stating that a client or potential client had asked for the firm’s security requirements document/guidelines.

As mentioned earlier, some cyber insurance companies may require a security assessment for the firm. At a minimum, you will be required to complete a questionnaire to obtain or renew coverage. The answers to the questions will be used to assess the security risk for your firm, thereby setting potential coverage limitations and rates. Besides the cyber insurance companies, clients are also interested in the security posture of their law firms and may request the completion of a security questionnaire. The 2023 Survey reported that 22% of respondents answered that a client or potential client had asked their firm to complete a security questionnaire. Larger law firms are more likely to have a client or potential client ask their firm to complete a security questionnaire, with 50% of firms over 100 lawyers answering in the affirmative, followed by 48% of firms with 50-99 lawyers, 27% for 10-49 lawyers and 14% for firms of 2-9 lawyers. Solo attorneys were at 4%.

While some clients or potential clients requested completion of a questionnaire, fewer requested an actual security audit or other review of the firm’s security. Only 14% of clients or potential clients requested such an audit or review.

Cyber Insurance

Cyber liability coverage has been a white-hot topic over the last several years. Marsh McLennan Agency closely tracks cyber insurance trends. In the United States, cyber insurance pricing rose 11% in Q1 2023 compared to a 28% increase in the prior quarter.

Perhaps rising premium costs are influencing firms’ decisions to purchase cyber liability insurance. 40% of respondents reported their firms having cyber liability insurance, which is down from 46% in 2022. Respondents from firms of 50-99 lawyers are the most likely to have cyber liability insurance at 59% (up from 40% in 2022), followed by 57% of firms with 100-499 attorneys (down from 43% in 2022), 49% for firms of 10-49 attorneys (down from 56% in 2022), 37% for firms of 2-9 attorneys (down from 42% in 2022), 37% for firms of 500 or more (down from 40% in 2022), and 31% for solo attorneys (down from 38% in 2022).

Security Breaches

Probably the most quoted statistic from previous Surveys is the question about security breaches at law firms. The 2023 Survey asked respondents, “Has your firm ever experienced a security breach (e.g. lost/stolen computer or smartphone, hacker, break-in, website exploit)?” 29% of respondents answered in the affirmative. The response is a slight increase over the 27% from last year. As stated in the 2022 Cybersecurity TechReport, don’t be misled by thinking over a quarter of law firms suffered a data breach. You may have lost your computer or smartphone, or had it stolen, but that doesn’t mean the data was accessible by unauthorized personnel or that the loss or theft constitutes a data breach. In other words, a security breach is not necessarily the same thing as a data breach. The survey question would be more accurate if the term ‘security incident’ were used instead of asking about a security breach.

Even though 29% experienced a security breach, 19% reported not knowing if their firm had ever experienced a security breach and 52% reported not having experienced one. The percentage of respondents who reported that they “don’t know” is 5% for solo attorneys, followed by 5% for firms of 2-9 attorneys, 29% for firms of 10-49 attorneys, 14% for firms of 50-99, 41% for firms of 100-499 and 60% for firms of 500 or more.

Prevention and Recovery

As in the prior year survey, there were a few questions in the 2023 Survey that addressed specific technologies. One technology was password management. While we are moving more towards “passwordless” access (e.g. Passkeys), passwords will still be around for the next several years. Since passwords will be with us for some time, we’ll need to practice good password hygiene. This means no weak passwords and a unique password for each login. In other words, NO password reuse. One tool to help with password management is a password manager. The 2023 ABA Legal Technology Survey asked the question “Do you use a password management tool (e.g. LastPass, Dashlane)?”

Overall, 33% of respondents reported that they use a password management tool, which is a slight increase from 32% last year. Like last year, the responses were fairly flat across all firm sizes with 41% of respondents from firms of 50-99 attorneys reporting the usage of a password manager, followed by 40% for firms 100-499, 35% for solo attorneys, 32% for firms of 10-49 attorneys and 28% for firms of 10-49 attorneys.

Good, reliable backups are critical for law firm operations. There doesn’t appear to be any end to ransomware attacks. While the preference is to avoid a ransomware attack to begin with, having the ability to restore operations using good backups is critical. The 2023 Survey question was “How does your firm back up its computer files?” The most common response among all firms (43%) was that they use some sort of online backup such as Mozy, Carbonite, etc. The next most common response at 32% was an external hard drive, followed by 25% offsite (e.g. store backups at home, bank, other office) and Network Attached Storage (NAS) (15%). There are still some firms clinging to legacy backup solutions such as tape and optical disc (CD & DVD), neither of which is cost-effective or reliable. It’s way past time to ditch the legacy technologies and start using modern methods to back up your data.

No matter what backup technology you select, it should be engineered to survive a ransomware attack and be tested on a periodic basis. All the backups in the world won’t do you any good if you can’t restore the data. Don’t just trust the report of a successful backup. Performing test restores will give you confidence in your ability to recover from a cyber-attack or natural disaster.

Conclusion

This TechReport is a limited summary of what law firms are doing to address cybersecurity. Much more detail is available in the Technology Basics & Security volume of the 2023 American Bar Association Legal Technology Survey. We have seen a tremendous increase in the number of data breaches at law firms over the past year. So much so that it is not uncommon for the firms to be embroiled in class action lawsuits following the breach. Not a very pleasant experience, to say the least.

Cybersecurity should be top-of-mind for every attorney. Constant vigilance is needed to keep our data safe and secure. The attack methods have become more sophisticated, often aided by the use of artificial intelligence. While many data breaches start with a phishing email, social engineering also plays a role, especially where financial transactions are involved. Cybersecurity awareness training for employees should be performed once a year at a minimum, covering current threats, vulnerabilities, and attack methods. Firms should also plan for implementing a Zero Trust Architecture (ZTA). If ZTA is a foreign concept to you, perhaps more education is needed. Microsoft offers a guide to ZTA which explains it in simple terms and is available at https://www.microsoft.com/en-us/security/business/security-101/what-is-zero-trust-architecture.
