Attorney Steve Fretzin—host of the podcast “Be That Lawyer”—recently had me on his show to talk about law firm cybersecurity. He was clearly unsettled by what I shared.
For example, phishing scams. I told Steve that even the smartest lawyers could fall for these, no matter how confident they are in their ability to spot them.


I also presented statistics showing that 29 percent of all law firms in the U.S. have been victim of a data breach. I contended that those 29 percent are just the ones willing to admit to having been breached and that the actual number is likely much higher.
Steve correctly identified one of the reasons why so many law firms are having their data stolen: clicky fingers. He said that the vast majority of us tend to unthinkingly click on links that pop up on our screens. It’s almost like a reflex, he said—we’re shown a link, and we want to click on it before we’ve even had a chance to consider what we’re doing or to weigh the potential risks involved.
That led to a discussion about the value of taking a multilayered approach to cybersecurity. As I explained to Steve, phishing schemes are not the only threat. There are also ransomware attacks, viruses, third-party website breaches, and more. It was my expressed view that only by implementing a multilayered approach to cybersecurity can a law firm realistically hope to safeguard the client data entrusted to it.
The starting point for a multilayered approach, I said, is cybersecurity training. I conceded that many people find cybersecurity training ineffective. Still, in my opinion, that’s because they’ve never enrolled in a training course built around modern psychological tactics, such as using fun storytelling to make information memorable and prevent participants from tuning out.


An element of cybersecurity training is phishing simulations, which I described as surprise drills designed to reveal who on your team is most likely to fall for a phishing scam—the point being that once you know who is vulnerable, you can then offer them additional support to make them stronger.
Some other items I mentioned as belonging to the multilayered-approach bucket included: A.I.-based phishing detection filters that flag suspect emails; password manager software to end the risky practice of making up easily remembered (and easily cracked) passwords; and Dark Web scanning to monitor for the presence of your personal login credentials on what I like to characterize as an Amazon-style marketplace for stolen user IDs and passwords.
Related to all this, I said it’s extremely important nowadays for law offices, large and small, to obtain cybersecurity insurance. However, I also noted that it’s difficult to procure such a policy unless you can show you’ve implemented a multilayered approach to cybersecurity—because, without that, the insurer will see you as way too big a risk to cover.
Steve and I talked about other data-protection matters as well, and you can listen to them in full by clicking this link to the podcast.