Law
firms
are
juicy
targets.
Secrets,
money,
privileged
communications,
and
tech
clueless
lawyers
minding
the
gate.
Passwords
like
“password123”
aren’t
cutting
it.
It’s
a
cybercriminal
buffet.
Artificial
intelligence
continues
to
elicit
all
the
hype
in
legal
tech,
but
cybersecurity
should
be
the
story
of
2025.
The
United
States
has
decided
to
actively
antagonize
global
cyber
threats
and
slash
spending
on
protection.
And
while
hacking
into
the
Department
of
Defense
is
as
easy
as
sliding
into
Pete
Hegseth’s
DMs,
bad
actors
aren’t
stopping
there
and
law
firms
are
prime
targets.
The
ILTA
Evolve
conference
offers
a
more
focused
program
than
most
shows.
Rather
than
try
to
cover
all
the
tech
challenges
facing
law
firms
under
one
roof,
the
second
annual
Evolve
event
narrows
its
focus
to
AI
and
cybersecurity.
The
latter
took
center
stage
—
literally
and
figuratively
—
in
a
frightening
keynote
address
from
Red
Queen
Dynamics
CEO
and
Senior
Fellow
of
Global
Cyber
Policy
at
the
Council
on
Foreign
Relations
Tarah
Wheeler.
Threats
are
coming
and
lawyers
mostly
don’t
get
it.
It’s
not
just
about
planning
ahead
either…
lawyers
fail
to
grasp
the
back
end
too.
Small
businesses
get
hit
all
the
time
and
60
percent
of
them
don’t
survive
the
aftermath.
Wheeler
told
the
story
of
a
breached
professional
who
wanted
to
recover
the
data
and
go
after
the
perpetrators…
with
a
$5,000
budget.
She
told
him
that
it
would
just
about
cover
the
cost
of
a
nice
letter
to
inform
clients
of
the
breach.
The
cost
of
doing
anything
more
substantial
on
the
back
end
is
wildly
more
massive.
Off
the
cuff
she
said
an
incident
response
firm
would
probably
charge
over
$650,000
to
embark
on
a
project
like
this
guy
wanted.
Just
a
stark
disconnect
when
it
comes
to
cost.
How
do
security
professionals
break
through
to
convince
the
lawyers
to
put
a
lot
more
money
behind
this
than
they
have?
Wheeler’s
unorthodox
but
shockingly
effective
approach
involved
picking
padlocks
on
stage.
Not
just
any
padlocks…
the
Master
140
Series,
the
most
popular
lock
on
the
market.
Watching
the
market
leader
for
physical
security
get
casually
cracked
over
and
over
while
she
continued
her
speech
helped
make
the
abstract
more
tangible.
Cybersecurity
can
be
tough
to
wrap
a
head
around,
but
physical
locks
are
more
real
and
the
message
is
that
whatever
you
think
you’ve
done
to
secure
data
is
not
much
better
than
the
Master
locks
getting
ripped
open
on
stage.
And
if
that
demonstration
doesn’t
drive
it
home,
have
a
chat
with
a
cyberinsurance
carrier
and
see
what
that
quote
looks
like.
Stop
manually
managing
TLS
certs
like
it’s
1998.
Multi-factor
authentication
isn’t
optional.
If
you’re
still
using
Internet
Explorer?
Stop
reading
this
article
and
go
unplug
your
entire
firm.
And
consider
working
backward
and
drafting
the
“we’ve
been
hacked”
press
release
now
as
an
exercise.
“The
incident
response
press
release
that
you
hand
you
to
the
partners
in
your
firms…
here’s
what
we
did,
here’s
the
controls
we
have
in
place,
here’s
how
they
were
breached,
here’s
how
quickly
be
responded,
and
here
is
the
way
that
we
will
be
better
in
the
future.
And
make
sure
that
what
you
say
on
that
paper
is
true,”
she
said.
Because
what
you
don’t
want
to
be
saying
is
“we
don’t
know
how
it
happened,
we
don’t
have
any
tools
in
the
place,
we’re
not
sure
what
was
lost.”
Take
the
time
to
seriously
grapple
with
security
as
more
than
a
checkbox
exercise.
In
other
news,
I
now
know
how
to
pick
a
Master
140
series
lock.
Joe
Patrice is
a
senior
editor
at
Above
the
Law
and
co-host
of
Thinking
Like
A
Lawyer.
Feel
free
to email
any
tips,
questions,
or
comments.
Follow
him
on Twitter or
Bluesky
if
you’re
interested
in
law,
politics,
and
a
healthy
dose
of
college
sports
news.
Joe
also
serves
as
a
Managing
Director
at
RPN
Executive
Search.