Industry News Legal Management Updates

Critical Security Measures for Smaller Law Firms

While 2020 put many businesses and industries on pause, cybercriminals have accelerated and evolved their efforts further. That means cybersecurity is more important than ever. Is your firm equipped to handle whatever security threats come its way?

Eli Nussbaum

For many smaller firms, the answer to that question is no. For any number of compelling reasons, smaller firms are often missing a critical focus on cyberthreats. If your firm has yet to put as much emphasis on security as it should, now is the time to get on the path to a better program. The first step is understanding the nature of today’s security risks and how to combat them.


At smaller firms, both the security infrastructure and the priority placed on security can be lacking. Servers often sit in an unlocked closet or corner of the office, which leaves all of the firm’s work and data physically unprotected: anyone who can reach the closet can reach the disks. User devices, employed more frequently than ever, may not be enrolled in mobile device management, so every time someone sends or receives an email or downloads a document to a personal device, the firm’s risk exposure increases.

Risk exposure also increases when employees use unknown and unsecured Wi-Fi networks for firm business. While less frequent these days, a prime example of this is lawyers traveling and using hotel or airport Wi-Fi. On a network the firm does not control, any traffic to or from the device that is not encrypted end to end can be read or altered by whoever runs the network, or by other users on it.

In the days before email traffic was routinely encrypted in transit, a common attack method was to sit on the network path, read the mail flowing past, wait for a conversation about a payment and then inject a message asking for the funds to be rerouted. Transport encryption has addressed the interception part of that risk; however, an attacker who gains a foothold on an unsecured device or mailbox can still read and inject into the same conversations, so failing to secure devices can open the door to the same types of breaches.


Combating today’s security risks requires an awareness of those risks and how they impact your firm. You already know that your physical files need to be protected and kept within the firm’s control; electronic data must be protected under a similar umbrella. As the owner of that data, your firm needs to determine how people are accessing it, and protect it both where it resides and while it is moving between devices. Safeguards then need to be in place to ensure that it is encrypted on devices and in transit back to your organization, and that you can remove it from a device when it should no longer be there.

Data security is no different than physical security — if something looks wrong, don’t trust it. We’re used to identifying physical risk because we see it every day. It’s time to start thinking about digital risk in the same manner. You monitor the people you interact with, the ones you let into your spaces and how freely they are able to move about your office; you should be monitoring which users and devices are connecting to your systems, and how they are connecting, just as vigilantly.

Think back to the example of lawyers on hotel Wi-Fi — even if data in transit is encrypted, whoever controls the Wi-Fi has network-level access to every device on it and can probe those devices for exposed services or unpatched software. If a device is not properly protected and encrypted, that access can be turned into reading or exfiltrating the data on it. Device management ensures that you restrict access to your data to devices under the firm’s control that meet minimum security standards, such as patch levels, malware protection, encryption and authentication requirements.


Of particular relevance today are the various devices your staff are using remotely. Do you know all of the laptops, phones, tablets or other devices your employees connect to your network? Even if they are not firm-issued, every device used to access your data needs to be under mobile device management and held to a security baseline. They must be protected with approved malware tools and be running current, patched versions of their operating systems — in short, they must not be an easy target. If a device does not meet the minimum requirements, it must be denied access, even if its user presents valid credentials.

There are many simple security measures that are often overlooked by small firms. For example, firms should require strong, unique passwords; current guidance (NIST SP 800-63B) favors long passphrases checked against lists of known-breached passwords over mandatory 90-day rotation, with an immediate change whenever compromise is suspected. Data should be encrypted both at rest and in transit. Multifactor authentication should be in place, requiring a second factor beyond the password to access email and systems, so that an attacker who obtains a credential still cannot log in. Internal systems should always be up to date, with all hardware and software continually patched so that third parties cannot take advantage of known flaws.
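The two rules above, that a device failing the firm’s baseline is refused even with a correct password and that a password alone is never enough, are the kind of check a device-management or identity platform performs on every login. The following is an added example of that gate written out as a small policy evaluator; it is not code from the article or from any MDM product, and the baseline thresholds, the field names of the posture report and the sample devices are constructed for illustration.

```python
"""Added example (not from the article): a minimal device-compliance gate.

Every access request is evaluated against the firm's minimum device
standards AND must have completed multifactor authentication, so valid
credentials on an unmanaged or unpatched device are still refused.
Thresholds, field names and sample devices are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed firm baseline: oldest acceptable OS version per platform, and the
# longest a device may go without installing updates.
MIN_OS_VERSION = {
    "windows": (10, 0, 19041),
    "macos": (11, 0, 0),
    "ios": (14, 0, 0),
    "android": (10, 0, 0),
}
MAX_PATCH_AGE_DAYS = 30
REFERENCE_DATE = date(2020, 11, 16)  # constructed "today" for the samples


@dataclass
class DevicePosture:
    """Posture report for one device, as a management agent would send it."""
    device_id: str
    platform: str
    os_version: str          # dotted string such as "10.0.19042"
    last_patched: date
    mdm_enrolled: bool
    disk_encrypted: bool
    malware_protection_on: bool


@dataclass
class AccessRequest:
    user: str
    password_ok: bool        # result of the primary credential check
    mfa_verified: bool       # second factor completed for this session
    device: DevicePosture


def parse_version(s: str) -> tuple:
    """"10.0.19042" -> (10, 0, 19042), so versions compare numerically, not as text."""
    return tuple(int(part) for part in s.split("."))


def posture_failures(dev: DevicePosture, today: date) -> list:
    """Return every baseline requirement the device misses; empty means compliant."""
    failures = []
    if not dev.mdm_enrolled:
        failures.append("not enrolled in device management")
    if not dev.disk_encrypted:
        failures.append("disk not encrypted")
    if not dev.malware_protection_on:
        failures.append("malware protection disabled")
    minimum = MIN_OS_VERSION.get(dev.platform.lower())
    if minimum is None:
        failures.append(f"unsupported platform {dev.platform!r}")
    elif parse_version(dev.os_version) < minimum:
        failures.append(f"OS {dev.os_version} below minimum {'.'.join(map(str, minimum))}")
    patch_age = (today - dev.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        failures.append(f"last patched {patch_age} days ago")
    return failures


def evaluate(req: AccessRequest, today: date) -> tuple:
    """Decide (allowed, reasons). Posture is checked even when the password is
    correct, so a stolen credential on a non-compliant device is still denied."""
    reasons = []
    if not req.password_ok:
        reasons.append("bad credentials")
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    reasons.extend(posture_failures(req.device, today))
    return (not reasons, reasons)


def sample_requests() -> list:
    """Two constructed logins with the same valid password and MFA: a managed,
    patched firm laptop and an unmanaged personal phone on an old OS."""
    managed = DevicePosture("LAPTOP-01", "windows", "10.0.19042",
                            date(2020, 11, 10), True, True, True)
    personal = DevicePosture("PHONE-77", "ios", "12.4.1",
                             date(2020, 3, 1), False, True, False)
    return [AccessRequest("associate", True, True, managed),
            AccessRequest("associate", True, True, personal)]


if __name__ == "__main__":
    for req in sample_requests():
        allowed, why = evaluate(req, REFERENCE_DATE)
        print(req.device.device_id, "ALLOW" if allowed else "DENY", "; ".join(why))
```

Running it allows LAPTOP-01 and denies PHONE-77 with every failed requirement listed, which is the behavior to look for when evaluating a management product: the decision must be driven by device posture and a second factor, not by the password check alone.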

Incredibly important is security awareness training: Employees should undergo regular training on current threats. End users are the final line of defense for your organization, and if they aren’t familiar with what to look out for and how to react, they won’t react. Security measures are only useful if your employees understand why and how to use them.


Small firms are realizing they haven’t taken all the necessary steps to optimize their security posture. Now is the time to address your most critical security gaps.

No firm can implement foolproof security in a single effort. From a budgetary perspective, there are only so many things you can do at once. From a user perspective, there’s only so much change you can impose upon your staff. Your firm’s security posture should continually evolve to meet the changing threat landscape.

Consider what is most critical today — things like security awareness training, enforcing strong passwords with multifactor authentication and encrypting devices — and implement that first. Then consider what you want to focus on next year and your wish list for the future.

The key to security is constant evolution and addressing it in a way that’s supportive of the main goal of your business: serving your clients. The right security implementation will give you all of the tools and practices you need to keep your firm safe without interfering with your ability to provide great client service and generate revenue for the firm.

Diversity Dialogue Broadening Business Perspectives

ICYMI (In Case You Missed It): Free D&I Resources Available to You

The legal industry is the least diverse profession in the United States, so it is no wonder that the Association of Legal Administrators faces a similar shortfall in diversity and inclusion. Just over 70% of ALA’s membership is between the ages of 47 and 66, with the majority of that number also being white and female. Just over 20% of ALA members are male, and less than 17% of our members are minorities.

It is imperative to note that only focusing on diversity, without equal attention on inclusion, will fail every single time. Law firms have been focused on improving diversity statistics for decades yet continue to have serious issues related to firm morale and culture, leading to high turnover and little true diversity or inclusion. An inclusive firm works to create an environment that allows individuals to be their authentic selves and engages, enables and empowers employees to do their best work.

Our goal for the legal industry is for the makeup of our firms (lawyers, support staff and administrators) to be representative of the communities we serve. Simple, right? Yet we continue to fall unacceptably short of this goal and have a long road of work ahead of us. But this is where ALA’s Diversity, Equity, Inclusion and Accessibility (DEIA) Committee can help! Our committee’s purpose is to serve as inclusion and diversity advocates for the advancement and expansion of underrepresented groups in the Association and in the legal community at large.

So, ICYMI, the DEIA Committee can help you, your firm and your chapter evolve in the D&I space in three areas.


One of the biggest advantages of ALA membership is your access to chapter and law firm presentations and programs. The presentations are free of charge. However, when COVID-19 restrictions are lifted and travel is permitted again, we ask that reasonable associated travel costs be reimbursed. (There is no cost for virtual presentations.) Committee members are available to present educational content covering a variety of topics including:

  • Creating a Culturally Competent Law Firm
  • 25 D&I Tips
  • All Inclusive: How Chapters Can Create a Welcoming Environment
  • Bullies in the Workplace (will be available soon!)

In response to the social uprising that our country has experienced since George Floyd’s killing in May 2020, we have been hosting roundtable discussions along with a short presentation on racism in America. Our presentations are continuously updated to include the most relevant issues in the legal D&I space.


By now, chapters participating in the 2021 Presidents’ Award of Excellence have noticed the award criteria now includes more than a dozen D&I benchmarks. The criteria were repurposed from the former ALA Diversity Scorecard for chapters. While the criteria are currently optional, we hope they become required achievements for chapters in 2021 and beyond. Examples of the criteria include:

  • The chapter follows our committee on social media.
  • The chapter hosts a DEIA Committee presentation for its members.
  • The chapter has a formal D&I officer on its Board of Directors.

Many of you have inquired about the law firm scorecard, which was removed as an available resource in late 2019. Our committee has spent extensive time repurposing and restructuring it into the soon-to-be-released Law Firm D&I Benchmarking Guide. This benchmarking guide will help firms of all sizes navigate successful D&I initiatives, whether they have 3 or 3,000 lawyers. It also provides the right metric tracking for firms distributed throughout the spectrum — from those with no established D&I programs to those that have already made a lot of headway in this space. Members can expect this guide to be rolled out by the end of 2020.


If you haven’t had a chance to follow us on social media — Twitter, LinkedIn, Facebook — we encourage you to find us @ALADiversity! As you know, there is so much content out there right now and it’s hard to sift through all of it. We have a dedicated team responsible for curating the information that is meaningful and relevant to law firm administrators.

In June 2020, we launched our first-ever monthly social media challenge, #ALABiasBusters. There are various ways to participate, and our next challenge starts Monday, November 30, so be sure to follow us on social media to join in on the fun and win some awesome prizes. A huge thank you is warranted to all the chapters that have committed to donating prizes.

Lastly, while each of the nine members of our committee works tirelessly to make strides in D&I, in order for us to succeed, we need the involvement of every ALA member and business partner. We encourage you to be part of this conversation. If you have any questions or would like additional information on how we can be of service to you, please feel free to email our committee at [email protected].