BP Perspective Insights from a Business Partner

How to Protect Your Firm from the 4 Most Dangerous Cybersecurity Threats

It was a tempting offer contained in that October 2021 email that looked like it had been sent from the law firm of Debevoise & Plimpton to clients with money to invest. All a recipient needed to do to learn more about the supposedly golden financial opportunity teased in that email was review, sign and send back the conveniently attached nondisclosure agreement (NDA) via return email.

Tom Lambotte

However, the email in question did not come from Debevoise but from cybercriminals operating a convincing counterfeit of Debevoise’s website.

Anyone who made the mistake of downloading the NDA would have discovered too late that it was laced with programming code to force the host computer to belch out personal confidential information that could then be used to commit financial crimes.

Fortunately, Debevoise caught wind of the scam early on and moved with lightning speed to derail it. The more troubling aspect of this incident, though, is that the bad actors had email addresses of Debevoise clients in the first place. How was that even possible? Potentially, there were four significant ways.


The four most dangerous lines of attack cybercrooks use against law practices are as follows (but in no particular order): phishing, email fraud, ransomware and breaches.

Phishing is a ploy to get you or members of your team to divulge login credentials. With your username and password in hand, bad guys can effortlessly take control of your systems and access confidential information — potentially all of it.

Email fraud begins with a request landing in your inbox from what appears to be a person or organization you know and trust — but, in reality, it is from an impostor. The email asks you to download a document (that, unbeknownst to you, contains a virus) or to send money to an account that seems on the up-and-up but actually is controlled by the crooks.

Ransomware is a virus that stops you from opening any of your data files or, in the worst cases, operating your computers until you agree to pay a ransom.

Breaches are another way of saying cybercriminals have burrowed their way into your computer by identifying and then exploiting a systemic vulnerability. The prize here is the confidential data stored within.


There are several defensive moves you can initiate to counter a potential cyberattack.

Take stock of your cyberattack risk. For this, you’ll need to examine your computer systems with a fine-tooth comb in search of vulnerabilities. You’ll also need to look closely at the online work habits of yourself and your team to identify risky behaviors and unwise decision-making processes. The value of this exercise is that it can show you what’s broken and suggest the best sequencing for addressing those cyberattack defense shortcomings.

Implement cybersecurity policies and procedures. These will spell out what you and your staff need to do daily to protect data, such as being continuously vigilant, using strong passwords and ensuring computer screens are locked every time users walk away from their desks. Policies and procedures will also set forth the appropriate steps to take in the event of a cyberattack to quickly regain control of the situation and minimize the potential for damage. 

“The more adept you are at spotting assault attempts, the less likely it is you’ll become a victim (or, more accurately, the less likely it is that you, your clients, your brand image, your firm’s financial health and your law license will become victims).”

Make sure all software is up-to-date. Data breaches often happen after hackers smoke out a poorly written line of code in a widely used app or software product. However, almost as soon as the hackers punch a hole in the programming, the app maker or software developer becomes aware of it and rushes out an updated version that eliminates the vulnerability. (Makers and developers also become aware of vulnerabilities by employing hackers of their own to look for weaknesses.) Cybercrooks are counting on you being too lazy or distracted to download those updates; therefore, you should update as soon as new versions become available.

Train yourself and your team to recognize cybersecurity threats. The more adept you are at spotting assault attempts, the less likely it is you’ll become a victim (or, more accurately, the less likely it is that you, your clients, your brand image, your firm’s financial health and your law license will become victims). Everyone on your team (no one gets a pass) must complete cybersecurity training on an ongoing basis — as in, not a once-a year-thing. We recommend moving away from the typically dull, monotonous (and overwhelming) two to three hour cyber trainings. Instead, look for an ongoing cybersecurity course that may take 10 to 15 minutes once a month.

These and other defensive measures can be implemented individually as time, resources and opportunity permit.

Still, cybersecurity threats are a matter to be taken seriously. Law firms — large and small, famous and obscure — are considered prime targets for attack due to the high value of the data entrusted to them. Consequently, you have an obligation (likely spelled out by your state bar with help from the American Bar Association’s Model Rules of Professional Conduct) to take all reasonable steps to protect the confidential information in your custody.