It is no secret that cyberattackers consider law firms to be rich sources of valuable data. Escalating risks and client expectations mandate that midsize and smaller firms, with fewer than 200 attorneys, treat cybersecurity as a core element of their legal practice. Like their larger counterparts, midsize and smaller firms must comply with rules of professional responsibility to take reasonable steps to prevent the inadvertent or unauthorized access to or disclosure of information relating to client representation. Moreover, smaller law firms must contend with many of the same cybersecurity challenges and threat actors as larger firms. With ransomware attacks and data breaches constantly in the news, clients increasingly demand and expect their vendors—law firms included—to take steps to improve and ensure data security. In this evolving landscape, it is no longer reasonable for any firm, large or small, to treat cybersecurity as solely an information technology issue.

How much protection you need depends on the state of your technology systems, legal considerations such as applicable ethical rules, government and industry regulations, data protection laws, and client security requirements. It is also crucial for management and IT to consider and strike the appropriate balance between security and operability. Although cost is certainly a factor, many essential steps are scalable and affordable for all firms.