
This week, I am attending the Evolve conference put on by the International Legal Technology Association (ILTA). ILTA, of course, sponsors the large conference in the summer that is attended by thousands. Evolve is much smaller and is designed to address two topics: GenAI and Cybersecurity. Attendance is capped at a limited number, and exhibitors and sponsors are confined to small, uniform spaces in hallways outside the sessions.
The result is a smaller, less formal, and less overwhelming conference. It’s a good idea. Sometimes less is indeed more.
The Evolve keynote was given by Tarah Wheeler, CEO and founder of Red Queen Dynamics, a cybersecurity compliance company. The title of her keynote was “Unveiling the Intersection of AI and Cybersecurity.”
Wheeler focused on the cybersecurity risks to law firms and the problems particularly small firms face. My two main takeaways from the risks she identified:
- Security through obscurity won’t work. Too many law firms and lawyers seem to think they aren’t vulnerable because they only handle stuff no one is interested in. This ignores a key problem the bad guys exploit. Most people might not care, but clients do—and law firms do—both for business and ethical reasons. When something is extremely valuable to even a small group, it’s valuable to the bad guys.
- Small businesses and small firms are especially vulnerable. Many law firms don’t have the resources to keep up with the rapidly changing world of cybersecurity or to deal with regulatory requirements. When faced with a cybersecurity crisis, many small businesses simply go out of business.
These two problems are related, of course. Their intractability is one reason so many lawyers and law firms remain deficient in cybersecurity protection and knowledge.
The Risks
The impact of these two problems is apparent when you look at the risks to law firms Wheeler identified in her keynote:

- Rise of ransomware. Law firms are high-value targets due to sensitive client data. It’s hard to recover from attacks because firms are responsible for keeping data confidential—and failing to do so has serious consequences. It is fundamentally a breach of trust.
- Supply chain attacks. The vulnerability of third-party providers is another major problem, and it’s hard for smaller firms to police.
- Single points of failure. Employees with access to highly confidential data are a huge risk. These failures can be malicious, but more often they happen because lawyers don’t follow the rules—or don’t know them. Both situations involve a failure of training. In my experience, lawyers often don’t understand the importance of cybersecurity, and IT people don’t appreciate the lawyers’ billable hour business model. Wheeler described what so many lawyers have experienced: the palpable contempt IT often shows toward lawyer users. IT often fails to grasp that every moment a lawyer spends in training is a moment lost for revenue-generating billable work. A better understanding of this reality would yield more respect for lawyers’ time. On the lawyer side, too often they’re multitasking or mentally someplace else during training sessions.
Wheeler also demonstrated the need to use examples from the physical world to help non-tech people understand concepts like a single point of failure. Interesting. Impactful. This is the kind of training that’s needed. Teaching people who don’t want to be there takes time and planning. Too often, cybersecurity training reflects neither.
- Data exfiltration. Data breaches aimed at extracting information for monetary gain are another growing threat. AI enables attackers to combine databases and do even more damage. Law firms hold tons of confidential information—from health records to Social Security numbers to financial information—all of which can be very valuable, particularly when merged with other databases.
- Evolving compliance demands. It’s becoming increasingly hard to deal with ever-changing and complex standards and regulations. This includes stricter data protection requirements, often driven by developments in Europe and stricter client data handling standards.
- Enhanced data breach reporting requirements. Reporting obligations are getting more burdensome and costly. Small businesses, including law firms, often can’t keep up.
The Solutions
These are all real threats to law firms. Wheeler offered some real-world solutions, including:
- Multifactor authentication
- Access control
- Use of AI to identify threats
- Better security for remote work and collaboration with third parties
- Better training
- Creating a culture of vigilance and response
The Future
It all sounds good but doesn’t necessarily solve the problem of attitude and resources. This is especially true when you consider Wheeler’s outlook for the near future:
- More and better use of AI hacking tools
- More regulatory pressure, requiring even more costly proactive security practices
- Shifts in the cybersecurity insurance market, increasing costs
- Increased globalization, leading to even more complex regulatory compliance demands
It Ain’t Rosy
The cost of cybersecurity is going up—and that will put even more pressure on smaller law firms. Not a rosy picture.