
Common Employee Mistakes That Cause Law Firm Data Security Breaches


As organizations grow, they collect, process, and store large volumes of data and become soft targets for cyber attacks if they don’t keep up with the latest cybersecurity measures.

A law firm security breach is a serious incident – law firms handle sensitive, personal data, and a leak can be a costly affair for the firm. In fact, the cost of a data breach has shot up in the last couple of years, reaching record-high figures in Canada.

The hidden costs of a data security breach

A study by IBM revealed many insights into cybersecurity in Canadian firms. Canada ranked in the top three countries globally for data breach costs. The study found that the cost of a data breach incident in 2021 was CA$6.75 million on average, which is higher than the 2020 average of CA$6.35 million. This is the highest since Canada was included in the survey seven years ago. The average Canadian figure is also higher than the worldwide average of approximately CA$5.4 million per incident.

The study revealed that stolen credentials of users accounted for 20% of all breaches. About 44% of the breaches exposed customers’ personal data, including names, emails, passwords, and healthcare data.

As Ray Boisvert, associate partner at IBM security, stated, “It should be a stark reminder for businesses to not let security lag behind as they accelerate their digital transformation.”

Are employee errors causing law firm data security breaches?

Given that data security breaches prove to be so expensive for organizations, a lot of focus has been on what is causing them.

Surprisingly, according to the Association of Corporate Counsel, employee error is the most common cause of data breaches in organizations. Survey responses from more than 1,000 in-house lawyers in 30 countries showed that 30% of breaches occurred due to employee error.

This is definitely a cause of concern for law firm stakeholders. While your employees may not intentionally expose your sensitive data or systems to cyber attackers, they can and do make mistakes that put data or systems at risk, whether because of a lack of awareness or by accident.

Let’s look at some typical mistakes that law firm employees make, putting their data and networks at risk for cyber attacks:

Accidentally emailing or uploading data and documents

It is not uncommon for an employee to accidentally email out or upload sensitive information to a recipient outside the organization. For example, Computerworld reported a case back in 2013 where a server had exposed the personal information of 145,000 job applicants at Virginia Tech university. IT employees had failed to notice that the server wasn’t configured to follow the university’s security protocols, and the university blamed the leak on human error.

Sending valuable data to incorrect recipients via email

The simple act of sending an invitation for a webinar resulted in a cybersecurity investigation in the UK. The email recipients could see each other’s email addresses because the sender had failed to use the ‘BCC’ field and instead put all recipients in the ‘To’ field! A minor mishap? Or a major incident of employee negligence of cybersecurity practices? The latter, it seems – the local council’s data protection officer who undertook a risk assessment had to disclose the incident and confirm the action taken to the relevant authorities.
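The mistake above (several external recipients placed in the visible ‘To’ field rather than ‘BCC’) can be caught before a message leaves the firm. The following is an added example, not code from the original post or from the council involved: a pre-send check that parses the visible recipient headers and flags a message whose ‘To’/‘Cc’ fields expose more than one external address. The firm domain, the recipient addresses and the threshold are constructed for illustration.

```python
"""Pre-send recipient exposure check (added example, constructed data)."""
from email.utils import getaddresses

# Constructed: the firm's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example-firm.test"}

# Constructed policy: at most one external address may be visible in To/Cc.
# A webinar invite to many clients must therefore go out via Bcc.
MAX_VISIBLE_EXTERNAL = 1


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def check_recipients(headers: dict) -> dict:
    """Inspect the To/Cc headers of an outgoing message.

    Returns {"ok": True} when the visible recipient list does not expose
    external addresses to each other, otherwise {"ok": False, ...} with the
    list of addresses that would be revealed and a remediation hint.
    Bcc is not inspected: addresses there are hidden from other recipients.
    """
    visible_headers = [headers.get("To", ""), headers.get("Cc", "")]
    # getaddresses handles "Name <addr>" forms and comma-separated lists.
    visible = [addr for _, addr in getaddresses(visible_headers) if addr]
    external = [a for a in visible if _domain(a) not in INTERNAL_DOMAINS]

    if len(external) > MAX_VISIBLE_EXTERNAL:
        return {
            "ok": False,
            "exposed": external,
            "reason": (f"{len(external)} external addresses are visible in "
                       f"To/Cc; move them to Bcc so recipients cannot see "
                       f"each other"),
        }
    return {"ok": True, "exposed": []}


# Constructed messages: the mistaken invite and the corrected one.
MISTAKEN_INVITE = {
    "To": "Client One <a@client-one.test>, b@client-two.test, "
          "c@client-three.test, events@example-firm.test",
    "Cc": "",
    "Bcc": "",
}

CORRECTED_INVITE = {
    "To": "events@example-firm.test",
    "Cc": "",
    "Bcc": "a@client-one.test, b@client-two.test, c@client-three.test",
}


if __name__ == "__main__":
    for label, msg in (("mistaken", MISTAKEN_INVITE), ("corrected", CORRECTED_INVITE)):
        print(label, check_recipients(msg))
```

In practice this check sits in a mail-gateway or client add-in hook; the threshold of one external address leaves ordinary one-to-one client correspondence untouched while stopping bulk invites from going out with a visible recipient list.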

Misconfigured access or allowing for unwanted access

Outdated and legacy software stacks often invite hackers, exposing vulnerabilities in the organization’s information governance policies. Employees may attract cyber attacks and compromise sensitive data by ignoring software updates, disabling security features or downloading unauthorized software, executables or apps.

Phishing scams

According to a cybersecurity report by ACC, another common mistake that can lead to a data breach is unaware employees falling prey to phishing attacks. Third parties send malicious emails to trick employees into furnishing their personal information.

How can your law firm avoid data security breaches?

Educate employees

The first step is to raise awareness about cybersecurity in all end-users. Educate employees about the dangers of unsecured access, the risk of phishing scams, and the importance of not clicking on unknown emails or links within emails and instant messages.

Make them understand that running executable files can expose their device and the company’s network to malware.

Train them to be vigilant about cyber scams and the dangers of accidental emailing or uploading of sensitive data publicly.

Establish strong information governance policies

A common mistake law firm stakeholders make is to assume that they can prevent cyber attacks using perimeter security technologies such as firewalls or antimalware that “wall-off” the firm from outside attacks.

However, they need to complement their perimeter security measures with a strong information governance policy to ensure that:

  • Users properly authenticate themselves before they can access information.
  • Users can only access information that is relevant to them.
  • All client information is encrypted, and every user action involving access to or use of that information is tracked.

Additionally, use the insights from analytics reports to alert your IT administrator to any unusual activity that looks suspicious and may be a sign of a data breach by either internal or external attackers.
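The policy points above (authentication, access limited to relevant matters, a tracked audit trail) and the follow-up advice to review that trail for unusual activity can be shown together in a small model. The following is an added example, not code from the original post or from the provider: users log in with salted, iterated password hashes, every document access is authorised against the matters the user is assigned to, every attempt (allowed or denied) is written to an audit list, and a review function flags users whose pattern of denied accesses or matter-spread looks unusual. Encryption at rest is deliberately left out (it would come from an existing library in a real deployment). User names, passwords, matter identifiers and the alert thresholds are all constructed for illustration.

```python
"""Authenticate, authorise, audit, then review the trail (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen user table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    matters: frozenset          # matter ids this user may access (least privilege)


def make_user(name: str, password: str, matters) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, _hash_password(password, salt), frozenset(matters))


@dataclass
class DocumentStore:
    users: Dict[str, User]
    docs: Dict[str, bytes]                       # matter id -> document bytes
    audit: List[dict] = field(default_factory=list)

    def authenticate(self, name: str, password: str) -> Optional[User]:
        """Constant-time hash comparison; every attempt is audited."""
        user = self.users.get(name)
        ok = user is not None and hmac.compare_digest(
            _hash_password(password, user.salt), user.pw_hash)
        self.audit.append({"user": name, "event": "login", "ok": ok})
        return user if ok else None

    def access_document(self, user: User, matter_id: str) -> Optional[bytes]:
        """Allow only matters the user is assigned to; audit allow and deny."""
        allowed = matter_id in user.matters and matter_id in self.docs
        self.audit.append({"user": user.name, "event": "read",
                           "matter": matter_id, "ok": allowed})
        return self.docs[matter_id] if allowed else None


def review_audit_trail(audit: List[dict], max_denied: int = 3,
                       max_matters: int = 5, max_failed_logins: int = 3) -> dict:
    """Return {user: reason} for users whose activity warrants an alert.

    Thresholds are constructed; a real deployment would tune them to the
    firm's normal working pattern.
    """
    denied = Counter(e["user"] for e in audit if e["event"] == "read" and not e["ok"])
    failed = Counter(e["user"] for e in audit if e["event"] == "login" and not e["ok"])
    matters: Dict[str, set] = {}
    for e in audit:
        if e["event"] == "read" and e["ok"]:
            matters.setdefault(e["user"], set()).add(e["matter"])

    flagged = {}
    for user, n in denied.items():
        if n >= max_denied:
            flagged[user] = f"{n} denied document accesses (possible probing)"
    for user, n in failed.items():
        if n >= max_failed_logins:
            flagged[user] = f"{n} failed logins (possible credential guessing)"
    for user, ms in matters.items():
        if len(ms) >= max_matters:
            flagged[user] = f"read {len(ms)} distinct matters (unusual spread)"
    return flagged


def build_demo_store() -> DocumentStore:
    """Constructed users and matters."""
    users = {
        "alice": make_user("alice", "correct-horse-battery-staple", ["M-101", "M-102"]),
        "bob": make_user("bob", "another-long-constructed-pass", ["M-103"]),
    }
    docs = {m: f"constructed contents of {m}".encode()
            for m in ("M-101", "M-102", "M-103", "M-104", "M-105")}
    return DocumentStore(users, docs)


def run_demo():
    """Normal use by alice; bob tries matters he is not assigned to."""
    store = build_demo_store()
    alice = store.authenticate("alice", "correct-horse-battery-staple")
    store.access_document(alice, "M-101")
    bob = store.authenticate("bob", "another-long-constructed-pass")
    for matter in ("M-101", "M-102", "M-104"):
        store.access_document(bob, matter)          # each one is denied and logged
    return store, review_audit_trail(store.audit)


if __name__ == "__main__":
    demo_store, alerts = run_demo()
    print(len(demo_store.audit), "audit events;", "alerts:", alerts)
```

The review step is the part the paragraph calls for: the audit list is what analytics reports are built from, and the thresholds turn a pile of log lines into a short alert that an IT administrator can act on.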

Work with a reputed IT services provider to enable the latest cybersecurity solutions and best practices

We cater to every functional and strategic technology need of a law firm’s business.

We enable a secured IT environment for your law firm with multiple layers of security, including strong encryption, security checks to prevent spamming, and a content server that manages documents in a secured environment with easy access for users across locations.

  • Our custom IT solutions for law firms help set up, maintain, and support all your IT infrastructure and cloud storage systems.
  • We equip your networks with security services.
  • We put in checks and balances to prevent unauthorized access and leverage advanced information security mechanisms like endpoint detection and response (EDR).
  • We secure your mailboxes to stop email spamming and deploy network security layers that detect and prevent unwanted access to third-party email addresses (outside the organization).
  • We help you put in place stringent information governance best practices to avoid the common mistakes your employees make that can expose your law firm to data breaches.

Our fixed price policy for the entire suite of services is well-appreciated by our clients. Learn more about our Managed IT Services for Law Firms.

Our hybrid workplace solutions for modern law firms are the perfect fit for your practice and offer a complete turnkey IT enterprise cloud solution for one hassle-free Learn more about our Cloud Desktop Services for Law Firms.

We build custom IT setups specifically designed for your firm that integrate with and support your firm’s software, workflow, and infrastructure. Learn more about our Custom IT Delivery for Law Firms.

Contact us for a free assessment of your law firm’s data security needs.