This is not great.
“In December, Dave Ries, a frequent co-presenter with the authors, wrote an excellent summary of the cybersecurity portion of the ABA’s 2021 Legal Technology Survey Report. Perhaps the most striking statistic is that 25% of the survey’s respondents reported their law firm had been breached at some time. Clearly, law firms are an attractive target for cybercriminals — with a plethora of data about so many people and businesses, law firms are a one-stop-shop for harvesting a wealth of information.”
Law firms are an attractive target because of the data, but also because it might be easier to breach a firm than it would be to hack the clients they represent. As the rest of the article goes on to describe, there are still too many firms without cybersecurity training, proper policies, or incident response plans. That is not going to keep things secure.
On top of that, as I’ve written before, the whole culture in firms is a problem. Anytime you have a large group of people in charge (partners) who are often not to be questioned, social engineering gets a whole lot easier, and the likelihood that even a policy that exists might get ignored is pretty high.
Firms that want to get serious about security are going to have partners willing to apply the rules to themselves in order to stay as safe as possible. If you don’t have that, you don’t really have much.