In the world of cybercrime, everybody from individuals to nation states is a target – some more attractive than others, of course. Health care organizations have gotten the most headlines recently, and the Internet of Things (IoT) offers an almost unlimited attack surface.

But law firms are attractive too. They hold sensitive, confidential data ranging from the personal (divorce, personal injury) to the professional (contract negotiations, trade secrets, mergers and acquisitions, financial data and more) that, if compromised, could cause catastrophic damage both to the firm and its clients.

The Wall Street Journal reported recently that hackers broke into the networks of two of the nation's most prestigious firms, Cravath Swaine & Moore and Weil Gotshal & Manges, in 2015. The two "represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations," the Journal said.

The FBI and Manhattan U.S. Attorney's office were investigating to see if the hack was aimed at getting information to use for insider trading.

Tom Brown, managing director and global leader of Berkeley Research Group's Cyber Security/Investigations practice, said law firms are being targeted more, "possibly because hackers are looking to maximize their returns. If successful, they can obtain information on multiple clients through one attack."

But while high-profile cases like those in New York make national news, many others don't. Or, if they do, the firms are not always identified. The Cybersecurity Law Report (CSLR) reported recently that four firms in northern Virginia were hit by ransomware attacks late last year. But none of the firms was named.

And few firms are willing to talk publicly about it either.
More than a half-dozen attorneys did not respond to a request from CSO to discuss law firm breaches. This, according to the public relations representative of one firm, is due to "sensitivities around the topic."

Sensitive or not, it is an obvious and growing problem. As the Journal put it, the increase in hacking tools and hackers for hire has made it "easier for criminals to breach computer networks as a way to further a range of crimes, from insider trading to identity theft."

Rebecca Hughes Parker, managing editor of The Law Report Group, said the 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, and noted a recent report that a Russian hacker targeted 48 top law firms to access information on mergers and acquisitions.

Peter Zeughauser, chairman of the Zeughauser Group, a consultancy to large law firms, said whether it is alerts from the FBI, concerns expressed by clients or news of hacks, "there is a higher level of concern" about cyber attacks.

In the case of ransomware, even if the goal is simply to collect money rather than use the confidential data, it is generally very troubling to clients, according to Parker. "It can cost the firm a great deal of money to handle, and can be costly to its reputation," she said.

The obvious response to all this is to improve cyber defenses.
While no technology is entirely bulletproof, experts have said for years that better "security hygiene" can take organizations out of the "low-hanging-fruit" category.

And while, as Brown put it, "there is no 'answer-in-a-box,' since each law firm has its own risk profile," there are still a number of general principles that will lower any firm's risk profile. The following recommendations come from Brown, Parker, Zeughauser and a Q&A by CSLR with John Simek, vice president and co-founder of Sensei Enterprises.

1. More/better employee training

As has been said numerous times, people are the weakest link in the security chain. And that weakness is being exploited more effectively by criminals who have become much more sophisticated with phishing emails.

"People are the problem," Simek told CSLR. "All the technology in the world is not going to prevent an attack."

Law firms can be particularly vulnerable, since court filings are public record. An attacker can easily get the name of the attorney of record and, using his or her name, send a phishing email with a malicious attachment that purports to be an updated complaint from that attorney.

Yes, training consumes what could otherwise be billable hours, but dealing with ransomware or a major breach is vastly more expensive.

2. Keep backups disconnected from the network and the Internet

With the explosive rise of ransomware, backups should be mandatory. But they will do no good if backup drives are connected to the network, since that will allow malware to infect them as well.

3. Install all patches and updates

Patches do exactly what the name implies – patch a "hole" in the software that is vulnerable to an attack.
Virtually all of them are free, so the only thing they cost is attention and time – time very well spent. Failing to patch known vulnerabilities is a bit like leaving the door open and the files unlocked at night.

4. Update software – especially when it is no longer supported

This costs money, which is a major reason many firms don't do it. The thinking is comparable to keeping an old car – it's running fine, so there is no good reason to spend money buying a new one.

But that makes sense only as long as the software is supported. After that, it is a bit like continuing to drive the old car when you can no longer get service or parts for it. If the water pump goes, you're stuck with a much more expensive problem than if you'd upgraded earlier.

And when a system is no longer supported, that means it is no longer patched. It is another version of the leave-the-door-open syndrome.

5. Block executable files, compressed archives and unidentified users

While human failure can always undermine technology, that doesn't mean tech can't offer a measure of protection. If ".exe" or zip files are blocked before they reach users' inboxes, employees can't click on what they never see.

The network should also be configured so that unidentified users are blocked from modifying files.

6. If you use cloud storage, make sure your firm controls the encryption key

Simek said some cloud providers don't allow users to define the encryption key, "because they fear that if the user forgets (it), their backups will be useless. Although that is certainly a possibility, if a firm is planning to use a cloud-based backup, it will want a provider that allows it that control," he said.

7. Make your cybersecurity program meet the needs of potential clients

An increasing number of clients are using security consultants "to give them a template that they can tailor to their own needs depending on the type of data they have and the size of the firm they are looking at hiring," Parker said.

Zeughauser said one of the things law firm executives say "keeps them up at night" is the increasing demand for security from clients. "Their clients are telling them, if you don't do all those things, you're not going to pass our audit and we're not going to hire you," he said, adding that technology is on track to become the second-largest annual expense of law firms, exceeded only by the cost of staff. "For 60 to 70 years, the second biggest expense has been rent," he said.

There are standards that will certify a firm's cybersecurity, including ISO 27001, but Parker said only a few firms have adopted it. That may be in large measure because it is both expensive and time consuming.

But the National Institute of Standards and Technology (NIST) has small business standards that can amount to self-certification, Simek said. It allows firms to "assess their infrastructure, and whether they have any weaknesses and whether the assistance of a third-party is needed."

8. Have clear, effective restrictions on remote access and mobile devices

This can be complicated, Parker said, because "different practice areas at the same firm sometimes can operate as discrete businesses and it can be hard to mitigate cyber risk. Partners also may opt out of certain cybersecurity protocols."

This is an area where it is crucial to have a CIO or other executive who oversees and enforces data security, privacy and information governance, including remote access and BYOD.

9. Set systems to capture log data, for forensic purposes if a breach occurs

Simek said the biggest problem in responding to a breach is a lack of log data. "Nobody had the foresight to configure their devices or their systems to capture information on an ongoing basis. That's a killer for the investigations."

10. Share threat information

According to the Journal, law firms last year formed an information-sharing group to exchange information about cyberthreats and other vulnerabilities. It is modeled after a similar organization for financial institutions.

Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, which oversees the legal group, said 75 firms have joined the group so far.
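Recommendations 5 and 9 above are both configuration problems: a mail gateway that never lets executables or archives reach an inbox, and systems that keep a usable record of what they decided. The following Python script is an added example (it is not code from the article or from any of the people quoted) of one such inbound attachment filter. It parses a raw message, classifies each attachment by its content signature before falling back to the file extension, so that an executable renamed "complaint.pdf" (the updated-complaint lure described under recommendation 1) is still caught; it looks inside zip archives for nested executables while letting ordinary Office documents, which are also zip containers, through; and it writes one JSON log line per message with a hash of anything it held, which is the kind of record a breach investigation later depends on. The policy table, the sample messages, the addresses and the function names are all assumptions made for the example.

```python
"""Inbound attachment filter (added example; policy table, samples and addresses are assumptions)."""
import email
import hashlib
import io
import json
import logging
import os
import zipfile
from datetime import datetime, timezone
from email import policy
from email.message import EmailMessage

logging.basicConfig(level=logging.INFO, format="%(message)s")
LOG = logging.getLogger("attachment_policy")

# Assumed policy: these extensions are blocked outright; content signatures are
# checked first so that an executable renamed "complaint.pdf" is still caught.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".dll"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar"}
MAGIC = {
    b"MZ": "pe-executable",          # Windows PE (DOS stub header)
    b"PK\x03\x04": "zip-archive",    # also the container format of .docx/.xlsx
    b"Rar!": "rar-archive",
}
OFFICE_OK = object()  # sentinel: the zip is a plain Office Open XML document

def inspect_zip(data):
    """Block reason, OFFICE_OK for a clean Office document, or None for a plain zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "malformed-zip"
    for name in names:
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            return f"zip-contains:{name}"
    return OFFICE_OK if "[Content_Types].xml" in names else None

def classify(filename, data):
    """Return the reason an attachment violates policy, or None if it may pass."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            if kind != "zip-archive":
                return kind
            inner = inspect_zip(data)
            return None if inner is OFFICE_OK else (inner or kind)
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked-extension:{ext}"
    return "archive-extension" if ext in ARCHIVE_EXTENSIONS else None

def evaluate_message(raw):
    """Parse a raw message, decide deliver/quarantine, and log one JSON record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reason = classify(name, data)
        if reason:
            findings.append({"filename": name, "reason": reason, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    record = {
        "ts": datetime.now(timezone.utc).isoformat(), "event": "attachment_policy",
        "message_id": str(msg.get("Message-ID", "")), "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")), "verdict": "quarantine" if findings else "deliver",
        "findings": findings,
    }
    LOG.info(json.dumps(record))  # one line per message, retained for forensics
    return record

# Constructed samples (no real traffic): clean PDF, renamed .exe, zip with .exe, .docx.
def build_sample(filename, data):
    msg = EmailMessage()
    msg["From"], msg["To"] = "counsel@example.test", "partner@firm.example"
    msg["Subject"], msg["Message-ID"] = "Updated complaint", f"<{filename}@example.test>"
    msg.set_content("Please see the attached updated complaint.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

SAMPLES = {
    "clean_pdf": build_sample("complaint.pdf", b"%PDF-1.4\n% constructed sample\n"),
    "renamed_exe": build_sample("complaint.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    "zip_with_exe": build_sample("filings.zip", build_zip({"complaint.exe": b"MZ\x90"})),
    "docx": build_sample("memo.docx", build_zip({"[Content_Types].xml": b"<Types/>",
                                                 "word/document.xml": b"<w:document/>"})),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        rec = evaluate_message(raw)
        print(label, "->", rec["verdict"], [f["reason"] for f in rec["findings"]])
```

Run as a script it prints the verdict for each constructed sample; in a gateway the JSON line would go to a log shipper or SIEM rather than stdout, and the quarantine action itself (holding or rewriting the message) is left to the mail system. The signature-first ordering is the point worth keeping: an extension list alone passes a renamed executable, while a signature-only check would block every .docx as a zip, which is why the filter looks inside the container before deciding.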