Law firms are all too familiar with the challenges of information security, and data confidentiality is a core objective for most of them. Firms must maintain electronic data archives and records for compliance and regulatory purposes, and these must be kept secure and protected at all times. Guaranteeing the confidentiality of this data is both a legal requirement and a necessity for maintaining client confidence. This creates a significant challenge: the very sensitivity of the data makes legal services companies a prime target for cyber-criminals. If a breach occurs and data is stolen, the financial and reputational implications can be immensely damaging for the firm. The recent Mossack Fonseca breach highlights just how sensitive this data can be and how far the fallout from a breach can spread. The majority of legal cases handled by small to medium-sized firms are less enticing to journalists and public scrutiny, but that does not make those firms any less of a target for a determined adversary.

Where should we allocate resources?

Interestingly, a large number of firms are more concerned about lax internal security policies than about the prospect of a targeted attack. According to research by the International Legal Technology Association (ILTA), the most concerning threat was 'careless employees': 60.9% of those interviewed stated that people were a major risk to their organisation's data security, compared with 9.9% who cited hacking activity. There are two points to take away from these findings:

1. Law firms are right to be concerned. Employees are a target for phishing, hackers and other malicious activity. Strong information security policies must be put in place, supported by a comprehensive security infrastructure and round-the-clock network monitoring.

2. There is a disconnect between perception and reality. Breaches are becoming more common across every sector.
Hackers are becoming increasingly sophisticated and better at hiding their presence. Just because something isn’t visible, that doesn’t mean it doesn’t exist. Essentially, law firms need to assess their current security commitments and analyse how they would perform under a real-world attack scenario. This will enable a clearer picture of their security posture and will highlight what needs to be done to improve risk management and build effective cyber defences. After all, doing nothing and sticking with the status quo will not be a legally viable excuse should a breach lead to a court case.