Tech Tips

Starting 2026 Safely: Cybersecurity Best Practices for Law Firms

By Ben Schorr

Protect your practice with these essential 2026 cybersecurity best practices for law firms.

Cybersecurity can’t solve every problem, but it can help you protect your clients and your reputation. With sensitive client data at stake and ethical obligations to uphold, it’s essential to follow these best practices to defend against email scams, malware, and credential thieves.


Lawyers are entrusted with confidential information, making them prime targets for cyberattacks. ABA Model Rule 1.6 requires attorneys to safeguard client data, making cybersecurity not just a technical issue, but an ethical one. I’m guessing I don’t need to go much further with this, as you’ve hopefully been hearing this since law school.

The Threat Landscape

The story goes that famous bank robber Willie Sutton was asked why he robbed banks, and he replied, “Because that’s where the money is.” (Sutton denied ever saying that, but it’s still a useful parable.) As the custodians of their clients’ sensitive and valuable data, law firms are priority targets for modern-day robbers.

Some of the most prominent ways that bad guys target firms are:

  • Phishing. Deceptive messages designed to steal credentials.
  • Ransomware. Malicious software that locks data, or threatens to expose it, until a ransom is paid.
  • Credential theft and credential stuffing attacks. When attackers use stolen passwords to access accounts.

Phishing and Email Security

Phishing attacks often use urgent language, suspicious links and unexpected attachments. Here’s how to stay safe.

Verify sender addresses.

An email that comes not from “Microsoft.com” but from “Microsoft365-support.ru” is suspect. Likewise, a message that claims to be from your client or business partner but was sent from an unrecognized Gmail account should raise an eyebrow. Is that REALLY them?

Be reluctant to click.

When you hover your mouse cursor over a hyperlink, most systems will show you where that link actually goes, and in many cases it’s not what the link appears to be. If the URL shown looks even slightly suspicious, don’t click it. And never click links or open files you weren’t expecting, even if they appear to come from somebody you trust.

If you receive a file or link you weren’t expecting or that seems suspicious, reach out to the person who sent it via a different medium, such as a phone call, text or a new email (not a reply to the suspicious message!) to confirm that the file or link is legitimate.

Don’t share your credentials, especially with strangers.

They’re the keys to your data house and can be quickly misused, with devastating consequences, in the wrong hands. If a stranger, especially one claiming to be from an organization you trust, asks you for your password, that should raise red flags. IT or banking support shouldn’t need you to give them your password, especially not over the phone, text or email.

Beware of Malware

Ransomware and other malware usually present as a file that you’re encouraged to open. This may be in an email or text message or as a download from a website. In some cases, malware pretends to be a useful app or game.

Never click unexpected files.

Just as with our phishing defense above, don’t click on files or links you weren’t expecting, even if they appear to come from somebody you trust. If you receive a file or link you weren’t expecting or that seems suspicious, reach out to the person who sent it via a different medium, such as a phone call, text or a new email (not a reply to the suspicious message!) to confirm that the file or link is legitimate.

Keep it clean.

Be reluctant to install apps or games, especially from unvetted sources. Just because an app may appear in the app store of your device doesn’t mean it’s been carefully vetted. Read the reviews, pay attention to which company makes the app, and only install/keep apps that you’re actually going to use.

Stay up-to-date.

It’s remarkable how often I see people whose devices have months of pending updates they’ve never bothered to install. Those updates often contain important security fixes that are key to keeping your data protected. Install the updates. The couple of minutes it takes are a lot less painful than having to explain why you got compromised through a vulnerability that the manufacturer had patched months earlier.

Tip: Just restarting your device regularly can help keep your updates current.

Are your backups current? Are you sure?

Keep all your key data backed up, ideally in a secure cloud or offline location and be sure to test your backups. Backups are only useful if they’re complete, current and you know how to restore the data if something bad happens.

Keep Your Credentials Secure

Strong, unique passwords and multifactor authentication are your best defenses. Credential attacks go a lot further than simply guessing a bad password. (Hopefully you’re not using “Pizza” or “Password1” as your password anywhere.)

Email addresses are common usernames today, and if you use the same password for your bank account as you do at “giggleworkstoys.com,” then you may be in trouble. Your bank may have great cybersecurity, but does GiggleWorks Toys? If bad guys break into GiggleWorks’ site and find your username and password there, they’ll try that same username and password at thousands of other sites across the web, just hoping to get lucky. That’s called a credential stuffing attack.

Warning: If you think somebody else might know your password, you need to change that password immediately.

Use long, unique, complex passphrases.

Create passwords that are at least 12 characters long, using a mix of uppercase and lowercase letters, numbers and symbols. Avoid using easily guessed information, such as birthdays or common words, and never reuse passwords across multiple accounts.

Store passwords in a password manager.

A common problem with good passwords is that they can be hard to remember and frustrating to type. As a result, people tend to choose short, simple passwords that are easy to guess or crack. And they use them over and over. A password manager is a piece of software that can remember your long, unique, complex passwords for you.

Modern password managers can also generate random (or nearly random) secure passwords for you, saving you the trouble of having to dream one up yourself.

Enable MFA for all accounts.

Multifactor authentication is probably the single most important thing you can do to secure your accounts. The way MFA works is that when you sign into your account, the system will ask for a second thing — called a “factor” — to help prove that you are who you say you are. There are three kinds of factors:

  • Something you know — like a password or memorized PIN.
  • Something you have — like a USB key or physical device.
  • Something you are — like a fingerprint or facial scan.

MFA requires not just two steps, but two different factors to be involved. Asking for a password and a memorized PIN, for example, wouldn’t be MFA because that’s not two factors, that’s two of the same factor (something you know).

A bad guy might guess, or trick you into revealing, your password, but they can’t guess your fingerprint. That makes it a lot harder for them to break into your account.

A common objection to using MFA is that it’s a hassle, but a properly configured system won’t actually ask for your second factor very often. In fact, most of them can learn how you commonly sign in — from your laptop, in your home, during work hours, for example — and won’t ask for the second factor when the sign-in is typical. But bad guys who steal your password probably aren’t signing into your device in your home — they’re signing in from their lair in Scamistan. Your system should recognize that’s not typical and demand the second factor … which they won’t have.

Use passkeys when possible.

Passkeys are a modern way to sign in to your accounts without having to remember or type a password. Instead, when you set up a passkey, your device — like your phone or computer — creates a unique digital “key” for each account. This key is stored safely on your device and works together with the website or app to confirm your identity when you log in.

What makes passkeys different from traditional passwords is that you never actually see or enter the key yourself, and it’s never sent over the internet. Hackers can’t steal your passkey by tricking you with fake websites (a common problem called phishing) or by watching what you type. To use a passkey, you simply approve the sign-in with something simple, like your fingerprint, face recognition or a PIN you set up on your device.

Unlike regular biometrics alone, which just unlock your device, passkeys use your biometric or PIN to approve the use of your unique digital key for logging in to a website or app. This means your fingerprint or face scan isn’t sent anywhere; it just lets your device use the passkey safely.

In short, passkeys combine the convenience of biometrics with stronger security than passwords, making it much easier and safer for you to access your accounts.
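To make the mechanism above concrete, here is a small added illustration in Python (not code from this article or from any real passkey product) of the sign-in exchange: one key pair per website, only the public half ever leaves the device, and the website’s address is bound into every signature. It assumes the `cryptography` package is installed, and the site and user names are made up.

```python
# Toy model of passkey sign-in (added illustration, not real WebAuthn code); assumes `cryptography`.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

class Device:
    """The user's phone or laptop: one private key per website, never exported."""
    def __init__(self):
        self._keys = {}  # origin -> private key
    def register(self, origin):
        priv = ed25519.Ed25519PrivateKey.generate()
        self._keys[origin] = priv
        # Only the public half is ever sent to the website.
        return priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    def sign_in(self, origin, challenge):
        """Runs after the user approves with fingerprint, face or PIN (assumed)."""
        priv = self._keys.get(origin)
        if priv is None:
            return None  # no passkey for this origin, e.g. a lookalike domain
        # The origin is part of what is signed, so the answer is useless elsewhere.
        return priv.sign(origin.encode() + challenge)

class Website:
    """The website: stores public keys and checks signed challenges."""
    def __init__(self, origin):
        self.origin = origin
        self._pubkeys = {}  # username -> public key
    def register(self, user, pub_bytes):
        self._pubkeys[user] = ed25519.Ed25519PublicKey.from_public_bytes(pub_bytes)
    def new_challenge(self):
        return os.urandom(32)  # fresh per login, so old answers cannot be replayed
    def verify(self, user, challenge, signature):
        if signature is None or user not in self._pubkeys:
            return False
        try:
            self._pubkeys[user].verify(signature, self.origin.encode() + challenge)
            return True
        except InvalidSignature:
            return False

def demo():
    """Returns (real login ok, phishing site got nothing, old answer rejected)."""
    device, bank = Device(), Website("https://bank.example")
    bank.register("alice", device.register("https://bank.example"))
    c1 = bank.new_challenge()
    sig = device.sign_in("https://bank.example", c1)
    phish = device.sign_in("https://bank-example.com", bank.new_challenge())
    replay = bank.verify("alice", bank.new_challenge(), sig)
    return bank.verify("alice", c1, sig), phish is None, not replay
```

The lookalike site in `demo()` never receives anything it could reuse, because the device has no key for that address and the real site only accepts signatures over its own address and a fresh challenge.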

Stay Alert Out There

Cybersecurity can’t solve every problem, but it can help you protect your clients and your reputation. Take action today to strengthen your defenses and stay alert.

Ben M. Schorr is Innovation Strategist at Affinity Consulting Group. He was previously a Senior Content Manager for Microsoft and is also the author of several books on technology including “The Lawyer’s Guide to Microsoft Outlook,” “The Lawyer’s Guide to Microsoft Word” and “OneNote in One Hour.” He was a Microsoft MVP for 20 years and involved with management and technology for more than 25. In his free time, he’s an Ironman triathlete. Follow him @bschorr.