Cybersecurity

How to combat cybersecurity threats when using artificial intelligence

  •  
  •  
  •  
  • Print

Cybersecurity

“The legal sector is a prime target for cyberattacks because of the valuable information it holds,” says Robert Scott, managing partner of Scott & Scott, a global law and technology services firm in Southlake, Texas. (Image from Shutterstock)

If you’re nervous about cybersecurity threats to your law firm, you’re not alone. Nearly 30% of firms experienced a security breach last year, according to the 2023 ABA Legal Technology Survey Report—a slight increase from the previous year.

Additionally, the ABA’s 2022 Legal Technology Survey Report found that 36% of firms reported losing billable hours—in addition to steep recovery and reparation costs as a result of data breaches, with the median ransom for legal organizations in 2023 being $1 million, according to a 2024 threat report by Arctic Wolf, a cybersecurity solution company.

Firm cybersecurity concerns are extremely serious, says Robert Scott, managing partner of Scott & Scott, a global law and technology services firm in Southlake, Texas.

Because firms handle vast amounts of sensitive information—including client data, proprietary business information and confidential legal strategies—a breach can lead to financial loss, damage to reputation and legal repercussions.

“The legal sector is a prime target for cyberattacks because of the valuable information it holds,” Scott adds.

For example, Grubman Shire Meiselas & Sacks, a firm in New York City specializing in the entertainment and media industries, experienced an attack from a group called “REvil,” according to a May 2020 story in Variety.

This group allegedly leaked information about celebrity clients, including singer Lady Gaga. The group requested $21 million before doubling its ask to $42 million, telling the firm that it would release the documents to the public if it didn’t receive the ransom, according to a May 2020 story in Business Insider.

Threats against firms will undoubtedly increase in the coming years, thanks to generative artificial intelligence tools that have made it easier to execute mass phishing attacks, says

Daniel W. Linna Jr., a senior lecturer and director of law and technology initiatives at the Northwestern University Pritzker School of Law. AI can create convincing emails that deceive people into sharing information, using deepfakes and even installing malware.

In particular, firms may be seen as a weak link because of their wealth of valuable information and relative lack of technological skills within the field.

Steps to take

The first thing that firms should do is to implement robust security measures and incident response plans to prevent and mitigate cybersecurity breaches. According to the ABA’s 2023 TechReport, 80% of firms have one or more policies regarding tech. But only 34% of respondents have an incident response plan, and only 29% say their firms had a full third-party security assessment.

A third-party risk assessment company can conduct an independent audit to help firms identify any security gaps, train employees in cybersecurity measures, and they can create an incident response plan, Scott says.

Firms can also work with with ethical hackers to find vulnerabilities in their systems, says Star Kashman, a founding partner of the Cyber Law Firm, based in New York.

It’s also key to have a cybersecurity company on call just in case anything suspicious, such as a phishing attempt or malware download, happens. These issues can be minimized by adding an email screening service plus annual employee cybersecurity training, she adds.

That’s because human error is the No. 1 cause of cyberattacks, accounting for 88% of the incidents, according to research by Stanford University cited in May 2023 in the Harvard Business Review.

Also helpful is requiring employees to update software regularly, to create strong passwords and to use firewalls and encryption to provide extra layers of security, Scott says.

Also crucial are firewalls, secure Wi-Fi access and intrusion detection and prevention systems software to detect and respond to suspicious activities in real time, he adds.

Don’t neglect assessing and monitoring the cybersecurity practices of your third-party vendors, as well, to ensure that they meet your firm’s security standards, Scott says.

The AI effect

While cybersecurity will always be a threat, especially if you’re using AI, there are ways to combat it. One of these solutions comes via AI.

AI tools can predict which vulnerabilities are likely to be exploited, and it can spot anomalous activities, says Linna, who is a member of the Northwestern Security & AI Lab, which focuses on using AI to prevent threats.

Cybersecurity tools powered by AI can monitor a firm’s network, detect unusual patterns that could indicate security breaches, and alert cybersecurity and IT teams in real time, Kashman adds.

Just be aware that some AI tools—including cybersecurity tools—can also introduce new security risks. You could easily expose private data to hackers, unauthorized parties or malicious users of AI tools if you input sensitive client information into them without knowing the potential for data leakage.

And while many firms and businesses install two-factor applications and password managers to combat this, Kashman suggests shying away from these for surprising security reasons.

“The more applications you download, the more chances hackers have of gaining access to your employee’s login credentials as each app, website or location where credentials are entered is another point of entry,” she says. “In addition, password managers are likely to be targeted more than the average app due to the sensitive information they hold, so they are unlikely to be worth the current risk.”

AI has other ways to tackle this issue, as well. AI can detect malignant email attacks with 98% accuracy, and network intrusion can be identified with 99.9% accuracy. On the other hand, you can decrease AI’s accuracy by 75% if you inject 8% erroneous training data (AI is only as accurate as the information that it receives), according to a recent study by researchers at Cornell University also cited in the Harvard Business Review.

After an attack

During a breach, there may be a loss or an exposure of sensitive client and case information, intellectual property, financial information, login credentials and privileged information. Financial losses could result from loss of client trust or from a ransomware attack followed by large financial demands in exchange for files and data, Kashman says.

The first thing that firms should do when discovering a cybersecurity breach is to contact an attorney specializing in tech and cybersecurity. That’s because certain disclosures and steps must be followed, and anything that you do or say without consulting an attorney could open you up to further liability.

Kashman suggests creating an incident response plan, which includes isolating impacted systems to prevent spreading, and conducting an extensive investigation to assess the breach’s scope, impact and severity.

With your attorney’s guidance, you have to notify impacted clients and regulatory bodies, she adds.

Larger firms may want to consider adding cybersecurity insurance or third-party cyber liability insurance. While it probably won’t be able to retrieve stolen data, the insurance company can help with the financial aftermath of the intrusion, Kashman says.

“Companies with sensitive information are more at risk for cyberattacks—no matter how secure and protected they are,” Kashman says.

Give us feedback, share a story tip or update, or report an error.