CBA Record March-April 2026
LPMT BITS & BYTES
BY KEVIN THOMPSON
Lawyers of All Ages: Six Tips to Protect Your Legal Office from Cyberthreats

Young lawyers are more likely to be digital natives, so they likely have a lot to teach older practitioners about their technology stacks. Still, the duty to practice safely and competently with technology applies across all generations, especially with cybersecurity. Lawyers are increasingly the target of sophisticated cyberattacks, so it is critical to follow best practices. Here are six such practices.

Good security starts with good credentials. Don’t allow users to have simple passwords to the firm’s systems. Longer passwords or passphrases should be required, at least 12 characters long, with a mix of uppercase, lowercase, numbers, and symbols. Don’t allow passwords to be reused across multiple sites or systems. I recommend that firms require the use of a password manager to store longer, harder-to-guess passwords and passphrases. Requiring periodic password changes can be a pain, but if that new password is stored in the password manager, it is easier to be compliant.

Turn on multifactor authentication whenever possible. This should be a mix of factors, such as something you know (like a password), something you have (like Google Authenticator), and something you are (like a fingerprint or face ID). Don’t allow both factors to be of the same type. Remember that in Illinois, to use biometrics you will need user consent for BIPA compliance. I also recommend staying on top of additional recommended factors. These days, many sites are moving away from text message-based second factors, as text messages themselves are not secure.

Be vigilant with email. One of the most common attack vectors is phishing emails. Get into the habit of looking to see where the email comes from. For example, mail coming from “Chicago.bar.ru” is suspect, as opposed to “chicagobar.org.” Don’t automatically click on links within emails. Most email clients allow you to hover over links to see where they go, as opposed to the link text that is displayed. For example, a link that says it is going to “https://learn.chicagobar.org/live-committee-meetings” but actually is going somewhere else is problematic. If you get an email that you’re not expecting with an attachment, you should be cautious. You can use alternative methods such as a phone call to ask the sender if they were sending you a file. Better to be safe than sorry, especially since the attachment could be disguised malware or even ransomware. Remember that hackers often try to create a false sense of urgency with their emails. Stop, breathe, and look closer at emails before taking any action.

Be wary of social engineering. One common attack method is for a caller to claim to be from “IT” or “Support,” and then ask for passwords or other information. Don’t be in the habit of giving login information to anyone. Be wary of deepfakes, too. For example, larger organizations have had calls from someone sounding like the company president asking for a change in where to send deal proceeds. Verify all such requests through alternative channels.

Keep your devices up to date. Many patches are important security fixes to stop attack vectors that are either actually being used or are likely to be exploited. You don’t want to be the person who was hacked because you failed to install an update that was released months earlier. It takes much less time to update than to deal with the consequences of failing to do so.

Don’t install tools or browser extensions without checking with your IT person. “Shadow IT” is an industry term that refers to apps running on systems without the user’s knowledge or approval. Sure, the browser extension might help you take a full-page screenshot, but what if it were also leaving a security backdoor for a hacker to exploit? Just today, I saw a list of 17 popular browser extensions doing exactly that. Also, remove apps or extensions you don’t need or use any more. This reduces the number of applications that need to remain up to date.

The front line of your practice’s security is you. The duty of technological competence doesn’t require you to become an expert in all technology, but it does require you to use reasonable care with the technology you have.

Kevin A. Thompson heads the intellectual property practice at Levin Ginsburg, where he is a partner; he also chairs the CBA’s Law Practice Management and Technology Committee and co-chairs the International and Foreign Law Committee. He receives no compensation from vendors for products mentioned in this column.