How COVID ruined a perfectly promising year and changed the way we look at information security

Steve Henn, Chief Revenue Officer, ORRIOS

Recently, I had the good fortune of sitting down for an interview with Aaron Fritz, CEO of Inertia Legal, to talk about information security and the ways COVID-19 has affected law firms and the business of law.

During our time together, we discussed OnTrack®, ORRIOS’ information security compliance software. It’s a tool designed to help law firms and a variety of businesses efficiently create, manage, analyze, and monitor their information security and data privacy programs.

Beyond user-friendly compliance tech, we explored a few interesting topics and observations from the past five months, months in which it became clear that the COVID pandemic ruined a perfectly promising year and will change the way we secure information in the future.

1. Law Firms have officially become hackers’ favorite targets.

This is more acceleration of a trend than a newsflash, but the anecdotal evidence is sobering:

  • In May 2020, ransomware hackers got into a New York City law firm and were demanding $42 million, or they would release confidential information.
  • 100% of the UK’s Top 100 firms suffered a cybersecurity incident in the last year.
  • One third of law firms with 10-99 lawyers suffered from a cyber breach in 2017.
  • 60% of small businesses fold within 6 months of a cyber-attack.

Law Firm Cybersecurity Statistics


And legal support vendors are targets as well: one of the largest eDiscovery providers was held hostage in a ransomware attack. This further shows that firms need to demonstrate information security to their clients and demand it from their vendors.

2. BYOD now means Bring Your Own Desk.

Work@Home means that law firms’ information security staff are dealing with possibly hundreds of different environments. And in the vast majority of cases, the home environment was not set up to protect against data breaches. Are firms ready to trust the security of their confidential information to that $29.99 home router? Or the Alexa device listening in from the kitchen counter?

In addition, physical security is worrisome. Do your Work@Home employees have a private office or are they using a kitchen table? Are printed documents out in the open for spouses and children to see? We are all quite comfortable with our families, but should we expect our clients to be comfortable as well?

3. Best practices must involve Security Maturity.

Losing client data is akin to violating attorney-client privilege, and we should take it just as seriously. I defined Security Maturity as having:

  • An implemented compliance program,
  • Based on a recognized framework or standard,
  • With thoughtful controls to mitigate remote workforce risks,
  • Managed in a single platform to efficiently support and demonstrate compliance,
  • That can provide proof for clients, partners, vendors, and management, and
  • That is continuously assessed and improved.

4. For the cost of a summer associate, OnTrack checks all the security boxes.

We pointed out that the right approach will result in saving money and time for the firm while demonstrating seriousness in protecting client data. Cost-effective solutions that take complexity out of the compliance process are available.

5. The Next Normal requires a hybrid attorney work model.

I would note that the legal profession is a social profession. Building trust with clients involves face time and no one will make partner from home. So, in the “Next Normal” the hybrid employee will need to seamlessly operate at home and in the office. More access points mean more vulnerabilities, so the job of the firm’s infosec team will become even more important, and it will not get easier.

Thanks again to Aaron for an engaging discussion. If you want to check out the whole conversation, watch the video on our LinkedIn channel.

Then, watch the on-demand recording of our webinar, Information Security for Law Firms: An ISO 27001 Case Study in Protecting Clients, Collaboration, and Communication.

ORRIOS’ OnTrack platform enables organizations to develop effective data privacy and information security programs, so they can demonstrate compliance for customers, regulators, and stakeholders. OnTrack helps guide compliance teams in creating, managing, analyzing, monitoring, and continuously improving sound compliance programs for a variety of compliance frameworks, standards, and regulatory requirements.

Contact Steve Henn at or 203-803-2127 for more information.