Security

Playing Better Defense: 5 Data Security Tips for Law Firms

David-Morgan-Head-of-Product

David Morgan,

July 15, 2026 ・ 6 min read

A goalkeeper in a green jersey dives to catch a glowing digital sphere with icons in a stadium at night.

Soccer is a great source of excitement for fans, an excellent form of exercise, and, for those of us writing about data security best practices, a tenuous metaphor to add some flavor to an otherwise dry topic.

The game also offers a useful reminder that not everyone plays by the rules.

One unfortunate byproduct of the tremendous productivity gains that people can achieve using AI is that some people are utilizing this burgeoning technology for nefarious purposes. Law firms are a prime target because of the high-value, confidential data that they hold.

The end of 2025 saw a 14x surge in AI-generated phishing attacks, and 2026 has brought an increase in Phishing as a Service (PhaaS) toolkits that are rented out on a subscription basis, providing even the bad actors who have limited technical acumen with the ability to pose a threat.

It can seem daunting, but there are sensible and practical steps that you can take to minimize the risk to your firm. Here are five key recommendations:

1. Don’t use outdated formations (utilize automatic updates)

About 100 years ago, the dominant tactic in soccer was a 2-3-5 pyramid shape with 5 attackers. These days, this would be considered ludicrously offensive and easily bypassed (in technical terms: you kick the ball over their heads).

It makes a clear parallel to the risks posed by continuing to use outdated versions of software. Missing security patches is a leading cause of breaches, with a 2026 Verizon study finding that vulnerability exploitation was the initial access method for 31% of breaches.

For all software that allows it, ensure that automatic updates are enabled and do your best to avoid endlessly clicking “Remind Me Later” when prompted to update. For other software, habitually check whether you are using their latest version. Most modern systems will include a built-in update path, making it easy to stay current.

2. Don’t be predictable (exercise password discipline)

The best way to get caught out (on or off the field) is to do what’s expected. There are a few different variations of this problem.

Any team that has a lack of creativity can find it hard to score, and any short or non-complex password can be far too easy to crack.

Nobody wins a championship by being a one-trick pony. Similarly, the re-use of even a strong password means that a breach of one platform can expose all of your data. Consider using a password manager tool to generate and store complex passwords.

Update your passwords periodically, especially if they have been shared with anyone. There are tools online to help identify whether your favorite password has been included in a breach, but at a certain point it’s good practice to keep things fresh and not try to hang on too long (looking at you there, Cristiano).

3. Two goalkeepers are better than one (use multi-factor authentication)

OK, so this one stretches the metaphor a bit, but multi-factor authentication (MFA) is a crucial aspect of any security policy. For all that is written above about the importance of strong and unique passwords, a password alone still represents a potential single point of failure. Data security works best with a layered approach where multiple overlapping security measures maintain protection for your confidential client data.

Multi-factor authentication allows you to set a device (typically a phone) that will function as your authenticator in addition to your username and password. This will generate a unique code to be entered when logging in to ensure that even if a malicious actor were to obtain your password, they would not be able to access your system. This is the single most valuable mechanism to help keep your data secure.

LEAP supports authentication using the LEAP Mobile App, as well as other authenticators including those provided by Microsoft and Google.

If you’re a current LEAP client, more information about LEAP’s implementation of multi-factor authentication is available via LEAP University.

4. Cover your mouth if you’re talking tactics (use encryption)

Players and managers will cover their mouths on the pitch so that they can converse without everyone else intercepting their plans. That’s exactly what encryption can do for your data.

Make sure that the system that you are using to store client data is encrypting data both at rest and in transit. This will prevent anyone intercepting it from being able to read your confidential information.

You should also use secure client portals for file-sharing wherever possible rather than unencrypted email attachments. These can provide benefits like the ability to revoke access when no longer needed, or to track whether a shared document has been viewed.

An additional recommended step is to secure your devices. A lost or stolen laptop is a very common way for confidential files to become exposed. Full-disk encryption with tools like BitLocker or FileVault can mitigate the impact of a misplaced device.

5. Concentrate until the final whistle (stay vigilant)

A key statistic that remains the same year over year is that there is a human element involved in the majority of security breaches. Verizon’s 2026 Data Breach Investigations Report found this to be the case in 62% of breaches. Other estimates, such as by the security management software provider Mimecast, put the figure as high as 95%.

A lax approach to security can bypass even some of the best defenses. The recent Kali365 PhaaS platform uses device codes to bypass Microsoft 365 passwords and even MFA challenges.

Does this mean that those systems are unnecessary? Absolutely not; they can still prevent the vast majority of account-compromise attacks and should be cornerstones of your security policy, but without consistent vigilance, there is still the capacity for exposure.

  • Think defensively: Be cautious with all incoming emails and other communications, especially if you are prompted to download files, input credentials, or act hastily.

  • Don’t forget to review: Keep track of audit and system logs to identify any unusual or suspicious behavior.

  • Work as a team: Make sure that everyone in your firm is undertaking regular training to keep their knowledge of security best practices current.

The uncomfortable truth behind the stats is that most data breaches aren’t thirty-yard screamers—they’re defensive lapses and own goals. But unlike a soccer match, everyone can win at data security. Update, encrypt, verify, and stay switched on, and most attacks will never even make it out of their own half.

About the Writer

David-Morgan-Head-of-Product

David Morgan

Head of Product

David Morgan is the Head of Product for LEAP US. David has 15 years of experience working in legal tech. Starting his career in a company that went by the name of Perfect Software, he now fervently believes that there is no such thing. Instead, product development is a constantly iterating cycle of improvement, testing, and client feedback. He is passionate about innovation and developing new solutions to help attorneys to be more productive, profitable, and to help them achieve the best outcomes for their clients.

Spend less time managing tasks and more time practicing law

See how LEAP can help you streamline workflows and save time