Security
:quality(82))
Soccer is a great source of excitement for fans, an excellent form of exercise, and, for those of us writing about data security best practices, a tenuous metaphor to add some flavor to an otherwise dry topic.
The game also offers a useful reminder that not everyone plays by the rules.
One unfortunate byproduct of the tremendous productivity gains that people can achieve using AI is that some people are utilizing this burgeoning technology for nefarious purposes. Law firms are a prime target because of the high-value, confidential data that they hold.
The end of 2025 saw a 14x surge in AI-generated phishing attacks, and 2026 has brought an increase in Phishing as a Service (PhaaS) toolkits that are rented out on a subscription basis, providing even the bad actors who have limited technical acumen with the ability to pose a threat.
It can seem daunting, but there are sensible and practical steps that you can take to minimize the risk to your firm. Here are five key recommendations:
About 100 years ago, the dominant tactic in soccer was a 2-3-5 pyramid shape with 5 attackers. These days, this would be considered ludicrously offensive and easily bypassed (in technical terms: you kick the ball over their heads).
It makes a clear parallel to the risks posed by continuing to use outdated versions of software. Missing security patches is a leading cause of breaches, with a 2026 Verizon study finding that vulnerability exploitation was the initial access method for 31% of breaches.
For all software that allows it, ensure that automatic updates are enabled and do your best to avoid endlessly clicking “Remind Me Later” when prompted to update. For other software, habitually check whether you are using their latest version. Most modern systems will include a built-in update path, making it easy to stay current.
The best way to get caught out (on or off the field) is to do what’s expected. There are a few different variations of this problem.
Any team that has a lack of creativity can find it hard to score, and any short or non-complex password can be far too easy to crack.
Nobody wins a championship by being a one-trick pony. Similarly, the re-use of even a strong password means that a breach of one platform can expose all of your data. Consider using a password manager tool to generate and store complex passwords.
Update your passwords periodically, especially if they have been shared with anyone. There are tools online to help identify whether your favorite password has been included in a breach, but at a certain point it’s good practice to keep things fresh and not try to hang on too long (looking at you there, Cristiano).
OK, so this one stretches the metaphor a bit, but multi-factor authentication (MFA) is a crucial aspect of any security policy. For all that is written above about the importance of strong and unique passwords, a password alone still represents a potential single point of failure. Data security works best with a layered approach where multiple overlapping security measures maintain protection for your confidential client data.
Multi-factor authentication allows you to set a device (typically a phone) that will function as your authenticator in addition to your username and password. This will generate a unique code to be entered when logging in to ensure that even if a malicious actor were to obtain your password, they would not be able to access your system. This is the single most valuable mechanism to help keep your data secure.
LEAP supports authentication using the LEAP Mobile App, as well as other authenticators including those provided by Microsoft and Google.
If you’re a current LEAP client, more information about LEAP’s implementation of multi-factor authentication is available via LEAP University.
Players and managers will cover their mouths on the pitch so that they can converse without everyone else intercepting their plans. That’s exactly what encryption can do for your data.
Make sure that the system that you are using to store client data is encrypting data both at rest and in transit. This will prevent anyone intercepting it from being able to read your confidential information.
You should also use secure client portals for file-sharing wherever possible rather than unencrypted email attachments. These can provide benefits like the ability to revoke access when no longer needed, or to track whether a shared document has been viewed.
An additional recommended step is to secure your devices. A lost or stolen laptop is a very common way for confidential files to become exposed. Full-disk encryption with tools like BitLocker or FileVault can mitigate the impact of a misplaced device.
A key statistic that remains the same year over year is that there is a human element involved in the majority of security breaches. Verizon’s 2026 Data Breach Investigations Report found this to be the case in 62% of breaches. Other estimates, such as by the security management software provider Mimecast, put the figure as high as 95%.
A lax approach to security can bypass even some of the best defenses. The recent Kali365 PhaaS platform uses device codes to bypass Microsoft 365 passwords and even MFA challenges.
Does this mean that those systems are unnecessary? Absolutely not; they can still prevent the vast majority of account-compromise attacks and should be cornerstones of your security policy, but without consistent vigilance, there is still the capacity for exposure.
Think defensively: Be cautious with all incoming emails and other communications, especially if you are prompted to download files, input credentials, or act hastily.
Don’t forget to review: Keep track of audit and system logs to identify any unusual or suspicious behavior.
Work as a team: Make sure that everyone in your firm is undertaking regular training to keep their knowledge of security best practices current.
The uncomfortable truth behind the stats is that most data breaches aren’t thirty-yard screamers—they’re defensive lapses and own goals. But unlike a soccer match, everyone can win at data security. Update, encrypt, verify, and stay switched on, and most attacks will never even make it out of their own half.
Spend less time managing tasks and more time practicing law
See how LEAP can help you streamline workflows and save time