Threats of a cyberattack are very real, as proven time and time again, most recently with this week's ransomware attack at DLA Piper.

Attorneys who work on cybersecurity and as well as experts in the field acknowledged the severity of this week's breach and said that in-house lawyers need to be more cautious than ever about securing their information. That includes the data companies share with vendors and outside counsel.

Larry Ponemon is chairman and founder of research think tank the Ponemon Institute, which specializes in data protection. He has worked with DLA Piper as a consultant in the past and considers its data privacy and security measures to be “very good.”

“From my experience, it's an excellent firm with reasonable due diligence procedures,” Ponemon said. “This tells me … this could happen to anyone.”

A DLA Piper spokesman did not immediately respond for comment but in a June 27 statement, the firm said it was working closely with leading external forensic experts and relevant authorities, including the FBI and the U.K.'s National Crime Agency. “We are working to bring our systems safely back online,” the statement said.

Ponemon did not comment directly on DLA Piper's breach but said in general that in-house counsel and law firms need to encrypt all email communications whenever possible. He recommended avoiding email attachments for documents with sensitive data. Instead, he suggested, they should use data sharing document tools. “The ones that are free are not very secure,” he warned, adding that those that cost money are usually more effective.

A report released this week by IT security provider LogicForce found 40 percent of law firms were breached in 2016 without knowing it.

John Sweeney, president of LogicForce, called this number “scary,” and said firms and in-house lawyers “have to take into consideration the fact that lawyers have an ethical obligation to protect a client's data.”

On the other hand, he believes firms are trying. “I don't think there's a law firm that doesn't have policies in place and isn't training their people,” he said.

Sweeney recommends that in-house counsel have a solid auditing process in place for their law firms—in which they ask tough questions to keep them accountable. “If you're not doing the right things, shame on you,” Sweeney said. “If I'm the CEO of IBM and I entrust IP for Watson to a big or small IP firm, think about if it got stolen what the impact would be. These are very serious issues.”

Sweeney knows that no company or law firm is immune to cyber threats, but said that “law firms have to realize they are in the IT management business whether they want to be or not.” He said because firms are holding onto companies' trade secrets, intellectual property or even M&A activity dealings, “law firms are definitely a highly targeted industry.”

Behnam Dayanim, a partner with Paul Hastings, advised that in-house counsel monitor vendors and law firms with which they share information. But he said there is some leeway: They should prioritize how sensitive the data is that they are sharing with each firm and audit accordingly.

Collin Hite, an attorney at Hirschler Fleischer, said these types of conversations about cyber risk assessments need to occur “at least yearly.”

“This is not a 'fix what you need, put it on a shelf and forget it' scenario,” Hite noted. “It needs to be reviewed, tested, updated on a regular basis.”

Having the best technology isn't a foolproof plan, though. Employees need to be properly trained, according to Hite.

“Make sure your law firm is keeping up, because as we've seen this week, the criminals are using new vectors of attack. You can have the best software, the best information security officer, but if an employee clicks on a phishing email, all bets are off,” he said.

He added: “It doesn't matter if it's a multinational Am Law 50 firm or a five-person boutique down the street. If you're not viewing the situation from a holistic risk management viewpoint, you're missing the boat.”

Contact Stephanie Forshee at [email protected]