Office 365 is a staple in many law firms, but it may also be a popular target for hackers looking to exploit contact lists for phishing schemes or sell account access to other bad actors online. While multifactor authentication security protocols can help to effectively—and somewhat easily—mitigate those risks, it's possible that some smaller and midsized firms may still lack the motivation or assistance required to erect those safeguards.

A 2020 Data Security and Incident Report released last month by law firm Baker & Hostetler indicated that in 31% of the 950 cyber incidents featured, bad actors initiated an Office 365 account takeover following the initial breach.

"[Bad actors] run searches to look for invoices so they can trick people into wiring money out, and they are very effective at doing that. And then they sometimes sell off access to the account. … There are about 15 different flavors of what people do when they get access to your account," Craig Hoffman, editor of the report and leader of Baker & Hostetler's digital risk advisory and cybersecurity team, told LTN in early May.

He also mentioned that multifactor authentication (MFA) is often an effective deterrent against hackers since it requires users to verify their identify using multiple pieces of evidence. For example, an attorney may enter their username or password and then receive a separate PIN number sent to a phone or secondary device meant to unlock access. But are law firms initiating those security protocols?

Christopher Ballod, a vice chairman of the data privacy and cybersecurity practice at Lewis Brisbois Bisgaard & Smith, said that the firm doesn't use Office 365, but he pointed out that law firms are frequently targeted for cyber attacks—and are often unprepared. "In my experience as breach counsel to law firms, most who do use [Office] 365 do not have MFA enabled."

Still, while helpful, he noted that MFA is no sure bet against a breach. "Those that do still frequently get socially engineered into giving up the second factor code anyway," Ballod said.

Still, many large firms have taken very deliberate steps with regards to their Office 365 security. Fish & Richardson, for example, has MFA in place for its entire tenancy, meaning that both firm employees and visitors are unable to access any Office 365 functions without first engaging in the multifactor process.

Beau Mersereau, chief legal technology solutions officer at Fish & Richardson, said MFA is both an effective way to protect against unwanted access and relatively easy to set up inside Office 365 itself. "It took us about 10 minutes to turn on multifactor authentication," Mersereau said.

Lawyers at Parsons, Behle & Latimer also use MFA to access Office 365. As an added layer of security, computers have also been configured to forget sign-on credentials after each use and the software detects when employees sign in from an unfamiliar location.

Tomu Johnson, of counsel at Parsons Behle, indicated that larger firms may face more pressure to adopt MFA provisions due to their client roster, which can skew toward security-conscious industries such as the banking, health care, securities, or telecom sectors. Meanwhile, smaller law offices could be a different story altogether.

"I think smaller to medium-sized firms would have difficulties using these security features, not because they are difficult to setup, but simply because they don't have the staff to help them set up those features. Moreover, small law firms may not have client pressure forcing them to adopt enhanced security measures," Johnson said.

But as laws such as the General Data Protection Regulation and California Consumer Privacy Act continue to raise the financial stakes for businesses hit by a data breach, law firm MFA holdouts could in turn find themselves either having to adapt or risk losing out on business.

According to Gulam Zade, CEO of the legal-centric IT consultancy Logicforce, some firms may already be feeling the pressure, with more client-mandated security audits or questionnaires specifically dictating the use of MFA.

"I think [clients] are going to take away the option of whether you're going to use multifactor authentication or not. You have to do it," Zade said.