A better blueprint for law firm cybersecurity

Lawyers will pore over legal principles on behalf of clients in a bid to prevail in judicial and other matters, but when it comes to cybersecurity solutions for their own practice, many firms fall short. At a time when more law firms are suffering cyber breaches targeting areas ranging from attorney trust accounts to sensitive client data, ignoring security puts many firms at risk, regardless of their size.

Why do so many lawyers shy away from implementing cloud security services and other measures? Part of the reason is a misperception about cybersecurity, and part of the reason is the way that firms are organized. The misperception, which many lawyers unfortunately believe, is that cybersecurity measures are expensive. This feeds into the second reason: many firms are organized as a form of partnership, and partners themselves do not want to dent their share of the profits, so they tend to vote down cybersecurity measures. In the long run, a breach that results from those unaddressed vulnerabilities will carry a much higher price tag, and even if the firm gets dragged down as a result, many partners feel they can pack up their clients and decamp for another firm. Too often these days, there is little loyalty to a firm brand.

But fears about cybersecurity’s price tag tend to be overblown. In fact, when considered as an industry, the bar for law firm cybersecurity defenses is set so low that an individual firm that does even a little better than its peers will likely be passed over by hackers looking for easier targets. And the initiatives do not have to cost a lot. Instead of a comprehensive and expensive overhaul of a firm’s complete system, think of the procedure as adding a series of layers to the network, one process at a time, at a pace that suits a firm’s needs and budget.

A basic step will involve MFA, or multifactor authentication. This adds a layer of protection by requiring an additional step in the sign-in process before email and other accounts or apps can be accessed. Under an MFA protocol, a user — whether an attorney trying to access their own account or a hacker trying to hijack one — will first be prompted to provide additional identity verification, such as scanning a fingerprint or entering a code received by a phone or other device registered to the legitimate user.

Another basic is to create and use strong passwords to access email accounts or sensitive data. As Facebook founder Mark Zuckerberg discovered — after reportedly using the phrase “dadada” as a password — individual hackers and state actors alike possess advanced tools to crack simple and not-so-simple passwords. Still, many attorneys use combinations (like 1234) or names, like their mom’s maiden name, which are easy to remember but are also easy for outsiders to crack.

In contrast, machine-generated passwords can run up to 100 characters and are harder to guess. But people often have trouble remembering them and either change them the first time they are used, or write the long passwords on a Post-it Note that is left on desks or other insecure areas. One option is to use words that are easily remembered, but in a string that would not occur in normal use, like “surfboard string building.”
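As an added illustration that is not part of the original article, the following Python estimates the keyspace, in bits, of the password styles the article mentions (a short digit string like 1234, a short lowercase word like “dadada”, a 100-character machine-generated password, and a word-string passphrase like “surfboard string building”) and generates a passphrase of that last style with the OS random source. The 7776-word list size is that of the standard Diceware list; the small embedded word list and the guessing rate are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in for a real word list; a real Diceware list has 7776 words.
SAMPLE_WORDS = [
    "surfboard", "string", "building", "lantern", "copper", "meadow",
    "pencil", "harbor", "violin", "cactus", "ledger", "marble",
]
DICEWARE_SIZE = 7776      # words in the standard Diceware list
PRINTABLE_ASCII = 95      # characters a password generator typically draws from
LOWERCASE = 26
DIGITS = 10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on guessing strength: log2 of the number of strings of this
    length drawn uniformly from the alphabet. A human-chosen value such as a
    name or a keyboard pattern is far below this bound."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(words: list[str], count: int) -> str:
    """Pick `count` words with the OS CSPRNG, space-separated, in the
    "surfboard string building" style the article recommends."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_styles() -> dict[str, float]:
    """Keyspace in bits for the password styles the article describes."""
    return {
        "4 digits (1234)": entropy_bits(DIGITS, 4),
        "6 lowercase letters (dadada)": entropy_bits(LOWERCASE, 6),
        "3 Diceware words": entropy_bits(DICEWARE_SIZE, 3),
        "6 Diceware words": entropy_bits(DICEWARE_SIZE, 6),
        "100 random printable chars": entropy_bits(PRINTABLE_ASCII, 100),
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash; illustrative only
    for style, bits in compare_styles().items():
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{style:30s} {bits:6.1f} bits  ~{days:.3g} days to exhaust")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Three words from a 7776-word list already exceed a six-letter lowercase password, and each added word contributes about 12.9 bits, which is why a longer word-string stays memorable while a 100-character random string does not.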

Other reasonably priced cyber-defenses include firewalls, which are network security systems that monitor and control incoming and outgoing network traffic based on preset security rules; email security software; behavior-centric threat detection-and-response security on endpoints like laptops, smartphones, servers and other devices that communicate with networks; and DNS (Domain Name System) security, which can keep users away from dangerous sites and keep malware from communicating with its operator. This kind of layered approach may help keep users and data secured even if one or more individual systems are compromised.

Installing a layered cyber-defense system, however, is not the end of the journey to security. Lawyers and others in a firm who access systems should be trained in the proper use of the defenses and their compliance should be monitored. Security awareness training does not have to be burdensome and compliance monitoring does not have to be overly intrusive. After all, the objective is not to implement Pentagon-level security, but to have defenses that are better than other peer-level firms. When that is in place, the odds are that a hacker will pass over your firm and instead target a less-protected one.

Carl Mazzanti is president of eMazzanti Technologies,  a cybersecurity and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].
