Cybersecurity consultants say that foreign governments and organized criminal groups see large law firms as fabulous treasure houses of confidential data – stuffed full of intellectual property, legal strategies, information on pending mergers, the passwords of client accounts…

The American Bar Association estimates that 80 percent of the 100 largest firms in the US have already been breached, and a survey of members of the International Legal Technology Association released last week showed that, for the first time ever, security management is viewed as the biggest challenge facing legal IT departments.

What should law firms be doing about this threat? Cybersecurity consultants spoke with The Am Law Daily about how the most cautious firms are protecting their clients’ data from hackers, and what they’re spending.

Larry Ponemon, who runs his own research institute and consultancy on privacy and data protection, said there are four key people that firms with 500 lawyers or more should have on staff.

The first is a chief information security officer who oversees cybersecurity. This person should not report to a chief information officer, but to an executive body, Ponemon said. Security technology isn’t going to yield the kind of return on investment that CIOs are looking for, so they’re likely to stop cybersecurity advocates in their tracks.

The second staff member should be “someone who is a regulatory policy wonk”, Ponemon said. This person should understand data protection laws in all the countries where a law firm works.

The third is a security architect who makes sure that the technology a firm is using to protect itself is built properly and is working according to plan.

Finally, large law firms should have a forensics expert on staff who can figure out how to stop the bleeding when a breach occurs, said Ponemon. He added that more ambitious firms will also have someone on staff who is involved in training lawyers and staff members to operate cautiously when dealing with data, emails and their portable devices.

“Law firms have a unique role in data protection,” Ponemon said. “They have the ability to discover and collect as much information as they need to when trying a case.”

He estimated that about 10 percent of major law firms have a well-defined security program that looks something like what he recommends. He added that they spend between $3 million and $5 million a year on cybersecurity.

Last week, Chase Cost Management released a survey that said spending on information security at Am Law 200 firms rarely exceeds 1.9 percent of gross revenue, as noted by sibling publication LegalTech News. Half the CIOs who responded to the CCM survey said they felt their firm wasn’t spending enough.

But there are some steps that law firms can take that don’t cost anything, said Charles Carmakal, a vice president in the forensics division at FireEye, the IT security company that raised $303.6 million in an initial public offering in 2013 and remains on the hunt for acquisitions in the cybersecurity space. (LegalTech News reports that Mandiant, a division of FireEye, has found that 80 of the 100 largest US firms have been hacked since 2011.)

Carmakal said that a lot of firms make elementary mistakes, such as using the same administrative password across all their systems.

Another common problem is that senior attorneys often open any attachment they receive. “Every attorney wants new business, so if they get an email from a prospective client, there’s no reason they wouldn’t click on a link,” he said. (A report released last month by Verizon showed that members of the company’s in-house legal department were most likely to click on phishing emails and links.)

Carmakal said that taking steps to limit the level of access that employees have to their own systems, while unpopular because it slows down work flow, is another way to reduce risk that costs only time. He added that there are free programs available that will prevent unauthorized applications from running.

When law firms do experience a breach, they call people such as Carmakal. The costs that then ensue can dwarf those that would have prevented a breach. “It’s not uncommon for it to be in the millions, and it could be in the tens of millions. It depends on the situation,” he said.

Daniel Garrie, co-head of the cybersecurity practice at New York law firm Zeichner Ellman & Krause, works with fellow law firms and banks on privacy protection. He said it’s not always the top-tier firms that have the best systems in place. “The irony is, it’s not a matter of how good your law firm is; it’s about how strong your technology resources are,” he said. Earlier this year he co-authored a cybersecurity column for sibling publication Corporate Counsel riffing on an episode of CBS’ The Good Wife, in which a fictional law firm faces a cybersecurity threat offering it the choice between paying $50,000 or risking the deletion of all its client files.