Part two of a two-part series

This article originally appeared in the July 2025 issue of Cybersecurity Law & Strategy. Read it here.

In the modern digital landscape, both personal and organizational cybersecurity are more critical than ever. While individuals face evolving threats like phishing, identity theft and data breaches, entities like law firms, corporations and other organizations must work to stay ahead of increasingly sophisticated attack methods including ransomware and credential-based exploits.

The second part of this two-part series summarizing modern security practices as advised by the National Institute of Standards and Technology’s latest guidelines, (a framework that prioritizes proactive, resilient and user-friendly strategies), shares 10 tips to take your firm or organization’s security from good to great.

Cybersecurity is a critical priority for any organization aiming to stay ahead of increasingly sophisticated threats in today’s digital landscape. This is especially true for law firms and others that routinely handle sensitive data, be it their clients’ or their own. Evolving attack methods, such as phishing, ransomware, and credential-based exploits, demand robust, enterprise-wide defenses to protect sensitive data and maintain operational integrity. The NIST 2025 guidelines provide a framework for modern security practices that prioritize proactive, resilient and user-friendly strategies.

The latest cybersecurity measures, from advanced authentication protocols to network security tools and data protection strategies, are essential for firms to effectively protect themselves. By implementing these best practices, organizations can fortify their defenses, reduce their attack surface and maintain a competitive edge in security. 

1. Employ Long Passwords, Not Complex, Fast-Changing Passwords  

Traditional password policies, which mandate complex combinations of uppercase letters, numbers and special characters while requiring frequent changes, are increasingly ineffective and counterproductive. According to the most recent NIST guidelines, complexity does not inherently improve security. And in fact, it often leads to user frustration, resulting in predictable patterns or insecure workarounds such as writing passwords down.

Modern cyberthreats, such as brute-force attacks and credential stuffing, exploit weak or reused passwords, risks that traditional complexity requirements fail to effectively mitigate. Additionally, frequent password resets without evidence of compromise encourage users to create weaker passwords or recycle old ones, undermining security.

The NIST guidelines emphasize that longer passwords, ideally 15+ characters, are significantly harder to crack, easier to remember and more effective against today’s sophisticated attack methods.  

2. Have EDR Monitoring in Place 

Antivirus software, as the name suggests, comprises tools that remove viruses. However, those viruses have become more and more sophisticated and no longer follow any certain playbook. However, with the advancement of technology and the emergence of AI, attackers have now become sneakier in their incursions and no longer use precreated patterns. This is why using an EDR (endpoint detection and response) is vital. Not only does an EDR monitor and analyze the behaviors of system changes to detect anomalies; it immediately stops and kills any process or file that can cause harm to the system. 

3. Adopt Passkey Login When Available

Passkeys, released in 2022, are an alternative to passwords. Passkeys surpass passwords in security as they are inherently more resistant to phishing and credential breaches since they are not based on character strings. Passkeys use a biometric or PIN verification method to authenticate and rely on a public-private cryptographic key for which the private key is stored on the user’s machine and the public key is stored on the website. This new method of authenticating provides a more secure and seamless way for users to log in. 

4. Enable MFA 

Multifactor authentication significantly enhances security by requiring multiple forms of verification, such as a password combined with a code from a mobile device or a biometric scan. This additional layer of protection makes it much harder for attackers to gain unauthorized access to individual or firmwide systems, even if they obtain a user’s password through phishing or data breaches.

The latest NIST guidelines strongly recommend MFA as a critical defense against modern cyberthreats, reducing reliance on passwords alone and safeguarding accounts and systems from compromise, even in the face of sophisticated attacks. 

5. Stay Up to Date on Software 

Failing to update software and devices leaves systems vulnerable to exploits targeting known vulnerabilities, which attackers actively exploit. Modern threats, such as ransomware and zero-day attacks, often leverage unpatched systems to gain access. NIST’s 2025 guidelines emphasize robust security practices, but outdated software undermines even strong passphrases or MFA, as attackers can bypass authentication through unpatched vulnerabilities, compromising entire networks or devices even without user interaction. 

6. Use a Robust Email Security Gateway 

Email remains a primary vector for malware and phishing attacks, with attackers using sophisticated techniques to deliver malicious payloads or steal credentials. A robust email security gateway filters incoming and outgoing emails, blocking malicious attachments, links and phishing attempts before they reach users. By leveraging advanced threat detection, such as AI-driven analysis and real-time threat intelligence, these gateways minimize the risk of email-based attacks, aligning with NIST’s 2025 emphasis on proactive defenses to protect organizations from evolving cyberthreats. 

7. Use a Web Proxy 

Web proxies act as a critical line of defense by controlling and monitoring internet traffic, preventing users from accessing malicious or unauthorized websites. By enforcing corporate policies, proxies restrict access to risky sites, such as those hosting malware or phishing scams, and provide visibility into user activity. This helps organizations mitigate threats like drive-by downloads and data exfiltration, aligning with NIST’s guidelines for reducing attack surfaces and maintaining secure browsing environments. 

8. Use a Firewall with Integrated IPS 

A firewall with an integrated intrusion prevention system provides real-time protection by monitoring network traffic for suspicious activity and blocking potential threats. Unlike traditional firewalls, an IPS-enabled firewall actively analyzes packets to detect and prevent exploits, malware and other malicious behavior before they reach internal systems. This layered defense, as recommended by NIST, strengthens network security and helps organizations stay ahead of sophisticated cyberattacks targeting vulnerabilities. 

9. Restrict Administrative Access 

Granting end users administrative access to systems increases the risk of unauthorized changes, malware installation or privilege escalation by attackers. Restricting administrative access to only IT staff ensures that critical system configurations and sensitive operations remain secure.

By limiting privileges, firms reduce the attack surface and prevent accidental or malicious actions that could compromise systems, aligning with NIST’s 2025 recommendations for least-privilege access controls. 

10. Back Up Important Data Offsite 

Regularly backing up critical data offsite, ideally utilizing immutable storage, protects against data loss from ransomware, hardware failures or other disasters. Immutable backups ensure that data cannot be altered or deleted by attackers, providing a reliable recovery option. This practice ensures business continuity and safeguards sensitive information, reducing the impact of cyberattacks and supporting robust data protection strategies. 

To remain at the forefront of cybersecurity, law firms and other organizations must adopt a proactive, multilayered approach that integrates advanced technologies and strict access controls. Implementing enterprise-grade solutions like EDR systems, email security gateways, web proxies, IPS-enabled firewalls and offsite immutable backups creates a robust defense against sophisticated threats. Complementing these with strong authentication practices, such as long passphrases, passkeys and MFA, while maintaining up-to-date systems and restricted administrative access, ensures a reduced attack surface and enhanced resilience.

By embedding these NIST-aligned strategies into their operations, firms can safeguard critical assets, maintain business continuity and lead the fight against evolving cyberthreats. 

Reprinted with permission from the July 2025 edition of the Cybersecurity Law and Strategy Law Journal Newsletter © 2024 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or [email protected].