A fundamental ethos across the legal industry is that of attorney-client privilege. Protecting data and sensitive information is sacred to client relationships, and the data that firms collect and store is exactly the sort that threat actors are hunting for.
Data theft and the inevitable accompanying reputational damage, regulatory issues notwithstanding, can do as much harm as ransomware itself. Threat actors that successfully breach a law firm and exfiltrate data can wield it as blackmail material to both the firm and the impacted clients, making law firms particularly lucrative targets. These evolving cyber threats place the legal sector at a serious crossroads: adapt and invest in meaningful security improvements or risk exposure to increasingly aggressive and motivated attackers.
Despite rising cybersecurity awareness and investment, law firms show a decline in security confidence. This decline likely stems from heightened awareness of threats, increased scrutiny through assessments, and the growing complexity of securing modern IT environments. This trend came to light in the July 2025 research report, Security at Risk: The State of Cybersecurity in Law Firms, produced by Fenix24 and the International Legal Technology Association (ILTA).
The downward trend in confidence corresponds directly to the increased awareness and spending — the more a firm pays attention to its security posture, the more gaps it sees. Even with increased focus on security, fundamental vulnerabilities remain across the industry:
- Inconsistent adoption of key safeguards like immutable backups and MFA
- A reliance on external drivers for change, rather than strong internal security leadership
- A disconnect between perceived and actual security threats
Data backups as the best cyber defense
Immutable data backups — those that cannot be encrypted, altered or deleted by any means — are the single most reliable recovery measure in a ransomware event. However, survivable backups are underutilized within the legal sector. In fact, the Fenix24-ILTA research, conducted during 2024, found that only 50% of firms reported having at least one immutable backup system. Even if every system in that 50% is truly immutable and retains a complete copy of the firm’s data (both very unlikely scenarios), that still leaves 50% of all surveyed law firms with no reliable avenue of recovery if they suffer a breach by a threat actor bent on destruction.
Law firms are starting to recognize the importance of backups in their security stack. While backup solutions are now listed as the fourth most critical security control, many firms fail to back up critical infrastructure like domain controllers or data stored in SaaS applications. This leaves roughly half of responding firms exposed to catastrophic data loss.
Meanwhile, less than 40% of law firms are blocking:
- Remote access tools — a preferred ingress vector of ransomware threat actors
- Unapproved file sharing platforms — a common exfiltration technique
- Password vaults/personal e-mail/browser-based password caching — often used for phishing, social engineering, and stealing credentials
No wonder only 38% of law firms surveyed rate themselves as “very secure,” down from 50% in 2023. However, this decline in security confidence may be the most hopeful data point in the entire report. Recognizing a problem is the first step to solving it. Firms have removed their blinders and are starting to appreciate the risks they face.
What’s driving change among law firms?
When it comes to closing these gaps in security, insurance carrier and client requirements help drive change, although law firms are often resistant or reluctant to fund security initiatives. Perceived user inconvenience is another major blocker of change. However, third-party audits and assessments (penetration tests, tabletop exercises) have recently begun to push firms toward a more robust security posture, a rapidly emerging trend that was not seen in previous surveys.
The report shows that 82% of firms rate their security budgets as “adequate,” while 23% acknowledge existing security gaps. These findings reveal a misalignment between spending and real-world risk. As the report states, rising costs for skilled professionals, advanced detection tools, and security services put increasing pressure on budgets, which often forces firms to prioritize compliance over proactive defenses.
While many firms are increasing investment in security, they are often doing so without a clear alignment between budget allocation and threat mitigation, leaving critical gaps that remain unrecognized and unaddressed.
The legal industry’s evolving views on cybersecurity
The 2024 survey bucked many trends from previous years. User behavior took a tumble from the top security threat all the way down to #5, with phishing, data exfiltration, ransomware, and social engineering — in that order — all now viewed as bigger risks, according to the report.
It’s interesting that the percentage of firms rating user behavior as a top-three security risk is virtually identical to the previous year’s findings (27% in 2024 vs. 28% in 2023). Meanwhile, data exfiltration, ransomware, and social engineering all saw massive jumps in 2024. Simply put, no one is any less worried about user behavior, but they are now much more worried about other threats.
Data exfiltration concerns increased from 5% to 35%, ransomware from 17% to 33%, and social engineering from 11% to 27%. Data exfiltration poses a particularly dire threat to law firms. The exposure of client data and the associated loss of client trust can be as devastating as the permanent destruction of the data itself.
Firms no longer fear malware or older style “drive-by” encryption events. Instead, they are increasingly worried about targeted attacks where a human agent maneuvers past weak points in the defenses, exfiltrates sensitive data for additional leverage and reputational damage, and then attempts to shut down operations and extract a ransom payment. This behavior is on the rise globally and makes headlines almost daily. It is a very real risk to law firms.
As fatalistic as it may sound, law firm security teams should spend less time shoring up their defenses and more time planning to pick up the pieces and put the firm back together. They should imagine a worst-case scenario, a true existential, firm-ending crisis. What does it look like? What is destroyed? Who is impacted? How long does it last, between destruction, forensics investigations, and rebuilding? What does it truly cost in both time and money?
Once the security team fully appreciates this situation, they should begin to implement changes to lessen that impact. If data loss is the concern, harden the backup tools. If exfiltration is the risk, deploy data loss prevention tools, data classification, and least-privileged access. If loss of communication in a crisis is what slows down recovery, create out-of-band communication channels. Nothing will ever protect a firm completely. That is not an achievable goal. But addressing these concerns will allow IT teams and attorneys alike to rest easier by ensuring that disaster will be survivable, and that there is a plan to rebuild.