SecureWorld News

Human-Based Attacks Linger in Legal Industry, Report Shows

Written by Cam Sivesind | Tue | Aug 5, 2025 | 1:06 PM Z

The legal industry has long been a prime target for cybercriminals due to the highly sensitive and confidential data it holds. However, a new report from the International Legal Technology Association (ILTA) and Fenix24, "Security at Issue: State of Cybersecurity in Law Firms," reveals a crucial shift in the threat landscape. The report, based on a survey of 60 law firms, indicates that while awareness and investment are rising, fundamental vulnerabilities persist, and human-operated attacks are now the primary concern.

The most striking finding of the report is the change in perceived top threats. For the first time, phishing has taken the top spot, cited by 50% of respondents, surpassing previous top concerns like ransomware and user behavior. The report notes that phishing was a new category this year, and its immediate rise to the top signals a shift from traditional malware-based attacks to more "complex, human-driven breaches."

The top five security concerns for 2024, in order, are:

  • Phishing (50% of firms)
  • Data exfiltration (35% of firms)
  • Ransomware (33% of firms)
  • Social engineering (27% of firms)
  • User behavior (27% of firms)

"The rise of phishing as the top perceived threat reflects both the increasing complexity of phishing schemes and the vulnerability of humans as weak points in any organization's cyber posture," said Chirag Patel, Senior Attorney at Clark Hill LLP. "AI has enabled threat actors to craft more convincing phishing attacks, making them more likely to succeed even against organizations with otherwise robust cybersecurity systems. This underscores the critical importance of continuous training and vigilance."

The latest list of concerns shows that firms no longer fear "drive-by encryption" so much as "targeted attacks where a human agent maneuvers past weak points in the defenses." Attackers now routinely use double extortion: they exfiltrate sensitive client data for additional leverage before encrypting systems, so a clean restore from backup no longer ends the incident.

Despite the growing awareness, the report reveals significant gaps in legal firms' security postures:

  • Backup vulnerabilities: Immutable backups (copies that cannot be altered or deleted, even by an attacker holding administrator credentials, until a fixed retention period expires), considered the "single most reliable recovery measure in a ransomware event," remain underutilized. Only 50% of firms reported having at least one immutable backup system, leaving the other half exposed to catastrophic data loss if an intruder reaches the backup platform.

  • Inconsistent MFA practices: Multi-factor authentication (MFA) adoption is inconsistent, especially on high-value targets. Just 50% of firms apply MFA to backup solutions, 37% to backup storage, and a mere 18% to production storage systems. The report emphasizes that these are key targets for attackers in a ransomware event and are "underdefended."

  • Weak lateral movement controls: Many firms fail to block the tools and techniques that allow threat actors to move freely across their networks. Alarmingly, 73% of firms surveyed have "no administrative segmentation," meaning privileged accounts and administrative hosts are not separated from ordinary user workstations, so credentials phished from one user can be reused all the way to domain controllers and backup servers. The report also notes that 52% of firms do not require MFA on Remote Desktop Protocol (RDP), a common vector for lateral movement.

  • Declining confidence: Security confidence has dropped across firms of all sizes. Only 38% of very large firms (750+ attorneys) rate themselves as "very secure," down from 50% last year. This decline is attributed to heightened awareness of threats and increased scrutiny from assessments.
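
The two lateral-movement gaps above (no administrative segmentation, RDP without MFA) leave a recognizable trail in Windows logon events. The following detection script is an added example and is not code from the ILTA/Fenix24 report or from SecureWorld. It assumes a simplified event layout drawn from Windows Security event 4624 (logon type 10 is RDP, type 2 is console), an assumed two-host Tier 0 model (`TIER0_ADMINS`, `TIER0_HOSTS`) and assumed thresholds; the sample events are constructed to show one domain admin hopping workstation, file server, backup server and domain controller within twenty minutes.

```python
"""Detect hands-on-keyboard RDP lateral movement in Windows 4624 logon events.

Added example, not code from the ILTA/Fenix24 report. The event layout, the
tier model and the thresholds are assumptions; the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event 4624 logon types used below.
LOGON_INTERACTIVE = 2          # console logon
LOGON_REMOTE_INTERACTIVE = 10  # RDP logon

# Assumed tiering model: these admin accounts may only log on interactively
# (console or RDP) to these hosts. Any other interactive logon is a break in
# administrative segmentation.
TIER0_ADMINS = {"CORP\\da-jsmith"}
TIER0_HOSTS = {"DC01", "BACKUP01"}

# Constructed sample events (ISO time, target host, account, source IP, logon type).
SAMPLE_EVENTS = [
    {"time": "2025-08-05T13:00:10", "host": "WS-042",   "user": "CORP\\jdoe",      "src": "10.1.5.23", "type": 10},
    {"time": "2025-08-05T13:04:30", "host": "WS-042",   "user": "CORP\\da-jsmith", "src": "10.1.5.23", "type": 10},
    {"time": "2025-08-05T13:09:00", "host": "FS01",     "user": "CORP\\da-jsmith", "src": "10.1.7.42", "type": 10},
    {"time": "2025-08-05T13:15:45", "host": "BACKUP01", "user": "CORP\\da-jsmith", "src": "10.1.7.50", "type": 10},
    {"time": "2025-08-05T13:20:00", "host": "DC01",     "user": "CORP\\da-jsmith", "src": "10.1.7.60", "type": 10},
    {"time": "2025-08-05T15:00:00", "host": "WS-007",   "user": "CORP\\asmith",    "src": "10.1.5.90", "type": 10},
    {"time": "2025-08-06T09:00:00", "host": "DC01",     "user": "CORP\\da-jsmith", "src": "10.1.9.2",  "type": 10},
]


def _parse(events):
    """Return a copy of the events sorted by time, with a datetime attached."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that RDP to at least `min_hosts` distinct hosts inside any `window`.

    Returns {account: sorted hosts of the largest such burst}. A human operator
    pivoting through a network produces this pattern; a single helpdesk session
    or a scheduled job rarely does.
    """
    by_user = defaultdict(list)
    for e in _parse(events):
        if e["type"] == LOGON_REMOTE_INTERACTIVE:
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        best = set()
        for i, start in enumerate(evs):  # evs is time-ordered, so evs[i:] is the window tail
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[user] = sorted(best)
    return hits


def tier_violations(events):
    """Interactive logons by Tier 0 admins to hosts outside Tier 0 (a segmentation break)."""
    return [
        (e["user"], e["host"], e["time"])
        for e in _parse(events)
        if e["user"] in TIER0_ADMINS
        and e["type"] in (LOGON_INTERACTIVE, LOGON_REMOTE_INTERACTIVE)
        and e["host"] not in TIER0_HOSTS
    ]


def report(events):
    """Both detections in one dictionary, ready to feed an alert or a SIEM rule."""
    return {"rdp_fanout": rdp_fanout(events), "tier_violations": tier_violations(events)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS).items():
        print(key, value)
```

On the constructed sample the fan-out rule fires once, for the domain admin that touched four hosts in under twenty minutes, and the tier rule flags the two logons that admin made to a workstation and a file server. Note what the script cannot see: whether MFA was enforced on those RDP sessions. That has to come from the RDP gateway or identity provider logs, which is exactly why the report counts MFA on RDP as a separate control rather than something segmentation alone provides.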

"Law firms have the same security problems as every other business, with two added complications: (1) everyone knows they have secret and therefore valuable information; and (2) lawyers have an ethical duty to protect client confidences," said Jake Bernstein, Esq., Co-Host, Cyber Risk Management Podcast; Partner, Data Protection, Privacy & Security Group, K&L Gates LLP. "While many law firms do an admirable job with security, being targeted means that your margin for error is much smaller than the more common 'victims of opportunity.' For this reason, law firms need to move away from merely reactive security work and become just as secure as large financial institutions who are constantly under attack. There is no other realistic path forward."

A reactive approach to security remains prevalent. The report found that firms continue to rely on external pressures to drive security initiatives, with client requirements and penetration testing tied as the top drivers of change. This is a significant finding, as it suggests internal leadership often fails to prioritize cybersecurity, with many firms citing "resistance from leadership and limited funding as barriers to improvement."

The report's findings are a clear call to action. Law firms need to rethink their approach to cybersecurity and move beyond a reactive, compliance-driven mindset. Of the firms that rate themselves as "extremely secure," 90% treat security as a holistic effort with buy-in and support from firm leadership.

The report underscores the urgency for legal cybersecurity teams to:

  • Adopt and properly configure immutable backups to prepare for ransomware events

  • Expand MFA coverage to all high-value systems, especially backup and production storage

  • Implement a Zero Trust security model to limit lateral movement and persistent access

  • Treat security as an organization-wide priority with clear leadership support and an aligned budget