When UK law firm Gateley announced in 2020 that it had suffered a cyber security breach, it raised a question that every partner in the profession has since had to confront: why are law firms becoming a top target for cybercriminals? Several years on, the trend has only accelerated.
In Gateley's case the attack was discovered quickly by the firm's IT team, which limited the volume of data stolen. Even so, the firm had to notify affected clients and trace the stolen data to where it had been downloaded. The incident made public something every law firm leader already suspected: that a breach carries not just operational cost, but reputational risk that can outlast the attack itself.
Gateley is far from alone. Global giant Jones Day had gigabytes of sensitive client data exposed through the 2021 Accellion file-sharing breach, and many more incidents have followed across the sector — some publicly disclosed, many more resolved quietly.
Listed firms must announce successful cyber attacks to inform stakeholders and regulators. One can only guess how many unlisted, privately owned law firms have suffered attacks in silence, potentially paying the ransom to retrieve their data.
Criminals Recognising New Opportunities
The UK National Cyber Security Centre has for years warned of a worrying trend: 'ransomware as a service'. Professional hackers make ransomware variants and lists of credentials available to others — for a one-off payment or a share of profits from successful attacks.
This lowers the barrier to entry for cybercrime, allowing less technically skilled attackers to buy ready-made tooling from developers without the costs and risks of building it themselves. That brings a new class of criminal into the frame, ready to undertake their own attacks.
NCSC guidance also highlights that more sophisticated criminals spend time conducting in-depth reconnaissance on potential targets, working to identify cyber security weaknesses, before launching phishing and spear-phishing attacks to gain access to networks.
They then search not only for business-critical data to encrypt and hold for ransom, but also for the backups that could otherwise mitigate the damage of a ransomware attack. It is a chilling development for any organisation that believed an offline backup was sufficient protection.
"Criminals recognise law firms fear not only the financial loss if funds are stolen, but the potential reputational damage they would suffer if a breach is made public. That is a powerful motivation to meet the hackers' demands."
Criminals Recognise a Good Target
Attacks on big law firms make the news, often because of the potential fallout if the firm undertook Government work or large corporate transactions, when sensitive data can be very valuable to criminal actors. But what is the future for smaller firms with client accounts plump for the picking?
The big firms will attract more attacks simply due to the scale of their networks and the potential for a security hole or zero-day vulnerability being discovered. They may have the best alerting and monitoring, as well as effective defences, but the potential rewards will ensure every law firm, regardless of size, continues to be the subject of increasingly sophisticated and regular attacks.
Smaller firms, which often lack the specialist expertise to prevent a sophisticated attack, now face not only the threat of skilled hackers turning to easier targets, but also the growing threat posed by non-tech-savvy criminals. These newcomers are buying attack software and chancing their collective arms, hoping to get lucky. And they only need to be lucky once.
What This Means for Your Firm
This is a snapshot of the current threat facing every internet-connected business, but law firms in particular. It perhaps explains why Illume is currently engaged by a number of SME law firms to discover weaknesses in their networks before the hackers do.
Defeating the criminals in this ever-changing threat environment is hard for in-house IT teams, but calling on specialist support can make life a lot easier and safer. A CREST-accredited penetration test gives you an accurate, evidence-based picture of where your vulnerabilities lie, before an attacker finds them for you.
So if after reading about why law firms are becoming a top target for cybercriminals and the threat you face, you'd like to get a security assessment underway, please get in touch today and we'll explain the steps you can take towards a safer future.