Blog Post
February 11, 2021 | Cybersecurity education
Why are law firms major targets for hackers?
With contributions from Jane Harwood.
Imagine, for a moment, the impact of a single successful cyber attack on your law firm—it could be devastating. The truth is that any business, no matter the industry, could be targeted by a cyber attack, but the type of data you manage, as well as the third parties you work with, could make your business a more appealing target.
Each day, professional services firms in the legal, accounting, and finance sectors work with sensitive, confidential intellectual property and personally identifiable information that clients trust is being kept private and secure. This makes them highly attractive targets in the eyes of attackers.
Now imagine a cyber attack resulting in this valuable data being compromised. Whether it’s stolen, held for ransom, sold, or posted publicly, a single compromise could result in fines or other impacts to the bottom line, and even lasting reputational damage.
Put simply, law firms and legal professionals are facing a growing cyber security threat.
Matt Holland, Field Effect’s Founder, CEO, and CTO, recently appeared on the Technically Legal podcast to discuss some of the ways hackers target law firms and steps to take to build effective cyber defences. We’re sharing a few of the highlights from the conversation here.
Why do cyber attackers target law firms?
“Law firms, for the longest time, have flown under the radar,” says Matt. “A law firm is basically the formalization of relationships between businesses and people, and the documents and communications around all of those resources . . . it’s absolutely enormous.”
Access to this information could give a cyber criminal insight into how a firm does business, insight they can then exploit for their own ends to execute targeted attacks.
“If I’m an attacker, regardless of motivations, all that information is useful for me to understand how business dealings work between particular entities,” adds Matt.
These attacks aren’t hypothetical, either; attackers are already targeting law firms, with a recent review by the Solicitors Regulation Authority (SRA) in the United Kingdom reporting that approximately 75% of surveyed law firms had been hit by some type of successful cyber attack.
“I’ve been an entrepreneur for 15 years, and just thinking about all the documents that I’ve signed, the business dealings and all those things, there’s a huge intelligence and attacker value in that type of material,” adds Matt. “Law firms really need to take this type of problem seriously.”
“There’s a huge intelligence and attacker value in that material. Law firms really need to take this type of problem seriously.” – Matt Holland, Field Effect Founder, CEO, and CTO
And while a successful attack could potentially expose confidential information and sensitive intellectual property, operational downtime poses a much more immediate concern. Because many law firms operate on an hourly billing model, downtime following an attack and during recovery translates into lost revenue and other urgent financial concerns.
How cyber attacks on law firms work
Before any theft or extortion can take place, attackers need a way in. Devices connected to the Internet are inherently at risk of an attack, but there are a few common techniques and tools cyber criminals will use to try and gain access to an organization’s IT network or devices.
Social engineering and phishing
“Social engineering is the art of convincing somebody you are someone they trust,” says Matt. The term encompasses a number of techniques to manipulate a user to take an action, some more direct than others, and is most commonly seen in phishing attempts.
“Phishing is the concept of exploiting social engineering to convince somebody to click on a link or provide credentials to a particular website,” he explains. “This could happen in the form of somebody sending you an email—it looks legit, like it’s coming from an entity you trust, so you click on a link that leads to an exploit.”
That exploit can then take over the host computer or device. Once an attacker has access to your computer, they can use it as a foothold to move deeper into the network.
“Perhaps you click on a link and that leads you to a login page that looks like a portal you’re used to, but it’s basically a simulated instance of that,” says Matt. “They take your credentials and can then use those credentials to log in to the original portal on your behalf.”
From there, an attacker could test these credentials against any number of accounts or services. If a password is reused anywhere, then an attacker would have access there, too.
“A lot of people will reuse passwords, so if you use a password on Site A and it’s also your email password, it could then lead, potentially, to email compromise and a whole world of problems,” says Matt.
Business email compromise
Once they have those credentials, staging further attacks becomes much easier. This includes initiating financial redirects as part of a business email compromise (BEC).
“Let’s say, for example, I get into your email,” says Matt. “I look into your invoices, I get to understand your payment schedule, who your customers are, and then right before you send out your invoices, I send an email to your customers—from your account—saying, ‘Please send money over to this location.’”
BEC attacks and the resulting financial redirection have cost businesses nearly $26 billion since 2016 alone. These attacks are low-cost and easy to execute, and by the time they’re detected, it’s easy for attackers to dismantle their operations and walk away.
Ransomware
Ransomware continues to be a major threat for businesses of all sizes and in every market vertical, with 57% of Canadian IT professionals saying that it could have the greatest impact on their organization. The most common forms of ransomware encrypt data on a local host, preventing users from accessing it unless they pay up—a particular challenge for law firms that, increasingly, rely on digital technology to operate.
Regardless of whether an attacker is encrypting, removing, or deleting data, defending against these attacks still relies on catching the initial intrusion early, before the attacker can encrypt or delete the firm’s intellectual property.
How to secure your law firm against cyber attacks
Tackling cyber threats and mitigating risks are challenging processes for any organization, and law firms are no exception. The good news is that your approach to defending against these threats and proactively building an effective cyber security program is no different from any other business.
“The human element is often the problem the large majority of the time, be it clicking on a link or misconfiguring a network, and that is something I think goes understated,” says Matt. “A lot of cyber security vendors will tout that they can stop anything, but no, you can’t stop someone making a bad decision unless you educate them.”
“You can’t stop someone making a bad decision unless you educate them.” – Matt Holland, Field Effect Founder, CEO, & CTO
Taking steps to inform and educate staff about cyber threats is vital to defending against attacks. “First step, sort the budget out, second step, what can you do with that budget?” says Matt. “Unless you’ve actually got the budget to bring in a team of ten people from an intelligence agency, I’d wipe that off the table right off the bat.”
“The rate at which the cyber security industry evolves, you’d need a company of specialists constantly staying ahead of the curve, educating themselves, making sure they’re staying on top of the threats that pose a risk to your company.”
Instead, he recommends leveraging a managed detection and response (MDR) solution like Field Effect Covalence. Covalence makes it possible for firms of all sizes to take advantage of a sophisticated, cost-effective cyber security defence.
“With MDR, we provide the software, the monitoring platform, and then we also provide a team of operators and analysts that work directly with the customer to learn about their network and understand it,” explains Matt. “Then we use our technology to identify and block threats. Basically, we make it affordable to have intelligence-grade cyber security for a company of five to ten people, which is a really special thing.”
Securing your company doesn’t have to be confusing, costly, or complex.
If you’re ready to learn more about proactive, comprehensive cyber security, contact our team today.