Cyber threat landscape for the legal sector in 2025

Cyber Resilience 14th April 2025

The UK legal sector is vast and diverse, encompassing everything from small firms to multinational corporations. As of early 2023, the industry had over 32,000 organisations, generating more than £43 billion in revenue and employing over 320,000 people.

This makes the legal sector a prime target for cybercriminals. With threats constantly evolving, neglecting IT and data security can lead to severe financial and reputational consequences.

In recent times the focus has been on external cyber threats, including ransomware and phishing. However, this has diverted attention from insider threats, a critical but often overlooked risk.

Recent reports have revealed that 70% of data loss is caused by careless or malicious insiders, highlighting the critical need for strong internal security measures.

In this blog post, we explore the legal sector's threat landscape for data loss, covering both internal and external risks and threats.

Why your law firm must protect confidential data

Clients place a huge amount of trust in law firms to safeguard their information and assets, expecting the highest level of confidentiality and security.

Beyond this expectation, as a firm, you also have a legal and professional obligation to protect sensitive data, as outlined by the SRA, the Bar Standards Handbook, and the Legal Services Act 2007.

It is, therefore, critical that your firm has appropriate IT and cyber security measures and controls in place. Failure to do so could be catastrophic.

Law firms handle vast amounts of highly sensitive and confidential information, making them prime targets for cyber criminals. This data holds significant value for criminal organisations, while operational disruptions can result in lost billable hours and additional costs to clients.

The legal sector’s vulnerability to ransomware is particularly concerning, as firms may feel pressured to pay ransoms to restore access to their systems and data quickly.

Smaller law firms, which make up a large portion of the sector, often lack the resources for comprehensive cyber security measures and frequently rely on outsourced IT providers. This reliance creates an additional risk. An attack on a single provider could compromise multiple firms at once.

Reputation is everything in the legal profession, making law firms prime targets for cyber extortion.

A PwC study found that 85% of clients would stop using a service provider if they perceived a lack of data security. Criminals exploit this, knowing firms will go to great lengths to safeguard their reputation and client trust to avoid losing business and future opportunities.

What is a data loss event?

A data loss event refers to any incident where sensitive, confidential, or valuable data is lost, stolen, or exposed, whether accidentally or through malicious intent.

Proofpoint recently reported that 85% of organisations worldwide experienced at least one data loss event in the past year, with the UK figure standing at 73%.

Alarmingly, 10% of affected organisations reported more than 30 incidents each.

The root cause of these breaches is surprising, with 70% of organisations that suffered a data loss event claiming it was due to human error or negligence.

In the UK, the Information Commissioner’s Office (ICO), the independent body responsible for data protection and privacy, reported that in 2024, 66% of all data incidents were non-cyber-related, further emphasising the role of human factors in data loss.

Ultimately, data loss is, at its core, a human problem. This risk is magnified when considering that many cyberattacks, such as phishing, rely on human interaction to succeed.

What is a careless user?

A careless user isn’t necessarily acting with malicious intent; often, their actions are simply mistakes. However, it doesn’t matter whether a cybercriminal kicks down your front door or an employee accidentally leaves it wide open: the consequences are equally devastating.

Common careless user actions include:

  • Misdirected emails
  • Engaging with a phishing attack
  • Sharing data to the wrong person/organisation
  • Installing unauthorised software

In 2024, Proofpoint reported that just 1% of users were responsible for a staggering 88% of data loss events.

After careless users, technical failures are the next leading cause of data loss. These can typically be traced back to two root issues: compromised systems and misconfigured systems, both of which often stem from human oversight, with around 50% of technical failures attributed to user mistakes.

Even simple errors are widespread. A third of employees admit to having sent an email to the wrong recipient at least once or twice. However, this figure is likely an underestimate. How many times have you mistakenly sent an email to the wrong person in the past year?

If we take this statistic at face value, an organisation with 500 employees could expect around 340 misdirected emails per year. Alarmingly, 84% of these emails in the past year contained sensitive attachments.

The impact of misdirected emails can range from mild embarrassment to severe reputational damage, financial penalties from the ICO, and legal consequences.
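Misdirected email is the single largest non-cyber cause of incidents in the ICO figures later in this post, and it is also one of the easier failure modes to catch before the message leaves the firm. The script below is an added example written for this post, not Net-Defence's product or any firm's real configuration. It assumes a hypothetical per-matter list of parties entitled to receive documents, a hypothetical list of domains the firm has previously corresponded with, and a convention that privileged attachments carry a marker in their file name; all sample addresses and domains are constructed. It flags the classic autocomplete mistake (right person, wrong domain), recipients who are not parties to the matter, never-before-seen domains, and privileged attachments heading outside the matter's parties.

```python
from email.utils import getaddresses

# Assumed firm domain and, per matter, the parties who may legitimately receive its documents
# (constructed for this example; a real firm would read this from its case management system).
FIRM_DOMAIN = "example-law.co.uk"
MATTER_PARTIES = {
    "M-1001": {"client@clientco.example", "counsel@otherfirm.example"},
}
# Domains the firm has previously sent mail to; a never-before-seen domain deserves a second look.
KNOWN_DOMAINS = {"clientco.example", "otherfirm.example", "court.example"}
# File-name markers the firm is assumed to put on privileged or confidential attachments.
SENSITIVE_MARKERS = ("confidential", "privileged", "without prejudice")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def local_part_of(addr: str) -> str:
    return addr.rpartition("@")[0].lower()


def check_outbound(headers: dict, matter_id: str, attachments: list) -> list:
    """Return a list of warnings for one outbound message; an empty list means send as normal."""
    findings = []
    raw = [headers[h] for h in ("To", "Cc", "Bcc") if headers.get(h)]
    recipients = [addr.lower() for _, addr in getaddresses(raw) if addr]
    external = [addr for addr in recipients if domain_of(addr) != FIRM_DOMAIN]
    parties = MATTER_PARTIES.get(matter_id, set())

    for addr in external:
        if addr in parties:
            continue
        # 1. External recipient who is not a recorded party on this matter.
        findings.append(f"{addr} is not a recorded party on matter {matter_id}")
        # 2. Domain the firm has never corresponded with before.
        if domain_of(addr) not in KNOWN_DOMAINS:
            findings.append(f"{addr}: domain never previously used by the firm")
        # 3. Same name as a recorded party but a different domain: the autocomplete mistake.
        for party in parties:
            if local_part_of(party) == local_part_of(addr) and domain_of(party) != domain_of(addr):
                findings.append(f"{addr} looks like a mis-pick for recorded party {party}")

    # 4. A privileged attachment is about to leave the matter's circle of parties.
    sensitive = [name for name in attachments
                 if any(marker in name.lower() for marker in SENSITIVE_MARKERS)]
    outsiders = [addr for addr in external if addr not in parties]
    if sensitive and outsiders:
        findings.append(
            f"sensitive attachment(s) {sensitive} addressed to non-party recipient(s) {outsiders}"
        )
    return findings


# Constructed sample: the sender has mistyped counsel's domain and attached a privileged note.
SAMPLE_HEADERS = {
    "To": "client@clientco.example, counsel@otherfrim.example",
    "Cc": "partner@example-law.co.uk",
}
SAMPLE_ATTACHMENTS = ["Privileged - advice note.pdf"]

if __name__ == "__main__":
    for warning in check_outbound(SAMPLE_HEADERS, "M-1001", SAMPLE_ATTACHMENTS):
        print("HOLD:", warning)
```

In practice a check like this sits in the mail client or a DLP gateway as a send-time prompt rather than a hard block: the aim is to make the sender pause on the one message in a hundred that is wrong, without adding friction to the ninety-nine that are fine.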

More than 90% of organisations that experienced an incident reported negative consequences, with over 50% facing business disruption and nearly 40% suffering reputational damage.

What is a malicious user/action?

As mentioned earlier, whether the cause is human error or malicious intent, the outcome can be the same. Malicious insiders are nonetheless a distinct risk that should not be overlooked.

One of the most common causes of intentional security breaches is disgruntled employees, an issue that can be difficult to detect within an organisation.

Some warning signs are easier to identify, such as employees facing disciplinary action, those who have been passed over for a promotion, or individuals being monitored due to poor performance.

Ensuring that access to data and sensitive information is regularly reviewed, especially for employees in these situations, should be a key part of your security policies and procedures.

However, some risks are harder to spot. Employees experiencing financial hardship, struggling with mental health challenges, or dealing with addiction may be more vulnerable to committing malicious acts for financial gain.

Data loss in the UK legal sector in 2024

In 2024, 2,011 data loss incidents were reported to the Information Commissioner’s Office (ICO) within the UK legal sector, ranking 7th among all industries.

58% of incidents were categorised as non-cyber events, with the most common being:

  • Data emailed to the wrong recipient (44%)
  • Data posted or faxed to wrong recipient (13%)
  • Loss/theft of data or paperwork (11%)
  • Failure to redact (8%)

Cyber-related incidents accounted for the remaining 42%, primarily caused by:

  • Phishing attacks (61%)
  • Uncategorised cyber attack (23%)
  • Ransomware (11%)

Following these reported incidents, the ICO took various actions based on the severity and circumstances of each case:

  • Informal action taken (71%)
  • Full investigation pursued (1%)
  • No further action required (18%)
  • Cases remain open (9%)

In 2024, data breaches within the UK legal sector affected between 1.1 million and 9.4 million individuals (data reported in ranges).

External cyber attacks

Cyber criminals are constantly adapting, refining their techniques, and using more sophisticated tactics to target businesses. We explore the most common types of cyber attacks below.

Phishing (Social Engineering)

Phishing and similar attacks fall under the category of social engineering, where attackers manipulate individuals into revealing sensitive information or performing an action that compromises security. These methods allow cybercriminals to bypass technical controls entirely.

Phishing is not a new threat. Typically, attackers send mass emails impersonating legitimate organisations, attempting to steal sensitive information such as passwords or bank details—or to deploy malware, such as ransomware.

Gone are the days of easily spotted scam emails riddled with spelling mistakes and poor grammar. Today’s cybercriminals are more sophisticated, even using AI-driven language models to craft convincing messages.

Phishing isn’t limited to email. Attackers also use text and WhatsApp messages (smishing) and voice calls (vishing) to solicit the same information.

Spear phishing: a more targeted approach

Unlike mass phishing, which casts a wide net in the hope of tricking as many people as possible, spear phishing is highly targeted. Attackers focus on specific individuals, gathering information from public sources such as social media or company websites to make their attacks more convincing.

Spear phishing messages are often designed to appear as if they are from a trusted colleague or senior figure within an organisation. Attackers may include personal details, such as the target’s job role or recent projects, to increase credibility. By creating a sense of urgency, they pressure the victim into acting quickly without thinking critically about the request.

Whaling: CEO Fraud & Executive Phishing

A newer and more sophisticated attack method gaining traction in 2024 is whaling, also known as CEO fraud or executive phishing. These attacks target high-profile individuals within a law firm, such as CEOs or CFOs, with the goal of stealing financial data or authorising fraudulent transactions.

Cyber criminals conduct extensive research on their targets, carefully crafting their messages to make them as believable as possible. These attacks are designed to fit the specific responsibilities of the executive being targeted. For example, an email directed at a CEO might focus on approving a financial transfer, whereas one aimed at a CFO could request access to sensitive financial reports. Attackers also add urgency and personalisation, making the request appear both genuine and time sensitive.

Phishing attacks are becoming more targeted because they are proving to be highly effective. Traditional phishing has an 18% success rate, while spear phishing is significantly more successful, with 53% of attempts leading to a breach. Although data on whaling is still emerging, it is expected to have at least a 53% success rate, if not higher.

A solicitor was found guilty of failing to prevent a ‘Friday afternoon’ cyber scam, which resulted in £290,000 being transferred to cybercriminals. The solicitor, deceived by a spoofed email address, sent the funds without taking additional verification steps. As a result, they were fined £10,000 and ordered to pay £16,000 in costs. This case highlights the devastating impact of phishing attacks and the importance of verifying financial transactions before processing them.

What your firm should do if targeted by a phishing attack

If you receive a suspicious email, text, or phone call, the most important step is to stop and think before taking action. Even if the request appears to come from a senior executive, always take the time to verify it through an alternative communication method. For example, if you receive an email requesting an urgent bank transfer, pick up the phone and call the person directly to confirm the request.

If you suspect you have fallen victim to a phishing attack, report it immediately. If a payment has been made, contact your bank as soon as possible to attempt to recover the funds. For all other incidents, notify your IT department so they can investigate and mitigate any potential damage. The faster an incident is reported, the better the chances of preventing further harm.

What steps can you take to reduce risk within your organisation?

One effective measure is to implement a “Report Phishing” button within your email system. The easier it is for employees to report phishing attempts, the more likely they are to do so. This helps IT teams detect and block phishing campaigns before they cause significant damage.

Providing continuous employee training is also essential. Regular phishing simulations can help staff learn how to identify and respond to suspicious emails, reducing the risk of human error leading to a security breach. Employees should be trained to look for warning signs such as unexpected requests for sensitive information, urgent language, or slight misspellings in email addresses.
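The warning signs listed above (look-alike sender addresses, urgency, a payment request from an unexpected source) are mechanical enough to check automatically, which is how a mail gateway or a "Report Phishing" triage script can give staff a nudge before they act. The following is an added example written for this post; it is not Net-Defence's tooling or any vendor's product. It assumes a hypothetical list of domains the firm trusts, and the sample message is constructed to resemble the ‘Friday afternoon’ fraud described earlier: a display name borrowing a trusted domain, a sender domain with "rn" standing in for "m", and a Reply-To pointing elsewhere. It is a triage aid for defenders, not a substitute for the out-of-band phone call the post recommends.

```python
import re
from email.utils import parseaddr

# Assumed list of domains the firm legitimately exchanges mail with (constructed for this example).
TRUSTED_DOMAINS = {"example-law.co.uk", "client-bank.co.uk"}

# Phrases that create the artificial urgency the post describes.
URGENCY_TERMS = ("urgent", "immediately", "asap", "before close of business", "right away")

# Character substitutions that look alike on screen and are used in look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Undo look-alike substitutions so 'exarnple-1aw' compares equal to 'example-law'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this sender domain imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if normalise(domain) == t or levenshtein(domain, t) <= max_distance:
            return t
    return None


def check_message(headers: dict, body: str) -> list:
    """Return a list of warning strings for one inbound message (empty list = nothing flagged)."""
    findings = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Sender domain is a near-miss of a domain the firm trusts.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain!r} resembles trusted domain {target!r}")

    # 2. Display name names a trusted domain but the real address is somewhere else.
    for t in TRUSTED_DOMAINS:
        if t in display_name.lower() and from_domain != t:
            findings.append(f"display name mentions {t!r} but address is {from_addr!r}")

    # 3. Replies would go to a different address than the one the message claims to come from.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to!r} differs from From {from_addr!r}")

    # 4. Urgency language in the body, the pressure tactic the post describes.
    text = body.lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 5. A payment-related request from an untrusted domain should always be verified by phone.
    if re.search(r"\b(bank details|transfer|payment|sort code|iban)\b", text) and from_domain not in TRUSTED_DOMAINS:
        findings.append("payment-related request from an untrusted domain; verify by phone")

    return findings


# Constructed sample: a spoofed 'Friday afternoon' payment request.
SAMPLE_HEADERS = {
    "From": '"Accounts example-law.co.uk" <accounts@exarnple-law.co.uk>',
    "Reply-To": "accounts.payments@webmail-example.invalid",
}
SAMPLE_BODY = (
    "Hi, the client's completion funds need to go out before close of business. "
    "Please transfer to the new bank details below immediately."
)

if __name__ == "__main__":
    for warning in check_message(SAMPLE_HEADERS, SAMPLE_BODY):
        print("WARNING:", warning)
```

None of these checks is conclusive on its own (a genuine supplier may legitimately set a different Reply-To), which is why the output is a list of reasons for a human to pause rather than a verdict. The useful design choice is that a message hitting several at once, as the sample does, is exactly the one that should be reported rather than actioned.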

It is crucial to foster a zero-blame culture within the organisation. If employees fear punishment for falling victim to a phishing attack, they may avoid reporting incidents, increasing the risk of further damage. Encouraging a culture of openness and support ensures that employees feel comfortable reporting security concerns without hesitation.

Supply Chain

Over the past two to three years, supply chain (SC) risk has shifted from an emerging risk to a current one.

Supply chain risk encompasses a wide range of factors, including economic uncertainty, political instability, natural disasters, and supplier failures. However, today we will be exploring one particularly pressing threat: cyber risk within your supply chain.

Most organisations rely heavily on suppliers to deliver products, systems, and services. A cyberattack targeting your supply chain can be just as damaging as a direct attack on your own organisation.

Identifying these risks can be challenging, as supply chains are often large, complex, and interconnected. Threats can emerge at any point and take many forms, whether they are inherent, introduced, or exploited by cybercriminals looking for vulnerabilities.

Inherent risk

An inherent risk is a type of vulnerability that will always exist within your supply chain, regardless of any actions you take.

For example:

  • Reliance on security measures of external vendors and suppliers
  • Lack of visibility and control over the supply chain network

Introduced risk

As the name suggests, this risk is introduced into your supply chain through various factors, such as human error, negligence, or malicious actions. These threats can originate from both internal and external sources.

For example:

  • Insecure data sharing
  • Insufficient security measures in place, leaving vulnerabilities that could be exploited
  • Use of compromised or counterfeit components or products
  • Failure to perform due diligence

Exploited risk

Exploited risk occurs when a vulnerability within your supply chain is actively leveraged by cybercriminals to launch an attack, compromising the confidentiality, integrity, or availability of critical systems and data.

For example:

  • Compromised supplier infrastructure can be used as a gateway to infiltrate your systems and data. This often occurs through email-based attacks, where a supplier’s compromised email account is used to send phishing emails or deliver malicious payloads.
  • Unauthorised access can occur if cyber criminals exploit stolen or weak credentials to gain entry into systems and data managed by a supplier on your behalf. This can lead to data breaches or system disruptions.
  • Insider threats arise when a supplier’s employee or even one of your own collaborates with external attackers, deliberately compromising your systems or data for personal or financial gain.

The 10th annual State of the Phish (SotP) report revealed that 67% of UK organisations have been targeted by a cyberattack through their supply chain.

As businesses strengthen their cyber security posture, investing in certifications like Cyber Essentials to implement robust technologies, systems, and processes, their supply chain can become their greatest vulnerability.

Once inside the supply chain, an attack can take many forms. Cybercriminals may steal data, interrupt services, use the supplier as a stepping stone to infiltrate your infrastructure, or launch a direct cyberattack.

Attacks can occur through direct targeting or chance:

  • Direct targeting happens when cybercriminals identify a company as their primary target but find its defences too strong. Instead, they assess the supply chain, find a weak link, and exploit it.
  • Chance attacks occur when a supplier has already been compromised. The attacker then spreads through the supply chain, looking for additional vulnerabilities to exploit.

Whether a company is a direct target or becomes a victim by chance, supply chain attacks are increasingly used as an entry point. These attacks can be extremely difficult, or even impossible, for employees to detect.

The role of email in supply chain attacks

Email remains the most common attack vector in the UK. Organisations rely on email scanning, antivirus software, and firewalls to filter out threats, and these controls have been effective in blocking many malicious emails.

However, if a supplier’s email account has been compromised, these standard preventative and detection measures become ineffective.

When an attacker gains access to a supplier’s email, they can bypass authentication and authorisation controls. The insider knowledge they gain allows them to replicate normal communication patterns, making it almost impossible to detect anomalies.

Consider this: if you receive an email from a trusted supplier or client, someone you communicate with regularly, would you hesitate to open a document, click a link, or enter your login credentials to access a file? That’s exactly what attackers are counting on.

Human risk in supply chain attacks

The latest SotP report also analysed user behaviour risks. Among the top five risky behaviours were sharing passwords and responding to messages from unknown senders.

Why do employees take these risks? The most common reasons cited were saving time, convenience, and meeting deadlines.

No matter how much training or phishing simulation exercises a company invests in, a compromised email account can still deceive even the most security-aware employees. Humans will always be the weakest link in cyber security.

Supply chain risk management is key to defending against these threats. Businesses already conduct financial checks and health & safety audits on suppliers, so why aren’t cyber security checks just as standard? To truly protect your business, you need assurances that your suppliers take cyber security as seriously as you do.

Ransomware

Ransomware attacks are a well-known cyber threat, well documented in the news and depicted in many films and TV shows. In these attacks, cybercriminals encrypt an organisation’s data and systems, demanding a ransom for their release. Many attackers also threaten to publish stolen data online, using blackmail tactics to extort further payments.

The National Cyber Security Centre (NCSC) and UK law enforcement strongly advise against paying ransoms. According to the 2023 State of the Phish report, UK organisations reported:

  • 63% had paid a ransom.
  • Only 34% fully recovered their data after payment.
  • 46% were forced to pay multiple ransoms.
  • 17% paid but received nothing in return.

The NCSC and ICO encourage organisations to be transparent about ransomware incidents and seek their support. This can help your business recover, support investigations, and contribute to efforts in preventing future attacks.

How can you defend against ransomware attacks?

As a law firm, you should implement these key measures to protect your business:

  • Regular backups: Ensure data is backed up and stored separately from your operational systems to prevent attackers from accessing it.
  • Backup testing: Regularly test your backups to confirm you can successfully restore data in case of an attack.
  • Follow best practices: Strengthen security by implementing two-factor authentication (2FA) for added protection and patch management to keep systems updated and secure.
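"Regularly test your backups" is the step most often skipped, because a backup job that reports success looks the same as one that actually restores. The script below is an added example for this post, not Net-Defence's product or any particular backup tool's API. It assumes a simple gzip tarball backup and a manifest of SHA-256 hashes recorded at backup time and kept separately from the archive; the matter folder it backs up is constructed in a temporary directory. A test restore is made into a scratch directory and compared file by file against the manifest, so a backup that is incomplete, silently corrupted, or simply stale (files changed or added since it last ran) is reported rather than discovered on the day of an attack.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(root: Path, archive: Path) -> dict:
    """Write a gzip tarball of root and return the manifest taken at backup time.
    Store the manifest apart from the archive so a damaged archive cannot carry
    a matching manifest with it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return build_manifest(root)


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and compare it with the manifest.
    Returns the count of files that restored correctly plus the names of files that are
    missing from the restore or whose content differs from the manifest."""
    # Use tarfile's 'data' extraction filter where this Python version supports it, so a
    # crafted archive cannot write outside the scratch directory during the test restore.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch_path, **extract_opts)
        restored = build_manifest(scratch_path)
    missing = sorted(name for name in manifest if name not in restored)
    mismatch = sorted(name for name in manifest
                      if name in restored and restored[name] != manifest[name])
    return {
        "ok": len(manifest) - len(missing) - len(mismatch),
        "missing": missing,
        "mismatch": mismatch,
    }


def run_demo() -> tuple:
    """Constructed scenario: back up a small matter folder, verify it, then show how a
    stale backup is caught once the live data has moved on."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        matter = work_path / "matter-files"
        (matter / "correspondence").mkdir(parents=True)
        (matter / "correspondence" / "letter.txt").write_text("Dear Sir, ...")
        (matter / "deed.txt").write_text("Transfer deed v1")

        archive = work_path / "matter-files.tar.gz"
        manifest = create_backup(matter, archive)
        clean = verify_restore(archive, manifest)  # everything restores and matches

        # The live folder changes after the backup ran; the old archive no longer
        # reflects current data, and a restore from it would lose work.
        (matter / "deed.txt").write_text("Transfer deed v2")
        (matter / "new-note.txt").write_text("added after backup")
        stale = verify_restore(archive, build_manifest(matter))
    return clean, stale


if __name__ == "__main__":
    clean, stale = run_demo()
    print("fresh backup:", clean)
    print("stale backup:", stale)
```

Run on a schedule against the backup that was stored off the operational network, this kind of check turns "we have backups" into "we restored them last week and they matched"; the same comparison also tells you how much work would be lost between the last good backup and the present, which is the figure that decides whether a ransom demand has any leverage.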

AI

Cybercriminals’ use of AI technology isn’t as new as you might think. Back in 2019, a UK CEO fell victim to an AI-powered voice spoofing scam. Believing he was speaking with his boss, the Chief Executive of the parent company, he was deceived by a cybercriminal who manipulated him into transferring $243,000.

Today, AI is more advanced and widely available than ever. Many people have used ChatGPT or similar tools, and cyber security professionals are leveraging AI to combat threats.

Unfortunately, criminals also have access to their own AI-powered tools. On the dark web, WormGPT, a black-hat alternative to ChatGPT, has been developed with no ethical safeguards. This provides individuals with little or no technical expertise with the right tools and scripts to execute sophisticated cyberattacks.

When AI tools first emerged, the fear was that robots would replace human jobs. However, the real threat is not a robot, it’s a human using AI to steal data, money, and identities.

The fight between security professionals and cyber criminals mirrors the classic good vs evil, cat-and-mouse struggle we see in films, with each side adapting to new technologies.

Hackers fall into three main categories

  • White hat hackers: Ethical hackers who simulate attacks (with permission) to identify vulnerabilities and help organisations strengthen security.
  • Black hat hackers: Malicious actors who exploit systems for personal or financial gain.
  • Grey hat hackers: A mix of both. They hack systems without permission but don’t always act with malicious intent. Some inform organisations of vulnerabilities, often seeking payment to fix them.

Regardless of intent, all these groups are now integrating AI into their toolkits, making cyber threats more sophisticated and harder to detect.

As the PwC study cited earlier shows, clients will walk away from a provider they believe is careless with their data. Once trust is lost, rebuilding it is costly and time-consuming, and firms risk losing existing clients and missing out on new business.

How Net-Defence can help

Cyber security isn’t just about investing in more tools, it’s about having the right expertise by your side. Just as the legal profession requires training and certifications, cyber security requires specialist knowledge.

Trying to manage security alone can leave gaps that cybercriminals are ready to exploit. Instead, law firms should work with trusted partners, like ourselves, to prevent, defend against, and recover from cyber threats.

Achieving industry-leading certifications, such as Cyber Essentials, keeping software and systems updated with the latest patches, and accessing a Security Operation Centre (SOC) for 24/7 monitoring and threat mitigation are all critical steps in protecting your business.

At Net-Defence, we provide tailored cyber security solutions designed to meet the specific needs of your firm.

We understand the unique challenges the legal sector faces when it comes to IT security, compliance, and data loss prevention, ensuring your business remains protected.

By taking a proactive approach today, you can prevent costly breaches, safeguard your clients, and protect your firm’s reputation for the long term. Get in touch to learn more about how we can help.
