Trending in Tech
 

Understanding the Need for Cybersecurity in 2025

As cyberattacks increase in frequency across all industries, law firms need to pre-emptively prepare by creating internal safety measures.
By Alex Heshmaty
October 2025
 

One in five US law firms suffered a cyberattack in a 12-month period, according to recent research from privacy company Proton. The study also revealed that around two-thirds of legal professionals are concerned about cyberattacks.

And they are right to be worried, with sensitive and confidential data held by firms providing a lure to a menagerie of cybercriminals, hacktivists and state-sponsored bad actors. A group of hackers reportedly suspected to be affiliated with the Chinese government recently infiltrated the IT systems of Washington D.C. firm Wiley Rein, apparently in an audacious attempt to gather intelligence for trade negotiation. 

Across the pond, the U.K.’s Legal Aid Agency — a public body that arranges legal assistance for those who cannot afford to pay for legal advice and representation — announced in May 2025 that it was the victim of a malicious hacking group which “accessed and downloaded a significant amount of personal data from those who applied for legal aid ... between 2007 and ... 2025.” This cyberattack, which seemingly spanned almost two decades, has led to significant fallout, with both lawyers and clients impacted, and a disruption in providing access to legal services.

Why Are Law Firms Particularly Vulnerable to Cyberattacks? 

Although many of the most publicized cyberattacks involve large retailers and household names, the legal sector is particularly attractive prey for cyber-predators due to the nature of the information routinely handled by lawyers.

Madison Iler, Chief Executive Officer of LMG Security, says, “Law firms hold vast amounts of sensitive and valuable client data that make them prime targets for theft and extortion.” But as well as holding data which can act as bait for cybercriminals, law firms also suffer more from the fallout of a hack. Iler notes that, while “law firms share many of the same cyber risks as other industries, the potential impact of these threats is heightened” as a result of this valuable information. Firms also face significant reputational risk upon suffering a data breach, Iler says. 

According to Steve Garbett, Head of Infrastructure and Information Security at Lawfront, the impact of a cyberattack on a law firm can be stark. “As a knowledge-based service, information is a key asset,” he says. “Loss or exposure of confidential client data can devastate a firm’s finances and reputation.”  

While law firms face cybersecurity risks similar to those of other companies, Garbett emphasizes that, as firms have migrated away from physical documents to technology to serve clients, a firm is hit particularly hard because of the billable-hours format.

Notable Cybersecurity Threats to the Legal Industry 

There is a vast array of methods used by hackers to gain access to data contained on IT systems commonly used by lawyers, such as case management platforms and email tools. Earlier this year, the FBI warned that law firms were being targeted by cybercriminals using phishing and social engineering tactics to gain access to sensitive client data and subsequently demand a ransom to prevent it being published online.

“Phishing and business email compromise are ... top threats, as email is often exploited to steal funds or confidential information,” Iler says. She adds that today’s “most pressing cybersecurity risks for law firms are ransomware attacks, data exfiltration and cyber extortion.”

An increasing source of risk also comes from interconnected IT systems that allow third parties to access a law firm’s networks. “Man-in-the-middle attacks and fund diversion attempts are ongoing threats,” Garbett says. “Supply chain vulnerabilities, often from compromised clients or third parties, are rising as systems become more interconnected.” 

Iler echoes these fears, warning that “vendor and cloud security gaps expose firms to risks beyond their direct control, making strong third-party due diligence and vendor risk management monitoring essential.” 

Back in the U.K., one law firm was recently fined £60,000 by the information regulator when it was discovered that hackers — who had gained access to their IT network using an administrator account that lacked multi-factor authentication (MFA) — had published vast troves of client data to the dark web. These types of “back door” cyberattacks can often be mitigated by ensuring that all staff take simple security precautions, such as enabling MFA. 

Is AI Making Cyberattacks More Likely? 

Despite the various efficiency benefits that AI can bring to a law firm, Garbett explains that it can also “produce novel methods of attack that have the capability to discover and exploit devices and people more effectively.” Any technical vulnerabilities “can be abused at scale, while allowing less-skilled actors to mount sophisticated attacks,” he says. 

In particular, phishing attacks can become much more sophisticated with the use of AI, as it is able to “craft near-perfect emails and websites, mimicking tone, logos and language — able to dupe even the most vigilant,” Garbett warns. 

All the existing cybersecurity risks are essentially exacerbated by AI, according to Iler. She says that social engineering hacks, in particular, are becoming “more convincing, faster and harder to detect” due to AI software that can be used to create personalized phishing emails and generate deepfake audio or video for highly accurate impersonations of business partners, clients and others.

Meanwhile, the adoption of a multitude of AI tools specifically designed for the legal sector can heighten the dangers of firms being exposed to cyberattacks. According to Iler, the very same AI software that is used by firms to enhance “speed and efficiency contributes to third-party intellectual property disclosure and security risks if AI vendors and tools are not thoroughly vetted and securely managed.” 

Garbett says that firms need to understand how AI uses any data it is fed. “Where AI-consumed data is stored, how accessible it is and how it is processed is important to understand when considering a tool,” he says. “Improper use, testing or a poor product could result in inadvertent breaches if an AI agent were to ‘leak’ sensitive information.” 

How Can Law Firms Avoid Being Hacked? 

Irrespective of the sophistication of antivirus and security software, even basic hacks can make it through a law firm’s defenses if staff are not trained to recognize threats.  

“With a significant number of incidents involving human error, clear policies and a cyber-positive culture within the firm greatly contribute toward a strong security posture,” Garbett says. 

Iler emphasizes the importance of regular staff training to reduce the possibility of being hacked. “I recommend that law firms ramp up training and awareness, including the threats of AI-generated phishing and how to recognize deepfake audio and video,” she says. She also recommends implementing a clear system for reporting suspicious activity or situations and having firms educate their teams on both the risks of using unapproved AI and how AI can cause the disclosure of confidential data.  

But while reducing the risk of social hacks through regular staff training is arguably key, law firms also need “all the expected elements of a modern cybersecurity program, such as consistent patching, system hardening, monitoring and detection,” according to Iler. She says the focus should be on data protection controls such as MFA, role-based access, AI security and encryption. But above all, the experts emphasize that firms need to stay vigilant and develop a culture of continuous improvement and ongoing risk reduction. 
