Why Threat Actors Love Targeting Law Firms

In February 2021, the law firm Jones Day confirmed that hackers had stolen confidential client data through a vulnerability in Accellion's file-transfer appliance. Sensitive case documents, including those related to major corporate litigation, ended up on the Clop ransomware gang's dark web leak site. Jones Day wasn't a small operation — it's one of the largest firms in the world. And that's precisely the point.

Cybersecurity for law firms isn't an abstract IT concern anymore. It's a direct threat to client trust, regulatory standing, and your firm's ability to operate. If you're a managing partner, IT director, or compliance officer at a legal practice, this post gives you the specific threats you face, the defenses that actually work, and the training strategies that reduce your attack surface starting today.

Law firms sit on a goldmine of exploitable data: merger details, intellectual property, litigation strategies, personally identifiable information, financial records, and attorney-client privileged communications. A single breach doesn't just cost money — it can trigger state bar disciplinary proceedings, malpractice suits, and permanent reputational damage.

The $4.88M Problem Hiding in Your Inbox

According to IBM's 2021 Cost of a Data Breach Report, the average breach cost for professional services firms hit $4.65 million. For firms handling regulated data — which describes virtually every law practice — costs climbed even higher. The Verizon 2021 Data Breach Investigations Report found that 36% of breaches involved phishing, making it the single most common attack vector across all industries.

In my experience, law firms are especially vulnerable to phishing because of how they operate. Attorneys routinely open attachments from unknown parties — opposing counsel, courts, new clients. They click links in emails from people they've never met. That workflow is a social engineering dream.

Wire fraud is the variant that hits law firms hardest. The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise (BEC) schemes accounted for nearly $2.4 billion in losses in 2021 alone — more than any other category. Real estate closings, settlement disbursements, and trust account transfers make law firms prime targets for credential theft and email impersonation.

You can review the FBI IC3's annual report at ic3.gov for the full breakdown.

The Five Threats Every Law Firm Must Prepare For

1. Phishing and Spear Phishing

Generic phishing emails cast a wide net. Spear phishing targets a specific attorney by name, referencing a real case or client. I've seen threat actors scrape court dockets for case numbers and attorney names, then craft emails that look indistinguishable from legitimate court notifications. One click installs malware or harvests credentials.

2. Ransomware

Grubman Shire Meiselas & Sacks learned this lesson publicly in May 2020 when the REvil ransomware gang stole 756 gigabytes of celebrity client data and demanded a $42 million ransom. Ransomware gangs specifically target firms they believe will pay — and law firms, desperate to protect privileged communications, often do.

3. Business Email Compromise

A threat actor compromises a partner's email account — often through credential theft via phishing — and sends wire transfer instructions to a paralegal or bookkeeper. The money leaves, and it doesn't come back. I've personally consulted on cases where six-figure sums vanished in under 90 minutes.
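As an added example (not code from the original post), the Python script below screens a single inbound message for the BEC red flags described above: a known partner's display name on the wrong mailbox, a Reply-To that routes answers elsewhere, a lookalike of the firm's domain, and wire-instruction language. The firm domain, the sender directory and the sample message are constructed for the illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed: the firm's domain and which mailbox each known display name may use.
# A real deployment would load these from the firm's directory (assumption).
FIRM_DOMAIN = "example-law.com"
KNOWN_SENDERS = {"Jane Partner": "jpartner@example-law.com"}
# Phrases typical of wire-redirection requests in closing/settlement workflows.
WIRE_TERMS = re.compile(r"\b(wire|routing|account number|updated (?:banking|payment) "
                        r"(?:details|instructions))\b", re.I)


def is_lookalike(domain, legit):
    # Heuristic: a different domain that is near-identical to the firm's (e.g. one
    # swapped character) is treated as a lookalike; ratio 0.9 allows one edit.
    return domain != legit and SequenceMatcher(None, domain, legit).ratio() >= 0.9


def bec_indicators(raw_message):
    # Returns the BEC red flags found in one RFC 822 message (empty list = none).
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")
    findings = []
    expected = KNOWN_SENDERS.get(from_name)
    if expected and from_addr.lower() != expected:      # known name, wrong mailbox
        findings.append("display-name impersonation of known sender")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain differs from sender domain")
    if is_lookalike(from_domain, FIRM_DOMAIN):
        findings.append("lookalike of firm domain")
    if WIRE_TERMS.search(msg.get("Subject", "") + "\n" + body):
        findings.append("wire/payment instructions present")
    return findings


# Constructed sample: a partner's name on a lookalike domain asking to redirect funds.
SAMPLE = ("From: Jane Partner <jane.partner@examp1e-law.com>\n"
          "To: bookkeeper@example-law.com\n"
          "Subject: Settlement disbursement - updated wire instructions\n\n"
          "Please use the updated banking details below before 3pm today.\n")

if __name__ == "__main__":
    for flag in bec_indicators(SAMPLE):
        print("BEC indicator:", flag)
```

Any non-empty result is a reason to verify the request out of band, by phone to a number already on file, before any funds move.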

4. Insider Threats

Departing attorneys taking client files. Disgruntled staff exfiltrating data. Careless employees emailing privileged documents to personal accounts. Not every breach comes from an outside attacker.

5. Third-Party Vendor Risk

The Jones Day breach happened through a vendor's product, not through Jones Day's own infrastructure. Your e-discovery platform, cloud storage provider, document management system, and court filing service all represent potential attack paths.

What Does Cybersecurity for Law Firms Actually Require?

This is the question I get asked most often by managing partners. They want a checklist. Here's what actually matters, in priority order.

Multi-Factor Authentication Everywhere

If your firm hasn't enabled multi-factor authentication (MFA) on every email account, VPN, cloud service, and remote access tool, stop reading and go do that first. MFA blocks over 99% of automated credential-based attacks according to Microsoft's own research. It is the single highest-impact security control you can deploy.

This means every attorney, paralegal, legal secretary, and IT admin. No exceptions for senior partners who find it inconvenient.

Security Awareness Training That Actually Changes Behavior

Annual compliance checkboxes don't reduce phishing click rates. Consistent, scenario-based training does. Your people need to recognize BEC attempts, suspicious attachments, and social engineering tactics in the context of legal workflows — not generic corporate examples.

If you're building or upgrading your firm's training program, our cybersecurity awareness training platform provides structured modules designed for exactly this kind of workforce education. Pair it with regular phishing simulations to measure real behavior change.

Generic phishing simulation tests miss the mark for law firms. Your simulations should mimic opposing counsel emails, court filing notifications, client intake forms, and wire transfer requests. You need to know which attorneys click — and you need a consequence-and-education model, not a shame-and-blame approach.

Our phishing awareness training for organizations lets you deploy realistic simulations and track results over time, so you can measure whether your firm is actually getting safer or just checking a box.

Endpoint Detection and Response

Traditional antivirus is insufficient against modern threats. Endpoint detection and response (EDR) tools monitor for suspicious behavior — not just known signatures. When ransomware starts encrypting files at 2 AM, EDR can isolate the machine before it spreads laterally to your document management system.

Encrypted Communications and Data at Rest

ABA Formal Opinion 477R (2017) clarified that attorneys have an ethical obligation to use reasonable measures to protect client communications. If you're sending privileged documents over unencrypted email, you're potentially violating your professional responsibilities.

Use TLS for email in transit. Encrypt laptops and mobile devices. Encrypt cloud storage. This isn't optional — it's an ethical mandate.

Zero Trust Architecture

The zero trust model assumes that no user, device, or network segment is inherently trustworthy. Every access request is verified. For law firms with multiple offices, remote workers, and third-party vendors, zero trust reduces the blast radius of any single compromised credential.

NIST Special Publication 800-207 provides a detailed framework for implementing zero trust. You can access it at csrc.nist.gov.

The Ethical Obligations You Can't Ignore

Here's what separates law firm cybersecurity from every other industry: attorneys have professional ethical duties around data protection. ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

At least 20 state bars have issued ethics opinions addressing technology competence. California's Formal Opinion 2020-203, for instance, explicitly addresses the duty of technology competence including cybersecurity measures.

A data breach at your firm isn't just a business problem. It's a potential ethics violation that can result in discipline, suspension, or disbarment. That reality should drive your security budget conversations.

Incident Response: The Plan You Need Before the Breach

Most law firms I've worked with have no written incident response plan. When a breach occurs, they scramble. Partners argue about whether to notify clients. IT tries to contain the damage without documented procedures. Hours pass while ransomware spreads.

What Your Plan Must Include

  • Defined roles: Who leads incident response? Who contacts law enforcement? Who handles client notification?
  • Containment procedures: Step-by-step instructions for isolating compromised systems.
  • Communication templates: Pre-drafted client notification letters, regulatory filings, and internal communications.
  • Forensic readiness: A relationship with a digital forensics firm established before you need them, not during a crisis.
  • Regulatory requirements: A matrix of which states require breach notification, within what timeframes, and to which authorities.
  • Cyber insurance coordination: Your carrier's breach hotline number and policy requirements for coverage.

CISA offers practical incident response guidance that's applicable to organizations of any size. Their resources at cisa.gov are a solid starting point.

Test the Plan Twice a Year

A plan that sits in a binder is worthless. Run tabletop exercises. Simulate a ransomware attack on a Friday afternoon. Walk through a BEC scenario where a partner's email has been compromised. See where the plan breaks down. Fix it. Test again.

Cyber Insurance: Necessary But Not Sufficient

Every law firm should carry cyber liability insurance. But I've seen too many firms treat a policy as a substitute for actual security controls. Insurers are tightening requirements — many now mandate MFA, EDR, and documented security awareness training before they'll issue or renew a policy.

If your firm can't demonstrate these controls, you may face coverage denials, higher premiums, or exclusions for preventable incidents. Treat your insurance application as a security audit. Every question on that form maps to a control you should have in place.

Building a Culture of Security at Your Firm

Technology alone doesn't protect a law firm. Culture does. And culture starts at the top.

When the managing partner refuses to use MFA, every associate gets the message that security is optional. When partners forward client documents to personal Gmail accounts, staff follows suit. When security training is treated as a nuisance, employees treat threats as someone else's problem.

I've seen firms transform their security posture in under a year by doing three things consistently:

  • Leadership models the behavior. Partners complete training first and visibly comply with security policies.
  • Training is ongoing, not annual. Monthly micro-trainings and quarterly phishing simulations keep awareness sharp.
  • Reporting is rewarded. Staff who flag suspicious emails get recognized, not ignored. This creates a human detection layer that no technology can replicate.

Your Next Steps

Cybersecurity for law firms isn't a one-time project. It's an operational discipline — like conflict checks, timekeeping, and trust account management. You wouldn't wing those processes, and you shouldn't wing security.

Start with these immediate actions:

The threat actors targeting your firm don't care about your billable hours, your reputation, or your client relationships. They care about leverage. Your job is to take it away from them.