Why Most Law Firms Get Hacked – And What You Can Do About It

Your enterprise security controls are only as strong as the weakest link in your defence. Unfortunately for organisations such as Target, Facebook and Google, gaps in their supply chain security have resulted in major cyber breaches, leading to the theft of millions of dollars, reputational embarrassment and the sacking of several high-profile executives. What these industry giants had in common was that they were all victims of phishing attacks, which remains the most significant cyber threat that law firms across the globe face today.

Analysis shows that human actions are overwhelmingly at the heart of many vulnerabilities within the legal sector, and cyber attackers are actively seeking to exploit our human weaknesses to compromise target systems. Often this is achieved by tricking an employee or a supplier through social engineering. For example, up to 95%[1] of all attacks on enterprise networks are the result of successful spear phishing, with 76% of businesses reporting being a victim of a phishing attack in the last year[2]. Furthermore, the SRA reports that over £11 million of client money was stolen due to cyber crime in 2016-17[3], and this number has increased over the last year. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.

Phishing is an attempt to elicit a response from a person or group of people via mediums such as:

  • Email
  • Text (also known as ‘smishing’)
  • Phone calls / voicemails (also known as ‘vishing’)
  • Social media, or
  • A combination of some or all of the above.

This form of attack is so successful because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to influence others, either consciously or unconsciously.

Some examples of the techniques include:

  • An urgent request for client information or significant funds
  • Instruction from someone in authority, such as a Partner
  • Curiosity
  • Appealing to your compassion

If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request. This is one of the challenges in tackling threats such as phishing: we don’t see a simple everyday task such as opening and responding to emails as a threat.

To address this, there needs to be a greater understanding of what the threat is, the effect it could have, how we can help to stop it and, most importantly, that we each have an active part to play. Ensuring supply chain staff have responsibility for cyber security within their role is the key to your supply chain being an active part of your cyber defences rather than a part of the vulnerability. Supply chain staff being compromised through a phishing attack could give an attacker unprecedented access to your own systems – a risk that no law firm wants to take.

However, to empower those individuals, you need to provide them with awareness. Ensuring you have the right awareness programme in place to effect real changes in your supply chain staff’s behaviour is critical.

A good approach is to start out in a single area such as phishing – currently the most significant threat to law firms[4] – and progressively expand it over time to include other areas such as password security, social media, information handling and other relevant subjects. These awareness campaigns can be rolled out internally while also monitoring improvement across your supply chain.

Technology and perimeter controls will always be your first line of defence, and they are incredibly valuable in protecting your firm from the cyber threats you face. However, there will be times when attackers get through, and then it is up to your internal and supply chain staff to protect you. Only once you have a cyber aware workforce, with a security culture embedded within your firm and extended to your suppliers, can you be confident in their ability to be your last line of defence.

BLOCKPHISH provides law firms with the ability to improve their resilience against phishing attacks. We deliver simulated phishing emails and awareness learning to your staff, specifically tailored to emulate real-world cyber threats. BLOCKPHISH aims to improve recognition and understanding of these threats, and reduce the possibility that a phishing email will compromise your security or lead to a sophisticated cyber-attack.

We provide a vast and broad cyber consulting capability to ensure your firm receives the guidance and expertise it requires to strengthen its defences against cyber-attacks.

  • Support the creation and realisation of an appropriate cyber strategy, from managed Security Operations Centres (SOCs) to the delivery of managed ethical phishing campaigns.
  • Help you to understand the cyber risks your firm faces, and identify, establish and operate a robust and pragmatic governance and management system to address those risks.
  • Assess your people, process and technology solutions and deliver a remediation and improvement plan to mitigate any vulnerabilities.
  • Provide first responder capability in the event of a cyber incident to stem the impact of an attack, restore services or data quickly and prevent repeat occurrences.
  • Embed cyber aware behaviours within your firm’s culture to reduce your vulnerability to cyber-attacks.
  • Deliver cyber simulations and incident and crisis simulations for key staff to ensure your firm is best prepared to respond effectively in the event of a cyber breach.
  • Provide training and professional development for your security professionals.
  • Assess and support you in your journey to comply with the EU’s General Data Protection Regulation (GDPR) and ensure you avoid the high penalties (4% of global revenues) for non-compliance.
  • Our certified consultants deliver assessment services including Cyber Security Risk Assessment, Cyber Security Strategy & Architecture, Cyber Essentials, PCI DSS, ISO27001, UK DPA and other internationally recognised standards.

Join Europe’s elite legal cyber security community.