The Ontellus Blog Features Updates & Industry Tips

Cybersecurity and law firms: What you need to know in 2025

Written by Ontellus | February 19, 2025 2:09:44 PM Z

Cybersecurity remains top of mind in industries across the globe as we enter the new year. And for good reason. From 2021 to 2023, there was a 72% increase in data breaches and 94% of organizations reported email security incidents. Additionally, a recent survey by the American Bar Association found that 29% of law firms had suffered a security breach in the past year. As cyber-threats continue to grow, it’s more vital than ever for those in the legal space to understand how these attacks can occur and what they can do to help protect themselves.  

To better understand hackers, it may be helpful to know what motivates them. Attack methods are constantly changing and improving as technology evolves, but attackers typically have one goal in mind: to make money. Generally, this can be accomplished in one of three ways:

Stealing data: Stolen data is extremely lucrative and the higher level the data, the more valuable it is. But depending on the exact goals of the threat actor, a breach in the system may not be immediately evident. Some will seize the data they immediately have access to while others may hang back and observe, waiting for the right opportunity to access higher-level data at a later time.  

Deploying ransomware: In this type of attack, the hacker will deploy programs that encrypt data files, making them impossible to access. They will demand payment, usually in the form of cryptocurrency, in exchange for the keys to unlock the data, or promise not to publicly release or sell the data to others if their demands are met. While the data is sometimes released back to the victim as promised, the data is often sold to third-party threat actors regardless. The legal industry faces especially steep ransom demands, with the 2024 industry median right around $1 million, while the median demand across all industries is around $600k (Reference: Arctic Wolf 2024 Threat Report).

Selling access: While some hacker groups operate independently, many participate in the vast cybercrime ecosystem, which includes highly specialized groups. Initial Access Brokers typically focus on collecting and selling credentials to other types of groups, such as ransomware gangs. This is usually accomplished through phishing schemes that trick victims into giving up their passwords, or by directing them to malicious websites that quietly steal passwords stored in the browser. Phishing schemes are becoming increasingly complex, particularly with the rise of AI as a tool to implement text and voice scams.

For individuals working at larger organizations, most cybersecurity controls will be handled by the IT or security teams. However, it’s still important to remain vigilant when responding to emails and texts and to follow good cybersecurity practices such as using multi-factor authentication, verifying the identity of the other party in digital interactions, and checking the target URL before clicking on any links.  

Those working at smaller organizations without an IT or security team will need to be more proactive in implementing cybersecurity measures. This includes strategies such as: 

  • Checking the security settings in third-party software and web services.  The most secure options aren’t always enabled out of the box.  It’s important to review and update all default settings to the most secure option possible for your specific usage.  A few examples include changing MFA from optional to required, enabling email alerts for logins from new devices, or disallowing data sharing with external email domains.  
     
  • Ensuring that operating systems and other applications are up to date. Many updates include security patches that address the latest threats and vulnerabilities.  
     
  • Utilizing modern EDR or XDR tools, the next generation of threat protection software. Legacy antivirus software will scan systems, looking for signatures that indicate a virus or malware. EDR tools take this a step further by monitoring user behavior and activity for suspicious patterns, and XDR goes even further by extending protection beyond the device, including monitoring of networks, emails, and other services.
     
  • Using up-to-date Wi-Fi devices and encryption. The older a device is, the more likely it is to use insecure protocols that are easy to compromise. When this happens, an attacker within Wi-Fi range can redirect your internet traffic to their own servers, where they can monitor your inputs.

  • Staying informed on the latest cyber threats by monitoring feeds such as US-CERT, Mandiant, or Microsoft.

The impact on organizations that fall victim to cyberattacks is two-fold. There are, of course, the monetary damages that come from loss of productivity, as well as fines and sanctions if the data affected was regulated. But there is also the reputational impact that organizations suffer as they notify various parties that their data has been compromised.

No matter your role or the size of your organization, we all have a part to play in cybersecurity. Check back with us throughout the year as we continue to talk through cybersecurity trends and strategies that anyone can implement.