Why law firms are high-value targets
Attackers don't pick targets by size. They pick by what a breach is worth to them — or what it's worth to you to get your data back.
Law firms check every box. You hold confidential client communications protected by privilege. You handle trust accounts and escrow funds. You work on deals, litigation, estate plans, and matters that would embarrass or damage clients if they became public. And you operate under a professional duty of confidentiality that creates real pressure to pay a ransom and stay quiet rather than disclose an incident.
That combination — valuable data, financial transactions, and institutional reluctance to report — makes law firms one of the most consistently targeted categories of small business, regardless of practice size or location.
The real threats: what actually happens
Business email compromise and wire fraud is the most financially damaging threat category for law firms. Attackers compromise a firm email account — often through a reused password or a successful phishing email — then monitor silently for weeks, waiting for a closing, a settlement disbursement, or a deal wire. At the right moment they intercept the wiring instructions or send an email from the attorney's own compromised mailbox with changed banking details, frequently adding an inbox rule that hides the client's replies so the attorney never sees the exchange. The client or counterparty sends funds to the attacker's account. Recovery is often impossible once the wire clears, which is why any change to wiring instructions should be confirmed by phone to a number already on file, never to one supplied in the email.
Ransomware encrypts your files and frequently your backups too, if they're connected to the network. For a firm without tested, isolated backups, the choice becomes paying the attacker or rebuilding from scratch. Attackers increasingly also exfiltrate data before encrypting it and threaten to publish client files unless paid — a tactic called double extortion.
Data theft and account compromise is quieter but just as damaging. Stolen client files, privileged communications, or deal information have value on dark markets. Compromised email accounts can be used to send further attacks to your clients, damaging those relationships even after the intrusion is discovered.
The controls that close these gaps
Multi-factor authentication on everything. MFA on email is the single most effective control against account compromise and business email compromise. If an attacker steals a password but can't pass the second factor, they can't log in and send fraudulent wiring instructions from your account. Prefer an authenticator app, a hardware key, or passkeys over SMS codes, which can be intercepted or socially engineered, and treat MFA as a complement to, not a replacement for, call-back verification of payment details. MFA should also cover remote access, your document management system, and any cloud application that touches client data. See the MFA guide for how to roll it out.
Email security. A properly configured email gateway filters phishing and impersonation attempts before they reach inboxes. SPF, DKIM, and DMARC records let receiving mail servers tell whether a message that claims to come from your domain was actually sent by your authorised servers, and what to do with it if it wasn't. They only protect your clients from fake messages that look like they're from you if DMARC is set to enforce (p=reject, or at least p=quarantine); a record left at p=none merely reports spoofing attempts while still letting them through.
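The difference between a monitoring-only record and an enforcing one is easy to miss when reading raw DNS text. The following checker is an added example written for this page, not a tool the page or any vendor supplies. It parses SPF and DMARC TXT records and reports the weak settings described above (a permissive "all" mechanism, p=none, partial pct, no reporting address). The three domains and their records are constructed for illustration; a real check would fetch `_dmarc.<domain>` and the domain's own TXT record over DNS. DKIM is not covered because its records live under a per-selector name that cannot be discovered from the domain alone.

```python
import re

# Constructed sample TXT records (not real domains, not from the page).
SAMPLE_RECORDS = {
    "weak-firm.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example",
    },
    "hardened-firm.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened-firm.example",
    },
    "open-firm.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,   # no _dmarc record published at all
    },
}

ALL_MECHANISM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf):
    """Return findings for an SPF record; an empty list means it enforces."""
    if spf is None or not spf.lower().startswith("v=spf1"):
        return ["SPF: no record; receivers cannot tell which servers may send for this domain"]
    findings = []
    qualifier = None
    for term in spf.split()[1:]:
        match = ALL_MECHANISM.match(term)
        if match:
            qualifier = match.group(1) or "+"   # bare 'all' means pass
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises any server on the internet to send as this domain")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; unauthorised mail is marked, not rejected")
    elif qualifier == "?":
        findings.append("SPF: '?all' neutral; no effective protection")
    return findings


def assess_dmarc(dmarc):
    """Return findings for a DMARC record; an empty list means it enforces."""
    if dmarc is None:
        return ["DMARC: no record; SPF and DKIM results are never enforced"]
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: malformed record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append("DMARC: missing or unknown 'p' policy tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of spoofed mail unpoliced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will receive no aggregate reports")
    return findings


def assess_domain(spf, dmarc):
    """Combined findings for a domain's SPF and DMARC records."""
    return assess_spf(spf) + assess_dmarc(dmarc)


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        findings = assess_domain(records["spf"], records["dmarc"])
        print(f"{domain}: {'enforcing' if not findings else 'weak'}")
        for finding in findings:
            print("  -", finding)
```

Run it and the hardened domain reports no findings, while the two weaker configurations list exactly which setting lets spoofed mail through. Replacing the constructed dictionary with live DNS lookups (for example via the `dnspython` package) turns this into a quick pre-engagement check you can run against your own domain before a client questionnaire asks about it.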
Full-disk encryption. Every laptop and workstation should have full-disk encryption enabled (BitLocker on Windows, FileVault on macOS). If a device is lost or stolen while powered off or locked, the data on it is unreadable without the decryption key or passphrase; it does not protect a machine that is already unlocked, so pair it with short screen-lock timeouts. Store recovery keys centrally, in your device management platform or identity directory, so a forgotten password does not turn into data loss. State bar technology competence guidance widely treats encryption of portable devices as a baseline expectation.
Endpoint detection and response (EDR). Traditional antivirus identifies known malware. EDR monitors behavior — catching threats that don't match a known signature, including ransomware before it finishes encrypting your files. Paired with monitored alerts, EDR is how you find out about a compromise in hours rather than weeks. The EDR overview covers what to look for.
Secure client file sharing — not email. Email is not a secure channel for transmitting client documents. A client portal or secure file-sharing platform with access controls and audit logs is the right tool. It also makes it much harder for an attacker monitoring email to intercept documents or redirect clients.
Tested, isolated backups. Backups stored on the same network they back up, or reachable with the same administrator credentials, can be encrypted or deleted alongside production systems. Offsite or cloud backups with immutable retention — where even an administrator can't delete them during the retention window — are the difference between a recovery and a ransom conversation. Test a full restore on a schedule and record how long it took; backups that have never been tested are not backups, they're hopes.
The ethics dimension: competence, confidentiality, and client questionnaires
Cybersecurity isn't just a business risk for law firms — it's an ethical obligation.
ABA Model Rule 1.6(c) requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Comment 8 to Rule 1.1 states that maintaining competence includes keeping abreast of the benefits and risks associated with relevant technology. State bars across the country have adopted the same language or issued formal opinions that interpret it to require specific practices: encryption of client communications, vendor agreements with confidentiality provisions, and documented incident response procedures.
Beyond bar obligations, the landscape is changing practically. Many large corporate clients now send security questionnaires to their outside counsel before engaging them or as part of annual reviews. Cyber insurers increasingly require evidence of specific controls — MFA, EDR, backup testing — before issuing or renewing a policy.
A firm that can answer those questionnaires with real documentation is a firm that wins the engagement and keeps its coverage. A firm that can't is losing both.
What to look for in an IT provider
Not every managed IT provider understands the law firm environment. The right partner should be familiar with the specific workflows involved — document management systems, e-filing, time and billing, and the secure client communication requirements that set legal apart from general business IT.
More importantly, they should be able to explain what they're monitoring and why. Ask whether they have experience with professional services firms, whether they carry cyber liability insurance themselves, and whether they can produce documentation of your security controls for a bar response or client questionnaire. If they can't answer those questions clearly, keep looking.
Cybersecurity for a law firm isn't about buying the most expensive tools. It's about having the right baseline in place, monitoring it, and being able to demonstrate that you take your clients' information seriously — because the bar, your clients, and your insurer are all asking.
