The number of cyberattacks on legal firms is growing, and resellers and MSPs have a crucial role to play in keeping them safe – and there are various ways that this can be done.
Confidentiality is in the DNA of law firms, whether criminal or corporate. The volume of information that law firms hold – increasingly in the cloud – is vast, and much of it is not for public consumption. Of course, this means that it is a target for cybercriminals who see opportunities to make money.
Dr Keiran Fleming, CTO for the Barrister Group, says the cyberthreats to law firms are substantial and growing. “The National Cyber Security Centre has repeatedly flagged the legal sector as one of the most targeted professional services industries in the UK,” he says.
“The most common attack vectors are phishing and spear-phishing – by far the most prevalent, often tailored to look like court correspondence or Bar Council communications, business email compromise, ransomware attacks targeting case management systems and supply chain attacks through less well-defended third-party vendors.”
Phil Skelton, international business director at eSentire, notes that the number of successful cyberattacks against UK law firms increased by 77% in 2024, according to the 2025 Cyber Security Breaches Survey, with 55% of professional firms reporting cyber breaches.
“Legal firms are still seeing an increase in experiencing phishing attacks, making it the most widely reported cyber incident,” he adds. “AI is making this more effective, with AI-generated phishing achieving significantly higher click-through rates than human-crafted attacks. Also, ransomware attacks on UK law firms have increased, with the average ransom demands now exceeding £89,000, and the rise of Ransomware-as-a-Service.”
Hybrid complications
The growth in hybrid working continues to complicate matters for those in charge of security at legal firms. “Hybrid working has made security more complex, largely because it removes the clear boundaries firms once relied on,” says Mike Perez, chief technology security officer at Ekco. “Legal professionals are now accessing sensitive information from a mix of locations and networks, which makes it harder to maintain consistent oversight and control.
“This creates more potential entry points for attackers. Home networks and unmanaged endpoints can introduce risk that isn’t always visible to internal IT teams. At the same time, the way legal work is carried out hasn’t changed. Decisions are often time-sensitive, and access to data needs to remain seamless.
“The challenge is maintaining that level of accessibility without weakening security. This is why many firms are shifting towards approaches that focus on identity and access rather than location, alongside stronger endpoint management and better visibility across their environments.
“Hybrid working itself is not the issue, but it has exposed gaps in traditional security models that were built around an office-based environment. For many firms, this is accelerating the move towards externally managed security models that can provide consistent protection regardless of where work is taking place.”
Chris Boland, cyber security consultant at SYTECH, adds that when employees use personal laptops or mobile devices that aren’t under the firm’s MSP, the IT team loses all visibility. “For example, a solicitor might be reviewing a confidential document on a personal device that lacks critical security patches or is already compromised with malware; however, without device management, there is no way to verify the health of that device before it touches sensitive case files,” he says.
“Staff will often use a VPN to connect to their workplace network; however, VPNs themselves can be vulnerable and provide an opening for attackers. Having a managed vulnerability scanner employed on your network can help detect vulnerabilities as soon as they are reported, so you can patch any potential issues before an attacker exploits them.”
Hybrid working increases the potential for vulnerabilities as employees have multiple access points, adds Phil. “Employees can easily connect to systems that are not secure, exposing confidential and sensitive client information, financial details, etc.,” he adds.
“According to the 2025 Cyber Security Breaches Survey, 29% of companies in the UK experienced at least one incident connected to remote or hybrid working. Companies must implement clear security policies around hybrid working, showing employees how to secure their data and network. Phishing attacks have evolved beyond email – employees should be trained on what a potential attack can look like, allowing them to alert security teams in a timely manner.”
Effective security
There is a myriad of threats out there, but also various means of helping to ensure data stays secure. “Multi-factor authentication (MFA) is non-negotiable, but it is no longer a silver bullet,” says Dray Agha, senior manager of security operations at Huntress.
“MFA is a mandatory baseline for mail identities and VPN access. But we have also observed threat actors bypass it through ‘push fatigue’ (spamming users with approval prompts until they give in) or by exploiting unpatched vulnerabilities on the VPN appliance itself. MFA must be enforced universally, with absolutely no exceptions for senior partners or legacy systems.
“Defence in Depth is the only true safety net, as an effective, mature security posture requires assuming the perimeter will be breached. This means coupling MFA with continuous endpoint monitoring (EDR) and 24/7 telemetry logging (SIEM) to catch anomalies in real-time. If an attacker compromises a VPN credential, strict network segmentation, least-privilege access and behavioural monitoring are what actually stop them from reaching the firm’s document management systems.”
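As an added illustration (not part of the original article, and not any vendor's tooling), the following shows how the “push fatigue” pattern described above can be caught from MFA telemetry: a burst of denied or unanswered prompts for one user, with an approval at the end of the burst treated as the critical case. The log format, field names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format): time user result source_ip
SAMPLE_LOG = """\
2025-03-04T08:58:10 a.partner approved 198.51.100.7
2025-03-04T22:41:02 j.solicitor denied 203.0.113.50
2025-03-04T22:41:40 j.solicitor timeout 203.0.113.50
2025-03-04T22:42:15 j.solicitor denied 203.0.113.50
2025-03-04T22:43:01 j.solicitor timeout 203.0.113.50
2025-03-04T22:43:30 j.solicitor denied 203.0.113.50
2025-03-04T22:44:05 j.solicitor approved 203.0.113.50
2025-03-04T23:10:00 m.clerk denied 192.0.2.14
2025-03-04T23:55:00 m.clerk approved 192.0.2.14
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved prompts that is abnormal

def parse(log):
    """Yield (timestamp, user, result, ip) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, result, ip = line.split()
            yield datetime.fromisoformat(ts), user, result, ip

def detect_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Alert when a user accumulates `threshold` unapproved prompts inside
    `window` (warning), and again if an approval follows the burst (critical)."""
    recent = defaultdict(deque)  # user -> times of denied/timed-out prompts
    alerts = []
    for ts, user, result, ip in sorted(parse(log)):
        burst = recent[user]
        while burst and ts - burst[0] > window:  # drop prompts older than the window
            burst.popleft()
        if result in ("denied", "timeout"):
            burst.append(ts)
            if len(burst) == threshold:  # fire once as the burst crosses the line
                alerts.append({"user": user, "severity": "warning", "time": ts, "ip": ip})
        elif result == "approved":
            if len(burst) >= threshold:  # user gave in after being spammed
                alerts.append({"user": user, "severity": "critical", "time": ts, "ip": ip})
            burst.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert["severity"], alert["user"], alert["time"].isoformat(), alert["ip"])
```

A critical alert here is the point at which the session should be revoked and the credential reset, since the approval means the password was already known to whoever triggered the prompts.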
Mike agrees that MFA remains one of the strongest defences against credential-based attacks. “But on its own, it is not enough,” he adds. “What is becoming more important is how access is managed more broadly, with a shift towards models like zero trust, where users and devices are continuously verified rather than assumed to be secure.
“For legal firms, the focus is also on visibility. Knowing who is accessing sensitive data, from where, and under what conditions is critical, particularly in hybrid working environments. Encryption plays a key role here as well, ensuring that even if data is intercepted, it cannot be easily exploited.
“Beyond individual tools, many firms are moving towards managed detection and response, where threats are actively monitored and handled in real time. This is where managed service providers play a critical role, giving firms access to capabilities that would be difficult to build and maintain in-house.
“Ultimately, the firms that are better protected are those that treat security as an ongoing operational discipline.”
Mark Challis, head of cyber & AI security at EIP, agrees that MFA is essential. “But it is not infallible,” he adds. “Zero trust principles are increasingly important and form a core part of our security strategy at EIP, alongside our ISO/IEC 27001 certification, widely regarded as the gold standard for information security.
“In addition, strong data classification, encryption and robust identity management all play a critical role in protecting systems and data. Beyond technology, people remain one of, if not the most important, factors in maintaining security. Effective user awareness training, clear and practical policies, and visible commitment to security from senior leadership are all essential.”
Chris adds that a strong starting point is achieving Cyber Essentials certification, which is an affordable, government-backed scheme. “Achieving this protects your firm from around 80% of common cyberthreats by ensuring fundamental technical controls, such as firewalls and patch management, are correctly implemented and MFA is enabled where possible,” he says. “Beyond the security boost, it builds immediate trust with clients and is often a mandatory requirement when bidding for government or high-value legal contracts.
“From there, firms should continue to enhance their security posture. This includes adopting the Principle of Least Privilege, which ensures users only have access to the systems and data necessary for their role, as well as providing regular cybersecurity awareness training for staff.”
Building relationships
Resellers and MSPs have a crucial role to play in keeping legal firms safe from cyberattacks, and relationships with specialists can be key to this.
Dr Kieran says resellers should build relationships with legal IT specialists who understand the sector’s subtleties. “Any recommendation should explicitly map to the NCSC’s Cyber Essentials framework, as a minimum,” he adds. “For larger or more complex operations, a roadmap toward Cyber Essentials Plus makes sense. Both give the customer something measurable to demonstrate to insurers and regulators, which increasingly matters.”
Ryan Davis, channel account manager at CultureAI, says resellers can work with vendors that provide risk assessments across different data loss vectors, helping organisations understand their current exposure. “In the context of AI usage, these assessments can offer insight into how tools are being used, where sensitive data may be at risk, and what controls may be needed to mitigate potential issues,” he adds.
Dray adds that resellers shouldn’t sell one-size-fits-all IT packages but align their solutions with the unique regulatory and reputational risks of the legal sector. “They need to champion comprehensive frameworks that prioritise 24/7 active threat hunting, encrypted communications, and rapid incident isolation over basic antivirus and static firewalls,” he says.
“Insist on 100% security visibility. The most devastating legal firm breaches we investigated recently occurred when security tools were only partially deployed (e.g., installed on servers but not on employee laptops), or when critical VPN logs weren’t being fed into a centralised SIEM. Resellers must advocate for complete visibility across the firm’s entire digital estate so that when a threat actor inevitably tests the fences, defenders can catch and evict them in minutes, rather than days.”






