Cybercriminals Are Watching: Why Law Firms Need a Better Defence

31st July 2025 | Professional support

Cybercrime is no longer the work of lone hackers; it is a global, professionalised industry. In this interview, Kerrie Machin, Business Development Director at Mitigo Cybersecurity, explains why cyber risk management cannot be left solely to IT teams, how the most common attacks unfold today, and what the regulatory landscape means for law firms.

Q: Kerrie, what is the scale of the cyber threats law firms are currently facing?

A: It’s far more extensive and sophisticated than many firms realise. In 2024 alone, there were approximately 8.6 million cyberattacks reported against UK businesses. It is only set to get worse; in fact, Suzanne Grimmer of the National Crime Agency has predicted that this year will be the worst year on record for ransomware attacks in the UK.

The threat landscape has evolved significantly; cybercriminals now operate with the precision and coordination of a well-organised business. It's no longer just about phishing emails - it's a comprehensive ecosystem of threats, including advanced ransomware and supply chain vulnerabilities. Law firms, with their vast repositories of highly sensitive data, are prime targets. Nearly three-quarters of the UK’s top 100 law firms were affected by cyberattacks in 2024 - a staggering statistic, and one that continues to rise.

Q: Can you break down how that cybercrime ecosystem actually works?

A: Absolutely. It starts with ‘stealers’ - these are hackers who steal credentials and sell them to other cyber criminals to carry out the attacks. In February alone, there is evidence that at least 23 billion stolen logs were circulating on the dark web. Next in the chain, we have initial access brokers who break into networks and then sell the access they have obtained to ransomware gangs and their affiliates. Ransomware gangs develop sophisticated malware and license this to affiliates who use the malware to extort businesses. This licence model has significantly reduced the barrier to entry, meaning more and more cyber criminals are constantly entering the market.

Q: What are some of the most common types of attacks law firms are experiencing?

A: The most prevalent is Business Email Compromise – this is where criminals use phishing to gain access to a company’s email system. Once inside, they target invoices due to be sent to clients, alter the bank details, and trick the client into sending funds to the criminal instead of the intended recipient.

Then there’s ransomware, which often has the most devastating consequences.
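One practical control against the invoice-tampering form of Business Email Compromise described above is an egress check: before an invoice leaves the firm, confirm that the bank details it carries are the firm's own verified account, and hold anything that differs for out-of-band confirmation (a phone call to a known number, not a reply to the email). The following is an added example written for this page; it is not Mitigo's tooling and not code from the interview. The firm name, sort code, account number and invoice layout are constructed sample data, and the regular expressions assume UK-style fields (a six-digit sort code and an eight-digit account number) laid out one per line.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data for this example, not taken from any real firm.
# The firm's verified payment details, entered once by finance and changed
# only through a controlled, out-of-band process. Stored normalised
# (no spaces or hyphens) so formatting differences do not cause false alarms.
VERIFIED_ACCOUNTS = {
    ("123456", "12345678"),  # (sort code, account number)
}
VERIFIED_ACCOUNT_NAMES = {"EXAMPLELEGALLLPCLIENTACCOUNT"}

GENUINE_INVOICE = """\
INVOICE 1001
Example Legal LLP, 1 Example Street, Edinburgh
Please remit payment to:
Account name: Example Legal LLP Client Account
Sort code: 12-34-56
Account number: 12345678
"""

# The same invoice after someone with access to the mailbox has swapped the
# sort code and account number for their own (constructed values).
ALTERED_INVOICE = """\
INVOICE 1001
Example Legal LLP, 1 Example Street, Edinburgh
Please remit payment to:
Account name: Example Legal LLP Client Account
Sort code: 98-76-54
Account number: 87654321
"""


@dataclass(frozen=True)
class BankDetails:
    account_name: str
    sort_code: str
    account_number: str


def normalise(value: str) -> str:
    """Drop spaces and hyphens and upper-case, so '12-34-56' compares equal to '123456'."""
    return re.sub(r"[\s-]", "", value).upper()


# Assumed invoice layout: one labelled field per line (constructed for this example).
_NAME = re.compile(r"^Account name:\s*(.+?)\s*$", re.I | re.M)
_SORT = re.compile(r"^Sort code:\s*(\d{2}[\s-]?\d{2}[\s-]?\d{2})\s*$", re.I | re.M)
_ACCT = re.compile(r"^Account number:\s*(\d{8})\s*$", re.I | re.M)


def extract_bank_details(invoice_text: str) -> BankDetails | None:
    """Pull the payee bank details out of invoice text; None if any field is missing."""
    name = _NAME.search(invoice_text)
    sort = _SORT.search(invoice_text)
    acct = _ACCT.search(invoice_text)
    if not (name and sort and acct):
        return None
    return BankDetails(name.group(1), sort.group(1), acct.group(1))


def check_outgoing_invoice(invoice_text: str) -> list[str]:
    """Return findings for the invoice; an empty list means it may be sent as-is."""
    details = extract_bank_details(invoice_text)
    if details is None:
        return ["no complete bank details found; hold for manual review"]
    findings: list[str] = []
    if (normalise(details.sort_code), normalise(details.account_number)) not in VERIFIED_ACCOUNTS:
        findings.append(
            f"sort code/account number {details.sort_code} {details.account_number} "
            "differ from the firm's verified account; hold and confirm by phone"
        )
    if normalise(details.account_name) not in VERIFIED_ACCOUNT_NAMES:
        findings.append(f"account name '{details.account_name}' differs from the verified account name")
    return findings


if __name__ == "__main__":
    for label, text in (("genuine", GENUINE_INVOICE), ("altered", ALTERED_INVOICE)):
        print(label, check_outgoing_invoice(text) or ["OK"])
```

The same comparison run the other way, inbound supplier invoices checked against a payee master record, catches the mirror-image fraud where the firm is the one being asked to pay a changed account. Neither check replaces MFA and phishing defences on the mailbox itself; it is the backstop for when those have already failed.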

Q: OK, what kind of damage can ransomware cause?

A: At its worst, it can cause businesses to collapse and cease trading. Downtime of 3-4 weeks is the best-case scenario, but in most cases firms are affected for months or years.

Criminals will also steal confidential client data and threaten to expose it unless a ransom is paid. According to the National Crime Agency, average ransom payments are in the region of £1.5 million.

Unfortunately, ransom payments are only one element of the consequences. On top of that, there are additional financial losses relating to remedying the attack, lost revenue and cash flow implications - not to mention reputational damage, potential client lawsuits, regulatory penalties, and spiralling insurance premiums.

Q: What are the common mistakes law firms are making?

A: The biggest mistake by far is assuming their IT provider is also their cybersecurity expert. While IT teams can implement essential controls like multi-factor authentication (MFA) and antivirus software, they are not risk management specialists and seldom understand how cyber criminals behave. Unfortunately, this means vulnerabilities go unidentified and uncontrolled, and as a result, criminals then exploit those weaknesses.

In every cyber breach we have investigated, the firm had relied solely on its IT provider marking its own homework.

Other common mistakes are firms thinking they’re too small to be a target, believing that cloud-based platforms are more secure than traditional server-based networks, and relying on the security of hosted cloud providers. Many of the attacks that we deal with here at Mitigo are aimed at small and medium-sized law firms who mainly operate in the cloud.

Q: Are regulators stepping up expectations too?

A: Absolutely. Obviously, regulators, including the Law Society of Scotland, expect firms to act in the best interests of their clients and keep their confidential information safe. Each firm also has obligations under GDPR, with the Information Commissioner’s Office (ICO) clamping down on firms who have experienced a data breach as a result of a cyber-attack - which in turn is due to negligent cyber risk management practices.

Additionally, the government has recently introduced the Cyber Governance Code of Practice, which outlines clear expectations for directors and partners regarding cyber risk management.

If you suffer a breach and can’t demonstrate appropriate governance and controls, there will be severe consequences.

Q: Finally, if you had one piece of advice what would it be?

A: Get an independent cyber risk assessment carried out by cyber risk management specialists. In our experience, too many law firms are reliant on their IT provider and are hoping they are secure.

Expectations are much higher now, with increasing pressure from regulators, not to mention the continued rise in cyberattacks.

It’s time to start proving that you are secure.

Is your firm really secure — or just hoping it is?

Law firms hold a wealth of sensitive client data and are a prime target for cybercriminals. Relying solely on your IT provider is no longer enough.

Mitigo provides independent cyber risk assessments, governance support, and ongoing protection tailored to the legal sector — helping firms reduce risk, meet regulatory obligations, and avoid business interruption.

Don’t wait for a breach to find out you’re exposed.

Mitigo is one of the Law Society of Scotland’s strategic partners - you can find out more and get in touch to arrange a confidential assessment.

info@mitigogroup.com | https://mitigogroup.com/

Law Society of Scotland | © 2025