Cybercriminals Are Watching: Why Law Firms Need a Better Defence
Cybercrime is not caused by lone hackers - it’s a global, professionalised industry. In this interview, Kerrie Machin, Business Development Director, at Mitigo Cybersecurity, explains why cyber risk management can’t be left solely to IT teams, how the most common attacks are unfolding today, and what the regulatory landscape means for law firms.
Q: Kerrie, what is the scale of the cyber threats law firms are currently facing?
A: It’s far more extensive and sophisticated than many firms realise. In 2024 alone, there were approximately 8.6 million cyberattacks reported against UK businesses. It is only set to get worse, in fact, Suzanne Grimmer of the National Crime Agency has predicted that this year will be the worst year on record for ransomware attacks in the UK.
The threat landscape has evolved significantly; cybercriminals now operate with the precision and coordination of a well-organised business. It's no longer just about phishing emails - it's a comprehensive ecosystem of threats, including advanced ransomware and supply chain vulnerabilities. Law firms, with their vast repositories of highly sensitive data, are prime targets. Nearly three-quarters of the UK’s top 100 law firms were affected by cyberattacks in 2024 - a staggering statistic, and one that continues to rise.
Q: Can you break down how that cybercrime ecosystem actually works?
A: Absolutely. It starts with ‘stealers’ - these are hackers who steal credentials and sell to other cyber criminals to carry out the attacks. In February alone, there is evidence that at least 23 billion stolen logs were circulating on the dark web. Next in the chain, we have initial access brokers who break into networks and then sell the access they have obtained to ransomware gangs and their affiliates. Ransomware gangs develop sophisticated malware and licence this to affiliates who use the malware to extort businesses. This licence model has significantly reduced the barrier to entry, meaning more and more cyber criminals are constantly entering the market.
Q: What are some of the most common types of attacks law firms are experiencing?
A: The most prevalent is Business Email Compromise – this is where criminals use phishing to gain access to a company’s email system. Once inside, they target invoices due to be sent to clients, alter the bank details, and trick the client into sending funds to the criminal instead of the intended recipient.
Then there’s ransomware, which often has the most devastating consequences.
Q: OK, what kind of damage can ransomware cause?
A: At its worst, it can cause businesses to collapse and cease trading. Downtime of 3 - 4 weeks is the best-case scenario - but in most cases, firms are affected for months and years.
Criminals will also steal confidential client data and threaten to expose it unless a ransom is paid. According to the National Crime Agency, average ransom payments are in the region of £1.5 million.
Unfortunately, ransom payments are only one element of the consequences. On top of that, there are additional financial losses relating to remedying the attack, lost revenue and cash flow implications - not to mention reputational damage, potential client lawsuits, regulatory penalties, and spiralling insurance premiums.
Q: What are the common mistakes law firms are making?
A: The biggest mistake by far is assuming their IT provider is also their cybersecurity expert. While IT teams can implement essential controls like multi-factor authentication (MFA) and antivirus software, they are not risk management specialists and seldom understand how cyber criminals behave. Unfortunately, this means vulnerabilities go unidentified and uncontrolled, and as a result, criminals then exploit those weaknesses.
It is a fact that every cyber breach we have investigated, the firm has solely relied on their IT provider marking their own homework.
Other common mistakes are firms thinking they’re too small to be a target, believing that cloud-based platforms are more secure than traditional server-based networks, and relying on the security of hosted cloud providers. Many of the attacks that we deal with here at Mitigo are aimed at small-medium-sized law firms who mainly operate in the cloud.
Q: Are regulators stepping up expectations too?
A: Absolutely. Obviously, regulators, including the Law Society of Scotland, expect firms to act in the best interests of their clients and keep their confidential information safe. Each firm also has obligations under GDPR, with the Information Commissioner’s Office (ICO) clamping down on firms who have experienced a data breach as a result of a cyber-attack - which in turn is due to negligent cyber risk management practices.
Additionally, the government has recently introduced the Cyber Governance Code of Practice, which outlines clear expectations for directors and partners regarding cyber risk management.
If you suffer a breach and can’t demonstrate appropriate governance and controls, there will be severe consequences.
Q: Finally, if you had one piece of advice what would it be?
A: Get an independent cyber risk assessment carried out by cyber risk management specialists. In our experience, too many law firms are reliant on their IT provider and are hoping they are secure.
Expectations are much higher now, with increasing pressure from regulators, not to mention the continued rise in cyberattacks.
It’s time to start proving that you are secure.
Is your firm really secure — or just hoping it is?
Law firms hold a wealth of sensitive client data and are a prime target for cybercriminals. Relying solely on your IT provider is no longer enough.
Mitigo provides independent cyber risk assessments, governance support, and ongoing protection tailored to the legal sector — helping firms reduce risk, meet regulatory obligations, and avoid business interruption.
Don’t wait for a breach to find out you’re exposed.
Mitigo is one of the Law Society of Scotland’s strategic partners - you can find out more and get in touch to arrange a confidential assessment.
Additional
