Why mid-sized firms can’t afford to get cybersecurity wrong

Mid-sized UK law firms are prime targets for cybercriminals, not just because of the money they handle, but the deeply personal data they hold.
Sensitive data and large transactions make the UK’s mid-sized law firms attractive targets for cybercriminals. Security must be an essential aspect of customer care, not an afterthought.
When the legal industry talks about cybersecurity, it is usually in terms of regulation and professional standards. These are important, but the real focus should be placed on the devastating impact of cybercrime on real people’s welfare and lives. These human stories can be lost in a conversation that focuses on technicalities and compliance.
Unlike many corporate environments, law firms do not just process transactions or manage internal data. They safeguard moments that define people’s lives.
When people seek legal advice, it is usually at a defining moment in their life, often when they are feeling at their most vulnerable or anxious. The data they entrust to a solicitor is very personal, and it would be devastating for it to be breached and exposed, possibly even leaked to the media. It is this sensitivity that makes the information so valuable to cybercriminals: public exposure of personal data has a severe impact on the victims. It also places extra pressure on law firms when they encounter an extortion demand.
This motivation for extortion makes mid-sized law firms an attractive target for cybercriminals and yet, at the same time, they are also one of the most vulnerable. They may incorrectly assume they are too small, too low value or simply a small fish in a big pond. But for this sector, it is about far more than money. The real damage is often reputational damage for the firms and is deeply personal to those most impacted. When highly sensitive client data is exposed, the emotional fallout can be profound, affecting partners, staff and clients alike, and in some cases leaving lasting financial, social and emotional impact long after the incident itself.
Mid-sized law firms are often identified as the optimum target by cybercriminals. They have a wealth of highly sensitive data and are potentially less well-resourced than a large firm. In many cases, in-house IT teams are lean and focused on keeping systems operational but may lack the expertise and know-how to be able to successfully monitor and respond to threats round the clock.
Protecting data protects people
People trust law firms with their intimate information and have no choice about what data is collected and how it’s processed and stored.
One only has to think about why clients turn to their local law firm to understand how devastating a successful cyber attack can be. People go to these firms often with the most personal, sensitive and life-defining matters: family breakdowns, financial disputes, criminal cases, probate, accidents, employment disputes. They trust that their sensitive information, documents and identities will be protected, for the duration of their case and beyond.
Consider family law and care proceedings. Law firms working with social services handle some of the most sensitive data imaginable. Records relating to children in care. Medical histories. Safeguarding assessments. Court reports. The expectation of protection here is absolute. Under UK data protection laws, data related to children is considered a special category of personal data. A breach does not just risk regulatory fines. It risks exposing vulnerable children, prejudicing outcomes and undermining confidence in a system designed to protect those who cannot protect themselves.
In the case of personal injury or a medical negligence claim there may be personal health-related data. In employment law cases there may be allegations of harassment, discrimination or mistreatment against named individuals and enterprises.
Criminal law brings its own stakes. Defence strategies, witness statements, police evidence and personal histories sit inside legal systems every day. If that information is exposed, altered or accessed improperly, the consequences extend far beyond inconvenience. Lives, liberty and justice itself can be affected.
There are many highly sensitive aspects of a person’s private life that can be exploited, but it is with conveyancing that we regularly hear the most impactful stories. That is because these cases often involve both the theft of sensitive data and the loss of a person’s savings. When cybercriminals gain access to law firms, they are not only looking for sensitive data they can exfiltrate and ransom. They also want to discover who is due to pay a large sum of money to the law firm. The largest everyday payments, and the ones that most attract an attacker’s attention, are property purchases.
If they gain access to conveyancing files, a criminal can discover the details and timeline of a house purchase, intercept the messages and send a convincing email requesting a sum is paid to their bank account rather than the solicitors. From the individual’s perspective, it’s arriving at a point in the transaction when they’re expecting to receive a solicitor’s request to make payment, such as at the point of contract exchange. The email looks authentic and references the details of the purchase and asks for the correct sum.
The result can be devastating. Not only may the individual lose their savings, but they may also lose their dream home. Whilst some law firms will likely have professional indemnity insurance to cover redress, this still takes time to investigate and for people to obtain their money back. Meanwhile, individuals have not only lost their data and money but they’re also having to fight to get it back.
It is not just the impact on individuals that should concern us, but also business-to-business relationships, which have similar needs and expectations when it comes to protecting sensitive data relating to mergers and acquisitions, disputes and other matters. In the case of claims for negligence, for example, the law firm may find itself in the crosshairs of activists intent on exposing data for social justice rather than financial gain.
The point is that law firms must be empathetic to their clients with regard to their needs and expectations, and their right to privacy and security.
Prioritise protecting people
It's everyday crimes like this that are the true human stories behind a threat that is growing year on year. According to Crowe's Law Firm Benchmarking Report, produced in conjunction with the Institute of Legal Finance & Management, 1 in 5 UK law firms experienced a cyber incident in the past twelve months alone. Protecting people, their data and their families means that law firms need to consider cybersecurity as a fundamental part of their business strategy, to protect what matters most and to deliver trust and resilience across the sector.
Until we talk about cyber risk through the lens of people, not just policy, we will continue to underestimate both its impact and its importance. Many law firms may be wondering where to start and a good option is to consider cloud-based services, which typically have a range of security and privacy controls built into the platform and application layers, that firms can take advantage of, based on the sensitivity and confidentiality of data.
Good security is not about fear or compliance. It is about understanding the nature of the data you hold, classifying it properly, limiting access and being prepared when something goes wrong. It is about recognising why your firm might be a target and what the real-world impact of exposure would be.
The Solicitors Regulation Authority (SRA) and the Information Commissioner’s Office (ICO) have made it clear that failing to patch vulnerabilities or implement multi-factor authentication is not just a technical oversight, it’s a breach of professional duty that can result in significant fines and reputational harm.
Certification to known standards such as the UK Government Cyber Essentials scheme is a good step in providing assurance to clients, but it is often a snapshot in time, based on the applicability and timing of the audit. Cybersecurity needs to be considered beyond compliance checks in order to counteract the evolving threat.
That’s one of the main reasons why law firms choose to work with specialist security partners, such as Softwerx, who can protect against both existing and upcoming threats. A managed services partner can also provide education on the evolving threat.
Cybersecurity is a business enabler that law firms need to put at the heart of their strategy. It’s not just about securing systems. It’s about protecting the livelihoods of people that come to them when they are most vulnerable and in need of help. It’s a way to show their trust is both honoured and protected.