> series: sector_under_the_microscope —— part: 01/10 —— sector: legal —— threat_level: high
Law firms are one of the most consistently targeted sectors in the UK cyber threat landscape — and the reasons are straightforward. A typical law firm holds client funds in escrow, processes property transactions worth millions, stores privileged legal communications, maintains databases of personal and financial information, and operates under a professional obligation of confidentiality that makes public disclosure of a breach reputationally catastrophic. For attackers, law firms are a high-value, high-reward target.
This is the first article in our Sector Under the Microscope series, where we examine the specific threats, vulnerabilities, and security priorities for ten UK industry sectors — drawing on our experience from penetration testing engagements across each one. This is not theoretical guidance. It is informed by what we find when we test.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call

| Requirement | What It Demands | Consequence of Failure |
|---|---|---|
| SRA Standards and Regulations | The Solicitors Regulation Authority requires firms to maintain effective systems and controls for the protection of client money and client data. The SRA has issued specific guidance on cyber security, including requirements for email security, staff training, and incident reporting. | Regulatory investigation, potential fine, conditions on practising certificate, and — in severe cases — intervention. The SRA has intervened in firms where cyber incidents revealed systemic control failures. |
| UK GDPR | Law firms process significant volumes of personal data — client information, witness details, medical records in personal injury matters, and financial data. Article 32 requires appropriate technical and organisational measures, which the ICO interprets to include regular security testing. | ICO enforcement action, fines of up to £17.5 million or 4% of annual worldwide turnover (whichever is higher), mandatory notification to the ICO within 72 hours of becoming aware of a reportable breach, and notification to affected individuals where the breach is likely to result in a high risk to them. |
| Professional Indemnity Insurance | PI insurers are tightening cyber security requirements. Many now require evidence of security testing, MFA implementation, and staff training as conditions of cover. Premiums reflect the firm's demonstrable security posture. | Increased premiums, policy exclusions for preventable breaches, or inability to obtain cover at commercially viable rates. |
| Cyber Essentials | Increasingly required by corporate clients, government departments, and legal panels as a condition of instruction. Many large corporates and insurance panels now mandate Cyber Essentials Plus from their legal suppliers. | Loss of panel membership, exclusion from tenders, and reduced client confidence. |
Our penetration testing engagements in the legal sector consistently reveal a pattern of vulnerabilities that reflects the sector's characteristics — legacy case management systems, high levels of staff mobility, significant email reliance, and IT estates that have grown organically over decades of mergers and lateral hires.
| Finding | Prevalence | Business Impact |
|---|---|---|
| Weak or absent MFA on email and cloud services | Found in the majority of initial engagements | Direct enabler of BEC and email compromise. Without MFA, a single phished credential gives an attacker full access to email, client files, and — frequently — client account payment instructions. |
| Legacy case management systems with known vulnerabilities | Common in firms running on-premise CMS platforms | Unpatched CMS platforms frequently contain SQL injection, authentication bypass, and privilege escalation vulnerabilities. These systems contain the firm's entire client data estate. |
| Excessive Active Directory privileges | Common in firms with organic AD growth over many years | Fee earners and support staff with administrative privileges, nested group memberships that grant unintended access, and service accounts with Domain Admin credentials. Our password cracking article demonstrates how quickly weak AD credentials fall. |
| No network segmentation | Found in a significant proportion of smaller firms | Flat networks where a compromised reception workstation has the same network access as the finance server. Lateral movement from any compromised device to client accounts and matter files is trivial. |
| Poor email security configuration | Widespread — SPF, DKIM, and DMARC often misconfigured or absent (SPF ending in +all or ~all, no DMARC record, or DMARC left at p=none) | Lets attackers send mail that appears to come from the firm's own domain, so phishing aimed at staff and fraudulent "updated bank details" emails sent to clients mid-transaction carry the firm's name and pass casual inspection. Reading or hijacking an existing client thread still requires a compromised mailbox, which is why this finding compounds the MFA finding above. |
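As an added example (not code from the original article), the following Python script applies the static checks a tester runs against a firm's published SPF and DMARC records: a permissive or missing terminating `all` mechanism, more than ten DNS-lookup mechanisms, a missing DMARC record, a monitoring-only `p=none` policy, a partial `pct=`, and no aggregate reporting address. The domain names and record strings are constructed samples, not real firms' DNS; in practice you would fetch the live records with `dig TXT <domain>` and `dig TXT _dmarc.<domain>` and feed them in.

```python
import re

# Constructed sample records for illustration only (assumed, not real DNS data).
SAMPLE_RECORDS = {
    "example-solicitors.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": None,
    },
    "monitor-only.test": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
    },
    "well-configured.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@well-configured.test; pct=100",
    },
}

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)")


def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record (empty list = no finding)."""
    if record is None:
        return ["No SPF record: any host can claim to send for this domain"]
    terms = [t.lower() for t in record.split()]
    if not terms or terms[0] != "v=spf1":
        return ["Record does not start with v=spf1; receivers will ignore it"]
    terms = terms[1:]
    findings = []
    tail = terms[-1] if terms else ""
    if tail in ("+all", "all"):
        findings.append("SPF ends in +all: every sender passes")
    elif tail == "?all":
        findings.append("SPF ends in ?all (neutral): spoofed mail is not penalised")
    elif tail == "~all":
        findings.append("SPF ends in ~all (softfail): spoofed mail is accepted unless DMARC enforces")
    elif tail != "-all":
        findings.append("SPF has no terminating all mechanism; unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10); evaluation returns permerror")
    return findings


def check_dmarc(record):
    """Return a list of weaknesses in a _dmarc TXT record (empty list = no finding)."""
    if record is None:
        return ["No DMARC record: spoofed mail is neither rejected nor reported"]
    # Parse "tag=value; tag=value" pairs into a dict, case-insensitive on the tag.
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["Record does not start with v=DMARC1; receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("DMARC has no p= tag; the record is invalid")
    elif policy == "none":
        findings.append("DMARC p=none: failing mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once aggregate reports are clean")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings


def audit(records):
    """Map each domain to its combined SPF and DMARC findings."""
    return {
        domain: check_spf(entry.get("spf")) + check_dmarc(entry.get("dmarc"))
        for domain, entry in records.items()
    }


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(domain, "-> OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

The script deliberately does not check DKIM: a DKIM public key lives under a selector name (`<selector>._domainkey.<domain>`) that cannot be enumerated from outside, so verifying that outbound mail is actually signed is done by inspecting the headers of a message the firm sends you. Note also that a strict `-all` on SPF is only as good as the `include:` targets it trusts; a shared cloud sender in that list is itself a spoofing path.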
For law firms commissioning penetration testing for the first time — or re-evaluating their testing programme — we recommend prioritising based on the specific threat model that applies to the legal sector.
A penetration test tells you where your vulnerabilities are today. It does not tell you about the phishing email that arrives tomorrow, the credential that appears on the dark web next week, or the configuration change that opens a new exposure next month. For law firms — where the consequences of a breach include client fund theft, regulatory investigation, and reputational destruction — annual testing must be complemented by continuous monitoring.
SOC in a Box for Law Firms provides 24/7 security monitoring, dark web credential monitoring, and data loss prevention — specifically designed for the threats that law firms face. Combined with regular penetration testing and Cyber Essentials certification, this creates a security posture that satisfies the SRA, satisfies your PI insurer, and — most importantly — actually protects your clients' data and funds.
Next week, we turn the microscope on financial services — IFAs, wealth managers, and accountancy firms. We examine the FCA's expectations, the specific threat actors targeting financial data, and the vulnerabilities we consistently find when we test organisations that handle other people's money.
We understand the legal sector's unique threat landscape, regulatory obligations, and client confidentiality requirements. Our testing is scoped to target the vulnerabilities that matter most to law firms — and our reports satisfy the SRA, your PI insurer, and your clients.