Large law firms experienced an average of 23 ‘cyber incidents’ in the past 12 months, lower than other sectors, a snapshot survey has found.
Law firms were also among the most likely to spend smaller amounts on cyber protection.
Researchers from IT managed services firm iomart and forecaster Oxford Economics gathered responses from managers at 25 large law firms responsible for their firm’s cyber security strategy.
They were part of a wider group of 500 executives from 12 sectors surveyed, most at firms employing over 1,000 people and all at firms with turnovers of at least £250m.
Law firms reported an average of 23 cyber security incidents in the past 12 months – ranging from 43 for one firm to five at another – the lowest number for any sector.
This compared with an average of 33.5 for the insurance sector, which topped the list, followed by finance (32) and government (31).
When it came to spending on cyber protection, almost half of law firms spent between £10,000 and £25,000 a year, for example on vulnerability assessments or penetration testing. Not-for-profit organisations were the most likely to spend amounts of less than £10,000.
Despite these findings, the State of cyber security in the UK 2023 report also found that almost half of law firms agreed that internal security policies and procedures “struggle to keep up with the rapid pace of change”, while a majority reported “an increased frequency of threats from bad actors over the past two years”.
A significant minority, one in five, believed their cyber security budget was “inadequate to fully protect them from growing threats”.
Not surprisingly perhaps, most law firms noted a rise in their cyber insurance premiums over the last two years.
More than four in ten admitted that during the pandemic they were “forced to sacrifice cyber security to keep the lights on”.
The top cyber-threat for law firms was phishing, followed by distributed denial-of-service (DDoS) attacks, malware, ransomware and identity theft (in joint fourth place) and insider threats.
Almost half of law firms used artificial intelligence or machine learning “in some capacity” to defend themselves, particularly to support email screening.
Businesses of all kinds found that a lack of key skills remained one of the main challenges to tackling rising cyber threats, with three in 10 cyber staff admitting to facing burnout.
Lucy Dimes, chief executive of iomart, commented: “The legal sector has a history of high profile and sophisticated cyber-attacks, and perhaps it’s no surprise, as the volume and nature of sensitive data law firms hold is a gold mine for criminals.
“And while it is clear that the threat of cybercrime is rising, there’s a lack of confidence in organisations’ abilities to protect themselves against it.
“There are many factors at play that are influencing this, from rising energy costs and increased insurance premiums to skills shortages and staff burnout, which are causing huge challenges for businesses.”