Mitigo outlines five New Year resolutions your firm can make to mitigate the threat of cyber attacks

Cyber threats today are more human-centric, technologically sophisticated, and deeply embedded in everyday work practices than ever before.

Recent trends indicate a decisive shift toward sharper social engineering tactics, artificial intelligence (AI) generated communications that feel authentic, real-time phishing attacks, and growing supply-chain vulnerabilities. These developments underscore an urgent need for independent assurance – rather than blind confidence in IT systems.

These aren’t theoretical risks – they are real incidents we are helping law firms to recover from. Cyber risk in the legal sector has evolved, and the way firms manage it needs to evolve at the same pace.

Here are our top five threats firms face daily that shouldn’t be ignored.

1. Advancements in social engineering techniques

In 2025, social engineering techniques became more sophisticated, more personalised, and significantly harder for staff to detect. Social engineering is a form of cyber attack where threat actors manipulate and deceive staff into divulging sensitive information and granting them access to a network. Rather than exploiting technical system vulnerabilities, attackers exploit human psychology, using persuasion tactics like urgency, fear and authority to trick victims into making security mistakes.

Social engineering typically starts with the attacker researching the target using public sources like social media and company websites to create a believable scenario, often impersonating a trusted entity like IT support or a bank employee to build rapport and create a false sense of security.

Although phishing remains the most common entry point into legal practices, we have seen a significant rise in native-language vishing (malicious phone calls) and smishing (SMS messaging) where attackers increasingly collaborate with individuals who are culturally aligned with the target to sound credible and build trust. These attacks bypass defences and succeed by manipulating a staff member into trusting, clicking or responding.

For law firms handling sensitive data and client funds, this presents a critical and growing risk. Protection now requires more than technology – it demands consistent staff vigilance supported by training and policies to ensure a firm is protected.

2. Use of AI to breach firms

AI is lowering the barrier to entry for cybercriminals, enabling attacks that exploit both technical weaknesses and human trust.

One of the most pressing risks is the exploitation of multi-factor authentication (MFA). MFA remains a critical security control, but AI has made bypassing it easier than ever. Over-reliance on MFA can create a false sense of security, highlighting the need for broader, multi-layered protection.

Credential-stuffing and brute-force attacks aren’t new, but AI and automation allow attackers to scale and accelerate these efforts, rapidly cycling through breached credentials or targeting weaker second-factor methods like SMS codes. This dramatically increases the likelihood of unauthorised access to sensitive case files and client data.

AI has also revolutionised social engineering. Spear-phishing campaigns are now highly personalised, with AI tools analysing email traffic, writing styles, and metadata to craft convincing messages that impersonate trusted colleagues or clients. For law firms, this makes phishing one of the most dangerous AI-enabled threats.

Generative AI introduces a new level of risk – deepfake impersonation. Attackers can now create convincing audio, video or images of partners, clients or regulators, which can then be used to authorise fraudulent transactions, mislead staff or influence negotiations. In a profession built on trust and credibility, that poses a significant threat.

3. Supply chain risk

For our clients, supply chains are emerging as one of the most significant but least understood sources of cyber risk. Law firms are reliant on case management platforms, document repositories, cloud email, outsourced IT providers, and legal tech. When even a single supplier is compromised, the fallout can impact dozens of firms simultaneously, disrupting operations and exposing sensitive client data.

UK regulators have recognised this weakness. The National Cyber Security Centre has made supply chain security a national priority, issuing clear principles for managing supply chain cyber risk. For law firms, the message is clear: a contract and a data protection impact assessment are no longer enough. You must know how your providers secure their own environments, what independent assurance they can demonstrate, how they manage subcontractors, and how quickly they can contain and communicate an incident that affects your client data.

A single weak supplier can undermine the strength of the entire chain.

4. Insider threats

In our work with law firms, we’ve found that the most serious cyber risks don’t always originate outside the organisation. An increasing number of incidents stem from individuals with legitimate access – fee earners, support staff, contractors, or outsourced IT providers. Information Commissioner’s Office data shows that nearly half of reported breaches in the legal sector involve insiders, with human error playing a major role.

Most cases are accidental: misdirected emails, documents saved to the wrong matter, or information shared more widely than intended. Yet there is also a malicious element – ‘bad leavers’ whose access was never removed, or disgruntled individuals who exploit their privileges. Once valid credentials are in play, the attacker is already inside the perimeter, and even the strongest technical controls can be sidestepped.

For law firms, managing insider risk requires more than technology. It means tightening joiner/leaver processes, enforcing least-privilege access, monitoring for suspicious activity, and fostering a culture where mistakes are reported quickly and transparently.

5. Lack of independent assurance

A recurring issue we encounter is the misplaced belief that “our IT team has it covered.” While technical support and infrastructure management are crucial, they are not a substitute for independent cyber risk assurance. Increasingly, professional bodies and governance frameworks emphasise the importance of assurance from qualified cyber specialists – separate from your IT provider – to provide a true picture of risks and whether controls are genuinely effective.

For law firms entrusted with highly sensitive client data and funds, independent assurance delivers what partners need most. It provides a clear understanding of vulnerabilities across systems, people, suppliers, and governance; outlines actionable priorities for remediation; and offers documented evidence that stands up to scrutiny from regulators, clients, and insurers.

With attacks happening daily, and with greater sophistication, merely hoping you will be secure is not a credible strategy for senior leaders.

Conclusion

The message for 2026 is simple: be proactive, not reactive. Too many law firms come to us after a compromise – when fee-earners are offline, client confidence has been shaken, reputation is damaged, regulators must be informed, and recovery costs far exceed what preventative controls would have cost.

The alternative is infinitely better: get ahead of it. Build assurance, strengthen controls, challenge assumptions, tighten access and verify supplier resilience. Doing so will be far less disruptive, painful and costly – and will give you reassurance that your firm and its client data are safe.

Mitigo helps leadership teams build the assurance, resilience and oversight needed to stay secure. If you want to strengthen your cyber resilience in 2026, speak to Mitigo before a cyber breach forces you to.