Overcoming the Risk of Relying on Email for Law Firms

Relying on email to communicate effectively, both internally and externally, is a standard business practice. It has proven to be of utmost importance as a majority of workforces have transitioned to hybrid working, but this shift has also increased the size of the threat landscape, with cyber attackers targeting vulnerable workers who are away from the immediate support of IT teams.

When staff send many emails per day, the risk of human error also arises. Whether it is attaching the wrong document or CC’ing an incorrect recipient, these mistakes are all too common, and for some industries they can have devastating consequences.

Within the legal industry, sensitive and confidential data is handled every day, including insurance claims, financial records and more. If this information were to fall into the wrong hands, it could have disastrous repercussions for the business. Andrea Babbs, UK General Manager, VIPRE, emphasises the importance of law firms prioritising their email defence so that they don’t fall victim to a cyber threat.

Legal Landscape

Legal professionals handle sensitive and confidential data that is subject to strict regulatory compliance rules. Relying on email to share this valuable data with the relevant parties poses a risk in itself and makes law firms a prime target for cyber attacks. What if documents protected by legal professional privilege are accidentally emailed to the wrong person? This could constitute a breach of confidentiality, which in turn can have numerous repercussions, from short- and long-term financial costs to damage to the firm’s reputation. Breaches of any kind can affect client trust and business success.

Over the past few years, law firms have been subject to all types of external cyber attacks, and this number continues to rise, with research finding that 73 of the UK’s top 100 firms are targeted. For example, criminal defence firm Tuckers Solicitors were fined £98,000 after sensitive court bundles were published on the dark web and held to ransom by organised cyber criminals. Security incidents caused by human error don’t receive as much media attention, but they aren’t any less serious.

Human error was found to be a contributing cause in 95% of all breaches. In the legal industry in particular, staff members are under significant pressure to work fast, hard and smart, and in demanding times they may not have the time to double-check that the attachments are right or that the correct recipients are included in an email. In today’s business landscape, mistakes are therefore unfortunately more likely to occur.

The Crucial Double-Check

Given the potentially devastating consequences of an email breach, and the legal requirements around sensitive data such as the General Data Protection Regulation (GDPR) and the Data Protection Act, law firms need to prioritise their email and data security. A layered approach is key to ensuring that no gateways are left open for a cyber attacker to leverage. A multi-faceted security strategy should include encryption and authentication services to prevent a majority of unauthorised interceptions, as well as ongoing security training and strict policies regarding the circulation and storage of sensitive data. Reinforcing the security message in this way ensures that the whole workforce is capable of spotting a potential attack and understands the appropriate ways of handling valuable information, because staff are aware, and often reminded, of the role they play in protecting their clients’ data and the firm’s reputation.

Another fundamental part of a layered security strategy is data loss prevention (DLP). Firms can implement security measures for the detection, control and prevention of risky email behaviours, so that staff members are alerted before they click send. For example, when a lawyer shares confidential reports with external contract clients, there could be various contacts within the CC fields, as well as confidential attachments going back and forth. With extra precautions in place, the lawyer can be prompted to make sure the email addresses included are correct and the attachments are appropriate for the intended contact. This chance to double-check is critical, as it ensures that the correct information is going to the right person before it is too late.


Handling personal and confidential data makes law firms a prime target for cyber attacks. Therefore, investing in a layered cyber security strategy is crucial. Mistakes are easily made, but they can also be easily avoided by having a combination of key security solutions in place, including DLP solutions, to stop valuable information from falling into the wrong hands.

By Andrea Babbs, UK General Manager, VIPRE