Comment: Successful cybersecurity isn’t a tick box exercise but a cultural mindset

The past few weeks have seen a number of worrying headlines around cybersecurity risk, including the fact that threat actor Silent Ransom is deliberately targeting US law firms, according to an FBI statement shared on 23 May.

Cybersecurity concerns are far from new, but the risks presented by AI, plus the clear targeting of the legal sector, mean that cyber risk dominates the list of strategic tech priorities, with law firms needing to up their game accordingly.

What ‘up your game’ means in practice, of course, is very organisation-specific and it’s difficult to generalise about the percentage spend and type of technology that’s required. But what can be said without any doubt, and regardless of organisation size, is that firms need to build security awareness into the fabric of their organisation, so that it becomes a lived and breathed part of the culture.

Speaking to Legal IT Insider in May on a webinar, Arctic Wolf’s UK&I sales director Graham Holt said: “Cyber risk isn’t an IT challenge, it’s a business risk issue. It’s a board level discussion. The key thing is creating a workforce where security is top of mind.” He added: “It’s not about being draconian and forcing things on people, it’s about creating a culture where people feel comfortable that they can be a first line defence for the firm.”

The first big must is tone from the top. If your leadership isn’t living and breathing cybersecurity, why should the workforce?

Other top priorities include training, which should be mandatory. Standard training often doesn’t work, and persuading people to change their working practices is hard. But the science supports short-burst micro learning that sits within the cracks of an individual’s day. It doesn’t hurt to create competition around which teams are excelling in completing their training, given that most people in our industry are highly competitive.

Vulnerability management is a must, as is identifying and choosing to focus on your top 10 vulnerabilities rather than being overwhelmed by the risks.

It is also key to have a culture of transparency. Speaking on the webinar with Arctic Wolf in May, Christian Toon, the former CISO at Pinsent Masons and now founder and chief security strategist of Alvearium Associates, said: “Reporting and security should not be a backroom function with a kind of confidentiality all over it. People need to know what’s going on. You should be up front with your employees and your teams, whether they be fee-earners or operational staff, and be clear on how your firm is dealing with the threats, creating a narrative that you can share from senior management to junior personnel.”

Talking about failure can be empowering – people sometimes hesitate to report problems over fears that their careers may be impacted, but a culture in which failings are discussed and accepted is more likely to encourage people to come forward.

Talking about cybersecurity with your customers is also key and, done well, can be leveraged as a competitive edge.

As of March 2025, the Silent Ransom Group’s modus operandi changed to calling individuals and posing as an employee from their company’s IT department. SRG then directs the employee to join a remote access session, either through an email or by navigating to a web page. Once the employee grants access to their device, they are told that the work needs to be done overnight. The FBI warns that an SRG attack quickly pivots to data exfiltration conducted through ‘WinSCP’ or a renamed version of ‘Rclone’. If the compromised device doesn’t have administrative privileges, WinSCP portable is used to exfiltrate victim data. The victim is then sent a ransom email threatening to sell or post the data online.

Sharing these stories is important to gain individual buy-in. The bottom line is that cyber security is not a backroom conversation, nor a plug-in bit of tech. It needs to be acknowledged, shared internally, and even celebrated to create a workforce where security is top of mind and part of an organisation’s DNA, not an afterthought.
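For security teams who want to turn the FBI’s description of SRG tooling into a hunt, the sketch below flags a renamed Rclone and a portable WinSCP in process-creation logs. It is an added example, not part of the original article or the FBI notice; the field names follow Sysmon process-creation events, and the OriginalFileName values, install paths and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed PE OriginalFileName values; confirm against the builds you see.
TOOL_NAMES = {"rclone.exe", "winscp.exe"}
# Rclone transfer verbs plus real rclone flags typical of bulk copies.
RCLONE_VERB = re.compile(r"\s(copy|sync|move)\s", re.I)
RCLONE_FLAGS = ("--config", "--transfers", "--no-check-certificate", "--max-age")
# Default install roots; a copy running elsewhere is treated as portable.
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify(event):
    """Return findings for one process-creation event (dict)."""
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    findings = []
    if original in TOOL_NAMES and base != original:
        findings.append(f"renamed {original} running as {base}")
    looks_rclone = RCLONE_VERB.search(cmd) and any(f in cmd for f in RCLONE_FLAGS)
    if looks_rclone and "rclone.exe" not in (base, original):
        findings.append(f"rclone-style command line from {base}")
    if "winscp.exe" in (base, original) and not image.lower().startswith(INSTALL_ROOTS):
        findings.append(f"portable WinSCP outside install path: {image}")
    return findings


# Constructed sample events, not taken from the FBI notice or a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost32.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost32.exe copy C:\Matters remote:drop --transfers 16"},
    {"Image": r"C:\Users\jdoe\Downloads\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "CommandLine": "WinSCP.exe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "CommandLine": "WinSCP.exe"},
    {"Image": r"C:\Tools\backup.exe", "OriginalFileName": "",
     "CommandLine": r"backup.exe sync D:\Files remote:b --max-age 30d"},
]


def triage(events):
    """Map image path to findings for each event that raised any."""
    return {e["Image"]: f for e in events if (f := classify(e))}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The command-line heuristic still catches a binary whose version metadata has been stripped, which is why it runs alongside the OriginalFileName comparison rather than replacing it.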
