The Cause of Data Security in Law Firms Amid Phishing, MFA Gaps, and Ransomware

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Quick Takeaways:

  • Law firms still leave help desks vulnerable to manipulation.
  • Fenix24 research shows immutable backups remain underused across the legal sector.
  • Many firms face extortion-only attacks as encryption-based ransomware declines.
  • Smith warns that MFA gaps in storage and backups enable data breaches.
  • Tabletop exercises often miss real-world recovery and supply-chain scenarios.

We spoke with John Anthony Smith, Co-founder and Chief Security Officer of Fenix24, about cybersecurity in law practices, phishing, and the practical measures legal organizations can take to strengthen defenses.

With a 30-year human-centric cybersecurity career, Smith has served law firms since 1998. In this wide-ranging conversation, Smith discusses tools firms should prioritize to bolster detection and recovery.

He elaborates on extortion-only attacks, immutable backups, and how insurance and tabletop drills reshape strategies.

The following conversation offers Smith’s perspective on urgent steps law firms must take to close resilience gaps and more.

Vishwa: With phishing overtaking ransomware, as detailed in your report, what specific human or process weaknesses allow these socially engineered attacks to succeed so often?

John: As stated in Fenix24’s 2025 research report, Security at Issue: State of Cybersecurity in Law Firms, conducted in partnership with the International Legal Technology Association (ILTA), it is abundantly clear that law firms see double extortion incidents as a great risk: behind phishing, law firms ranked data exfiltration, ransomware, social engineering, and user behavior as their greatest security threats.

It is apparent that the risks, and the messaging at least, are known to law firm defenders, though they commonly do not seem to know where they should be investing necessary hardening.

As an example, though the survey did not tease this out specifically, law firms commonly require no identity verification at the help desk to reset credentials and MFA tokens. Unfortunately, most law firm cultures, in how partners in particular demand to be served by their IT departments, do not cultivate or dictate environments where it is appropriate and safe to require identity check steps at the help desk. 

Couple this truth with the fact that many law firms outsource help desk functions, and you have a situation ripe for threat actor manipulation. While IT leaders are concerned about phishing, social engineering, and user behaviors, they are commonly in the context of law firm users themselves, not the help desk. 

While firms are concerned with phishing, data exfiltration, ransomware, social engineering, and user behavior, they are commonly not blocking, by default, the functions that allow these behaviors to occur to begin with, such as:

Couple all these factors with weak lateral movement defenses (about 32% have hypervisors domain joined, 30% have backup tools domain joined, 73% have no administrative segmentation, and 52% do not require MFA on RDP to servers) and destroyable recovery capabilities (52% do not have an immutable backup).

With this, it can be concluded that law firm concerns are well-founded. And there’s still much improvement to be made.

Vishwa: Are legal firms more often facing broad phishing or highly targeted campaigns seeking privileged data tied to state or litigation interests?

John: Law firms are increasingly facing both broad and highly targeted campaigns. This is especially true for law firms involved in sensitive or high-stakes litigation, government contracts, mergers & acquisitions, intellectual property, and/or politically exposed matters.

Threat groups have attempted, and succeeded, in manipulating internal law firm accounting departments into inappropriately wiring funds or paying false invoices. Additionally, law firms have had their email domains impersonated, such as with punycode or similar spelling.

Individuals have been sent falsified documents, including invoices, seemingly from law firms, to attempt to get individuals to pay the threat actors, not the law firm. 

Worst of all, threat actors manipulate individual users claiming to be with the IT department to gain initial access to systems, exfiltrate data, and attempt lateral movement and ultimately destruction.

Vishwa: How are attackers finding ways to bypass multi-factor authentication, especially given inconsistent MFA coverage on production storage and other critical systems?

John: IT professionals are commonly managing infrastructure, leveraging old knowledge — doing what they have always done and been encouraged by Microsoft to do — put all systems and consoles in Active Directory. 

What we know from breach, and confirmed recently by Mandiant in this article, is that critical consoles should not be aligned with production Active Directory.  As the article states, “To effectively safeguard critical Tier 0 assets operating within the vSphere environment–specific systems like Privileged Access Management (PAM), Security Information and Event Management (SIEM) virtual appliances, and any associated AD tools deployed as virtual appliances, a multi-layered security approach is essential. 

These assets must be treated as independent, self-sufficient environments. This means not only isolating their network traffic and operational dependencies but also, critically, implementing a dedicated and entirely separate identity provider (IdP) for their authentication and authorization processes. 

For the highest level of assurance, these Tier 0 virtual machines should be hosted directly on dedicated physical servers. This practice of physical and logical segregation provides a far greater degree of separation than shared virtualized environments.”

What does this mean to the layperson? It means that administrative functions and critical consoles must be isolated from the identity platforms used by the larger user population. The credentials that provide access to the desktop and apps that are used by the user population every day cannot also provide access to backend administrative systems. What we see in the study is that this largely has not caught on. 

Law firms are not applying MFA to critical administrative functions, which is bluntly one of the easiest ways to obstruct threat actor lateral movement, and frankly, and most importantly, law firm IT professionals are still leaving significantly critical consoles within the production Active Directory identity plane (IdP) shared by the common usage basis:

Active Directory membership for critical consoles coupled with the lack of MFA enforcement on server administrative functions such as Remote Desktop Protocol, PowerShell, WMI, Microsoft Management Console, etc., amplifies the ease of lateral movement and ultimate mass destruction.  

Sixty-seven percent of responding law firms do not apply MFA to administrative functions, such as PowerShell, Remote Registry, WMI, etc.
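As an added illustration (not code from Fenix24 or from the report), the following Python audits a constructed asset inventory against the gaps Smith lists in this answer and earlier: hypervisor and backup consoles joined to production Active Directory, administrative protocols such as RDP, WinRM and WMI reachable without MFA, critical consoles reachable from the user network, and backup targets with no immutable copy. The asset names, inventory fields and the `prod-ad` / `tier0-idp` identity-plane labels are assumptions; the script returns per-asset findings and fleet-wide percentages in the same style as the statistics the report cites.

```python
"""Added example: audit a constructed asset inventory for the admin-plane gaps
Smith describes (domain-joined critical consoles, admin protocols without MFA,
no administrative segmentation, no immutable backup). Not Fenix24 code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Roles whose management console should live on a dedicated identity plane,
# never in production AD (hypervisors and backup tooling in the interview).
CONSOLE_ROLES = {"hypervisor", "backup"}
# Roles whose admin interface should not be reachable from the user network.
SEGMENTED_ROLES = CONSOLE_ROLES | {"domain_controller"}


@dataclass
class Asset:
    name: str
    role: str                              # hypervisor | backup | domain_controller | server
    identity_plane: str                    # "prod-ad" or a dedicated IdP label (assumed names)
    admin_protocols: Tuple[str, ...] = ()  # remote admin paths enabled (rdp, winrm, wmi, https, ssh ...)
    mfa_enforced_on: Tuple[str, ...] = ()  # subset of admin_protocols that require MFA
    reachable_from_user_vlan: bool = True
    immutable_backup: bool = False         # meaningful only for role == "backup"


def audit_asset(a: Asset) -> List[str]:
    """Return one finding per hardening gap on a single asset."""
    findings = []
    if a.role in CONSOLE_ROLES and a.identity_plane == "prod-ad":
        findings.append(f"{a.name}: {a.role} console is joined to production AD")
    for proto in a.admin_protocols:
        if proto not in a.mfa_enforced_on:
            findings.append(f"{a.name}: {proto} administrative access without MFA")
    if a.role in SEGMENTED_ROLES and a.reachable_from_user_vlan:
        findings.append(f"{a.name}: admin interface reachable from the user VLAN (no segmentation)")
    if a.role == "backup" and not a.immutable_backup:
        findings.append(f"{a.name}: backup target has no immutable copy")
    return findings


def pct(num: int, den: int) -> float:
    """Percentage rounded to one decimal, 0.0 when the denominator is empty."""
    return round(100.0 * num / den, 1) if den else 0.0


def audit_inventory(assets: List[Asset]) -> Dict[str, object]:
    """Findings for every asset plus fleet-wide percentages in the report's style."""
    findings = [f for a in assets for f in audit_asset(a)]
    hyps = [a for a in assets if a.role == "hypervisor"]
    bkps = [a for a in assets if a.role == "backup"]
    rdp_hosts = [a for a in assets if "rdp" in a.admin_protocols]
    summary = {
        "hypervisors_domain_joined_pct": pct(sum(a.identity_plane == "prod-ad" for a in hyps), len(hyps)),
        "backup_tools_domain_joined_pct": pct(sum(a.identity_plane == "prod-ad" for a in bkps), len(bkps)),
        "rdp_without_mfa_pct": pct(sum("rdp" not in a.mfa_enforced_on for a in rdp_hosts), len(rdp_hosts)),
        "backups_without_immutable_pct": pct(sum(not a.immutable_backup for a in bkps), len(bkps)),
    }
    return {"findings": findings, "summary": summary}


# Constructed sample inventory (names and values are made up for the example).
SAMPLE_INVENTORY = [
    Asset("esx-01", "hypervisor", "prod-ad", ("ssh", "https")),
    Asset("esx-02", "hypervisor", "tier0-idp", ("https",), ("https",), reachable_from_user_vlan=False),
    Asset("esx-03", "hypervisor", "prod-ad", ("https",)),
    Asset("veeam-01", "backup", "prod-ad", ("rdp", "winrm")),
    Asset("vault-01", "backup", "tier0-idp", ("https",), ("https",), False, True),
    Asset("dc-01", "domain_controller", "prod-ad", ("rdp", "winrm"), ("rdp",)),
    Asset("app-01", "server", "prod-ad", ("rdp", "winrm", "wmi"), ("rdp",)),
    Asset("app-02", "server", "prod-ad", ("rdp",)),
]

if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY)
    for line in result["findings"]:
        print(line)
    for key, value in result["summary"].items():
        print(f"{key}: {value}%")
```

Only `esx-02` and `vault-01` come out clean: a dedicated identity plane, MFA on the one admin path that is open, and no route from the user VLAN. Everything that sits in `prod-ad` with an unprotected RDP, WinRM or WMI path is exactly the lateral-movement surface the answer describes.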

Vishwa: Based on your findings that unplanned responses and a lack of backups often escalate incidents, how exactly do these factors turn manageable breaches into full-scale crises?

John: Survivable, timely, and recoverable backups, the single most reliable recovery measure in a ransomware event, remain underutilized. Only 50% of firms reported having at least one immutable backup system, and many fail to back up critical infrastructure like domain controllers or data stored in SaaS applications. 

This leaves half of responding firms exposed to potential catastrophic data loss. Immutable backups are the single strongest indicator of post-ransomware recovery and, therefore, the best defense against the threats in the current zeitgeist. 

There is no way to conclusively determine if 50% of firms’ backup tools capable of immutability are actually properly configured for immutability, or what data they are backing up — a full set of all data in the firm, or merely a subset. 

Even if all these firms have flawless immutability practices and back up all firm data with these tools, that still leaves 50% of firms woefully underdefended against a ransomware event.

Because many vendors back up client data, they often have inadequate protection enabled to properly defend these backups. A firm may not be the target of a breach, but can still suffer consequences from one if a vendor loses firm data. The safest practice is to maintain a firm-controlled backup copy of all SaaS and cloud data. 

Destruction of backup data is a strategic and quite probable consequence of a ransomware attack. Without survivable backups, recovery of a law firm’s network becomes virtually impossible. 

Ransomware victims are then left with little choice but to negotiate payment for a decryption key. Survivable backups — those that are truly survivable and timely recoverable — are the top predictor of recovery after a breach. Even if a threat actor were able to gain access to the data, they would not be able to modify or destroy it because there are no administrative technical overrides to the retention lock, aka survivability.

Operations may be crippled until a ransom is paid for a decryption key or systems can be recovered from backups. Moreover, if backups are destroyed and data exfiltrated during a mass destruction event, the attacker has a powerful and likely intractable negotiating position.

Vishwa: Backups that cannot be altered or deleted, or immutable backups, are largely underused in the legal sector. What practical steps can help ensure these backups can be trusted to fully restore systems and data after a ransomware attack?

John: We know from breach recovery that recovery survivability is a factor of the number of backup copies, applied identity planes, hardening of the backup storage targets, segmented administrative infrastructure, segmented and isolated backup storage targets, and regular hardening of the backup tooling to what threat actors are commonly doing.

Backups do not commonly survive largely because most organizations are not resourced to do this with excellence. To further complicate this, during a mass restoration event, organizations find themselves in a crime scene, meaning a forensics investigation is necessary to understand what was damaged or stolen and how the threat actors were able to do this. 

Thus, for physical environments, excess capacity is necessary to orchestrate timely recovery. Many organizations commonly do not have enough excess capacity.  Also, organizations commonly do not clearly understand the role of the breach counsellor and DFIR, and how their roles impact the recovery timeline. 

Without the forensic investigation being complete, it is impossible to commonly bring systems back online timely and safely. Thus, a priority must be placed upon complete forensic review while safely rehydrating workloads from survivable and timely recoverable backups.

Lastly, organizations that do have a survivable copy of backups, unfortunately, commonly store those in object-oriented cloud repositories, which complicate timely recovery because the WAN and the storage mechanism itself are commonly limiting factors.

These common limiting factors exist in law firms today. Many have not thought through the process and technologies through the lens of breach reality.
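As an added example covering both the immutability points in the previous answer (a retention lock with no administrative override) and the recovery factors Smith lists here (copy count, identity plane, isolated storage, and the WAN or object store as the limiting factor), the following Python is a model, not Fenix24 or any vendor's code, of which constructed backup copies survive an attacker who holds the production AD plane, and how long each surviving copy takes to read back into production. The copy labels, the 40 TB sizes, the `prod-ad` / `tier0-idp` / `cloud-idp` plane names and the throughput figures are assumptions; the compliance/governance distinction follows the general object-lock model (compliance cannot be overridden, governance can be bypassed by a privileged principal) rather than a specific product's API.

```python
"""Added example: model of the backup-survivability factors Smith lists and a
restore-time estimate from each copy's read-back throughput. Constructed data;
not Fenix24 or vendor code. Compliance/governance mirrors object-lock products
in general, not any one vendor's API."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class BackupCopy:
    label: str
    size_tb: float                     # decimal terabytes (10**12 bytes)
    retention_mode: Optional[str]      # "compliance" (no override), "governance" (bypassable), None
    retention_until: Optional[date]
    identity_plane: str                # IdP whose credentials can delete/modify the copy (assumed label)
    isolated_from_prod_network: bool
    restore_mbps: float                # sustained throughput reading the copy back into production


def lock_in_force(c: BackupCopy, on: date) -> bool:
    """A retention lock only protects while its expiry lies in the future."""
    return c.retention_mode is not None and c.retention_until is not None and c.retention_until >= on


def survives(c: BackupCopy, attacker_planes: Set[str], attacker_has_bypass: bool, on: date) -> bool:
    """True if an attacker controlling `attacker_planes` cannot destroy the copy on `on`."""
    if lock_in_force(c, on):
        if c.retention_mode == "compliance":
            # No administrative override exists: the lock holds regardless of privilege.
            return True
        # Governance: deletable only with the bypass permission in the copy's own identity plane.
        return not (attacker_has_bypass and c.identity_plane in attacker_planes)
    # No lock, or an expired one: survival rests on segmentation alone, a weaker guarantee.
    return c.identity_plane not in attacker_planes and c.isolated_from_prod_network


def restore_hours(c: BackupCopy) -> float:
    """Hours to read the whole copy back at its sustained throughput (1 TB = 8e6 megabits)."""
    return round(c.size_tb * 8_000_000 / c.restore_mbps / 3600, 1)


def recovery_plan(copies: List[BackupCopy], attacker_planes: Set[str],
                  attacker_has_bypass: bool, on: date) -> Dict[str, object]:
    """Surviving copies ordered by restore time, plus the copies the attacker destroys."""
    survivors = sorted((c for c in copies if survives(c, attacker_planes, attacker_has_bypass, on)),
                       key=restore_hours)
    return {
        "survivors": survivors,
        "fastest_restore_hours": restore_hours(survivors[0]) if survivors else None,
        "destroyed": [c.label for c in copies if c not in survivors],
    }


# Constructed sample: four 40 TB copies of the same firm data set.
LOCK_EXPIRY = date(2026, 6, 30)
SAMPLE_COPIES = [
    BackupCopy("primary-nas", 40.0, None, None, "prod-ad", False, 10_000),
    BackupCopy("veeam-repo-governance", 40.0, "governance", LOCK_EXPIRY, "prod-ad", False, 5_000),
    BackupCopy("cloud-object-lock", 40.0, "compliance", LOCK_EXPIRY, "cloud-idp", True, 1_000),
    BackupCopy("onprem-immutable-vault", 40.0, "compliance", LOCK_EXPIRY, "tier0-idp", True, 4_000),
]
# Scenario: the attacker holds production AD with bypass rights, on a date before the locks expire.
SCENARIO = {"attacker_planes": {"prod-ad"}, "attacker_has_bypass": True, "on": date(2026, 1, 15)}

if __name__ == "__main__":
    plan = recovery_plan(SAMPLE_COPIES, **SCENARIO)
    print("destroyed:", plan["destroyed"])
    for c in plan["survivors"]:
        print(f"{c.label}: {restore_hours(c)} h to restore")
```

Two of the four copies are gone the moment production AD falls: the plain NAS copy because its identity plane is the one the attacker holds, and the governance-mode repository because the bypass permission lives in that same plane. The two compliance-locked copies survive, but the cloud copy read back over a 1 Gbps WAN needs roughly 89 hours against about 22 hours from the on-premises vault, which is the WAN and storage-mechanism limitation Smith describes.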

Vishwa: Do you see a shift from traditional ransomware encryption events toward stealthier data exfiltration and extortion attacks without encryption demands? Can you share any groups or cases that illustrate your perspective?

John: We have been seeing a decline in ransomware attacks involving data encryption. Meanwhile, extortion-only attacks are on the rise, especially among smaller organizations. Some threat actor groups have notably shifted toward encryption-less ransomware and transitioned completely to extortion-only attacks. 

As law firms become better at restoring data from backups, stealing data and exploiting regulatory or reputational fears have become a more profitable approach for attackers. And it’s less risk for them too. 

Additionally, attackers are making their moves with low visibility, using living-off-the-land tactics, abusing legitimate tools (e.g., PowerShell), and targeting infrastructure like VMware hypervisors to maximize impact and evade detection.

According to our report, legal firms no longer fear malware or drive-by encryption as much as they are increasingly worried about targeted attacks where a human agent maneuvers past weak points in the defenses, exfiltrates sensitive data for additional leverage and reputational damage, and then attempts to shut down operations and extract a ransom payment. 

Regulatory pressure and client expectations are driving encryption in the face of greater scrutiny for how firms manage sensitive data. Sometimes exfiltration is the end goal of a breach. 

Personal email, removable mass storage devices, and poorly configured MDM are avenues to data exfiltration, whether malicious or accidental. Attackers may use a double extortion tactic whereby they not only encrypt data but also threaten to release client information if a ransom is not paid. 

Given the highly sensitive nature of legal information, the firm comes under intense pressure to comply with ransom demands.

Vishwa: Cyber insurance providers are mandating MFA, EDR, security training, tested backups, and alignment with frameworks like Cyber Essentials or HITRUST. In sectors such as legal, healthcare, and finance, how are these requirements influencing cyber risk strategies?

John: New regulatory and insurance requirements are forcing firms to reassess their security posture, often revealing critical gaps in areas such as access controls, incident response, and data protection. 

Proposed federal (US) measures, including updated and/or considered HIPAA rules, specifically mandate MFA, IR recovery objectives, network segmentation, encryption, risk analysis, and audit trails to safeguard patient data. 

This comes with significant cost, as smaller providers struggle with the financial or logistical burden and thereby may find it hard to qualify for cyber insurance.

Cyber insurance requirements are prompting meaningful security investments and prioritization across operations. Meanwhile, insurers are shifting from annual underwriting to more frequent check-ins, making security posture monitoring a continuous process. 

Those entities adhering to recognized frameworks often secure better premiums and more favorable underwriting. However, frameworks commonly do not equal quality security or increased incidence of recoverability.

Vishwa: When organizations run tabletop exercises — simulated, discussion-based incident response drills before attacks — how realistic are they in preparing for real incidents, and what scenarios do you believe are most often missing that could make them more effective?

John: We see a major trend shift with the sudden rise of assessments/tabletop exercises/penetration test results as a top driver of change. The activities are valuable for improving incident readiness, clarifying roles, testing response plans, and enhancing communications. 

Well-designed tabletop (Red/Blue/Purple teaming) exercises prepare teams strategically but must reflect real-world impacts to be truly effective.

Common gaps may include a lack of technical realism (no hands-on response), limited time pressure and ambiguity, lack of third-party or supply chain breach inclusion, overlooking insider threats and accidental data leaks, and not simulating long-term recovery or regulatory follow-up. 

We also commonly see that breach simulations and tabletop exercises assume survivable recovery. However, in our own experiences, this is a terribly faulty assumption. Backups do not commonly survive, or at a minimum, are not orchestrated to survive, whether the threat actor targets them or not.

Vishwa: Looking at the past year’s most disruptive incidents, what is one emerging threat type you believe organizations across sectors are underestimating?

John: While AI will enhance the productivity of security teams and end users, it can produce new and novel methods of attack by threat actors. AI-powered attacks are becoming more sophisticated and can misclassify threats or miss them altogether. 

AI is only as good as the data it’s trained on and references. If that training data is biased, incomplete, or maliciously modified, it can lead to serious security vulnerabilities. Additionally, AI can be complex to protect, requiring skilled people and novel protection strategies.

Vishwa: Which cybersecurity tools or apps do you most often recommend for new and experienced professionals, and what specific capabilities make them most valuable for detection, recovery, and resilience?

John: There is no substitute for immutable data backups — those that cannot be encrypted, altered, or deleted. It is your primary defense against threat actors as well as those that come from inside the organization, either accidental or intentional. 

The proper configuration of backups will allow an organization to maintain the confidence that its information will be protected and retrievable, with a minimum of operational downtime should it be the victim of an attack.

Fenix24 has a platform, known as Securitas Summa, that is designed to assure recovery.