Apr 22, 2025

The human firewall: Why employees remain the critical link in law firm cybersecurity

We are in an era where cyber threats are evolving at lightning speed. The second Legal Operations and Administration Forum (LOAF) of the year brought together leading cybersecurity experts to explore the human element of cybersecurity in modern law firms.

James Edwards-Scott, Chief Information Security Officer (CISO) at Williams Lea, joined a panel of distinguished speakers including Georgie Cohen, Partner at IBM’s Cyber Security Practice; Allan Campbell, CISO at Withers; Perminder Jagdev, CISO at Taylor Wessing; and Ben Gibbins, Partner at Alvearium Associates. The session, moderated by Chris Bull of Edge International, delved into practical, people-centric approaches to cybersecurity, highlighting how human behavior remains both the greatest vulnerability and strongest defense in protecting sensitive legal data.

Here are the top takeaways from the event:

Understand the shifting threat landscape: How AI, credential theft, and human exploitation target your firm

The cyber threats targeting law firms are moving beyond traditional hacking towards methods that exploit human psychology, leverage stolen credentials, and increasingly utilize Artificial Intelligence (AI). This shift demands a corresponding evolution in cyber protection strategies.

Georgie Cohen highlighted the rise of credential theft, noting that 30% of breaches involve attackers simply logging in with valid credentials.[1] “They’re not necessarily now hacking into our networks. They’re actually stealing our credentials and just logging in is so much easier for them, and so much cheaper.” This tactic bypasses many technical defenses, making user awareness and robust identity management crucial. The financial stakes are significant, with the average total cost of a data breach now at $4.88 million (a 10% year-over-year increase),[2] even before considering reputational damage or regulatory fines.

AI adds another layer of complexity and sophistication to the threat landscape. As Georgie explained, AI enables attackers to overcome previous limitations, such as poor grammar or inaccurate logos in phishing emails. It can also create convincing deepfakes, making verification essential. While AI offers immense potential for improving cybersecurity by detecting patterns and automating responses, it is a double-edged sword. “As excited as we get about using AI for security, the bad actors are getting equally as excited, and they’re out there having a really great time thinking about how they can use tech for bad as opposed to tech for good,” she concluded. Adopting a secure-by-design approach, so that AI itself (its data, models, infrastructure, and users) is secured, is therefore critical.

Ben Gibbins further illustrated the human targeting element, pointing to ransomware attacks disguised as legitimate documents aimed at junior lawyers. He emphasized understanding the methods of attackers: “Threat actors have been injecting malicious code into [innocuously titled] documents, such as ‘template confidentiality agreement’. The goal here is to trick junior lawyers to click on these things.” Gibbins also highlighted sophisticated social engineering, including North Korean IT workers infiltrating companies as remote workers, and emphasized the need for collaboration between IT security and HR.

Trust your instincts: Build a security conscious culture to equip your workforce to be AI and cyber-aware

Technology alone, even advanced AI, cannot provide complete protection. Fostering a strong security culture, where every individual understands their role, the evolving threats (including AI-driven ones), and their responsibility, is paramount for law firms handling sensitive data.

Perminder Jagdev stressed moving beyond viewing security as a mere IT function or blocker. Rather, information security serves the length and breadth of the business, providing the risk awareness needed to protect the law firm. “There is a misperception that Information Security’s role is to always say ‘no’. I say Information Security is there in most cases to provide guidance and say if you undertake this action, this is what the risk or the impact will look like to our business. Then it goes down to the risk owner to decide on whether it’s an appropriate risk for the business to take and whether they are the right person to make that decision on behalf of the business.” Engaging stakeholders, particularly partners, requires clear communication about real incidents (including AI-related ones like deepfakes) and the value of security measures, connecting security efforts back to protecting the firm and its clients.

Training is also fundamental, but it must be engaging, relevant, and address current threats. James Edwards-Scott shared Williams Lea’s strategy for moving beyond generic training: “We took a more creative and marketing-led approach and made bite-sized, 15-minute training modules. We made them very relevant. We took real-life examples, and we put them into the training to help our people understand and get more engaged.” Such examples, including a video of a malicious deepfake attempt on a senior leader at Williams Lea, drive home the reality of new threats. As the target of that attempt advised in the video, “Trust your instincts, and double check before taking any action.”

Allan Campbell also emphasized the underlying human factors, explaining how individual differences affect security outcomes: “It’s the behaviors of people that we’re actually up against which tends to be the problem… understanding how people work, how they think, their decision making, and how people handle risk is very different. If I gave each of you a scenario or even a phishing email, we wouldn’t get a consensus across the board of how you would handle that. Some might ignore it, some might delete it, some might raise it, but it’s that consistency in the behavior and approach which is difficult to manage.” He also noted that factors like misplaced trust and time pressure create vulnerabilities. Tailoring education to resonate with different roles, and covering personal security hygiene, is therefore essential.

Implement layered strategies: Strengthening proactive defense and resilience in a complex world

Given the persistent and evolving threats, including those amplified by AI, law firms need to combine a proactive, multi-layered defense strategy with robust resilience. Only 12% of organizations fully recover from a breach within 100 days,[3] underscoring the need for effective planning.

A “defense-in-depth” or “zero trust” approach remains crucial. Gibbins advised, “If you treat your IT environment as assumed to be compromised, that can really help you to prevent a significant attack.” Technical solutions like Multi-Factor Authentication (MFA) and managed detection and response are vital, but firms must combat “tool sprawl”—on average, organizations grapple with 83 security products from 29 different vendors.[4] This complexity is a major impediment for 52% of executives.[5] AI can help streamline defenses by automating repetitive tasks and improving threat detection.

Crucially, firms must invest in recovery and resilience. Jagdev highlighted the importance of tested business continuity plans and reliable backups. “When you finally need to lean on your recovery… that’s when you’re going to wish you had invested.” Being able to recover quickly significantly reduces the impact of an attack and strengthens the firm’s position.

Despite the challenges, there’s room for optimism

Research from IBM shows that 67% of organizations are now deploying security AI and automation (a 10% increase from the prior year),[6] embedding security early in the process. Furthermore, using AI and automation extensively can save organizations an average of 98 days in breach response time and yield cost savings of nearly $2.2 million compared to those not using these tools.[7] Collaboration within the legal sector also remains a powerful tool for sharing intelligence and enhancing collective defense.

Cybersecurity in the legal sector is not just an IT problem; it’s a fundamental business imperative deeply intertwined with human behavior and increasingly influenced by AI. As threats become more sophisticated and target individuals directly, law firms must cultivate a vigilant, security-aware culture, implement layered technical and procedural defenses incorporating secure AI, and prioritize resilience. By recognizing that their people are the crucial human firewall—supported by, but not replaced by, technology—firms can better protect their clients, their data, and their reputation in an increasingly challenging digital world.

Understanding how technology, including AI, impacts cybersecurity is just one part of a larger operational picture. As law firms adapt to these evolving digital challenges, examining the wider technological transformation occurring within legal support functions becomes essential for strategic planning. For broader insights on how technology is revolutionizing legal support and redefining roles, download our recent survey: The technology revolution in legal support: Redefining roles and enhancing value in modern law operations

[1] Source: IBM Research, via G. Cohen LOAF Presentation, 3 April 2025.

[2] Source: IBM Cost of Data Breach Report 2024, via G. Cohen LOAF Presentation, 3 April 2025.

[3] Source: IBM Research, via G. Cohen LOAF Presentation, 3 April 2025.

[4] Source: IBM Research, via G. Cohen LOAF Presentation, 3 April 2025.

[5] Source: IBM Research, via G. Cohen LOAF Presentation, 3 April 2025.

[6] Source: IBM Research, via G. Cohen LOAF Presentation, 3 April 2025.

[7] Source: IBM Cost of Data Breach Report 2024, via G. Cohen LOAF Presentation, 3 April 2025.
