Skip to content

Penetration Testing for Law Firms: What UK Practices Need to Know

UK law firms have data attackers want, so penetration testing for law firms is a must-have. Here’s what the test covers, how it supports Lexcel, and the cost.
Penetration Testing for Law Firms What UK Practices Need to Know

Contents

    Introduction: Penetration Testing for Law Firms in the UK

    Law firms sit on the sort of information criminals build entire business models around. From client records and commercial contracts to case files covering disputes that neither side wants aired, and conveyancing funds moving in six-figure sums, or intellectual property that a competitor would pay for.

    That combination makes legal practices highly attractive targets, and unusually exposed when something goes wrong. A manufacturer that loses production for two days has an operational problem, but a firm that loses privileged client material has a professional conduct problem, a regulatory problem and a reputational problem all at the same time.

    Penetration testing is how firms find out what an attacker could actually do before an attacker does it. This guide is a deep dive into penetration testing for law firms and will look at which type of test to start with, how testing supports Lexcel and ISO 27001, and what shapes the price.

    Cyber security carries as much jargon as conveyancing does. If any term here is unfamiliar, our A to Z cyber security glossary explains the language used throughout.

    Why Law Firms Are Targeted

    As with most things in cybersecurity, the numbers make uncomfortable reading.

    Successful cyber attacks against UK law firms rose by 77% in a single year, climbing from 538 to 954, according to research by chartered accountants Lubbock Fine reported in the Law Society Gazette in August 2024. The same article notes the National Cyber Security Centre’s finding that nearly three quarters of the UK’s top 100 law firms have been affected by cyber attacks.

    Unsurprisingly, breach volumes have followed suit. Analysis of Information Commissioner’s Office data published by NetDocuments in February 2025 found that reported data breaches in the UK legal sector rose 39% between Q3 2023 and Q2 2024, from 1,633 cases to 2,284. Data relating to 7.9 million people was compromised, roughly 12% of the UK population.

    Interestingly, the same ICO analysis is worth dwelling on, because it contradicts how most firms picture the threat. Insider incidents accounted for half of all reported breaches. Human error caused 39% of them, with a further 37% coming from data sent to the wrong person by email, post or in conversation. All in all, among external attacks, phishing accounted for 56%.

    On preparedness, the Law Society reports that 65% of firms have been the victim of a cyber attack while 35% still have no cyber mitigation plan in place. The same article cites Cyfor research finding that 90% of the top 25 UK firms have faced a threat, and PwC’s Annual Law Firms’ Survey 2023, in which 85% of top 100 firms said they were concerned that cyber threats would stop them meeting their objectives.

    Like most things, cost is harder to pin down for the legal sector specifically. IBM’s Cost of a Data Breach Report put the average UK breach at £3.4 million across all sectors in 2023. For a practice holding client money, the direct cost is rarely the worst part.

    And before any smaller firms start thinking they’re too small to be targeting, unfortunately, they are not spared any of this. Smaller law firms are frequently targeted precisely because they hold comparable data with a fraction of the security budget.

    The specific threats facing legal practices

    Four patterns come up repeatedly:

    • Conveyancing and payment diversion fraud. Attackers compromise or spoof an email account, wait for completion, then send revised bank details to the client. Within minutes, the money is gone. The UK’s largest conveyancing firm, Simplify Group, was taken offline by an attack in November 2021 at a reported cost of £6.8 million in lost business.
    • Ransomware with data theft. Modern ransomware operators exfiltrate case files before encrypting anything, then threaten publication. For a firm holding privileged material, publication is often the more serious half of the threat. For any law firms working on their cyber security, ransomware-as-a-service, or RaaS, is absolutely something you should be clued up on.
    • Business email compromise. Given that phishing drives more than half of external attacks on the sector, a single compromised Microsoft 365 mailbox is a realistic starting point. It gives an attacker months of correspondence, a writing style to imitate, and a trusted address to send from.
    • Supplier and third party compromise. Case management platforms, e-discovery providers, counsel chambers and outsourced IT all touch client data. Their weaknesses become the firm’s weaknesses, and as the JLR attack taught us, you’re only as secure as the weakest link in your supply chain.

    What a Penetration Test Actually Involves

    A penetration test is an authorised, scoped attempt to break into your systems, carried out by qualified testers who then document how they did it and how to stop it happening again. It differs from a vulnerability scan, which lists potential weaknesses without proving any of them can be exploited. Our comprehensive guide to penetration testing covers the methodology in full.

    Penetration testing for law firms has several relevant test types, but few practices need all of them at once, and you can see the complete range on our services page.

    External infrastructure testing

    External infrastructure testing examines everything facing the internet: firewalls, VPN endpoints, remote access portals, mail servers, the public website. It answers the question of what someone with no access and no credentials could achieve from outside. Most firms commission this first, and for good reason. It maps closely to how opportunistic attacks begin.

    It’s worth knowing that an external infrastructure test is scoped around IP addresses you already know about. An attack surface assessment goes further by identifying and mapping every internet-facing asset first, which tends to matter for firms that have grown through merger or acquired offices with their own IT history.

    Internal infrastructure testing

    Here the tester works from inside the network, simulating a contractor with a laptop, a compromised user account or an attacker who has already got a foothold. Internal infrastructure testing exposes the problems that matter most once someone is through the door: excessive user permissions, weak segmentation between departments, servers running software that stopped receiving patches years ago, and paths from a junior user account to the case management system.

    Given that insider incidents account for half of all reported legal sector breaches, this is more relevant to law firms than the usual assumptions suggest.

    Microsoft 365 and cloud configuration review

    Most legal practices now run on Microsoft 365, and most breaches involving mailboxes trace back to configuration rather than software flaws. A Microsoft 365, Entra and SharePoint assessment looks at conditional access rules, multi factor authentication coverage and enforcement, legacy authentication protocols left enabled, mailbox forwarding rules, and how much a compromised account can reach across SharePoint and Teams.

    Web application testing

    Client portals, document exchange platforms and matter tracking systems handle sensitive material directly. If your firm has built or commissioned any client facing application, it deserves web application penetration testing in its own right rather than being folded into an infrastructure test. Firms offering a client app should also consider mobile application testing.

    Phishing and social engineering assessments

    Given how many incidents begin with a person rather than a system, a phishing assessment gives a firm real data on how staff respond under realistic conditions, and on how quickly the IT function detects and contains a click. Larger practices with an in-house security function sometimes go further with red or purple teaming, which tests detection and response rather than vulnerabilities alone.

    Which Test Should Your Firm Start With?

    For a firm that has never commissioned testing, external infrastructure is the sensible starting point. It is the smallest sensible scope, it covers the ground an untargeted attacker would cover, and it produces findings a firm can act on quickly.

    That said, starting somewhere beats waiting for the perfect scope. Practices routinely delay testing until they feel their security is in better shape, which is roughly like postponing a health check until you feel healthier. We have written about that instinct in more detail in The Jekyll and Hyde Approach to Penetration Testing.

    A reasonable multi year progression for a mid sized practice looks like this:

    Year Focus What it tells you
    One External infrastructure What an attacker sees from the internet
    Two Internal infrastructure and Active Directory How far a foothold could spread
    Three Microsoft 365 and cloud configuration Whether your most likely breach path is defensible
    Four Phishing simulation and client portal testing How your people and client facing systems hold up

    By the fifth year, repeating the external test is genuinely useful again, because the environment underneath it has changed substantially.

    Penetration Testing, Lexcel, ISO 27001 and Cyber Essentials

    Penetration testing rarely happens in isolation from compliance obligations, and several frameworks either require it or make it very difficult to avoid.

    Lexcel requires firms to identify and manage information security risks as part of the risk management and information management sections of the standard. It does not prescribe penetration testing by name, but an assessor asking how you validate your controls will want evidence stronger than an internal opinion.

    ISO 27001 expects technical vulnerabilities to be identified and evaluated, and expects the effectiveness of controls to be measured. In practice, most certified organisations use penetration testing to satisfy that, and most auditors expect to see it.

    Cyber Essentials Plus involves a hands on technical verification, which is narrower than a penetration test but overlaps with it. Passing Cyber Essentials is a useful baseline rather than an endpoint, a point we cover in Cyber Essentials vs Cyber Resilience.

    The SRA expects firms to protect client confidentiality and client money. Neither obligation is framed in technical language, but both are difficult to demonstrate after an incident if the firm never tested its defences.

    UK GDPR requires appropriate technical measures and, under Article 32, a process for regularly testing and evaluating their effectiveness. Penetration testing is the most direct way of meeting that wording.

    Client Due Diligence Is Now Driving Demand

    Something has shifted in the past few years, and firms increasingly commission testing not because a regulator asked, but because a client did.

    Corporate clients now send security questionnaires to their legal advisers as a matter of routine, particularly in financial services, technology and government work. Panel appointments and framework agreements ask directly whether the firm carries out annual penetration testing, whether it holds Cyber Essentials or ISO 27001, and how it handles incident notification.

    A firm that can answer those questions with a current report and a clear remediation record wins work, whilst a firm that cannot gets filtered out at the procurement stage, often without ever being told why.

    What Does Penetration Testing Cost for a Law Firm?

    Price varies considerably, and any provider quoting before understanding your environment is guessing, but here are a few different things to keep in mind.

    In penetration testing, cost is driven by a handful of factors:

    • Scope size. The number of external IP addresses, internal hosts, applications or user accounts in the test.
    • Test type. An external infrastructure test on a small estate is a fraction of the cost of a full internal assessment or a red team exercise.
    • Depth. A standard test differs from an engagement that includes exploitation chains, lateral movement and detection testing.
    • Number of sites. Multi office firms with separate networks need more coverage.
    • Retesting. Some providers include verification of fixes, others charge separately, and it’s worth clarifying before you sign anything.

    For a single office practice with a modest external footprint, testing is a smaller line item than most firms expect, and considerably smaller than the excess on a cyber insurance claim. The mistake we see most often is buying on price alone, which reliably produces a scan output relabelled as a penetration test.

    Avoiding the Pentest Trap

    There is a failure mode that catches firms who are doing everything right on paper.

    A practice commissions an external infrastructure test to satisfy a compliance requirement. A year later it calls the same provider, orders the same test, and receives a near identical report. They repeat that for four years, which means the firm is spending real money to confirm things it already knew, while the parts of its environment that changed most go unexamined. We call this the Pentest Trap, and it is worth understanding in full: see What is the Pentest Trap? for the complete picture.

    Four signs your firm has fallen into it:

    1. The scope has not changed in years, but your environment has. Things like new cloud services, new starters, a case management migration, an office move, a merger. If the test did not move with any of that, it is measuring an environment that no longer exists.
    2. The findings look familiar. When this year’s report could be mistaken for last year’s, either the recommendations are not being implemented or the test is not looking anywhere new.
    3. The objective is passing rather than learning. Compliance should be the by-product of good security rather than the reason for it. A test passed without meaningful remediation is paperwork.
    4. There is no plan beyond the next test. Nobody in the firm can say what this year’s engagement is meant to reveal that last year’s did not.

    Fixing this costs nothing extra in most cases. All it requires is deciding what you want to learn before you buy, and choosing a provider willing to have that conversation rather than simply re-quoting last year’s job.

    Choosing a Provider

    A few things separate a useful engagement from an expensive PDF, and here are our recommendations:

    1. Look for CREST accreditation, which means the provider’s methodology and testers have been independently assessed.
    2. Ask who will actually perform the test and what qualifications they hold, since some firms sell on the strength of senior staff and deliver with junior ones.
    3. Ask to see a sample report, and check that it explains business impact rather than only listing CVE numbers, because the report has to be readable by a managing partner as well as an IT manager.
    4. Ask about retesting too, because finding a vulnerability is only half the work, and confirming a fix actually worked is the half that gets skipped. We have written about why that matters in The Importance of Retesting.
    5. Finally, judge how a provider handles your questions. Legal professionals are not expected to be security specialists, and any provider who treats that as an inconvenience will be equally unhelpful when you are in the middle of an incident.

    Where to Start

    Cyber security in the legal sector stopped being optional some time ago, as attack volumes rose, breach costs ran into the millions, and clients started asking harder questions than some regulators.

    The practices that handle this well are not the ones spending the most, but the practices that decide what matters, test it properly, fix what they find, and change the focus as the firm changes.

    If you would like to talk through what a first test should cover, or you have been running the same engagement for years and suspect you are getting less from it each time, get in touch with our team. We will tell you what is worth testing before we tell you what it costs.

    Frequently asked questions

    Neither standard is satisfied by testing alone, but testing provides the evidence that your risk assessments and technical controls have been validated rather than assumed.

    Annually is the common baseline, and it is what most client questionnaires and insurers ask about. Test again after significant change, such as a migration, a merger or a new client portal going live, rather than waiting for the anniversary.

    No, a scan automatically identifies possible weaknesses, while a penetration test confirms which of them are genuinely exploitable and how far an attacker could get, which is the part that informs your decisions.

    Network penetration tests should ideally be carried out as often as possible or after significant updates or changes to the internal or external infrastructure; however, this isn’t always feasible, so we recommend testing at least annually.

    The purpose of penetration testing is not to break anything, so minimal disruption should be expected. If necessary, we can work with you to schedule testing during low-usage periods.

    To learn more about network penetration testing, click the link below.

    Learn More

    Recent posts

    The Cybersecurity Industry Has Let You Down

    Read more

    Cybersecurity for Law Firms in 2026: Which Threats Are Most Likely to Breach Solicitor-Client Confidentiality

    Read more

    ICS & SCADA Penetration Testing: How to Test Live OT Systems Safely

    Read more

    OT Penetration Testing: A Complete Guide to Securing Operational Technology

    Read more