The Statistics Behind the Legal Sector Cybersecurity Problem
Like Constantinople in 1453 AD, law firms worldwide are under siege. Not by some global empire, but by an unknown, often independent entity whose sole purpose is to make money out of chaos.
So, why target legal firms?
Easy, because sensitive data is the new gold, and law firms are built on sensitive data: client records, contracts, case files, intellectual property, and financial disclosures.
For cybercriminals, that data makes firms attractive targets, and for the firms themselves, that makes breaches far more damaging.
In the past year alone, successful cyberattacks against legal practices surged by 77%, climbing from 538 incidents in 2022/23 to 954 in 2023/24, as reported by the Law Society Gazette.
That’s not fearmongering. It’s a fact.
The top 100 UK firms are now hit with an average of three cyberattacks every day. Yet, many still believe that running the same penetration test every year, getting the same results and ticking a box on a compliance checklist are enough to keep the wolves at bay.
It isn’t, and we have nicknamed this false sense of security: The Pentest Trap.
But before we explore the Pentest Trap, here are some more stats that will blow your mind:
- 7.9 million people were affected by legal-sector data breaches in 2023/24.
- The average breach cost for a UK legal firm is now around £4 million.
- 65% of firms experienced a cybersecurity incident last year.
- Yet just 35% have an incident response plan in place.
And with 95% of attacks linked to human error, firms that lack proper training and monitoring are leaving the door wide open.
What is the Pentest Trap?
Here’s the scenario: a law firm must conduct a penetration test to pass compliance regulations.
For some, this is the first time they’ve heard of a penetration test, and for others, they’ve heard the term but don’t fully understand it—and why should they? They’re lawyers.
They call up a penetration testing company and say, “One penetration test, please”.
The penetration test provider recognises that they don’t really know what sort of penetration test they want and recommends an external infrastructure test (one of the most popular and, as a first test, one of the most useful).
The law firm ticks its compliance box, and a year later, realising it needs to do it again, calls the same provider, asks for the same test, and gets the same results.
They repeat this process for several years, getting increasingly frustrated that they spend all this money on testing every year, and always get the same or similar results back.
That is the Pentest Trap.
Fundamentally, it comes from legal firms seeing cybersecurity as a means of compliance box-ticking rather than compliance being the outcome of proactive, top-quality cybersecurity.
Sadly, some penetration testing companies are content doing the same test every year, knowing full well that the returns will diminish over time.
We see this all the time from legal firms that come to us after several years of doing the same test with the same provider and getting increasingly frustrated.
They often felt their provider treated them like children because they did not understand the complexities of cybersecurity and penetration testing.
Pentest Trap Checklist: 5 Signs You’re in the Pentest Trap
Now that you understand what the Pentest Trap is, here’s a quick checklist of sure-fire signs that your legal firm is stuck in the Pentest Trap.
If any of these apply to you, get in touch with us cause we can help you escape.
1. You Repeat the Same Test Every Year
If your penetration testing schedule hasn’t changed in years, it’s likely become a ritual rather than a strategy. The threat landscape evolves constantly, yet many firms run the same external infrastructure test every 12 months, regardless of system changes, emerging threats, or actual risk level.
2. The Findings Rarely Change, and ROI Is Shrinking
Does your latest penetration test report look eerily similar to last year’s? If you’re in the Pentest Trap, repeating the same test every year, you likely get the same report year after year as well. This means, year on year, your annual pentest is becoming less useful and the ROI is diminishing.
3. You’re Focused on Compliance, Not Actual Risk Coverage
When the goal becomes “passing the test” to meet audit requirements, it’s easy to miss the bigger picture: uncovering real, exploitable risks. Compliance should be a byproduct of effective security, not the objective. A pentest passed without meaningful remediation or follow-up is just security theatre.
4. There’s No Long-Term Testing Roadmap
Security should be continuous. Most firms have no plan beyond the next test, no phased improvement, no ongoing monitoring, no red/blue team simulations. And it shows. Even as attacks soar, only 34% of UK firms have a formal incident response plan.
Check out our comprehensive guide on developing an incident response plan.
5. You Use the Same Provider, Same Methods, Year After Year
If your provider has happily delivered the same test, the same results, and the same remediation advice year on year, then it’s time to change providers because they clearly do not care about your business’s proper cybersecurity posture.
How to Escape the Pentest Trap?
Escaping the Pentest Trap is reasonably straightforward.
First and foremost, it’s a change in attitude. While cybersecurity compliance is essential, it should be a by-product of proactive cybersecurity testing, patching and re-testing.
Secondly, like anything else in business, there should always be a long-term strategy. If you conduct an external infrastructure test in your first year, why not run an internal infrastructure test in your second year? Then, a M365 test in your third?
After four years of changing the scope of your annual penetration test, you can re-do your original external infrastructure test without it feeling like a waste of money and time.
Finally, a quality penetration test provider should always feel like your partner rather than someone who only cares because you pay them.
At Fortifi, we work with you to ensure that your money is being spent testing the most critical elements of your business, and we will do this every year.
Why Escape the Pentest Trap?
Obviously, the primary goal of escaping the Pentest Trap is improving cybersecurity posture and getting a better ROI on pentesting; however, firms that evolve beyond basic testing don’t just improve security, they unlock measurable business benefits:
- Increased Client Trust: Proactive data protection becomes a competitive advantage.
- Regulatory Confidence: Faster response times reduce fines, legal exposure, and ICO scrutiny.
- Stronger Staff Culture: Well-trained employees are more confident and less likely to cause incidents.
- Enhanced Investment Appeal: Stakeholders back firms demonstrating risk resilience and long-term planning.
Conclusion
Cybersecurity in the legal sector is no longer optional, and it’s important that firms do things properly.
With cyberattacks increasing rapidly and the average breach costing millions, repeating the same test every year, getting the same results, and treating pentesting as a tick-box exercise for compliance is a dangerous game.
As we’ve already mentioned, law firms must stop viewing cybersecurity as a means of compliance and instead see compliance as a byproduct of outstanding cybersecurity. That means continuous improvement, cultural change, and strategic investment.
The firms that escape the pentest trap now will lead the sector in resilience, trust, and long-term growth.