
ILTA Just-in-Time: When Data Becomes More Valuable Than Downtime, Law Firms Become a Prime Target

By Sarah Luiz posted yesterday

  

Please enjoy this blog authored by Sarah Luiz, Assessment Lead, Conversant Group.

Over the past decade, ransomware attacks have plagued organizations across the globe. The goal of these threat actors is typically the same: disrupt business operations to coerce victims into large ransom payments, since the loss of control over confidential data can result in long-term legal, financial, and reputational consequences.
 
In response to these attacks, many organizations began focusing their security controls and budget on mitigating these disruptions. 

As organizations have evolved their security posture and implemented immutable, air-gapped backups, those same threat actors are shifting strategies and turning their sights to new targets. Through continuous monitoring of threat actor behavior and incident trends, law firms can better prepare themselves to prevent, respond to, or recover from a modern breach.
 
Recent trends show growing numbers of attacks focused on data exfiltration as the primary objective. Multiple threat actor groups have been observed shifting their focus toward identifying and stealing critical or legally protected data.

Additionally, this new focus on data exfiltration can result in “double extortion” cases, where victims are forced to pay both for decryptor keys and to keep the data from being sold to a third party or publicly exposed. Both the speed and scale of such attacks are accelerating, and as confidential information becomes the main target of these threat actors, law firms and legal organizations are at particular risk due to the volume of sensitive, confidential, and regulated data they manage.

It is critical that law firms are prepared to adjust to these threats. To do this, technology professionals in the legal industry need to understand the data exfiltration risks their firms face. These risks are far from theoretical; survey data highlights several common gaps. Based on the 2025 Security Survey conducted in collaboration between ILTA and Fenix24, concerning data-exfiltration risks exist within an alarming number of legal organizations. 

     • 65% do not block unapproved file-sharing sites
     • 65% allow access to personal email
     • 45% allow removable storage devices
     • 30% are not using Mobile Device Management on all mobile devices
     • 72% do not enforce MDM on personally owned devices
     • 47% do not require MDM on corporate devices
     • 25% have no outbound port restrictions on the firewall

Relying on policy and governance alone to dissuade employees from exfiltrating data will not sufficiently protect an organization from this risk. Technical controls that prevent both internal and external threat actors from accessing or extracting critical information are imperative.

There are a number of critical security improvements organizations should consider in preparation for this growing threat, including:  

     • Utilizing a 24/7/365 SOC/SIEM with kill chain permissions on all systems with no sensor exclusions to ensure full visibility of the network.
       This visibility into any activity allows for thorough tracking and isolation of suspicious activity.
     • Disabling web browsing on critical or risky network segments, such as server segments.
     • Implementing inbound and outbound geo-blocking at the network perimeter.
     • Limiting access to any critical storage or backup systems within your network. 


The evolution of ransomware and cyber-attack strategies continuously highlights new technical gaps that can greatly impact the effectiveness, or ineffectiveness, of a firm’s security controls. While the legal industry has made significant progress in hardening its environments against traditional ransomware techniques, threat actors have also advanced their methodologies. 
 
With the prioritization of sensitive data exfiltration, the stakes are particularly high for law firms. The nature of the data processed by firms during the course of normal business makes them incredibly attractive targets, and the survey demonstrated that many environments still contain gaps that can be leveraged for data exfiltration. Addressing these risks requires breach context and controls designed with threat intelligence in mind. By aligning security strategies against the current threat landscape and proactively reducing avenues for data loss, law firms can better position themselves to defend against these impactful attacks. 


