Why Law Firms and Accounting Offices Are the Biggest Cybercrime Targets

Ask most attorneys or accountants whether they consider their firm a cybercrime target, and the answer tends to be measured. They understand risk in the abstract. They advise clients on it. But when it comes to their own practice, there’s often a quiet assumption that the real targets are bigger organizations: hospitals, banks, and government agencies.

That assumption is wrong. And it’s costing firms dearly.

The Data These Firms Hold Is Extraordinarily Valuable

Cybercriminals are not sentimental about their targets. They go where the valuable data is. And professional services firms sit on some of the most lucrative information that exists.

Law firms hold:

  • Merger and acquisition details before public announcement
  • Litigation strategy and confidential client communications
  • Settlement terms and financial disclosures
  • Immigration records and personal identification documents

Accounting offices hold:

  • Tax returns with full financial profiles
  • Business financial statements and payroll records
  • Bank account and routing information
  • Social Security numbers for individuals and entities

This data feeds identity theft, tax-refund and wire fraud, insider trading, and extortion. On criminal marketplaces, a complete financial profile (name, date of birth, Social Security number, address, and account details together) sells for multiples of what a single stolen credit card number fetches, because it supports far more kinds of fraud and stays useful long after a card is cancelled. Professional services firms are not secondary targets. They are among the primary ones.

The Access Problem Runs Deeper Than Most Firms Realize

Beyond what they hold directly, law firms and accounting offices often have privileged access to client systems, portals, and financial accounts: saved logins for clients’ payroll providers and banking portals, e-file credentials, accounts on clients’ document management systems. Compromising a firm doesn’t just expose that firm’s data. It opens a secondary path into every client they serve.

Attackers understand this. Targeting a mid-size accounting firm with forty business clients is more efficient than targeting each of those businesses separately. One breach, many victims.

Regulatory Exposure Adds Another Layer of Risk

Both professions operate under strict confidentiality obligations. A breach doesn’t just mean stolen data. It means potential disciplinary proceedings, bar complaints, malpractice exposure, and client notification requirements that can damage a reputation built over decades.

The regulatory dimension gives attackers additional leverage in ransomware scenarios. Most ransomware crews now exfiltrate data before encrypting it and threaten to publish it if the ransom isn’t paid. For a firm whose core obligation is confidentiality, restoring systems quietly isn’t an option, disclosure is legally required either way, and the prospect of client files appearing on a leak site raises the pressure to pay considerably.

Where the Gaps Tend to Live

Most firms that suffer breaches aren’t running their systems recklessly. The vulnerabilities tend to cluster in predictable places:

  1. Email accounts without multi-factor authentication, which turns a single phished password into full mailbox access
  2. Client portals using shared or weak passwords
  3. Staff using personal devices for work without security controls
  4. Outdated practice management software with unpatched vulnerabilities
  5. No monitoring to detect unusual access or data movement, so a compromised account can operate for weeks before anyone notices

These aren’t exotic weaknesses. They’re the standard gaps that appear when security hasn’t kept pace with how the firm actually operates day to day.
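As an added illustration of what the fifth gap, monitoring for unusual access and data movement, looks like in practice, the following script (example code written for this page, not part of the original article or any vendor product) runs three simple checks over a day of sign-in and document-access events: a sign-in without MFA, a sign-in from a country the user has never used, two sign-ins from different countries too close together to be the same person, and a download volume far above the user’s usual daily total. The event fields, the user names, the baseline numbers, and the events themselves are all constructed for the example and are not from any real log.

```python
"""Minimal anomaly checks over constructed sign-in and file-access events.

Assumed event shape (hypothetical, not any specific product's log format):
  sign-in events: user, ts (ISO-8601 UTC), country, mfa (bool)
  access events:  user, ts, bytes (size of document downloaded)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: which countries each user normally signs in from,
# and a typical daily download volume in bytes.
BASELINE_COUNTRIES = {
    "jsmith": {"US"},
    "achen": {"US", "CA"},
}
BASELINE_DAILY_BYTES = {"jsmith": 40_000_000, "achen": 120_000_000}

# Constructed events for one day. jsmith signs in from a country never seen
# before, without MFA, shortly after a normal sign-in, then pulls far more
# data than usual. achen behaves normally.
SIGNIN_EVENTS = [
    {"user": "jsmith", "ts": "2024-05-01T08:02:00Z", "country": "US", "mfa": True},
    {"user": "jsmith", "ts": "2024-05-01T08:40:00Z", "country": "NG", "mfa": False},
    {"user": "achen", "ts": "2024-05-01T09:15:00Z", "country": "CA", "mfa": True},
]
ACCESS_EVENTS = [
    {"user": "jsmith", "ts": "2024-05-01T08:45:00Z", "bytes": 300_000_000},
    {"user": "jsmith", "ts": "2024-05-01T08:50:00Z", "bytes": 250_000_000},
    {"user": "achen", "ts": "2024-05-01T09:30:00Z", "bytes": 50_000_000},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def check_signins(events, baseline_countries, max_travel=timedelta(hours=2)):
    """Return (user, finding, detail) tuples for suspicious sign-ins."""
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the previous sign-in
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts, country = e["user"], parse_ts(e["ts"]), e["country"]
        if not e["mfa"]:
            findings.append((user, "signin_without_mfa", e["ts"]))
        if country not in baseline_countries.get(user, set()):
            findings.append((user, "new_country", country))
        if user in last_seen:
            prev_ts, prev_country = last_seen[user]
            # Crude impossible-travel check: a different country within the
            # window. A real check would compare distance against elapsed time.
            if prev_country != country and ts - prev_ts < max_travel:
                findings.append((user, "impossible_travel", f"{prev_country}->{country}"))
        last_seen[user] = (ts, country)
    return findings


def check_data_movement(events, baseline_daily_bytes, factor=5):
    """Flag users whose total download for the day exceeds factor x baseline."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["bytes"]
    return [
        (user, "volume_spike", total)
        for user, total in totals.items()
        if total > factor * baseline_daily_bytes.get(user, 0)
    ]


def run_all():
    """Run every check over the constructed day and return all findings."""
    return check_signins(SIGNIN_EVENTS, BASELINE_COUNTRIES) + check_data_movement(
        ACCESS_EVENTS, BASELINE_DAILY_BYTES
    )


if __name__ == "__main__":
    for finding in run_all():
        print(*finding)
```

Each check is deliberately simple; the point is that every one of them would have fired on the first morning of the constructed compromise, and all of them need only the sign-in and file-access logs that mail and document platforms already produce. The country-change window is a placeholder heuristic and would generate false positives for a user who genuinely works across a border, which is why the baseline for achen includes both countries; a production version would use distance and elapsed time rather than a fixed window.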

The Phishing Problem Is Particularly Acute

Professional services staff receive and respond to a high volume of external emails. Clients send documents. Courts issue notices. Vendors request information. This environment is fertile ground for phishing, because a convincing email from a fake client or opposing counsel fits naturally into the normal flow of work.

A single click that lands on a credential-harvesting login page, or opens an attachment that installs a remote-access tool, can compromise months of client work and years of firm reputation.

The Uncomfortable Truth

The size of a firm does not determine whether it gets targeted. The value of its data does. For law firms and accounting offices, that value is exceptionally high. The good news is that the most effective defenses (multi-factor authentication on email and client portals, email filtering, staff training, and monitored endpoints) map directly onto the gaps above and are achievable for firms of any size.

The firms that get breached are usually not the ones that tried and failed. They’re the ones that assumed it wouldn’t happen to them.