Why Law Firms Can't Rely on Traditional DLP

Dr. Mark Graham

Seventy-five percent of UK law firms have been targeted by cyber attacks
That’s a fact reported in the Solicitors Regulation Authority’s 2020 cybersecurity review. The National Cyber Security Centre’s 2023 threat report confirms what every IT director in the legal sector already knows: you’re a target, you’ve likely been hit, and the attacks are getting worse.
Tuckers Solicitors had security measures in place. They still lost 60 court cases to data exfiltration and faced a £98,000 ICO fine. Simplify Group, the UK’s largest conveyancing firm, had systems and controls. The 2021 breach still cost them £6.8 million and caused massive delays to completions. 4 New Square chambers got hit with ransomware despite having protection.
Here’s what the legal sector is reluctant to admit – all these firms had strong security tools, including Data Loss Prevention, but they still got breached. And when they did, those firms couldn’t answer the three questions that determine whether you shut down completely or maintain operations.
Questions such as:
- Which applications transmitted client data during the breach?
- Where did that data actually go?
- Was it legitimate or theft?
Without answers to these, your only defensible decision is to shut down vital user and customer-facing services. And shutdown destroys more business value than the breach itself.
I’ve spent 40 years in cybersecurity. I did my PhD on malware detection. Let me state what security marketing won’t: the legal sector’s approach to data protection is fundamentally broken. Not because firms lack investment; the PwC 2022 survey shows top-100 firms spending 0.46% of fee income on cybersecurity. But because you’re protecting the wrong 20% of data.
The legal sector's perfect storm
The NCSC report is blunt about why law firms are particular targets. You handle M&A data that’s valuable for insider trading. You transfer significant funds through complex transactions. You hold client information so sensitive that exfiltration can subvert the course of justice. And your reputation is critical to your business, making you a perfect target for extortion.
But there’s another reason the NCSC doesn’t emphasise: the nature of your work creates the exact conditions in which traditional security fails.
Legal work lives in Word documents. Client contracts, case files, due diligence reports, witness statements, and settlement agreements all sit in Word and Excel files. When you’re handling an M&A transaction, the crown jewels aren’t in your email archive. They’re in the financial models your analysts built in Excel. They’re in the draft contracts your solicitors are redacting in Word. They’re in the client intelligence sitting in your case management system.
DLP doesn’t monitor any of this. DLP was built for email and web data, such as preventing sales reps from emailing customer lists to their personal Gmail accounts or stopping marketing from posting sensitive slides to LinkedIn. Brilliant for accidental data leaks. Useless for deliberate theft of application data during security incidents.
When attackers breach your perimeter, and the NCSC is confident they will, they don’t exfiltrate via email. They target desktop applications. The 80% of business-critical data that DLP can’t see.
When "good security" isn't enough
The Tuckers Solicitors case study from the NCSC report is particularly instructive. Not because they lacked security, but because they had it and it made no difference to the outcome.
Tuckers had endpoint protection. They had security measures. But when ransomware hit in August 2020, the attackers encrypted case data, encrypted backups, and exfiltrated 60 live court cases, which they published on the dark web.
The ICO’s investigation found the root cause was likely a known system vulnerability. Tuckers had patched it, but there was a five-month gap between patch release and application. The ICO specifically cited the absence of multi-factor authentication on key systems and failure to encrypt stored personal data.
All true. All necessary controls. But the case study doesn’t address how the attackers knew which data to steal. Or how they identified the 60 most valuable cases out of thousands. And how they were able to exfiltrate it undetected.
Because the attackers operated through desktop applications. Case management software. Document management systems. The tools solicitors use every day to do their work. And those application-to-application data flows are invisible to traditional security tools.
Tuckers couldn’t make selective operational decisions during the incident because they had no visibility into what data was being transmitted. Everything shut down while forensics teams spent weeks trying to establish the scope.
That five-month patch delay was a problem. But it wasn’t the fundamental vulnerability. The fundamental vulnerability was that business-critical application data had no theft prevention during the active security incident.
Where your most valuable data actually lives
Think about what happened in your firm last week.
A partner drafted a settlement agreement in Word. An associate built a financial model in Excel for an M&A transaction. A solicitor accessed client records in your case management system. Your accounts team processed conveyancing funds through your finance application. Each one of those actions involved business-critical client data.
Now ask yourself: what monitored those data flows? Not your firewall – it sees IP traffic, not which application is transmitting. Not your endpoint protection – it’s defending the device from malware, not monitoring what data leaves it. Not your DLP – because DLP monitors email and web traffic, not desktop applications.
The NCSC report emphasises that legal practices handle “highly sensitive client information relating to ongoing criminal cases or mergers and acquisitions”. Absolutely correct. But it doesn’t address where that information actually lives during active work.
It lives in Word documents sitting on solicitors’ laptops. In the Excel spreadsheets analysts are updating. In the CRM systems tracking client intelligence. In the finance applications processing transactions. Desktop applications that DLP was never designed to protect.
When Simplify Group was breached in 2021, the £6.8 million cost came primarily from business interruption, such as delays to completions, reduced transaction capacity, and customer impact. They couldn’t restart systems quickly because they had no confidence in what data had been accessed.
That’s the application data protection gap in legal services. Your security monitors 20% of your data risk, covering email and web. The other 80%, sitting in the applications where your actual work happens, walks out undetected during incidents.
The DLP blind spot legal firms can't afford
DLP was built for a different problem. In the early 2000s, the regulatory fear was accidental PII exposure via email, such as leaking personal data, triggering GDPR fines. DLP solved that brilliantly. Email content inspection, web traffic monitoring, and data classification to catch accidental leaks before they become reportable breaches.
But deliberate theft of client data from desktop applications during active security incidents? Different problem entirely.
DLP operates at the network perimeter and email gateway. When attackers breach your infrastructure and operate through your own applications, DLP never sees them. They’re using Word to open files, Excel to access spreadsheets, or your CRM to pull client records. All of this is legitimate application behaviour that generates zero DLP alerts.
The NCSC guidance tells firms to implement MFA, patch systems, and train staff on phishing. All necessary. But all insufficient, because you can have perfect perimeter security and still lose M&A data when someone inside your network (attacker or compromised insider) opens Word and starts transmitting.
This isn’t theoretical. The NCSC report notes that 18 law firms were hit by ransomware in 2021 alone. Nearly three-quarters of the UK’s top-100 firms have been affected. The SRA published 278 scam alerts between January 2022 and January 2023.
The attacks aren’t stopping. They’re actually on the increase. And the firms getting hit aren’t the ones without security; they’re the ones with security tools that miss the application data gap.
What changes when you fill the gap
The Knights of Old haulage firm survived 158 years. A single breach forced the business into administration. But it wasn’t the breach itself that ended them; it was that they shut down completely and couldn’t recover.
Legal firms face the same binary decision every time: keep everything running and risk ongoing data theft, or shut everything down and accept revenue destruction.
But here’s what changes when you have confidence in application data protection during incidents: you can make selective operational decisions.
Finance systems with M&A data? Yes, isolate those immediately. Case management with ongoing criminal cases? Definitely stop those. But client portals? Matter intake systems? Operational platforms that don’t handle sensitive client data? If you had confidence that application data from these systems wasn’t being stolen, you could make a strategic decision to keep them running.
That’s not just faster recovery. That’s maintaining client service during incidents. Competitive advantage when other firms are completely offline. Board confidence that you can handle security events without destroying business operations.
The FCA’s operational resilience requirements recognise this for financial services. They’re not asking firms to prevent all incidents; they’re asking firms to maintain important business services during incidents. The legal sector needs the same thinking.
But you can’t maintain services if you don’t know what data is being stolen from your applications.
Application data theft prevention fills this gap. Not as a replacement for DLP, as you still need email and web monitoring. But as the missing piece that gives you visibility into Word, Excel, CRM systems, and finance applications. Desktop application data flows that traditional security can’t see.
When you have process-to-destination visibility (knowing which application process is sending what data where), everything changes. If attackers get past your perimeter, you immediately know whether client data is being transmitted. You make selective shutdown decisions: isolate the compromised case management system, keep client-facing portals running.
You recover faster because you restart systems with confidence that M&A data wasn’t stolen. You maintain a reputation because clients see a measured response, not a panic shutdown.
The SRA requires you to report cyber attacks promptly. The ICO mandates data breach notification. But both assume you know what data is at risk. Most firms discover that during weeks of forensic investigation, while everything’s offline and revenue’s haemorrhaging.
Strategic incident response requires data protection confidence. You can’t get that confidence from DLP alone.
The path forward
The NCSC report is comprehensive on prevention, including patch management, MFA, phishing training, and backup procedures. All essential. But prevention will eventually fail. The report’s own statistics prove it: 75% of firms targeted, 18 ransomware hits in a single year, nearly three-quarters of top-100 firms affected.
The question isn’t whether you’ll be breached. The question is what happens when you are.
Right now, the answer is a panic shutdown because you can’t distinguish legitimate application behaviour from data theft. Desktop applications transmitting client data? You don’t know if it’s solicitors doing their work or attackers stealing M&A files.
That gap is why firms stay offline for months after breaches. Why £6.8 million in costs mounts up from business interruption. Why £98,000 ICO fines happen despite security measures being in place.
Application data theft prevention solves a different problem than DLP. DLP prevents accidental leaks via email and web. Application data protection prevents deliberate theft from desktop applications during active incidents.
You need both. Not one or the other. Both, because your client data doesn’t choose whether to live in email or Word documents based on what security tools you’ve deployed.
After 40 years in cybersecurity, building systems for enterprise organisations, I can tell you: the application data protection gap in legal services is solvable. The NCSC has given you the threat landscape. The breach examples prove the risk is real. And the regulatory requirements from the SRA and ICO mean you can’t simply hope it won’t happen to you.
You can wait until you’re the next case study in the NCSC’s report. Or you can fill the gap before attackers exploit it.
The choice, as always, is yours. But at least now you know the gap exists.
Your Questions Answered
Q. Do I need to replace my existing DLP?
No. Application data protection complements DLP, filling the gap in desktop application security without disruption. Your email and web DLP continue to protect that data; application data protection monitors Word, Excel, and CRM systems. Defence-in-depth, not rip-and-replace.
Q. What about the NCSC’s guidance on MFA and patching?
Implement all of it. MFA, patching and phishing training are all important security controls. But the Tuckers case proves that’s not sufficient. They had security measures and still lost 60 cases. You need both prevention (which will eventually fail) and protection during active incidents (which continues working when prevention fails).
Q. Can I see this gap in my own firm?
Yes. A proof-of-value assessment shows actual application data flows from your devices, including Word, Excel, CRM systems, and case management. Real evidence from your environment, not theoretical risk. Most firms discover 15-30% of application traffic going to destinations they don’t recognise.
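To make the process-to-destination idea concrete, here is an added example of the triage a firm could run over per-process outbound flow records, both for the selective-isolation decision described earlier and for the "share of traffic to unrecognised destinations" figure in the answer above. This is illustrative code written for this article, not ZORB's product or any vendor's agent output. It assumes a hypothetical endpoint agent that logs, for each outbound connection, the sending process name, the destination host and the bytes sent; the tab-separated log format, the allowlist of known destinations, the list of sensitive processes and every sample record are constructed for the example.

```python
"""Process-to-destination flow triage (added example, not ZORB's code).

Assumes a hypothetical per-host agent that records, for each outbound
connection, the sending process, the destination host and bytes sent.
The log format, the allowlist and the sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one line per outbound connection, tab-separated.
# timestamp  host  process  destination  bytes_sent
SAMPLE_LOG = """\
2024-03-04T09:01:12Z\tLAPTOP-17\tWINWORD.EXE\tdms.example-firm.internal\t48211
2024-03-04T09:03:40Z\tLAPTOP-17\tEXCEL.EXE\tdms.example-firm.internal\t2100004
2024-03-04T09:05:02Z\tLAPTOP-22\tcasemgr.exe\tcases.example-firm.internal\t9120
2024-03-04T09:07:55Z\tLAPTOP-17\tWINWORD.EXE\tfiles.unknown-host.example\t398445
2024-03-04T09:09:10Z\tLAPTOP-22\tmsedge.exe\twww.example.org\t15320
2024-03-04T09:11:33Z\tLAPTOP-22\tcasemgr.exe\tcdn.unknown-host.example\t120030
"""

# Destinations the firm recognises (constructed). Anything else is
# "unrecognised" and needs a human decision, not an automatic block.
KNOWN_DESTINATIONS = {
    "dms.example-firm.internal",
    "cases.example-firm.internal",
    "www.example.org",
}

# Processes that handle client matter data (constructed names). An
# unrecognised destination from one of these is the signal DLP cannot give.
SENSITIVE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "casemgr.exe"}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    host: str
    process: str
    destination: str
    bytes_sent: int


def parse_flows(text):
    """Parse tab-separated flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return flows


def unrecognised_share(flows, known=KNOWN_DESTINATIONS):
    """Fraction of outbound bytes sent to destinations not on the allowlist."""
    total = sum(f.bytes_sent for f in flows)
    if total == 0:
        return 0.0
    unknown = sum(f.bytes_sent for f in flows if f.destination not in known)
    return unknown / total


def flag_sensitive_flows(flows, known=KNOWN_DESTINATIONS, sensitive=SENSITIVE_PROCESSES):
    """Flows where a sensitive process sent data to an unrecognised destination."""
    return [f for f in flows if f.process in sensitive and f.destination not in known]


def isolation_plan(flows, known=KNOWN_DESTINATIONS, sensitive=SENSITIVE_PROCESSES):
    """Map each host to the sensitive processes that need isolating.

    Hosts absent from the plan have no flagged flows and can keep running;
    that is the selective decision rather than a blanket shutdown.
    """
    plan = defaultdict(set)
    for f in flag_sensitive_flows(flows, known, sensitive):
        plan[f.host].add(f.process)
    return dict(plan)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print(f"{unrecognised_share(flows):.1%} of outbound bytes went to unrecognised destinations")
    for f in flag_sensitive_flows(flows):
        print(f"REVIEW {f.host} {f.process} -> {f.destination} ({f.bytes_sent} bytes)")
    print("isolate:", isolation_plan(flows))
```

On the constructed sample the unrecognised share comes out at roughly 19% of bytes, which is the order of magnitude the answer above describes, and the plan isolates only Word on LAPTOP-17 and the case management client on LAPTOP-22 while leaving the browser traffic and the document management flows alone. The allowlist is deliberately the weakest part: in practice it would be built from the firm's own observed baseline over a quiet period, and an unrecognised destination is a prompt for review, not proof of theft.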
Q. What does the SRA require?
The SRA’s Code requires you to report promptly any facts that should be brought to their attention. The NCSC report notes a concerning decrease in incident reporting, possibly because firms are reluctant to admit breaches. But reporting is mandatory, and you can’t report what you don’t know. Visibility into application data flows helps you meet SRA obligations with confidence.
Q. How does this relate to Cyber Essentials?
The NCSC recommends all legal firms assess against Cyber Essentials. Excellent baseline. But Cyber Essentials focuses on perimeter defences like patching, firewalls and malware protection. It doesn’t address application data theft during incidents when the perimeter is already breached. You need both: Cyber Essentials for prevention, and application data protection for resilience.
Dr Mark Graham is founder and CEO of ZORB Security. His PhD focused on malware detection. He has spent four decades building cybersecurity systems for enterprise organisations. ZORB is an alumnus of the NCSC for Startups accelerator. ZORB works with professional services, financial services, and healthcare organisations to fill the application data protection gap.
