The 2025 State of Information Security Report revealed the complex cyber challenges and opportunities that security leaders faced over the last 12 months. From addressing AI risk to improving employee security awareness, the shifting cyber threat landscape is forcing businesses to reassess security priorities and realign strategies.
This year’s State of Information Security Report respondents included security professionals working in the legal industry across the US and the UK. Their responses highlighted the key information security threats the industry faces, the actions leaders have taken to address cyber challenges, and their priorities for building digital resilience over the next 12 months.
Discover the top 11 information security statistics every legal industry leader should know.
Key Information Security Statistics for the Legal Industry
The Cyber Landscape
- Legal organisations cited tasks being replaced by AI without human checks for compliance, and securing emerging technologies such as AI, ML and blockchain as their top two information security challenges (46%).
- AI-generated misinformation and disinformation is the top emerging threat concern for legal organisations (53%).
- 32% of legal organisations experienced phishing or vishing incidents in the last 12 months, and the same proportion experienced insider threats.
Employee Awareness
- The top information security mistakes made by legal organisations’ employees are clicking on suspicious links or attachments and not keeping devices locked or secured when left unattended (both 42%).
- 64% of legal organisations plan to increase spend on employee cybersecurity awareness and training programs.
Supply Chain Incidents
- 42% of legal organisations have been impacted because of a cybersecurity or information security incident caused by a third-party vendor or supply chain partner in the last 12 months; 32% have been impacted multiple times.
- 68% of legal organisations have strengthened third-party and vendor risk management in the last 12 months.
Information Security Leadership
- 84% of legal organisations have improved visibility and reporting of security risks to leadership over the last 12 months.
- 79% of legal organisations agree that every business should have someone responsible for information security at board level.
AI Investment
- Legal organisations ranked enhancing defences against AI-generated threats (e.g. phishing, deepfakes) as their top information security priority (53%).
- 68% of legal organisations plan to increase their spend on AI and machine learning security applications in the next 12 months.
Cyber Threats
Addressing AI-powered threats is a growing struggle for legal organisations. Our State of Information Security Report respondents cited two AI-related issues as their top information security challenges (46%). The challenges: tasks being replaced by AI without human checks for compliance, and securing emerging technologies such as AI, ML and blockchain.
AI also represented the biggest emerging threat concern for respondents in the sector – more than half (53%) said they were concerned about AI-generated misinformation and disinformation impacting their business. Additionally, nearly seven in ten (68%) agreed that AI and ML technologies are hindering their organisation’s information security capabilities.
AI technology took centre stage for respondents when it came to challenges and concerns, but many legal businesses were impacted by more traditional means of attack. Nearly one in three (32%) legal organisations experienced a phishing or vishing incident in the last 12 months, and the same percentage experienced insider threats – higher than that of any other sector we surveyed.
How can legal businesses address attacks from within, whether intentional or accidental? Implementing Zero Trust architecture (and its ‘never trust, always verify’ philosophy) and least privilege access control can go some way to mitigating the risk. This approach ensures users can only access what they need for their job functions. By employing these principles, organisations can minimise the attack surface and limit the potential impact of an insider threat or data breach.
Employee Information Security Awareness
The top two information security mistakes made by legal organisations’ employees were clicking on suspicious links or attachments and not keeping devices locked or secured when left unattended, both cited by over two in five (42%) respondents. Both issues reflect a broader lack of employee information security training and awareness, and both can be catalysts for significant cyber incidents.
Luckily, the majority (64%) of organisations are planning to increase spend on their employee cybersecurity training and awareness programs; enhancing employee security awareness and behaviour ranked second highest (37%) in legal organisations’ information security priorities for the coming year. As businesses battle increasing compliance challenges and regulatory scrutiny grows, building a culture of compliance is more essential than ever.
Supply Chain Security
Over two in five (42%) of the legal organisations we surveyed said they’d been impacted because of a cybersecurity or information security incident caused by a third-party vendor or supply chain partner in the last 12 months. Worse, 32% had been impacted by multiple incidents.
Impacted organisations faced repercussions ranging from financial loss or unplanned costs such as remediation, fines or legal fees (50%) to delays or disruptions across supply chains or service delivery (also 50%). Half (50%) also experienced a temporary system outage or operational disruption.
High-profile cyber incidents like the attacks on Jaguar Land Rover (JLR) in September demonstrate the disruption that supply chain incidents can cause. The incident is predicted to have cost £1.9 billion in estimated losses and affected 5,000 businesses in total, with suppliers facing delayed payments and cash flow disruption. Reports from the UK’s Cyber Monitoring Centre and Office for National Statistics now suggest that the JLR incident impacted GDP growth.
As threat actors increasingly target the supply chain, legal organisations are treating supply chain and vendor security as a priority. Nearly seven in ten (68%) legal industry respondents said their organisation has strengthened third-party and vendor risk management in the last 12 months, and 21% said they plan to do so in the coming 12 months. 37% also plan to increase their spend on supply chain and third-party vendor security in the next 12 months.
Leading from the Front
Our respondents in the legal industry made it clear that information security must be an organisation-wide responsibility, and the onus is on leadership to model engagement and awareness.
While one in three (32%) legal respondents agreed that senior leadership at their organisation doesn’t understand the importance of information security, more (37%) disagreed with the statement. And security leaders are taking steps to address the issue: 84% of legal organisations have improved their visibility and reporting of security risks to leadership in the last 12 months, while 11% plan to do so in the next 12 months.
Additionally, just under eight in ten (79%) legal organisations agree that every business should have someone responsible for information security at board level. An effective CISO can seamlessly translate information security risk into business risk and potential financial impact. In doing so, they can gain board-level backing that supports building a culture of information security compliance organisation-wide.
AI Threats and Opportunities
Legal organisations are well aware of the mixed blessing AI represents, and they’re ready to address potential pitfalls. While AI provides businesses with the opportunity to improve defences, streamline processes and reduce manual labour, it also strengthens the threat posed by malicious actors.
Respondents disclosed clear concerns around AI risks, but they also indicated that their organisations are planning to harness the technology to bolster their security efforts. 68% of legal respondents said their organisation plans to increase spend on AI and ML security applications in the next 12 months. Meanwhile, more than one in three (37%) respondents said their organisation had already adopted new technologies such as AI, ML and blockchain for security. A further 53% plan to do so in the next 12 months.
Navigating AI threats also takes precedence for legal organisations. Respondents ranked enhancing defences against AI-generated threats like phishing and deepfakes as their top information security priority (53%) for the upcoming year. In addition, 95% of organisations in the legal sector plan to invest in generative AI (GenAI) threat detection and defence, as well as AI governance and policy enforcement.
Building Resilience
Security leaders in the legal industry are facing a rapidly changing information security threat landscape.
However, their responses to this year’s Report show that they’re working strategically – identifying AI threats and opportunities, tightening supply chain security requirements, and working to improve employee information security awareness, from board-level to new starters. They’re investing in information security measures, AI threat management and, crucially, AI governance.
By building a culture of compliance and implementing information security best practices, legal businesses can more effectively manage risk, grow customer trust, and improve digital resilience. We look forward to seeing how businesses in the legal sector have adapted to the changing cyber landscape in next year’s Report.