By LELAND SMITH
Director of Assessments, Fenix24
Security is imperfect. Gaps in perimeter defenses — deliberate or unknown — can allow threat actors to access corporate systems and gain a toehold in the network. Weak lateral movement controls, inconsistent MFA, and domain-joined tools allow threat actors to quickly expand a breach. No prevention system is foolproof, and all security tooling has inherent weakness by design. Without gaps in security, a business cannot function.
Let’s be realistic. No organization can be completely secure. Operating a business requires risk. Data must move between systems, tools must interface with clients, users must have access to sensitive resources, and all of this necessitates a level of risk that most organizations deem acceptable. Risk is a reality, and that is okay. What matters is how an organization manages this risk.
Understanding that gaps in network security are inevitable makes keeping multiple backups of data — and locking them away — all the more important to surviving an attack and minimizing operational downtime.
Threat actors are crafty and constantly evolving their tactics. That doesn’t mean companies should stop educating the workforce on practicing sound cyber hygiene, nor that information security teams should give up and accept a breach as inevitable. However, it’s time for the IT team (and, ultimately, the boardroom) to embrace reality and face these risks head on.
It’s no wonder that confidence in network security is decreasing despite a trend toward increasing cybersecurity budgets. Let’s take a look at one particularly vulnerable and commonly targeted industry — legal — for supporting data.
Budgets not closing security gaps
According to the 2025 research report, Security at Issue: State of Cybersecurity in Law Firms, 82% of law firms believe their security budgets are adequate. However, 40% acknowledge security gaps — 23% with known gaps and 17% saying they are “secure where it counts,” implying gaps but believing the biggest risks are covered.
The report, produced by Fenix24 in cooperation with the International Legal Technology Association (ILTA), found that the top-three challenges to improving security are:
- Cost of tooling
- Concern over user impact
- Lack of staffing/expertise to deploy and manage new tools
In other words, even an “adequate” budget leaves security gaps — gaps that are either accepted or expected. Logically, this supports Fenix24’s position that data backup technology is your most critical security tool. That only means something if the backups are properly configured.
Gaps are the reality in every organization, even those that Fenix24 would rate as very secure. There is always a path to breach, however narrow it may be. However, only 27% of respondents to the Fenix24-ILTA survey rate backups as a top-three security tool. Alarmingly, only 50% of law firms have any form of immutable backup — those that cannot be encrypted, altered or deleted.
Even if we assume that these backup tools are protecting all of an organization’s data with flawless immutability (neither scenario is likely), that still means that 50% of firms will likely be unable to recover their data after a ransomware event. They will have to yield to the attacker’s demands and pay the ransom to recover operations and data.
Internal Fenix24 statistics indicate that 84% of backup data believed to be immutable does not survive a breach. Simple math here (the remaining 16% applied to the 50% of firms that have immutable backups) indicates that only about 8% of law firms would be able to rely on their immutable backups.
While backups are a critical security tool, third-party audits and assessments can be major drivers of change. Internal IT teams may struggle to get traction and funding for new initiatives, while the same advice from a trusted consultant may open the pocketbook or catch the attention of firm leadership.
Ransomware: a crime that pays
Between known gaps in the perimeter, ever-increasing security costs, and lack of survivable backups, it is no wonder ransomware attacks are on the rise. Ransomware is a lucrative business with nearly endless ripe targets and minimal risk to the attackers, who are essentially performing a work-from-home job.
Most firms are still allowing password caching in browsers (78%) and access to personal email (65%), according to the report. This is a dangerous combination because cached passwords can often sync back to a personal cloud account, such as Google or iCloud, which will place them on uncontrolled and vulnerable devices. If these credentials are captured from those external devices, they can be used to cause a breach.
Outbound blocking and scanning on firewalls is often overlooked. Outbound controls are critical because they guard against threats that originate from within the organization, such as users clicking links in phishing emails.
Destruction of backup data is a likely outcome of a ransomware attack. Without survivable backups, recovery of a compromised network becomes virtually impossible. Removing critical consoles like backups, storage, and hypervisors from the production domain dramatically increases security.
Remember, survivable backups — those that are truly immutable — are the top predictor of recovery after a breach. Even if a threat actor gains access to the data, they would not be able to modify or destroy it because there are no administrative technical overrides to the retention lock.
Our data shows that 50% of law firms do not have a single backup copy that meets this standard of immutability. Also, 47% of firms do not take snapshots of production storage systems. These snapshots are the fastest path to restore production storage after a ransomware event.
A silver lining
The good news, at least for law firms, is that while cost challenges remain at roughly the same percentage year over year, perceived user inconvenience as an antagonist to security improvements dropped from 80% in 2023 to 60% in 2024. Either leadership or users are recognizing that security is worth the inconvenience, IT teams are treating security enhancements as non-negotiable, or a bit of both. It may be a long road to fully compliant users, but there is significant progress.
About the author
Leland Smith is the Director of Assessments at Fenix24. He is a 20-year industry veteran who held IT roles in the legal, hospitality, and non-profit sectors before transitioning to security consulting. His stance on security orchestration evolves through understanding each past breach to help clients predict how to prevent the next one.
About Fenix24
As the world’s leading breach recovery company, Fenix24 has an unparalleled understanding of the tactics used by modern threat actors. Backed by the most comprehensive, end-to-end cyber resilience program in the industry, our team stands ready to defend — and rebuild — your business at a moment’s notice. Fenix24 and its battalions were founded as part of the Conversant Group and continue to operate under its legal entity.

