While most smaller law firms may believe themselves to be unlikely targets for a cyberattack, they could actually be the golden ticket for hackers who have an eye on the path of least resistance.

“Smaller practices are being targeted by hackers specifically because such firms believe themselves to be unlikely targets and thus often do not have the infrastructure in place to protect themselves,” said Anurag Bana, a senior legal adviser with the International Bar Association (IBA).

Last October, the London-based IBA launched a list of cyber guidelines that took pains to emphasize the risks that bad actors posed to small firms, drawing particular attention to the shallower pool of human and financial resources that allots for less aggressive security defenses.

Enterprising firms attempting to compensate for those shortcomings by taking advantage of the digital revolution can also wind-up creating more trouble for themselves without the right technological know-how in place.

“Small firms tend to be more entrepreneurial—looking at ways to do things more creatively—and normally sending their data into various cloud applications without considering the implications,” said Guy Golan, CEO and founder of the cybersecurity services company Performanta.

Hackers view law firms as the kid brother to bigger corporations more capable of defending themselves against attack. For small firms who have built the bulk of their business around one large client, the aftereffects of a breach can echo for a long time.

The IBM guidelines cite a 2015 study claiming that 60 percent of small businesses who suffer a severe cyber attack go out of business within six months. When it comes to law firms large and small alike, the immediate consequences may appear to be more or less the same—a damaged reputation and maybe a drop in clients. But enduring the long-term fallout could require deeper pockets than those found in the trousers of the average small or mid-size enterprise.

Larger organizations that are operating within the same industry at different points across the globe have begun sharing incident data, which Golan said drops attack probability much lower.

“Smaller companies do not do that for various reasons. The main one is the lack of organization and time,” Golan said.

Hackers generally tailor attacks that exploit those deficits. According to Bana, strategies that deploy ransomware—a type of malware that denies users access to a system or data until a ransom is paid—are becoming more common.

The classics aren't going out of style either. Spear-phishing attacks are still very popular when it comes to smaller firms, trading on the naiveté of untrained employees.

Golan provided the example of a doctored email that appears to come from the firm's owner and directs a large amount of cash be urgently transferred to a “supplier.”

“Since there is lack of governance and awareness, the financial person is often happy to fulfill the boss's request ASAP, not being aware that this money is stolen forever,” Golan said.

The question then becomes how these attacks can be safeguarded against without breaking the bank. Implementing a data protection policy is most likely the cheapest solution in addition to keeping software systems updated and securing web browsing and email functions.

“These are basic safeguards for the firm that should ideally not incur any significant financial or human resource challenge for securing this purpose,” Bana said.

Golan also suggested freeing up at least $10,000 a year to spend on strong endpoint detection and response software, which provides security teams with enhanced visibility to detect and investigate cyber threats.