Privileged information, case papers and client money. Few targets are richer, and few are less prepared.
It is worth being honest about what a set holds. Privileged client information. Sensitive case papers. Personal data. And, through client account and payment handling, money. From an attacker's point of view that is an unusually rich target, and the legal sector knows it has become one.
The exposure has grown for reasons that have nothing to do with negligence. Threats have become more sophisticated and more automated. Work is spread across more devices and more services. Much of a set's infrastructure was designed for a world with fewer of these risks. The gap between what a practice holds and how well it is protected has widened quietly.
What makes this difficult is that cyber security has often been treated as an IT matter, somewhere below the things chambers discuss at a senior level. That framing no longer fits. A serious breach is a regulatory event, a client-confidence event and a financial event at once. It belongs on the same table as any other material risk to the practice.
None of this calls for alarm. It calls for the same clear-eyed treatment a set would give any other obligation it takes seriously: understand the exposure, hold it at a senior level, and make sure the protection is real rather than assumed.
The information a set holds is exactly what makes it valuable to the people it serves, and exactly what makes it a target. Both are true, and only one of them is usually planned for.
A straight conversation about your set and whether VENTRiQ fits.