Every 39 Seconds
The most alarming number in cybersecurity…
Count to thirty-nine.
By the time you get there, a cyberattack has just been launched somewhere in the world. Not a vague, background threat. A real, targeted, often automated strike against a real organization: a business, a hospital, a law firm.
By the time you finish this paragraph, three more.
The “39 seconds” figure is sourced from multiple independent research bodies (Forbes, Varonis, IBM) and represents the average global frequency of documented cyberattacks. It is one of the most cited statistics in cybersecurity. It is also one of the least truly understood.
Understanding it isn’t about being alarmed. It’s about grasping what it means operationally: for your firm, your clients, and the decisions you make about how seriously you take your defenses.
What 39 Seconds Actually Means
Raw numbers are easy to tune out. So let’s make it concrete.
- Right now, reading this: ~5 attacks have been launched
- During a 1-hour meeting: ~92 attacks globally
- During a standard workday: ~738 attacks
- Today alone: ~26,000 attacks (Forbes)
Those 26,000 daily attacks are not randomly distributed. They are targeted, triage-scored by automated tools that continuously scan for weaknesses. Law firms appear on those lists with alarming frequency, not because attackers have a grievance with the legal profession, but because the math works in their favor.
Law firms hold extraordinarily high-value data: privileged communications, litigation strategy, merger documents, client financials. And they have historically underinvested in security. That combination of high value and lower defenses is exactly what automated tools are designed to find.
Who Is Launching 26,000 Attacks a Day
The majority of today’s attacks are not conducted by individuals at keyboards manually probing systems. Cybercrime has industrialized.
Organized criminal enterprises operate with the structure of legitimate businesses: development teams building malware, operations teams managing attack infrastructure, finance teams processing ransom payments. The average ransomware payout in 2025 reached $1,000,000 (Sophos). This is a mature, profitable criminal economy.
Nation-state actors add a different layer: their objectives are intelligence and disruption, not just ransom. For firms serving clients in sensitive industries, the relevance of state-sponsored hacking is not theoretical.
But the largest volume of attacks in the 39-second cadence comes from automated opportunistic tools. They scan IP ranges continuously, probing for unpatched software, weak passwords, and misconfigured systems. They don’t need a specific reason to target your firm. They just need to find a door that isn’t properly locked.
$1M: Average ransomware payout, 2025 (Sophos)
0.05%: Chance an attacker is prosecuted (World Economic Forum)
That 0.05% prosecution figure is perhaps the most clarifying number in the entire threat landscape. Cybercriminals operate in near-total impunity. The deterrent effect of prosecution, which shapes behavior in almost every other crime category, is essentially absent. This is why the 39-second clock exists and why it will not slow down on its own.
The 88% Problem
Here is the statistic that matters most for law firms specifically: 88% of cybersecurity breaches involve human error (Stanford University).
Not sophisticated technical intrusions. Not nation-state zero-days. Someone clicking a link. Reusing a password. Uploading a privileged document to an AI tool. Wiring money after receiving a convincing phone call.
This is not a criticism of the people involved. They are operating in an environment precision-engineered to exploit their trust, their time pressure, and their instinct to be responsive. Attackers study legal culture specifically: the deadline urgency, the partner-staff trust dynamic, the expectation that requests from senior people are acted on quickly and quietly.
The implication is that technical defenses alone are not sufficient. A team that receives monthly, scenario-specific security training (realistic simulations of the exact attacks it will face, not an annual checkbox exercise) has a fundamentally different security posture from one that doesn’t. Culture and habits are part of your security stack.
What It Costs When the Clock Finds You
The average cost of a US data breach in 2025 reached $10.22 million, an all-time high, according to IBM. That figure covers direct costs: forensic investigation, incident response, system restoration, ransom payments. For a 20-to-50-attorney firm, direct costs alone can run $150,000 to $500,000 before factoring in anything else.
Then come the dimensions unique to law firms. ABA Model Rule 1.6(c) requires reasonable efforts to prevent unauthorized disclosure of client information. A breach resulting from inadequate security can trigger bar investigations, disciplinary proceedings, and malpractice claims. The regulatory exposure compounds the financial exposure in ways that are uniquely devastating for professional services practices.
The Hiscox Cyber Readiness Report found that 43% of organizations lost clients following a cyberattack. For a law firm where client relationships are the firm’s primary asset, that loss is potentially the most lasting damage of all.
That 181-day detection average deserves emphasis. Attackers are frequently inside networks for six months before anyone knows — reading emails, downloading files, positioning for maximum damage. The breach you discover is rarely the breach that began.
What the Clock Demands of Your Firm
The 39-second clock is not a reason to panic. It is a reason to be clear-eyed and deliberate. Here is what an adequate response looks like.
- Know your actual posture: Most firms discover significant gaps between the security they believe they have and the security that exists when assessed professionally. Get an honest evaluation — not a vendor pitch, a real assessment against current threat standards.
- Upgrade email security: Modern AI-powered email tools detect anomalies in communication patterns rather than keywords. They sandbox suspicious links before anyone clicks. Traditional spam filters were not designed for AI-generated phishing.
- Deploy MFA everywhere: On email, case management, financial systems, cloud storage, remote access. MFA is the single most effective control against credential-based attacks. It should be considered non-negotiable.
- Move to EDR: Endpoint Detection and Response analyzes behavioral patterns rather than signature matching. It catches threats that traditional antivirus was never designed to see.
- Monitor continuously: Attackers don’t observe business hours. If your security posture goes dark at 5 PM, that is a gap automated tools will find. 24/7 monitoring is not optional in this environment.
- Train specifically and frequently: Scenario-based training, monthly. Phishing simulations against the exact attacks your team will face. A no-blame reporting culture where people feel safe flagging suspicious activity immediately.
The Question the Clock Is Asking
Every 39 seconds. 26,000 attacks today. 88% starting with human error. $10.22 million average cost. 0.05% chance of prosecution.
The question it keeps asking is simple: what does it find when it reaches you?