Two of every three law firms experienced a data breach in the last year, much of it due to malicious attacks, according to a survey by the firm Logicforce.

The report, based on surveys and assessments of 200 law firms in the US, found evidence of lax data security practices and an epidemic of cyber-attacks targeting firms of every size – many of them successful.

Every law firm assessed by Logicforce was “unwantedly targeted for confidential client data” during the last year. But 40% of those targeted firms did not know they were breached, the company said.

Law firms have long been a target of sophisticated cybercriminal and nation state hacking groups for years. Hacking groups linked to the Chinese government and military are believed to be responsible for attacks on prominent law firms in the US, EU and Asia.

In some cases, the attacks are politically motivated. China, in particular, has arrested lawyers and detained family members in recent months as part of a wide scale crack down on lawyers working on human rights and environmental issues. Other hacks are focused on sensitive information that resides on law firms’ systems, including data on mergers and acquisitions, intellectual property and “general business information.” A hack of prominent U.S. law firms in 2015 was focused on confidential information that could be used for insider trading.

And while it might make sense for large, high profile firms to be targeted, those firms aren’t the only targets of hackers. According to the Logicforce survey, attacks against law firms were irrespective of the size of the firm, with small law firms also targeted.

Given that, you’d think law firms would emphasize information security… but you would be wrong if you did. Indeed, the epidemic hacks and attacks on law firms take place amid endemic insecurity at those firms. Among the findings: 95% of assessments conducted by Logicforce found law firms were not compliant with their own data governance and cybersecurity policies. Eighty percent of law firms surveyed are not vetting their third-party service providers’ data security practices, despite the fact that 63% of breaches are linked to third parties. Also: more than half of the law firms surveyed (53%) acknowledged they had no data breach incident response plan in place, while more than three quarters of firms (77%) admitted that they did not maintain cyber insurance coverage in the event of an adverse incident.

Data loss prevention is a critical tool for preventing breaches and theft of sensitive data. Alas, just 27% of surveyed firms had deployed a DLP solution.

The consequences of this insecurity are already real and material for companies. Successful breaches and incidents make headlines, including one Rhode Island firm that was held hostage for three months by ransomware scammers. The bigger issue is that clients and would-be clients are increasingly interested in the security of law firms with whom they will be sharing sensitive data. According to the survey, 18 of the firms admitted to losing a client as a result of a failed IT audit. One firm said it lost an entire practice group because of a failed audit.

The solution for law firms is clear enough: implement standard security measures, including technologies like DLP, multi-factor authentication and full disk encryption to protect data at rest. The bigger change is cultural, however. Just 34% of surveyed firms said they had documented information security policies and practices. Only 18% said they conducted penetration tests and vulnerability scans. Sixty percent admitted to not having a security and compliance manager.

Security starts at the top. If nothing else, the Logicforce survey suggests that law firms need to embrace cybersecurity from the top down and then invest in the people, processes and technologies to secure the reams of sensitive data they manage as well as the IT assets that are critical to the work they do.