Making it easier to grow your law firm


This section covers succession, specialisation, mergers, selling a law firm, becoming a partner, and business structure

How to plan and execute the process of starting up a new legal practice that is compliant and financially healthy

How to set up your firm’s systems to provide the information that enables you to improve profitability and cashflow

How to avoid professional negligence claims, with examples of common problems and suggested solutions. Plus FAQs on PII

This section only covers SRA Accounts Rules and GDPR at the moment. Compliance for start-ups is covered in the Starting up...

How to protect your law firm from cyber attacks. What steps to take if your systems are hacked

How to recruit and retain a team that is both happy and highly effective, dealing with the HR issues along the way

In marketing, like anything, you need to get the basics right. Otherwise the time and money you invest in marketing will be wasted

How to win new clients, make the most of existing relationships, encourage referrals and generate new leads

How to approach creating a law firm website that works, from agreeing your objectives to making sure you get the results you want

Why lawyers need to know about social media, how to make the most of the opportunities and how to avoid potential pitfalls

How to use PR to build your firm’s reputation; and how to create cost-effective advertising – traditional and online – that delivers results

Cyber attack – lessons for law firms from a veteran

Peter Wright

Peter Wright, managing director of Digital Law and author of the Law Society Cyber Security Toolkit, gives his tips for minimising the risks. (Updated 7 February 2023)

  1. Make security a priority, and even then don’t think it won’t happen to you. Even firms with top quality cyber capabilities aren’t invulnerable.
  2. Ensure that all staff are aware of your cyber security and data protection policies, with training at least annually.
  3. Provide regular refresher training on new threats and updated guidance on best practice. Make sure that staff are aware of the threats and how they need to modify their day-to-day behavior.
  4. Include cyber security and data protection training as part of the induction process for new starters.
  5. Understand the trade-off between the benefits and risks of integrated systems. Can you segment systems and data to limit the impact of a breach?
  6. Be alert to the potential security risks from third-party software and services. Implement strict policies for selection and use.
  7. Ensure that all software systems and operating systems are up to date. Look out for vulnerabilities in old ‘legacy’ systems using outdated software – if necessary, prioritise investment in up-to-date IT infrastructure.
  8. While your law firm may want to achieve a high profile for marketing purposes, be aware that this makes you more of a target for cyber attacks.
  9. Make responsibility and accountability clear – both within the firm and with any external suppliers.
  10. Document your systems and suppliers, so that you know where to look and who to involve if there’s a problem.
  11. Have a communication plan (including contact details) that you can use if your computer system is down.
  12. Make sure users are not daisy chaining passwords across multiple different systems.
  13. Mandate the use of either two-factor identification or multifactor identification on all business systems. This includes email accounts, business social media accounts, and any cloud business services – eg HR packages, compliance systems, and Office 365 subscriptions.
  14. Avoid providing an easy route for hackers to circumvent your cyber security systems by using instant messaging apps such as WhatsApp of LinkedIn messenger. These can enable hackers to contact your staff and directly send malware, infiltrating your systems despite secure email and business communication systems being in place.
  15. Have a breach response plan in place to deal with the immediate aftermath of an incident – including the need (under GDPR) to report breaches involving personal data to the regulator and the individuals affected.


If your systems are hacked, be ready to act quickly.

  1. Stay calm.
  2. Your best immediate option may be to take down the system that has been compromised until you can work out how to start putting things right.
  3. Find out exactly what has been done to your system. This may require the physical inspection of a server (even a server from an overseas office), passing it to forensic IT consultants who can identify the nature of the attack and what you need to do to regain control of your systems.
  4. Work out your priorities, so that you can focus your efforts on restoring key systems.
  5. Notify relevant insurers, such as cyber liability or professional indemnity insurers. Many insurers will want to see any breach response notification that has to be sent to a regulator.
  6. If necessary, notify the police of any third party intrusion onto the system. Obtain a crime reference number that can be included when notifying other third parties of the breach.
  7. If financial records have been compromised, it is crucial to notify banks and other financial service providers so that they can take the appropriate fraud prevention measures.
  8. Be open within the firm, so that everyone knows what has happened and how to respond to client enquiries.
  9. Decide what you will say to clients, including those who have and have not been affected.
  10. For very large scale breaches, consider issuing a press release to get your side of the story out before the news leaks anyway. Explain how the firm was doing everything required from a legal and regulatory perspective – and more – to safeguard personal, confidential and sensitive data.
  11. Get partner-level involvement in the recovery effort – don’t just leave it to the IT team.
  12. Get support from your suppliers. Consider bringing in an outside adviser.
  13. Find out what went wrong and address any weaknesses you find.
  14. Check carefully to ensure that any backups you use to restore systems and data don’t themselves include malware.
  15. If all of the above seems excessive, simulate what would happen if your organisation was hit by a major cyber-attack. The National Cyber Security Centre provides numerous exercises for teams, senior management and boards to check their level of cyber security awareness by simulating a cyber-attack.

See also: