Practical advice on growing your law firm, from Travelers and other expert suppliers to law firms.

Cyber attack – lessons for law firms from a veteran

Peter Wright

Peter Wright, managing director of Digital Law and author of the Law Society Cyber Security Toolkit, gives his tips for minimising the risks

  • Make security a priority, but don’t assume that means it won’t happen to you: even firms with top-quality cyber capabilities aren’t invulnerable.
  • Ensure that all staff are aware of your cyber security and data protection policies, with training at least annually.
  • Provide regular refresher training on new threats and updated guidance on best practice. Make sure that staff are aware of the threats and how they need to modify their day-to-day behaviour.
  • Include cyber security and data protection training as part of the induction process for new starters.
  • Understand the trade-off between the benefits and risks of integrated systems. Can you segment systems and data so that a compromise of one system (a single email account, say) does not give an attacker access to everything?
  • Be alert to the potential security risks from third-party software and services, including any that have access to your data or network. Implement strict policies for selection and use.
  • Ensure that all software systems and operating systems are up to date, and apply security updates promptly. Look out for vulnerabilities in old ‘legacy’ systems using outdated software – if necessary, prioritise investment in up-to-date IT infrastructure.
  • While your law firm may want to achieve a high profile for marketing purposes, be aware that this makes you more of a target for cyber attacks.
  • Make sure responsibility and accountability are clear – both within the firm and with any external suppliers.
  • Document your systems and suppliers, so that you know where to look and who to involve if there’s a problem.
  • Make sure you have a communication plan (including contact details) that you can use if your computer system is down.
  • Make sure you have a breach response plan in place to deal with the immediate aftermath of an incident – including the need (under GDPR) to report breaches involving personal data to the regulator (in the UK, the ICO), normally within 72 hours of becoming aware of the breach, and to the individuals affected where the breach is likely to result in a high risk to them.


If your systems are hacked, be ready to act quickly.

  • Stay calm.
  • Your best immediate option may be to take the compromised system offline until you can work out how to start putting things right. Where you can, isolate it from the network rather than powering it off: volatile evidence (running processes, memory, active connections) is lost on shutdown, and investigators and insurers may need it.
  • Work out your priorities, so that you can focus your efforts on restoring key systems.
  • Notify relevant insurers, such as cyber liability or professional indemnity insurers. Many insurers will want to see any breach response notification that has to be sent to a regulator.
  • If necessary, notify the police of any third-party intrusion onto the system (in England and Wales, via Action Fraud). Obtain a crime reference number that can be included when notifying other third parties of the breach.
  • If financial records have been compromised, it is crucial to notify banks and other financial service providers so that they can take the appropriate fraud prevention measures.
  • Be open within the firm, so that everyone knows what has happened and how to respond to client enquiries.
  • Decide what you will say to clients, including those who have and have not been affected.
  • For very large-scale breaches, consider issuing a press release to get your side of the story out before the news leaks anyway. Explain, accurately, what the firm had in place to safeguard personal, confidential and sensitive data and what it is doing now – anything you say publicly will be tested against what you tell the regulator and your insurers.
  • Get partner-level involvement in the recovery effort – don’t just leave it to the IT team.
  • Get support from your suppliers. Consider bringing in an outside adviser.
  • Find out what went wrong and address any weaknesses you find before you bring systems back, otherwise the attacker may simply return by the same route.
  • Check carefully that any backups you use to restore systems and data don’t themselves include malware or an attacker’s foothold: restore from a copy taken before the suspected compromise where possible, verify it against integrity records kept offline, and scan it before reconnecting it to the network.
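The last point is easy to state and easy to get wrong under pressure. The following Python script is an added worked example (it is not from the article or from Peter Wright) of one way to make the check routine: every backup run is assumed to record a manifest of file paths and SHA-256 hashes that is kept on write-once or offline storage, and the investigation is assumed to have produced an earliest date from which the intruder may have been present. The script then reports files whose hash no longer matches the manifest, files missing from the backup, files present that the manifest never listed, and files that match the manifest but were changed inside the intrusion window. That last category matters because a manifest only proves the backup set was not tampered with after it was written; it cannot prove that what was backed up was clean. All file names, contents and dates are constructed for the demonstration.

```python
"""Verify a backup set against a known-good manifest before restoring it.

Added example, not from the original article. Assumptions: each backup run
produced a manifest (path -> SHA-256 hex) that has been kept on offline or
write-once storage, so an intruder who tampers with the backup set cannot
also rewrite the manifest; and the incident investigation has produced an
earliest date from which the intruder may have been active.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupFile:
    path: str
    content: bytes
    mtime: datetime  # modification time recorded in the archive


@dataclass
class Verdict:
    ok: list = field(default_factory=list)
    modified: list = field(default_factory=list)          # hash differs from manifest
    missing: list = field(default_factory=list)           # in manifest, not in backup
    unexpected: list = field(default_factory=list)        # in backup, not in manifest
    suspicious_mtime: list = field(default_factory=list)  # matches, but changed in intrusion window

    @property
    def safe_to_restore(self) -> bool:
        return not (self.modified or self.missing or self.unexpected or self.suspicious_mtime)


def verify_backup(files, manifest, compromise_start):
    """Compare a backup set with its manifest and list everything that must be
    quarantined or reviewed before a restore. `manifest` maps path -> SHA-256."""
    verdict = Verdict()
    seen = set()
    for f in files:
        seen.add(f.path)
        expected = manifest.get(f.path)
        if expected is None:
            verdict.unexpected.append(f.path)        # planted or unaccounted-for file
            continue
        if sha256_hex(f.content) != expected:
            verdict.modified.append(f.path)          # backup altered after manifest written
        elif f.mtime >= compromise_start:
            # Hash matches, so the backup is intact, but the file changed while the
            # intruder may have been present: the manifest may have captured malware.
            verdict.suspicious_mtime.append(f.path)
        else:
            verdict.ok.append(f.path)
    for path in manifest:
        if path not in seen:
            verdict.missing.append(path)
    return verdict


# --- constructed sample data (hypothetical firm, not real files) -------------
UTC = timezone.utc
COMPROMISE_START = datetime(2024, 3, 10, tzinfo=UTC)  # assumed from the investigation

SAMPLE_FILES = [
    BackupFile("matters/smith-v-jones/pleadings.docx", b"pleadings v3", datetime(2024, 2, 1, tzinfo=UTC)),
    BackupFile("finance/ledger.csv", b"ledger 2024-02", datetime(2024, 2, 28, tzinfo=UTC)),
    # tampered after the manifest was written: hash will not match
    BackupFile("it/login-script.ps1", b"Start-Process evil.exe", datetime(2024, 3, 12, tzinfo=UTC)),
    # never in the manifest: planted file
    BackupFile("it/updater.exe", b"MZ...", datetime(2024, 3, 11, tzinfo=UTC)),
    # matches the manifest but changed during the intrusion window: review before restore
    BackupFile("templates/letterhead.dotm", b"macro-enabled template", datetime(2024, 3, 11, tzinfo=UTC)),
]

SAMPLE_MANIFEST = {
    "matters/smith-v-jones/pleadings.docx": sha256_hex(b"pleadings v3"),
    "finance/ledger.csv": sha256_hex(b"ledger 2024-02"),
    "it/login-script.ps1": sha256_hex(b"Write-Host 'welcome'"),
    "templates/letterhead.dotm": sha256_hex(b"macro-enabled template"),
    "hr/payroll.xlsx": sha256_hex(b"payroll"),  # listed, but absent from the backup set
}


def sample_verdict() -> Verdict:
    return verify_backup(SAMPLE_FILES, SAMPLE_MANIFEST, COMPROMISE_START)


if __name__ == "__main__":
    v = sample_verdict()
    print("safe to restore:", v.safe_to_restore)
    for label in ("modified", "missing", "unexpected", "suspicious_mtime"):
        print(f"{label}: {getattr(v, label)}")
```

Run stand-alone, the sample set is reported as not safe to restore: one file has been altered, one is missing, one was planted, and one matches its recorded hash but was modified inside the intrusion window. In practice the manifest would be produced by the backup job and the comparison run against the mounted archive rather than in-memory bytes, but the decision logic is the same, and the files in the last two categories are the ones an anti-malware scan alone would not necessarily catch.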
