Making it easier to grow your law firm


This section covers succession, specialisation, mergers, selling a law firm, becoming a partner, and business structure

How to plan and execute the process of starting up a new legal practice that is compliant and financially healthy

How to set up your firm’s systems to provide the information that enables you to improve profitability and cashflow

How to avoid professional negligence claims, with examples of common problems and suggested solutions. Plus FAQs on PII

This section only covers SRA Accounts Rules and GDPR at the moment. Compliance for start-ups is covered in the Starting up...

How to protect your law firm from cyber attacks. What steps to take if your systems are hacked

How to recruit and retain a team that is both happy and highly effective, dealing with the HR issues along the way

In marketing, like anything, you need to get the basics right. Otherwise the time and money you invest in marketing will be wasted

How to win new clients, make the most of existing relationships, encourage referrals and generate new leads

How to approach creating a law firm website that works, from agreeing your objectives to making sure you get the results you want

Why lawyers need to know about social media, how to make the most of the opportunities and how to avoid potential pitfalls

How to use PR to build your firm’s reputation; and how to create cost-effective advertising – traditional and online – that delivers results

Cyber security checklist for law firms

Headshot of Jonathan AshleyBy Jonathan Ashley, co-founder of etiCloud. (15 January 2024)


  1. Achieve Cyber Essentials accreditation from the National Cyber Security Centre. It’s an accessible first line of defence and a great place to start if your security is lacking.
  2. Take a detailed look at where data enters and leaves your firm and put cyber security solutions in place in these areas (see 4-9, below). This enables more accurate detection in a cyber attack situation, to work out which systems must remain closed down.
  3. Analyse whether you can separate data and systems, to limit the impact of any breach. There are risks and benefits to integrated systems, so understand the implications.
  4. Use anti-malware software to protect your IT systems and devices against cyber attacks intended to harm or exploit them. It provides a basic level of cyber protection.
  5. Implement Multi-Factor Authentication (MFA) for every single user. (See Multifactor Authentication is a critical layer of cyber security.)
  6. Add Inline Email Security to your cyber security toolkit. This application blocks malicious emails or files before they enter a user’s mailbox, scanning every email and providing a high level of protection for every user.
  7. Use a different password for every different website you use and ideally change the passwords on a monthly basis.
  8. Consider Web Filtering. This technology prevents users from accessing certain websites or URLs and prevents the user’s browser loading any pages from such sites.
  9. If your software is not already hosted in the cloud, seriously consider it. A large element of your firm’s cyber security can be handled by the managed service provider — to whatever standard your budget allows.
  10. But be cautious when procuring and using third-party software and services, as these too can be the entry point for a cyber attack.
  11. Keep up-to-date with what latest technology is available and its cost-benefit, usually in liaison with your managed service provider.
  12. Document all your systems and suppliers, so full information is readily available and you know who to contact in an emergency.
  13. Diarise regular security reviews and tests and stick to them. It only takes one late patch or software update to potentially allow an attacker to enter your system.
  14. Invest in regular cyber security training, as employees are usually the number one point of vulnerability. Familiarise them with your firm’s security protocols and data protection policies.
  15. Include that training in the induction process for every new employee.
  16. Regularly test that training, or people will relax their guard. For example, see if anyone (including senior management) replies to dummy phishing emails.
  17. Consider holding ‘insight sessions’, to learn from the experiences of others. For example, the well documented Allen & Overy attack this year: how would your team respond?
  18. Consider cyber insurance, as professional indemnity insurance is not designed to cover cyber attacks (although it can provide cover in particular situations).
  19. Draft and agree a breach response plan to ensure you are fully prepared to deal with the aftermath of cyber security attack.
  20. The response plan must include reporting any breaches of personal data to the relevant regulators and any individual directly affected.
  21. You can outsource your firm’s cyber security, but your senior management team still has responsibility for it: responsibility for the return on investment and for the level of risk your firm is accepting by not investing more time and money into cyber security.


See also: