
Cyber security checklist for law firms

By Jonathan Ashley, co-founder of etiCloud. (Updated 4 April 2025)


  1. Achieve Cyber Essentials certification, the scheme backed by the National Cyber Security Centre. It is an accessible first line of defence and the right place to start if your security is lacking.
  2. Map where data enters and leaves your firm (email, web browsing, remote access, third-party integrations) and put cyber security controls in place at each of those points (see 4-9, below). Knowing these entry and exit points also makes it easier, during an attack, to work out which systems have been affected and which must stay shut down.
  3. Analyse whether you can separate data and systems to limit the impact of any breach. Integrated systems have both risks and benefits, so understand the implications before you segment or consolidate.
  4. As a baseline, use anti-virus and anti-malware software and firewalls, and keep them updated.
  5. Implement multi-factor authentication (MFA) for every single user, with no exceptions for senior staff. (See Multifactor Authentication is a critical layer of cyber security.)
  6. Add inline email security to your cyber security toolkit. This scans every inbound email and attachment and blocks malicious messages or files before they reach a user's mailbox, so every user is protected regardless of how alert they are on the day.
  7. Use a strong, unique password for every website and system, ideally stored in a password manager, and change a password promptly whenever you suspect it has been compromised rather than on a fixed schedule.
  8. Consider web filtering. This stops users reaching known malicious or unapproved websites or URLs by preventing the browser from loading any pages from those sites.
  9. If your software is not already hosted in the cloud, seriously consider it. A large element of your firm's cyber security can then be handled by the managed service provider, to whatever standard your budget allows.
  10. Be cautious when procuring and using third-party software and services, as these can also be entry points for a cyber attack. Include cyber security requirements in vendor contracts and check that suppliers actually meet them.
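To make item 6 concrete, here is an added example (not code from the original page, and not etiCloud's product) of the kinds of checks an inline email security service applies to a message before it reaches a mailbox: sender authentication results, display-name impersonation of the firm, and dangerous attachment types. The firm domain example-law.co.uk, the blocked-extension policy and the three sample messages are all constructed for the illustration.

```python
"""Illustrative inline email screening rules (added example, not a product)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed firm domain and attachment policy; both are hypothetical.
FIRM_DOMAIN = "example-law.co.uk"
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".scr", ".bat", ".ps1"}
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg: Message) -> dict:
    """Return {'spf', 'dkim', 'dmarc'} results from Authentication-Results; absent -> 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in _AUTH_RESULT.findall(header):
            results[mechanism.lower()] = result.lower()
    return results


def attachment_names(msg: Message) -> list:
    """Collect the filename of every attached part."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def screen(raw_message: str) -> dict:
    """Decide whether a raw RFC 5322 message should be quarantined, and why."""
    msg = message_from_string(raw_message)
    reasons = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    auth = auth_results(msg)

    # A message claiming to come from the firm's own domain must pass DMARC;
    # otherwise it is almost certainly spoofed (classic 'urgent transfer' fraud).
    if sender_domain == FIRM_DOMAIN and auth["dmarc"] != "pass":
        reasons.append(f"sender claims firm domain but DMARC result is {auth['dmarc']}")

    # Display-name impersonation: the visible name mentions the firm's domain
    # while the real address is external.
    if sender_domain != FIRM_DOMAIN and FIRM_DOMAIN in display_name.lower():
        reasons.append(f"display name impersonates {FIRM_DOMAIN}")

    # Hard SPF or DKIM failures from any sender.
    if auth["spf"] == "fail" or auth["dkim"] == "fail":
        reasons.append(f"authentication failure spf={auth['spf']} dkim={auth['dkim']}")

    # Dangerous attachment types, judged on the final extension so that
    # double extensions such as Invoice.pdf.exe are still caught.
    for name in attachment_names(msg):
        suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if suffix in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")

    return {"quarantine": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real traffic).
CLEAN_MAIL = """\
From: Client Contact <client@customer.example>
To: partner@example-law.co.uk
Subject: Signed engagement letter
Authentication-Results: mx.example-law.co.uk; spf=pass smtp.mailfrom=customer.example; dkim=pass header.d=customer.example; dmarc=pass header.from=customer.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="engagement.pdf"

%PDF-1.4 placeholder
--b1--
"""

PHISH_MAIL = """\
From: "accounts@example-law.co.uk" <billing@free-mail.example>
To: cashier@example-law.co.uk
Subject: Overdue invoice
Authentication-Results: mx.example-law.co.uk; spf=pass smtp.mailfrom=free-mail.example; dkim=none; dmarc=none
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.pdf.exe"

MZ placeholder
--b2--
"""

SPOOF_MAIL = """\
From: Managing Partner <partner@example-law.co.uk>
To: cashier@example-law.co.uk
Subject: Urgent transfer
Authentication-Results: mx.example-law.co.uk; spf=fail smtp.mailfrom=example-law.co.uk; dkim=none; dmarc=fail header.from=example-law.co.uk

Please move the client funds now, I will explain later.
"""
```

Calling screen() on the three samples: the client's signed letter passes; the fake invoice is quarantined for display-name impersonation and a blocked attachment type; the "urgent transfer" message is quarantined because it claims the firm's own domain but fails DMARC and SPF. A commercial gateway layers URL rewriting, attachment sandboxing and sender reputation feeds on top of rules like these, which is why the checklist treats it as a separate control from desktop anti-virus.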

"The Law Society recommends that all law firms achieve Cyber Essentials accreditation if they wish to apply for the Lexcel legal practice quality mark."
James Doswell, risk management consultant, Travelers

  1. Keep up to date with the latest available technology and its cost-benefit, usually in liaison with your managed service provider.
  2. Document all your systems and suppliers, so full information is readily available and you know who to contact in an emergency.
  3. Diarise regular security reviews, patching and tests and stick to them. It only takes one late patch or software update to let an attacker into your systems.
  4. Invest in regular cyber security training, as employees are usually the number one point of vulnerability. Familiarise them with your firm's security protocols and data protection policies.
  5. Include that training in the induction process for every new employee.
  6. Regularly test that training, or people will relax their guard. For example, send dummy phishing emails and see who (including senior management) clicks or replies.
  7. Consider holding 'insight sessions' to learn from the experiences of others. For example, the well documented Allen & Overy attack of November 2023: how would your team respond?
  8. Consider cyber insurance, as professional indemnity insurance is not designed to cover cyber attacks (although it can provide cover in particular situations).
  9. Draft, agree, and regularly test and update a breach response plan to deal with the aftermath of a cyber security attack. It must include reporting any breach of personal data to the relevant regulators (under the UK GDPR, a notifiable breach must be reported to the ICO within 72 hours of becoming aware of it) and to any individuals directly affected.
  10. You can outsource your firm's cyber security, but your senior management team remains responsible for it: for the return on the investment and for the level of risk the firm accepts by not investing more time and money in cyber security.
