Cyber security for solicitors
Learn how to protect yourself from hacks, scams and cyber attacks. Understand the risks facing solicitors and make sure your data is secure and protected.
Why cyber security is important
Cyber crime is getting more sophisticated, so it’s important to know how to protect your information and systems.
‘Cyber security’ means the measures you should have in place to protect your critical assets from cyber crime and digital attacks.
Critical assets can be both digital and physical. They include:
- data
- networks
- software
- computers
- mobiles and smart devices
Having the right cyber security measures in place will help you maintain client trust. It will also ensure you comply with your legal and regulatory requirements.
Risks and threats
Legal professionals hold sensitive, confidential and valuable data. For example, client names, addresses and banking information.
Law firms and in-house legal teams also manage commercially sensitive information. For example, client contracts and financial data.
Legal professionals depend on computer systems to interact with clients, business partners and financial institutions.
This makes solicitors particularly vulnerable to cyber criminals or scammers attempting to:
- steal confidential and valuable data or intellectual property
- extort money through ransom demands
- disrupt your business
Firms of all sizes, sole practitioners and in-house legal teams are all vulnerable to cyber crime.
Common cyber security risks include:
- weak passwords
- outdated systems and software
- lack of employee training
- poor access controls
- using unsecured devices
It’s important to remember you are part of a chain of organisations and individuals communicating with each other.
A vulnerability in your part of the chain also makes everyone connected to you vulnerable.
Cyber attacks on law firms
The Solicitors Regulation Authority (SRA) published 278 scam alerts in response to reports from the public and profession between January 2022 and January 2023, according to the UK Legal Sector Cyber Threat Report.
The report found nearly three-quarters of the UK’s top 100 law firms have been affected by cyber attacks.
In 2021, a City law firm reported it had lost client data because of a cyber attack.
It was reported that almost 8% was wiped off the firm’s share value within an hour of it issuing a statement.
In 2024, a solicitor was fined £26,000 for failing to spot a cyber scam.
The SRA said there were many ‘red flags’ that the solicitor missed.
This highlights the importance of professional conduct as well as technical cyber security measures.
The risk of incidents like malware attacks is also increasing for smaller firms that have little or no dedicated cyber security or IT support.
For more information on different types of cyber attacks, read our guide on how to identify a cyber attack.
How to protect yourself
- Use strong passwords and change them regularly
- Enable multi-factor authentication
- Avoid using USB sticks or external hard drives. These are common entry points for attackers
- Keep software and devices updated
- Back up your data securely and regularly
- Be wary of emails from unknown senders, particularly if they contain attachments or external links
- Be careful when working remotely. Use secure wifi and avoid discussing cases in public or shared spaces
How to protect your organisation
Follow these steps to protect your firm, team or organisation from data breaches and cyber attacks.
Get certified
Achieving cyber certification is one of the best ways to make sure your organisation or team is secure.
Cyber certification often includes training and policy development.
It can help you:
- meet your regulatory requirements
- lower insurance premiums. Some insurers offer discounts for certified organisations
- show clients, regulators and partners that you take cyber security seriously
Certification options
- Cyber Essentials is a government-backed certification scheme
- Lexcel is our legal practice quality mark for client care, compliance and practice management
- ISO 27001 is a standard for managing and protecting information assets
Our cyber security partners can help you get certified:
Decide who is responsible
You may want to assign cyber security leads. Leads are responsible for implementing, managing and monitoring all aspects of cyber security.
This includes:
- responding to threats
- complying with regulations
- coordinating staff training
If you do not have capacity or expertise internally, you may want to consider hiring an external supplier to take on some of these responsibilities.
Law Society members can access discounts from our cyber security partners Fourtify and Mitigo.
In larger organisations, IT teams will usually lead on cyber security.
Senior leaders are responsible for embedding cyber security in the organisation’s risk management processes and governance.
General safety
- Use a firewall to secure your internet connection
- Protect all devices with antivirus software
- Keep IT systems up to date with regular patching
- Encrypt mobile devices and install a system that can remotely wipe them if they are lost
- Back up important information regularly
- Avoid giving out payment system access or admin accounts unless staff need them to do their jobs
Review your assets
You should regularly review:
- financial and information assets, such as payment systems and IT equipment
- who has access to assets
- how assets are stored
- your cyber security policies. You should also appoint someone to oversee these policies
Introduce safety measures. For example, make sure there are clear processes and reporting lines across your organisation for handling money.
Check regularly that your measures are working as expected.
Make a response plan
It’s good practice to have a plan in place for cyber attacks.
Your plan should include:
- who staff should alert if there is an attack (likely your IT team or cyber security leads)
- actions to take to stop the attack if it’s still happening
- how to reduce damage afterwards
For more tips and advice, read our guide on what to do after a cyber attack.
Train your staff
Make sure your staff understand how to:
- follow your response plan if there is a cyber attack
- create secure passwords
- recognise common cyber attacks
- safely store and dispose of confidential documents
Staff should also understand the added risks of working outside the office.
For example, connecting to public wifi that may not be secure or having conversations that can be overheard.
Staff should avoid:
- changing payment details or making payments without thorough checks
- opening email attachments if they don’t know who or where they’re from
- connecting personal devices to your network. For example, USB sticks
- downloading unsafe apps or browsing unsafe websites
DG Legal offer data protection and cyber security training.
Write a cyber security policy
It is best practice to have a dedicated cyber security policy, even if cyber security is mentioned in other policies.
This is particularly true for sectors handling sensitive data like legal services.
Your policy should cover:
- roles and responsibilities
- asset management
- access control
- data protection
- use of technology
- threat prevention
- responding to incidents (also covered by your response plan)
Purchase cyber insurance
Cyber insurance covers your costs and losses if you experience a data breach or cyber attack.
Cyber insurance can supplement your professional indemnity insurance (PII) cover.
Some insurers will ask about the security measures in your firm, because good security may lower PII premiums. Your firm should already have appropriate security in place.
Regulation and compliance
Under the UK General Data Protection Regulation (UK GDPR), you must process personal data securely.
The SRA also requires solicitors to take appropriate steps to protect client data against loss, damage or unauthorised access.
Personal data is information that can be used to identify people. All solicitors hold personal data.
You must protect personal data against:
- unauthorised or unlawful processing
- accidental loss
- destruction
- damage
You must consider data protection:
- at the start of any processing activity – for example, collecting client data through a web form
- during the processing – for example, storing the client data on your systems
Read our guide on GDPR for solicitors.
Reporting data breaches
If you experience a cyber attack, you need to check if personal data has been lost.
If it has, you may need to report the breach to the Information Commissioner.
You must report a personal data breach within 72 hours of first finding out – even if it’s outside working hours.
Read our guide on reporting a data breach.
Learn what to do after a cyber attack.
If there has been a serious breach of the SRA’s Standards and Regulations, your firm also has an obligation to report it to the SRA under Rule 3.9 of the Code of Conduct.
Training and resources
Read our guidance on:
- cyber insurance for law firms
- how to identify a cyber attack
- what to do after a cyber attack
- cloud computing
Read the UK government’s cyber toolkit for small businesses.
Take your first steps towards cyber certification with:
Browse our upcoming cyber security training courses.
DG Legal also offer data protection and cyber security training.
Join our risk and compliance member community.
Explore offers from our cyber security partners:
Action Fraud also has a list of free cyber security services for organisations.