What are the top cyber security challenges facing law firms?

In today’s digital world, data protection breaches and cyber hacks are never out of the news. And, with an increasing amount of sensitive and personal information moving to the cloud, and more and more hackers targeting legal firms, it’s no wonder that lawyers are nervous.

Safeguarding business IP, medical records and financial information is a must if you want to uphold your reputation and protect your clients. As such, an awareness of the cyber challenges facing firms is crucial if you are to stand any chance of mitigating risk.


Online criminals have become increasingly sophisticated, and it is no longer just lone hackers we have to worry about: in 2018, established criminal organisations are evolving into cybercrime syndicates, and state actors are getting in on the act too. For law firms, this threat most often arrives by email. According to a recent study[1], 99% of UK law firms are vulnerable to email fraud and only 1% have adequate measures in place to protect against email scams.

In response, it’s vital that firms put robust security processes in place. For example, DMARC lets a firm publish, in DNS, a policy that tells receiving mail servers how to treat messages that claim to come from its domain but fail SPF or DKIM authentication (monitor only, quarantine or reject) and where to send reports about them, so that spoofed mail sent in the firm’s name can be recognised and blocked rather than delivered to clients. Lawyer Checker – which provides technology and products to help protect lawyers and consumers – has recently launched a DMARC service to help firms to secure their email effectively.
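To make the "what to do if it isn’t" part concrete, the following is an added example, not code from the original article or from Lawyer Checker: a small Python evaluator that takes a domain’s published DMARC record and the SPF/DKIM results a receiving server has already computed, checks whether the authenticated domains align with the visible From domain, and returns the disposition the policy requests. The domain names, the DMARC record and the three sample messages are constructed for illustration, and the `organizational_domain` helper is a deliberately tiny stand-in for a Public Suffix List lookup.

```python
"""DMARC policy evaluation (added example; domains and messages are constructed)."""
from dataclasses import dataclass

# Tiny stand-in for the Public Suffix List (assumption for this example);
# production code must consult the full PSL.
KNOWN_MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a '_dmarc.<domain>' TXT record such as 'v=DMARC1; p=reject; ...'
    into a tag dictionary, applying the defaults RFC 7489 specifies."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record must carry a p= policy tag")
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the p= policy
    tags.setdefault("pct", "100")     # sampling percentage (ignored below)
    return tags


def organizational_domain(domain: str) -> str:
    """Reduce 'mail.example-law.co.uk' to 'example-law.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed alignment only needs the
    same organizational domain (so mail.example-law.co.uk aligns with example-law.co.uk)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From header the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope (MAIL FROM) domain SPF was evaluated against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def evaluate_dmarc(record_txt: str, results: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). A message passes if at least one of
    SPF or DKIM both passed AND is aligned with the From domain; otherwise the
    record's p= (organizational domain) or sp= (subdomain) policy applies."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    org = organizational_domain(results.from_domain)
    applicable = policy["p"] if results.from_domain.lower() == org else policy["sp"]
    return ("fail", applicable)


# Constructed sample record for a hypothetical firm, as it would be published at
# _dmarc.example-law.co.uk: reject spoofs of the main domain, quarantine subdomain
# failures, strict DKIM alignment, relaxed SPF alignment, aggregate reports by mail.
RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
          "rua=mailto:dmarc-reports@example-law.co.uk")

# Genuine mail from the firm's own server: SPF passes on a relaxed-aligned
# subdomain and DKIM is signed by the exact From domain.
LEGIT = AuthResults("example-law.co.uk", "pass", "mail.example-law.co.uk",
                    "pass", "example-law.co.uk")
# Spoof: the attacker's own envelope domain and DKIM key both authenticate,
# but neither aligns with the From domain the client sees.
SPOOF = AuthResults("example-law.co.uk", "pass", "bulk-sender.example",
                    "pass", "bulk-sender.example")
# Subdomain sender whose DKIM signature is from the parent domain: passes DKIM
# but fails strict alignment, so the sp= policy applies.
SUBDOMAIN = AuthResults("billing.example-law.co.uk", "fail", "other.example",
                        "pass", "example-law.co.uk")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)):
        print(name, evaluate_dmarc(RECORD, msg))
```

The spoof case is the one the study above is about: the attacker’s message is fully authenticated for the attacker’s own domain, and only the alignment check against the From domain, combined with a p=reject policy, causes the receiving server to refuse it. A firm that publishes p=none gets the reports but no protection, so the usual rollout is none, then quarantine, then reject once the reports show all legitimate senders aligning.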

Human error

The greatest security threat facing law firms still comes from employees, whether that is a disgruntled member of staff looking to cause trouble or someone who simply does not understand the necessary security processes and the risks. To combat this, it’s vital that training is put in place to develop a vigilant “stop and think” culture and to ensure all employees can recognise common threats (e.g. phishing emails).

At the same time, stringent but straightforward security measures and controls, such as strong, unique passwords backed by two-factor authentication, must be enforced.

With human error the leading cause of data breaches, legal staff must be made fully aware of the potential consequences of losing sensitive information, so that they take their responsibilities seriously.

Enhanced data protection requirements

Earlier this year, the GDPR came into force. While this legislation was needed to meet the demands of our online world, the regulations have created cost and compliance headaches for legal firms.

However, there are some practical steps firms can take to aid compliance. These steps include:

  • Auditing and documenting the personal data you hold and all the stages involved in processing it (from client on-boarding processes through to the management, sharing and deletion of data)
  • Establishing stringent reporting processes (under the GDPR, firms must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it)
  • Evaluating any potential risks (e.g. device, network, process, human weaknesses, etc.)
  • Identifying where you need to make improvements
  • Putting necessary digital security measures in place (e.g. 2FA, DMARC)
  • Undertaking staff cybersecurity training
  • Creating an acceptable-use policy and making sure all staff are aware of it
  • Establishing physical access controls
  • Making sure that cloud providers meet the necessary security standards
  • Investing in security accreditation (e.g. Cyber Essentials).

Success in our online world means capitalising on the opportunities new and evolving technology presents while managing the inherent risks. By developing a cyber aware culture, lawyers can protect what’s important and get on with the job in hand.