8 Reasons Why Law Firms Need Cyber Essentials Certification
Last updated: 2 Apr 2025 by Mark Faulkner

It goes without saying that law firms carry a lot of responsibility on their shoulders.
Not only do they help their clients successfully navigate the ins and outs of the law but they also handle a lot of highly sensitive data, personally identifiable information, and private details.
With this in mind, it’s no wonder that the Solicitors Regulation Authority (SRA) advised firms that “it may be better to ask when, not if, you will be targeted by online criminals.”
Law firms therefore need to be adequately prepared for online risks. Gaining Cyber Essentials certification gives you a resilient baseline of security defences with a proven track record of reducing organisations’ digital vulnerability.
Though Cyber Essentials is valuable across sectors, accreditation presents a number of benefits that are of particular importance to the legal industry.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification developed to protect organisations and their clients from modern cyber risks. Becoming certified requires organisations to put five categories of cybersecurity protections in place and pass a self-assessment and technical audit process.
The five categories of security controls that are required by Cyber Essentials are as follows:
- User access control
- Secure configuration
- Security update management
- Firewalls and routers
- Malware protection
Companies can also become Cyber Essentials Plus certified. This is an advanced version of Cyber Essentials which demands the same five controls, but verifies them through a much more rigorous technical audit.
8 Reasons Why Your Law Firm Needs Cyber Essentials Certification
I believe that all organisations can benefit from officially adopting this standard, though highly regulated sectors like law potentially have the most to gain from it, chiefly because, in the wake of a breach, the data, reputational, downtime, and punitive losses they face could be particularly substantial.
1. Because Law Firms are a Lucrative Target
Law firms - as well as other professional services organisations - are an incredibly lucrative target for cybercriminals. Given all of the highly sensitive and highly confidential information that passes across a single fee earner’s desk every day, it doesn’t bear thinking about what would happen if that information were to fall into the wrong hands.
Now I’m not someone who likes to sell on fear, but this point needs to be made. Cybercriminals likely see law firms as prime targets for ransomware attacks, blackmail, or other means of extortion where private information may be at stake. Not only would such an attack cost your organisation money but it would also cause irreparable reputational damage. It could even threaten the personal privacy - and potentially safety - of your clients and their families. It really doesn’t bear thinking about.
Figures reported by the Law Society Gazette in August 2024 found that successful cyber attacks against UK law firms rose by 77% in the prior year. And worryingly, recent Cohesity figures indicated that 59% of ransomware-afflicted UK organisations (across industries) had paid a ransom, despite most having explicit internal rules against paying up.
Law firms even have sector-specific threats in their orbit, such as Friday afternoon fraud, which exploits the fact that many people move house on a Saturday and are hurriedly (and distractedly) getting their affairs in order on the Friday beforehand.
It’s also worth mentioning the unique cyber risks that barristers face too. They often operate as sole practitioners, which can present its own cyber vulnerabilities due to lack of security oversight. Barristers also work both remotely and in shared spaces like Chambers; so if one barrister’s device is poorly secured, that could present security risks to the Chambers’ whole network.
In order to achieve Cyber Essentials accreditation, firms need to demonstrate adoption and ongoing use of crucial security controls that can dramatically improve any organisation’s security posture.
2. The Law Society Standards Strongly Recommend Accreditation
The Lexcel Quality Mark guidance for England and Wales (Ver 6.1) mentions Cyber Essentials by name. In point 3.2, the guidance states:
Practices must have an information management and security policy and should be accredited against Cyber Essentials.
So firms looking to achieve Lexcel accreditation “should” implement Cyber Essentials, though it is not a must.
However, the guidance that complements point 3.2 largely sums up much of what companies have to do to become Cyber Essentials accredited anyway. So our advice would be to aim for accreditation so you can both comply with the Lexcel guidance and have the public Cyber Essentials trustmark against your name. Speaking of which…
3. Accreditation Provides a Publicly Recognisable Trust Signal
Cyber Essentials is a very public certification. Whilst accredited, you can advertise that status within your marketing materials, on stationery, and via other highly visible touchpoints. All accredited organisations are also publicly listed on the IASME website (IASME being the organisation which administers the scheme), and that listing serves as proof of certification.
Now I’m sure I don’t need to tell you how important a factor trust is in the legal sector. But if a law firm were to suffer a breach, then even putting data, punitive, and personal damages aside, the lasting effects of mistrust and reputational harm can ripple through your public brand perception for years.
On the other hand, Cyber Essentials is a practical, provable trustmark which demonstrates to potential clients and suppliers that you are actively taking your security responsibilities seriously. It’s an independently accredited standard that shows continual effort towards minimising your own online risks and those targeted at your clients.
Additionally, data indicates that Cyber Essentials certified organisations are 92% less likely to make a claim on their cyber liability insurance compared to non-certified organisations.
All in all, Cyber Essentials both proves your commitment to good cybersecurity, and actively gives you the tools to make good on that commitment.
4. It’s an Opportunity to Revisit Hardware & Access Policies
Cybercriminals frequently make their way into an organisation’s IT ecosystem via long-forgotten, poorly secured hardware or user credentials. Therefore, actively maintaining a log of your firm’s IT hardware and user logins is an essential cybersecurity practice - and one which is reflected in these standards.
Taking stock of all devices and logins within your organisation may seem like an intimidating task, even before taking staff-owned (“BYOD”) devices into account.
Yet carrying out such an audit can be a great opportunity for an IT spring clean! It can be your chance to upgrade older, slower tech; modernise your IT (such as moving from on-premise servers to the cloud); remove dormant user accounts; implement the “principle of least privilege” across all users; and optimise software licence usage.
5. Cyber Essentials is Required for Some Public Sector Contracts
Many central and local government contracts mandate that tendering organisations be Cyber Essentials certified. So if you’ve got public sector contracts in your sights, you’ll likely end up needing accreditation sooner or later anyway.
Cyber Essentials is generally required for central government contracts where you will be expected to:
- Handle UK citizens’ personal data
- Handle government employees’ personal data
- Deal with day-to-day government business, finances, and service delivery
- Handle defence information within the Ministry of Defence supply chain
- Deliver IT or data services/products to the government (this one’s probably more relevant to us than to you!)
An increasing number of local government contracts are stipulating Cyber Essentials accreditation for similarly sensitive applications.
So aside from it being an essential trust signal, it can help you get more work from the public sector too!
6. It Can Encourage a Culture of Cybersecurity Awareness
Though certification doesn't require your team to undergo cybersecurity training, it can be a great opportunity to foster cybersecurity awareness within your organisation. After all, a cyber-aware team is a real asset in terms of business and digital resilience.
But there’s another benefit here too. Implementing Cyber Essentials requires security-focused changes to workflows such as implementing Multi-Factor Authentication (MFA) and securing access management practices. Any change to “the way things are done” can cause resistance within any team.
However, any change management practitioner will tell you that when a team understands and values the reasons why changes are being put in place, friction and resistance to that change are minimised. A cyber-aware team is therefore more likely to be open to cyber-focused change and to understand the benefits at stake.
Whether you ultimately opt to become accredited or not, any push towards creating a more secure workplace allows you to put your whole attitude to cyber defence under the microscope - both as individuals and as a collective whole.
7. Increasing Business Resilience
Good cybersecurity practices are now an essential part of overall business resilience - whether you’re Cyber Essentials certified or not. Maintaining good security controls doesn’t just shield you from punitive and reputational losses either. It protects you against downtime and remediation costs as well, which can sometimes be similarly substantial.
Cyber Essentials, though, provides a nationally recognised and government-backed set of standards which affords you a robust and repeatable level of cyber and business resilience.
And because you’re using an externally verified benchmark, it ensures you’re not fudging the numbers or marking your own homework.
8. The Benefits of Cyber Essentials Vastly Outweigh the Costs
Now I can’t possibly comment on the costs that you may encounter in bringing your firm up to speed ready for certification. But given the significant reduction in cybersecurity risk, the opportunities to modernise your IT, and the strong trust signals at play, I would argue that Cyber Essentials would likely be an open and shut case for many of you reading.
It’s also worth noting that UK-based organisations with a turnover of under £20m that achieve Cyber Essentials also get access to £25,000 worth of cyber liability insurance.
Becoming Cyber Essentials Accredited with Penken Technology
Earning your Cyber Essentials or Cyber Essentials Plus certification is simple with Penken Technology. After a short briefing to understand your organisation, we’ll work together to install a lightweight management app on each of your devices.
Once set up, this app will help us both exhaustively flag issues that don’t meet Cyber Essentials requirements. It even serves to automate parts of the accreditation questionnaire for you. And of course, I will be personally available throughout the whole process to provide technical help and practical assistance.
Ready to take the first step towards Cyber Essentials accreditation with technical experts in your corner? Click here to book a free chat to discuss your needs today!