Do legal professionals need Cyber Essentials or is it just box ticking?

There is no getting away from the fact that if you are a legal professional in the UK, you handle sensitive client information. That makes you a potential target for cyber-criminals. The Solicitors Regulation Authority (SRA) are strongly suggesting that all solicitors, and I think we can assume all legal professionals, look at Cyber Essentials as part of their working practices.

What is Cyber Essentials?

Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber threats. It consists of a series of protection and prevention measures that should reduce your chances of a data breach or other attack. While nothing is guaranteed, implementing and understanding Cyber Essentials is a UK standard measure of your effectiveness.

Where do the SRA stand?
Well, to be frank, it seems pretty clear that the SRA’s stance on cybersecurity is that it is a vital part of the operational procedures of a modern legal practice. Their guidelines seem to suggest that failing to protect client information from cyber threats could be seen as a breach of the SRA Code of Conduct. In short, there is an expectation that legal professionals must proactively manage and mitigate cyber risks. You also have an obligation under GDPR to ensure you make every effort to protect client data. The right way to demonstrate compliance is via Cyber Essentials. It is recognised, it is national, and it is effective.

So, it is all about ticking a compliance box?
Absolutely not. Thinking about Cyber Essentials as paying lip service to compliance is potentially a very dangerous stance. It only takes a moment of thought to realise that the damage done by a successful attack is significant and even disastrous.

Clearly you have a legal duty to meet the requirements of all applicable legislation. However, there are other significant issues to be considered in the aftermath of a problem with data security.

Reducing the risk to your reputation – Your clients will need to be informed of a breach should one happen. That can be devastating when it comes to client trust. By complying with the Cyber Essentials criteria, legal firms can prevent most common cyber-attacks. These preventive measures are vital because a data breach is both costly and damaging to firms’ operations and reputations.

The impact of an attack is significant – Cyber-attacks can lead to significant financial losses. They could result in fines, compensation, and remediation costs. Operationally you could be looking at extended downtime for IT systems and even the loss of critical infrastructures and data.

The numbers are against you – In 2022 almost 40% of businesses in the UK identified cyber-attacks and it is estimated that 31% of businesses in the UK are attacked every week. If you haven’t been attacked then it is likely that you will be at some point. The number of these incidents is increasing, and the criminals are also becoming increasingly sophisticated in their methods. While it may well be the large ransomware attacks that make the news, smaller businesses of all kinds are no less vulnerable. With the advent of increased use of AI, the challenges are growing daily.


The practicalities of Cyber Essentials for legal professionals

While there is obviously an investment in implementing Cyber Essentials, it is not onerous and the potential benefits are clear – as are the implications of non-compliance. The SRA’s emphasis on cybersecurity reflects its critical role in maintaining integrity and trustworthiness. By becoming Cyber Essentials certified, law firms not only protect themselves but also build on the existing foundation of trust with their clients.


Compliance comes down to just 5 core principles that are organised around areas such as secure connections, secure configuration, user access, malware protection, and security patch management. What these mean and how they are applicable to you is about meeting the standards in a way that is suitable for your particular circumstances.


I am happy to arrange a webinar on Cyber Essentials for the legal profession so please drop me an email at cybersmart@datasense.ltd to express interest.


If you have already decided to commit and would like to arrange a meeting to chat through how we can help you with training and IT services for Cyber Essentials, again, please get in touch and we will be happy to help.