
Rethinking Cyber Security in Law Practices
Trust Alone Is Not Enough!
Lawyers have always been among the most trusted professionals (despite the jokes and jibes I may have told legal friends at BBQs). We all rely on their integrity, advice, and discretion. But does such trust mean law firms can ignore cyber security, or skip certifications? Many lawyers feel that, unlike other sectors, their word should be enough.
This contrarian view is understandable. If your business is built on trust, why submit to external frameworks or tick-box exercises? Isn't this cyber security thing just another product that consultants sell, rather than a fundamental part of practice?
Is there a better way?
In my opinion (as a "trusted" Technology professional), cyber security is not a product you buy for compliance; it's a mindset you develop, just like negotiation or advocacy. Turning cyber from “just more paperwork” into the way your whole organisation thinks and operates requires strategy, practical skills, guidance and understanding. Some of this will be internally available, some will need external influence.
The Challenge: Why Trust Isn’t a Cyber Defence
The trust that a handshake brings is irrelevant in the face of digital threats from unknown actors and locations. In fact, today, trust makes you a bigger target. If clients believe you’re secure and buy in to this "trust" narrative, attackers see this as an opportunity:
- Cyber criminals exploit trust. They know clients trust your emails and instructions. A single compromised account can wreak a lot of damage before anyone realises there has been a breach.
- Client expectations are shifting. Even the most loyal clients expect data safety as a non-negotiable part of service.
- Business-as-usual is not enough. Relying on “the way we’ve always done it” leaves blind spots, especially as threats evolve.
So what’s the alternative?
In my opinion, it's really simple. STOP viewing cyber as something external! It must be part of your everyday professional conduct, your decision-making, your conversations. Security is not something you do, it's something you become.
Cyber Certification: The Wrong Mindset?
Much of the market frames cyber security as a “product” to buy off the shelf. Buy this software. Complete this certification. Get a badge for your website.
This approach has so many pitfalls (and gives me a major ick):
- Compliance fatigue: Lawyers and staff see cyber as a checklist, not a value-driver.
- One-and-done thinking: Passing an audit can create false confidence and complacency.
- Missed opportunity: You lose out on transforming culture and thinking, which is the true key to security.
(I am not against Cyber certifications - in fact we support, contribute to and actively work within the SMB1001 and Essential Eight frameworks - they are the foundations upon which habits are built and businesses transformed.)
My Way: Cyber as Professional Development
For 30+ years I have worked on becoming the business and technology leader that I am today - that hasn't come from "tick and flick" lists - it's come from building habits through continual development. Just as laws change, so do cyber risks. Skills must be maintained, practised and refined, not purchased and left on the shelf.
The three steps I recommend to internalise good Cyber Security practices:
- Make Cyber a Core Skill
  - Just as professionals keep up with legal changes, they should keep up with digital risks.
  - Cyber training must be contextualised and based on real situations affecting law practices.
  - Internal conversations about recent, relevant matters should always factor in cyber risk.
- Embed Learning, Don’t Just Buy It
  - Schedule regular, tailored Cyber Development sessions led by experienced advisors (not generic IT trainers).
  - Incorporate scenario-based exercises into firm meetings - What would we do if…?
  - Build cyber awareness into onboarding and career development for all staff.
- Lead by Example
  - Firm leaders should be visible champions of good cyber practice.
  - Managers and partners must see cyber as their responsibility - not just the IT team’s.
  - Celebrate and share cyber “wins” (e.g., preventing a phishing attack) just as you celebrate legal victories.
Why Use Advisory Services Like Microsolve?
You don’t need a(nother) badge on your door. You need mindsets and behaviours that keep the firm, and clients, safe. That’s where experienced advisors make the difference.
Let me spell out the specific benefits that working with experts in this area brings:
- Contextual expertise: Advisors know common legal sector threats and can show their real-world impact.
- Ongoing learning, not (just) box-ticking: Sessions evolve with new risks and case studies, fostering curiosity and vigilance.
- Practical outcomes: Staff gain skills they use daily, not just for audit day.
- Stronger client trust: You can confidently explain how ongoing cyber learning protects their interests.
- Future-proofing: Technology changes, so do the firm’s capabilities. There's no need to “re-certify” every time, if your team mindset is 'right'.
Building A Cyber-Smart Business
Here are the top 9 tips we have found that deliver maximum value across professional service businesses:
- Quarterly briefing sessions on cyber risks relevant to your client base.
- Make cyber a standing agenda item at monthly meetings.
- Use real incident examples to prompt discussion and learning.
When the above become muscle memory, look to add the following:
- Set up an annual plan for role-specific cyber learning (e.g. conveyancing teams, admin staff).
- Run scenario workshops—simulate incidents and practice responses.
- Track participation in advisory-led training as a measure of professional development.
For more advanced/larger organisations:
- Appoint 'cyber champions' in each team. They'll act as the contact person for cyber-related tasks and inquiries.
- Partner with advisors for tailored, business-unit-focused learning.
- Link cyber awareness training to performance metrics.
Cyber Security is Professional Duty
Trust is the foundation of legal services, but it is not a shield against digital risks. Annual certification alone is not enough. Real security comes from making cyber awareness second nature. It needs to be an integral part of your professional duties.
With expert-led advisory sessions, firms can turn cyber from an obligation into a capability. Over time, this approach is far more valuable for clients, and for the enduring trust at the core of your profession.