Cybersecurity for Small Law Firms: Practical Protection for 10–50 Staff on a Realistic Budget

What You Must Have: The Non-Negotiables

If your firm does only these five things, you will prevent the majority of incidents that hit small law firms:

• 1. Multi-factor authentication on email: free with Microsoft 365 or Google Workspace. Turn it on. All accounts. This alone stops most credential-theft attacks.
• 2. Cyber Essentials certification: costs a few hundred pounds. Gives you insurance discounts, satisfies SRA baseline expectations, and forces you to fix the most common vulnerabilities.
• 3. Offsite, tested backups: your backup is only useful if you have tested that it restores. Backup to a location that cannot be reached by ransomware on your network.
• 4. Staff training on phishing and conveyancing fraud: a one-hour session, updated annually, covering how to spot phishing and what to do if they think they have been targeted. Record attendance.
• 5. A written incident response plan: one page is enough. Who to call, in what order, what not to do. The SRA and ICO both expect to see this.

What Gives You the Best Return for Limited Budget

Beyond the non-negotiables, the highest-value investments for small law firms in order of return:

• Endpoint security with EDR (Coro): the step up from basic antivirus that detects sophisticated attacks. Priced per device per month — affordable at any firm size.
• Email security gateway: advanced phishing protection and BEC detection that supplements the basic filtering in your email platform.
• DMARC enforcement: free to implement; prevents criminals from spoofing your domain. Your IT provider can configure this in an afternoon.
• Managed security service (Collective IP): if you cannot justify internal security expertise, outsource it. The economics work for firms of 10+ staff.
• Attack surface monitoring (Hadrian): know what attackers can see of your firm's internet presence. Particularly valuable for firms with client portals.

What You Can Defer

Small law firms should sequence investment pragmatically. The following can typically be deferred until the foundation is in place:

• ISO 27001 certification: valuable but expensive. Prioritise Cyber Essentials first. Revisit ISO 27001 when client or insurer requirements demand it.
• Full third-party risk management programme: important, but manual processes work at small scale. Use standard data processing agreement templates and do basic due diligence on your main IT suppliers.
• Security information and event management (SIEM): complex and expensive. A managed security service delivers equivalent monitoring value at a fraction of the cost.
• Penetration testing: important but can follow Cyber Essentials. Annual testing is appropriate once you have the baseline controls in place.

Free Resources Worth Using

Several high-quality free resources are available to small law firms:

• NCSC Small Business Guide: ncsc.gov.uk — practical, jargon-free, tailored for small organisations
• Law Society Cybersecurity Practice Note: published guidance on what law firms are expected to do
• SRA Warning Notice on Cybersecurity (2023): sets out the SRA's current expectations — read it
• Action Fraud reporting: actionfraud.police.uk — report any attempted or successful attack
• NCSC Cyber Essentials guidance: free technical guidance on implementing the five controls

Frequently Asked Questions