Why is cyber security training important for the legal sector?

The size of your business and the industry it operates in are not factors that cybercriminals use to single out businesses for cyber-attacks. However, as a law firm you handle sensitive customer data and regularly process large financial payments, which does make you a more appealing target.


In 2020, the Solicitors Regulation Authority (SRA) published the following report, Cyber Security – A thematic review. One of the focus areas in the report was cyber security training and the link between having basic knowledge of cyber security and mitigation against cyber-attacks.


Cyber security is not just the responsibility of a business’s IT department. To mitigate and prevent cybercrime, everyone within a law firm must have a general level of knowledge about the topic. With cyber threats and technology evolving daily, keeping up with the latest training provision is one way that law firms can mitigate the risk that cyber-attacks pose.


Different employee roles present different risks. The SRA report asked senior figures and fee earners whether they understood some common cyber security terms. Of the senior figures, over 50% of those asked said they understood the terms phishing, ransomware and malware. However, 55% of the fee earners said they did not understand the term ransomware or virus.


Ill-informed employees can be a critical flaw for legal firms. One firm revealed that around £150,000 of billable time was lost due to a ransomware attack initiated accidentally by a fee earner, which is unsurprising when understanding of the term is so low. Despite this, the report’s findings on when specific cyber training was last provided revealed that 26 firms had provided training in 2019, only 5 in 2018 and 1 in 2017, and, shockingly, 20% of firms had never provided specific cyber security training.


27 attacks had resulted in firms losing office or client money. All but one firm introduced mitigation that they believed would prevent a similar event from occurring. On 62% of these occasions, the cost of the mitigation was less than the initial loss incurred by the firm, highlighting the need for cyber security to be a regulatory requirement.


At The Cyber Resilience Centre for the South East, we offer Security Awareness Training that provides an introduction into cyber security, why it’s difficult and who it can affect. The training can be delivered virtually or onsite by our experts. The modules are delivered to suit the knowledge levels of those attending the training, with the content being simple and easy to follow for all knowledge levels.


The training is designed to be easily implementable in all aspects of your life, so that you can transfer the behaviours to both personal and business activities. If an attack has happened to your business previously, we can help further educate your team on how to protect your organisation and its people, to minimise the risk of this happening again.


Security Awareness Training not only covers prevention techniques, but also how to manage the situation if you do suffer an attack.


We recently delivered this training to a charity based in the South East region, which works with organisations operating within the Criminal Justice system and allied services to provide long-term solutions to the problems of crime and social exclusion.

A representative from the organisation said: “Just a short note to say a massive thank you to Chris, who delivered a great training session to our staff this week. I have to say, mostly they find IT deadly boring and probably groaned when they saw my email to book into the training session! However, we got some really positive feedback and they all stayed engaged right to the end.
“Chris has great delivery as a trainer and made it interesting and relevant. I definitely think they all went away feeling much more in control and better placed to identify security risks, for the work and their personal IT security at home – which is really important now that more of them are working remotely too.”

If you feel our Security Awareness Training could benefit your legal firm or a business from another sector, please do get in touch with us so we can discuss how we can support you.
