Introduction
Employee training and awareness are among the most effective defenses against social engineering and email compromise. Regular training keeps staff alert to evolving fraud tactics, particularly as cybercriminals increasingly use artificial intelligence tools to produce more convincing lures.
Law firms are frequent targets of cybercriminals, with business email compromise (BEC) one of the most commonly reported incidents. In these cases, attackers compromise or convincingly imitate an email account, impersonate either the firm or the client, and deceive the other party into redirecting funds, typically settlement or trust money, to an account the attacker controls.
To mitigate these risks, ongoing cybersecurity education is essential. Wherever you practice, you must follow your own firm's policies, and your regulator may also impose mandatory cybersecurity training. For example, in the state of Victoria, Australia, the Victorian Legal Services Board and Commissioner has published Minimum Cybersecurity Expectations that require law firms to give all staff cybersecurity training relevant to their specific roles and responsibilities.
These minimum expectations are a guide to help law firms understand what is required of them and to implement training that fits the roles and responsibilities of lawyers and support staff.
Law firms should implement critical, system, and behavioural controls to protect their firm from cybersecurity threats.
Critical controls should be the top priority, as their absence leaves a firm highly exposed. Many of them, such as enabling automatic updates, are easy to apply, but further measures may be necessary depending on the firm's size, the type of work it does, and its clients' needs.
System controls are the technical safeguards that defend against external threats. Behavioural controls are the secure working practices that reduce human error. The three sets of controls work together; a weakness in one is rarely compensated for by the others.
Critical Controls
Security Updates
Keeping all work devices, applications, and software updated is critical for protecting client confidentiality and maintaining the integrity of a law firm’s operations. Cybercriminals actively exploit outdated systems to gain unauthorized access to sensitive legal data, putting both the firm and clients at serious risk.
To mitigate these threats:
- Ensure all devices, including laptops, servers, operating systems, and network hardware, are regularly updated with the latest security patches.
- Enable automatic updates wherever possible to prevent delays in applying crucial security fixes. If automatic updates are unavailable, conduct manual checks at least every two weeks.
- Avoid using outdated or unsupported software, as it significantly increases the likelihood of a breach.
- If legacy software is essential, run it only under strict IT supervision with compensating controls in place: isolate it from the rest of the network and from the internet, restrict who can log in to it, and keep the host it runs on patched.
Failing to keep systems updated not only exposes the firm to cyber threats but could also constitute a breach of professional and legal obligations.
Passwords and Logins
In the legal industry, weak passwords are a major security risk that can lead to unauthorized access, data breaches, and breaches of client confidentiality. Cybercriminals use automated methods, including credential stuffing (replaying username and password pairs leaked from other breaches) and brute-force guessing, to exploit weak or reused passwords.
To protect sensitive legal data:
- Use strong, unique passwords or passphrases for all work devices and accounts.
- Never reuse passwords across multiple accounts.
- Utilize a secure password manager to generate, encrypt, and store complex passwords safely.
- Immediately change any password that has been compromised or that belongs to an account that has been breached, and change it anywhere else the same password was used.
Multi-Factor Authentication (MFA)
Even strong passwords are not enough to protect against attacks such as phishing and credential theft. MFA adds an essential layer of security by requiring an additional verification step, such as a temporary code, a hardware security key, or a biometric check, so that a stolen password alone is not enough to log in. Methods differ in strength: a one-time code typed into a convincing phishing page can be relayed to the real service within its validity window, whereas a hardware security key (FIDO2/WebAuthn) binds the login to the genuine site and cannot be relayed that way.
To enhance security:
- Enable MFA on all online accounts and services where available, including email, cloud storage, client management systems, and financial platforms.
- Where a service offers a choice, prefer an authenticator app or a hardware security key over SMS codes, and never disable MFA once it is on.
- Require MFA on all work accounts and encourage staff to enable it on their personal accounts as well.
System Controls
Security Software
Law firms handle highly sensitive client data, making them prime targets for cyberattacks. Malware, ransomware, and phishing attacks can lead to financial losses, data breaches, and legal consequences. Installing and maintaining strong security software is essential to protect confidential information.
To keep systems secure:
- Install and activate antivirus and security software on all work computers and devices.
- Run a full antivirus scan when setting up or reconfiguring a work device and after any change in user access.
- Schedule weekly virus and malware scans or set up automatic scans where possible.
Access Control
Law firms handle confidential client information, making strict access control essential for protecting data and maintaining compliance with professional obligations. Implementing role-based access control (RBAC) ensures that staff only have access to the information necessary for their role, reducing the risk of insider threats and accidental data leaks.
To strengthen access security:
- Implement a role-based access control system.
- Give contractors, interns, and temporary staff the minimum access their work requires, with an end date recorded at the time access is granted.
- Assign individual logins or time-limited guest access. Never share credentials between employees; a shared login cannot be traced to a person, and cannot be revoked for one person without locking out everyone.
- Review access permissions regularly and revoke access immediately for departing staff; when someone changes role, replace their old permissions rather than adding the new ones on top.
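An added illustration, not code from the page or from any practice-management product, of what the bullets above amount to in a role-based model: permissions belong to roles rather than people, temporary accounts carry an end date, a disabled or lapsed account gets nothing, and a periodic review reports what needs fixing. The role names, the first.last login convention and the staff list are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Permissions hang off roles, not people. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "partner":    {"matter:read", "matter:write", "trust:view", "trust:approve"},
    "solicitor":  {"matter:read", "matter:write", "trust:view"},
    "paralegal":  {"matter:read", "matter:write"},
    "accounts":   {"trust:view", "trust:approve"},
    "intern":     {"matter:read"},
    "contractor": {"systems:admin"},
}
TEMPORARY_ROLES = {"intern", "contractor"}            # must always carry an end date
INDIVIDUAL_LOGIN = re.compile(r"[a-z]+\.[a-z]+")      # assumed firm convention: first.last
REVIEW_DATE = date(2025, 3, 3)                        # constructed "today" for the sample run


@dataclass
class Account:
    login: str
    role: str
    expires: Optional[date] = None  # required for contractors, interns and temporary staff
    disabled: bool = False          # set on the day someone leaves


def is_permitted(acct: Account, action: str, today: date) -> bool:
    """Deny by default: a disabled or lapsed account gets nothing, otherwise consult the role."""
    if acct.disabled:
        return False
    if acct.expires is not None and today > acct.expires:
        return False
    return action in ROLE_PERMISSIONS.get(acct.role, set())


def change_role(acct: Account, new_role: str) -> None:
    """A role change takes effect at once and drops the old rights, because nothing is granted per person."""
    acct.role = new_role


def review_access(accounts: List[Account], today: date) -> List[str]:
    """Periodic access review: the findings a supervising partner should act on."""
    findings = []
    for a in accounts:
        if not INDIVIDUAL_LOGIN.fullmatch(a.login):
            findings.append(f"{a.login}: shared or generic login, replace with individual accounts")
        if a.role not in ROLE_PERMISSIONS:
            findings.append(f"{a.login}: unknown role '{a.role}', no permissions will resolve")
        if a.role in TEMPORARY_ROLES and a.expires is None:
            findings.append(f"{a.login}: temporary role with no end date")
        if a.expires is not None and today > a.expires and not a.disabled:
            findings.append(f"{a.login}: access lapsed on {a.expires.isoformat()}, disable the account")
    return findings


def sample_accounts(today: date) -> List[Account]:
    """Constructed sample directory, not real staff."""
    return [
        Account("ann.lee", "partner"),
        Account("pat.ray", "paralegal"),
        Account("sam.jones", "intern", expires=today - timedelta(days=1)),  # placement ended yesterday
        Account("it.vendor", "contractor"),                                  # no end date recorded
        Account("bob.ng", "solicitor", disabled=True),                       # left the firm
        Account("reception", "paralegal"),                                   # shared front-desk login
    ]


if __name__ == "__main__":
    staff = sample_accounts(REVIEW_DATE)
    for finding in review_access(staff, REVIEW_DATE):
        print("REVIEW:", finding)
    pat = staff[1]
    print("paralegal can view trust ledger:", is_permitted(pat, "trust:view", REVIEW_DATE))
    change_role(pat, "solicitor")
    print("after promotion:", is_permitted(pat, "trust:view", REVIEW_DATE))
```

The review deliberately reports a finding rather than silently disabling accounts: someone accountable decides, and the decision is recorded.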
Devices
Unprotected devices can be easily exploited by cybercriminals, leading to data breaches, unauthorized access, and compliance violations. To maintain client trust and legal obligations, firms must secure all work devices against theft, loss, and cyber threats.
To enhance device security:
- Turn on full disk encryption for all devices that store or process confidential data.
- Enable automatic device locking when inactive to prevent unauthorized access.
- Store work and personal devices securely when not in use.
Information Security
Without proper encryption and secure data management, firms risk unauthorized access, data breaches, and legal non-compliance. Protecting client information is a fundamental ethical and legal responsibility.
To ensure data security:
- Encrypt all sensitive data at rest and when transferring it to other organizations.
- Securely erase or physically destroy old hard drives and devices before disposal; deleting files or reformatting a drive does not remove the data.
- Regularly review client files to determine if continued retention is necessary.
Backups
Cyberattacks, system failures, or accidental deletions can all result in permanent data loss if backups are not in place. A robust backup strategy is essential to ensuring business continuity and data protection.
To protect firm data:
- Select a reliable backup solution (a cloud backup service or external storage devices), and keep at least one copy offline or otherwise unreachable from the firm's network so that ransomware cannot encrypt the backups along with the originals.
- Back up files regularly and encrypt backups.
- Test backup restoration at least once a year. A backup that has never been restored is untested, and the time to discover that it does not work is the drill, not the incident.
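An added example, not from the page, of the restore test in the last bullet: back up a directory to a tar.gz, keep a separate checksum manifest, restore into a scratch directory and compare every file, then repeat against a deliberately damaged copy of the archive to show the drill failing. Encryption of the archive is left to the backup tool or an encrypted volume and is not shown; the sample files and the damage are constructed.

```python
import hashlib
import shutil
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write src to a .tar.gz and return a manifest {relative path: sha256} to store apart from the archive."""
    manifest: Dict[str, str] = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def safe_member(name: str) -> bool:
    """A tampered archive must not be able to write outside the restore directory."""
    return bool(name) and not Path(name).is_absolute() and ".." not in Path(name).parts


def restore_and_verify(archive: Path, manifest: Dict[str, str], dest: Path) -> Tuple[bool, List[str]]:
    """Restore every file, hash it and compare with the manifest; any gap means the backup cannot be trusted."""
    problems: List[str] = []
    restored: Dict[str, str] = {}
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            for m in tar.getmembers():
                if not m.isfile():
                    continue
                if not safe_member(m.name):
                    problems.append(f"unsafe path in archive: {m.name}")
                    continue
                out = dest / m.name
                out.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(m) as src_f, open(out, "wb") as dst_f:
                    shutil.copyfileobj(src_f, dst_f)
                restored[m.name] = sha256_of(out)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return False, [f"archive unreadable: {exc}"]
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    return not problems, problems


def run_drill(workdir: Path) -> dict:
    """Constructed end-to-end drill: sample files, backup, restore, verify, then the same against a damaged copy."""
    src = workdir / "firm_data"
    (src / "matters" / "smith").mkdir(parents=True)
    (src / "matters" / "smith" / "contract.txt").write_text("Contract of sale, constructed sample text.\n")
    (src / "trust_ledger.csv").write_text("date,matter,amount\n2025-03-01,SMITH001,250000.00\n")

    archive = workdir / "backup.tar.gz"
    manifest = make_backup(src, archive)
    ok, problems = restore_and_verify(archive, manifest, workdir / "restore_test")

    # Damage a copy of the archive (keep only the first half of its bytes) so the drill has something to catch.
    damaged = workdir / "backup_damaged.tar.gz"
    data = archive.read_bytes()
    damaged.write_bytes(data[: len(data) // 2])
    damaged_ok, damaged_problems = restore_and_verify(damaged, manifest, workdir / "restore_damaged")

    return {"manifest": manifest, "intact_ok": ok, "intact_problems": problems,
            "damaged_ok": damaged_ok, "damaged_problems": damaged_problems}


def drill_in_tempdir() -> dict:
    """Run the drill in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_drill(Path(tmp))


if __name__ == "__main__":
    result = drill_in_tempdir()
    print("files backed up:", len(result["manifest"]))
    print("intact archive restores:", result["intact_ok"], result["intact_problems"])
    print("damaged archive restores:", result["damaged_ok"], result["damaged_problems"])
```

The manifest is kept separately from the archive on purpose: if the same ransomware or disk fault that damages the backup could also rewrite the checksums, the comparison would prove nothing.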
Behavioural Controls
Training
Human error remains one of the biggest cybersecurity risks, making ongoing staff training essential for preventing breaches, phishing attacks, and data leaks.
To strengthen security:
- Provide cybersecurity training to all staff, tailored to their specific roles.
- Ensure cybersecurity training is part of new staff induction and require annual refresher training.
- Regularly share cybersecurity updates with staff to keep them informed of new risks and best practices.
Client or Bank Verification
Law firms are prime targets for financial fraud and email scams, particularly trust account fraud and business email compromise (BEC). Cybercriminals use sophisticated tactics to intercept payments and manipulate client transactions. To prevent financial losses and protect client funds, strict verification procedures and staff training are essential.
Best Practices for Securing Trust Accounts:
- Daily Monitoring: Conduct daily oversight of trust account transactions by a senior staff member.
- Client Verification: Confirm all client details (account numbers, email addresses) before processing requests.
- Scrutinize Communications: Watch for red flags like urgent demands, unexpected changes, or inconsistencies in emails and payment instructions.
- Secure Payment Confirmation: Always verify payment details via a separate, pre-established communication method (e.g., phone or video chat). Never rely solely on email.
- Client Education: Inform clients about these risks at the outset of a matter, tell them that the firm's bank details will not change by email, and advise them not to send confidential details by email.
- Fraud Prevention Training: Ensure all staff are trained to recognize and report suspicious activity.
Failing to enforce strict verification processes can lead to fraud, data breaches, and reputational damage. Prioritizing secure transaction practices is crucial for safeguarding both your firm and its clients.
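An added example, not from the page, that turns the red flags above into a check a practitioner could run over an incoming payment-instruction email before touching the trust account: the sender is compared with the address captured at matter opening, look-alike domains are caught by edit distance, a Reply-To pointing elsewhere is flagged, bank details in the body (Australian BSB and account number) are compared with the record on file, and urgency language is noted. The client record, addresses and messages are constructed; the domains are not real.

```python
import re
from typing import Dict, List

# Constructed sample record: the details the firm captured from the client at matter opening.
CLIENT_ON_FILE: Dict[str, str] = {
    "name": "Jane Smith",
    "email": "jane.smith@smithconveyancing.com.au",
    "bsb": "063-000",
    "account": "12345678",
}

URGENCY_PHRASES = ("urgent", "immediately", "today", "asap", "before close of business")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a sender domain one or two edits from the real one is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_address(header: str) -> tuple:
    """Split 'Display Name <user@domain>' into (display name, lower-cased address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def screen_payment_email(msg: Dict[str, str], on_file: Dict[str, str]) -> List[str]:
    """Return 'CODE: detail' red flags for an email that carries payment instructions."""
    flags: List[str] = []
    name, sender = parse_address(msg["From"])
    sender_domain, known_domain = domain_of(sender), domain_of(on_file["email"])

    # 1. The client's name on a different address, or a domain within two edits of the real one.
    if sender != on_file["email"]:
        looks_alike = 0 < levenshtein(sender_domain, known_domain) <= 2
        if name.lower() == on_file["name"].lower() or looks_alike:
            flags.append(f"SENDER_MISMATCH: {sender} is not the address on file")

    # 2. Reply-To on another domain: your reply, and any question you ask, goes to the attacker.
    if msg.get("Reply-To"):
        _, reply_addr = parse_address(msg["Reply-To"])
        if domain_of(reply_addr) != sender_domain:
            flags.append(f"REPLY_TO_MISMATCH: replies would go to {reply_addr}")

    # 3. Bank details in the body that differ from the record on file.
    body = msg["Body"]
    bsb = re.search(r"\bBSB\s*:?\s*(\d{3}\s*-?\s*\d{3})\b", body, re.I)
    acct = re.search(r"\baccount\s*(?:no\.?|number)?\s*:?\s*(\d{6,10})\b", body, re.I)
    if bsb and digits(bsb.group(1)) != digits(on_file["bsb"]):
        flags.append(f"BANK_DETAILS_CHANGED: BSB {bsb.group(1)} differs from file")
    if acct and digits(acct.group(1)) != digits(on_file["account"]):
        flags.append(f"BANK_DETAILS_CHANGED: account {acct.group(1)} differs from file")

    # 4. Pressure to act fast is the social-engineering lever; record it, do not respond to it.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        flags.append("URGENCY: " + ", ".join(hits))
    return flags


def decision(msg: Dict[str, str], on_file: Dict[str, str]) -> str:
    """Any flag means stop and confirm by phone on the number already on file, never by replying."""
    return "VERIFY_OUT_OF_BAND" if screen_payment_email(msg, on_file) else "MATCHES_FILE"


# Constructed sample messages (people and domains are fictitious).
FRAUDULENT = {
    "From": '"Jane Smith" <jane.smith@smith-conveyancing.com.au>',  # hyphen inserted into the domain
    "Reply-To": "jane.smith.settlements@gmail.com",
    "Body": "Our bank has changed. Please send the settlement funds today to BSB 062-999, Account 98765432.",
}
COMPROMISED_MAILBOX = {  # the genuine mailbox, taken over: every sender check passes
    "From": '"Jane Smith" <jane.smith@smithconveyancing.com.au>',
    "Body": "Please use our new account for settlement: BSB 062-999, Account 98765432. Thanks, Jane",
}
LEGITIMATE = {
    "From": '"Jane Smith" <jane.smith@smithconveyancing.com.au>',
    "Body": "Settlement funds can go to the account on file: BSB 063-000, Account 12345678.",
}

if __name__ == "__main__":
    for label, msg in (("fraudulent", FRAUDULENT), ("compromised", COMPROMISED_MAILBOX), ("legitimate", LEGITIMATE)):
        print(label, decision(msg, CLIENT_ON_FILE), screen_payment_email(msg, CLIENT_ON_FILE))
```

Note the second sample: when the client's real mailbox has been taken over, every sender check passes and only the changed bank details give it away. That is why the rule above is to verify any change by phone on a number already on file rather than by replying to the email, whatever the headers look like.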
Incident Response and Reporting
Cybersecurity incidents can happen at any time, and law firms must be prepared to respond quickly and effectively to minimize damage and protect client data.
To ensure an effective response:
- Develop and implement a formal incident response plan.
- Train all staff on the incident response plan.
- Test and update the incident response plan regularly.
- Immediately report cybersecurity incidents in accordance with legal obligations.
Conclusion
Cyber threats continue to evolve, and law firms are prime targets due to the sensitive data they handle. Without proactive cybersecurity measures, firms risk financial losses, reputational damage, regulatory penalties, and legal liability.
Understanding cybersecurity is not optional—it is essential to protect client confidentiality, ensure compliance, and uphold professional obligations.
