
Cybersecurity for legal firms.

SRA-aligned controls, mailbox protection, and the realities of late-night client emails.

By Joe Burns · Mar 2026

A law firm is, from an attacker’s point of view, close to the perfect target. You hold money in motion — completion funds, settlements, client account balances. You hold secrets people would pay to see or pay to bury. And your people work in a rhythm where a 9pm email from a partner saying “just push this through” is completely normal. That last part is what turns a technical problem into a business one.

This is what we actually put in place for the legal firms we look after. Not a generic checklist — the controls that matter when the data is privileged and the SRA is watching.

Start with the threat that’s actually hitting firms.

Forget the Hollywood hacker. The attack that empties a client account is almost always an email. Someone compromises a mailbox — yours, the other side’s, or the client’s — sits quietly reading the conveyancing thread for a fortnight, then emails “updated bank details” at exactly the right moment in the transaction. It’s called business email compromise, and conveyancing teams get hit with it constantly. The Friday-afternoon completion is the textbook moment.

Two things stop it, and neither is glamorous:

  • The bank details never change by email. Make it a firm-wide rule that account changes are verified by a phone call to a known number, never one in the email. This is process, not technology, and it’s the single highest-value habit a firm can build.
  • The mailbox doesn’t get compromised in the first place — which is most of the rest of this article.

Lock the mailbox down properly.

Microsoft 365 out of the box is not configured for a firm holding privileged data. The baseline we deploy:

  1. MFA on every account, enforced by policy — including, especially, the partners and the practice manager who think they’re too busy for it. Those are the accounts worth stealing. (If you’re worried about the disruption, we wrote about rolling MFA out without burying the helpdesk.)
  2. Block legacy authentication. Basic authentication on old protocols like IMAP, POP and SMTP AUTH bypasses MFA entirely, because the client only ever presents a username and password. They’re how “but we had MFA on” breaches happen. Turn them off tenant-wide.
  3. Impersonation and anti-phishing protection tuned to flag when an email looks like it’s from a partner but isn’t — the display-name spoof that catches busy people.
  4. Mailbox audit logging on, so if something does go wrong you can see what was read and what rules were quietly set up to hide the attacker’s tracks. (The “auto-delete anything mentioning invoices” inbox rule is a classic compromise tell.)
  5. Mandatory encryption for genuinely sensitive outbound mail, so a misaddressed email doesn’t become a confidentiality breach.
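One way to turn the audit-logging point in item 4 into a routine check, as an added example rather than Reformed IT’s own tooling: a small Python scanner that reads exported inbox-rule audit events and flags rules that delete or bury mail mentioning invoices or bank details, or that forward mail outside the firm. The record layout is loosely modelled on Exchange Online audit exports, and the firm domain, keyword list and sample events are constructed for illustration.

```python
import json

# Words a fraud-hiding rule typically targets; hiding mail about these is a compromise tell.
SUSPECT_WORDS = {"invoice", "payment", "bank", "completion", "remittance", "password"}
FIRM_DOMAIN = "example-firm.co.uk"  # assumption: the firm's own mail domain
HIDE_FOLDERS = {"rss feeds", "archive", "conversation history", "deleted items", "junk email"}

def _params(record: dict) -> dict:
    """Flatten the Parameters list of an inbox-rule audit record into name -> value."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def assess_rule(record: dict) -> list[str]:
    """Return the reasons an inbox-rule audit event looks suspicious (empty = benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p, reasons = _params(record), []
    hides = (p.get("DeleteMessage", "").lower() == "true"
             or p.get("MoveToFolder", "").lower() in HIDE_FOLDERS)
    words = {w.strip().lower()
             for k in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
             for w in p.get(k, "").split(";") if w.strip()}
    matched = sorted(w for w in words if any(s in w for s in SUSPECT_WORDS))
    if hides and matched:
        reasons.append(f"hides mail matching {matched}")
    for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in p.get(k, "").split(";"):
            addr = addr.strip().lower()
            if addr and not addr.endswith("@" + FIRM_DOMAIN):
                reasons.append(f"{k} sends mail outside the firm to {addr}")
    return reasons

def scan(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (mailbox, rule name, reasons) for every suspicious rule event."""
    found = [(r, assess_rule(r)) for r in records]
    return [(r.get("UserId", "?"), _params(r).get("Name", "?"), why) for r, why in found if why]

# Constructed sample events, loosely modelled on exported Exchange Online audit records.
SAMPLE = json.loads("""[
 {"Operation": "New-InboxRule", "UserId": "trainee@example-firm.co.uk", "Parameters": [
   {"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@lawgazette.example"},
   {"Name": "MoveToFolder", "Value": "Reading"}]},
 {"Operation": "New-InboxRule", "UserId": "partner@example-firm.co.uk", "Parameters": [
   {"Name": "Name", "Value": "."}, {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;bank details"},
   {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "Set-InboxRule", "UserId": "partner@example-firm.co.uk", "Parameters": [
   {"Name": "Name", "Value": "Backup"}, {"Name": "ForwardTo", "Value": "partner.mail@webmail.example"}]}
]""")

HITS = scan(SAMPLE)  # the two rules on the partner's mailbox; the trainee's newsletter rule is clean
```

Run it against a real export (for example the AuditData column of a Search-UnifiedAuditLog result filtered to New-InboxRule and Set-InboxRule) and treat any hit on a fee-earner or partner mailbox as an incident to investigate, not a ticket.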

Map the controls to what the SRA expects.

The SRA doesn’t hand you a list of firewall settings. What it expects is that you protect client confidentiality and client money, and that you can show you took it seriously. The 2019 Standards and Regulations put the duty squarely on the firm; the Accounts Rules put client money under a duty of care that a wire-fraud loss plainly breaches.

In practice that means being able to evidence:

  • Access on a need-to-know basis — the trainee doesn’t have standing access to every matter. Role-based permissions in your DMS and file storage.
  • A retention and disposal position you can defend, not “we keep everything forever on a share nobody’s looked at since 2014.”
  • A breach response you’ve actually rehearsed, including the GDPR 72-hour reporting clock if personal data is exposed.
  • Due diligence on your suppliers — your cloud DMS, your case management system, your IT provider. Their security is your security.

Cyber Essentials is the sensible floor here, and increasingly a requirement to be on a lender’s conveyancing panel. We’ve a separate piece on passing Cyber Essentials Plus first time; for a firm of any size it’s the cleanest way to prove the basics are genuinely in place.

The late-night email problem.

Here’s the bit the generic guides miss. Legal work doesn’t respect office hours. A partner reviewing a deal at 11pm from a hotel, on hotel wifi, on a personal iPad, is a completely normal Tuesday. The security model has to assume that and still hold.

That’s why the controls above are device and location independent. MFA, conditional access, and managed devices mean it doesn’t matter whether the work happens at the desk or in the back of a taxi — the same protections apply. The alternative — a firm that’s secure only between 9 and 5 inside the building — isn’t secure at all, because that’s not when the work happens.

The firms that get breached aren’t careless. They’re busy. The attack is built to land in the exact moment a sharp person is moving too fast to pause — so the protection has to be the kind that’s already on, not the kind that depends on someone stopping to think.

Don’t forget the people.

The best-configured tenant in the world still has fee-earners under deadline pressure clicking links. So the technical controls sit alongside short, specific staff training — what conveyancing fraud actually looks like, why the bank-details rule is absolute, who to call when something feels off — and a no-blame culture so that the person who did click tells you in the first ten minutes rather than the next morning. Those ten minutes are usually the whole game.

Where to start if you’re not sure where you stand.

If you can’t answer “is MFA enforced on every account, including the partners?” with a confident yes, start there — it’s the highest-leverage hour you’ll spend. After that, get an honest assessment of the tenant configuration and the conveyancing-fraud process specifically.

That’s what our posture audit for legal firms does: we look at the real configuration, the real email flow, and the real completion process, then hand you a prioritised list — what’s urgent, what’s housekeeping, and what the SRA would want to see you’d addressed.

Written by Joe Burns, CEO, Reformed IT