Cyber Security for Hybrid Law Firms: What Every Law Firm Needs to Get Right in 2026

  • Darren Wild
  • Apr 11
  • 7 min read

TLDR


Cyber security is no longer just an IT issue for law firms. In 2026 it is a professional, regulatory, and business risk issue.


Hybrid working, cloud platforms, mobile devices, and AI tools have increased the number of ways client information can be exposed. The firms most at risk are not necessarily those with the least technology. They are the firms where technology has outpaced governance.


Every law firm should now have:


  • clear policies for security, BYOD, and AI use

  • multifactor authentication across all core systems

  • supported and fully patched devices

  • regular cyber awareness training

  • tested backups and an incident response plan

  • clear accountability for who makes decisions when something goes wrong


For UK firms, these controls support existing obligations under the SRA and UK GDPR. For Canadian firms, they align with the duties imposed by provincial law societies and privacy legislation.


Key Takeaways


  • Multifactor authentication is no longer optional. Every firm should require it for email, finance systems, case management, and administrator accounts.

  • Cloud platforms and Microsoft 365 improve resilience, but they do not remove the need for backups, retention policies, and recovery testing.

  • Personal devices and hybrid working can be used safely, but only if firms set clear minimum standards and enforce them.

  • Generative AI introduces new risks around confidentiality and supervision. Every firm should have an AI policy before staff start using these tools.

  • Most serious cyber incidents are still caused by a small number of avoidable failures: weak passwords, poor training, unpatched systems, and unclear processes.


Hybrid working is now normal in law firms. Lawyers access client data from homes, courts, trains, client sites, coffee shops, and personal devices. Firms increasingly rely on Microsoft 365, cloud practice management systems, mobile phones, collaboration tools, and AI-enabled applications.


The attack surface is larger, the expectations are higher, and the consequences of getting it wrong are more serious.


For UK firms, cyber security is inseparable from SRA obligations around confidentiality, client money, data protection, supervision, and risk management. For Canadian firms, the same applies through provincial law society obligations around competence, confidentiality, and practice management.


The firms most likely to suffer a serious incident are rarely those with no technology. They are the firms with technology that has grown faster than their governance.


Why Law Firms Are Attractive Targets


Law firms hold exactly the kind of information criminals want:


  • client identification documents

  • bank details and payment instructions

  • sensitive personal information

  • commercial contracts and intellectual property

  • litigation, employment, property, and family law files

  • privileged communications


Criminals also know that law firms often work to deadlines, handle urgent financial transactions, and rely heavily on email. That makes firms particularly vulnerable to:


  • phishing and business email compromise

  • interception of property transaction payments

  • ransomware

  • account takeover

  • accidental disclosure of confidential documents

  • misuse of generative AI tools


The question is no longer whether your firm will be targeted. It is whether the controls around your people, systems, and data are strong enough to prevent a mistake becoming a breach.


Start With Governance, Not Technology


Many firms still treat cyber security as an IT issue. It is not.


Cyber security is a business risk and a regulatory issue.


Before buying new software, every firm should have:


  • an information security policy

  • an acceptable use and BYOD policy

  • a clear incident response procedure

  • defined responsibilities for partners, management, IT, and staff

  • a process for approving new software and AI tools

  • a register of key systems, data, and suppliers


Employees cannot be expected to follow standards that have never been documented.

In many firms, staff use personal devices, forward work emails to private accounts, store documents locally, or use unsanctioned AI tools simply because nobody has clearly told them what is and is not acceptable.


Hybrid Working and Personal Devices


Bring Your Own Device can work, but only if the firm defines minimum standards.

If staff are using personal laptops, tablets, or phones to access firm information, the firm should require:


  • device encryption

  • a strong password or PIN

  • automatic locking after a short period of inactivity

  • up-to-date operating systems and software

  • approved antivirus or endpoint protection

  • multifactor authentication

  • the ability to remotely wipe the device if it is lost or stolen


The old assumption that a VPN alone makes remote access secure no longer holds.

Some firms still use VPNs successfully. Others now use identity-based access, conditional access policies, browser isolation, virtual desktops, or zero-trust tools built into Microsoft 365 and modern cloud platforms.


The important point is not which technology is used. It is that remote access is secure, controlled, and appropriate to the sensitivity of the information being accessed.


Protect the Device First


The simplest controls are often the most effective.


Every device used to access firm information should:

  • lock automatically after five minutes or less

  • require a strong password, PIN, or biometric login

  • be encrypted

  • run supported software

  • receive automatic updates


Windows 10 is now out of support. Firms should ensure they are running supported operating systems such as Windows 11 and that security updates are enabled.


Firms should also review older software that is often overlooked, such as:


  • PDF readers

  • browser plug-ins

  • Java

  • remote access tools

  • mobile applications


Many breaches still happen because firms leave unsupported or unpatched software in place.


Multifactor Authentication Is No Longer Optional


If a firm does not require multifactor authentication for email, cloud systems, remote access, and privileged accounts, it is taking an avoidable risk.


Most account compromise incidents begin with a stolen or guessed password. Multifactor authentication adds a second layer of protection and remains one of the most effective controls available.


At a minimum, firms should require MFA for:


  • Microsoft 365 or Google Workspace

  • case management systems

  • remote access tools

  • finance systems

  • administrator accounts

  • any AI or cloud platform containing client data


Firms should also review whether SMS-based authentication is still appropriate. App-based authentication or hardware security keys generally provide stronger protection.
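One way to turn the MFA checklist above into a repeatable check, as an added example that is not part of the original article: the script below reads a per-user export of registered sign-in methods and reports accounts that have no second factor or rely on SMS only, ranking the partner, finance and administrator accounts first. The input layout, the role labels and the sample rows are assumptions constructed for the example, loosely modelled on the authentication-methods reports that identity platforms such as Microsoft Entra can export.

```python
import csv
import io

# Constructed sample export (not real accounts). "methods" lists the
# sign-in methods registered for each user, separated by semicolons.
SAMPLE_EXPORT = """\
user,role,methods
partner@example-firm.test,partner,password;sms
finance@example-firm.test,finance,password
admin@example-firm.test,admin,password;authenticator
itadmin@example-firm.test,admin,password;fido2
assistant@example-firm.test,staff,password;sms;authenticator
trainee@example-firm.test,staff,password
"""

# Roles the article treats as needing MFA without exception (assumed labels).
PRIVILEGED_ROLES = {"admin", "finance", "partner"}
# SMS and voice are the factors worth reviewing; app or hardware keys are preferred.
WEAK_FACTORS = {"sms", "voice"}
STRONG_FACTORS = {"authenticator", "fido2", "hardware_key"}


def classify(methods):
    """Return 'none', 'weak' or 'strong' for a user's registered methods."""
    factors = set(methods) - {"password"}
    if factors & STRONG_FACTORS:
        return "strong"
    if factors & WEAK_FACTORS:
        return "weak"
    return "none"


def audit(export_text):
    """Return findings for users without a strong factor, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        status = classify(row["methods"].split(";"))
        if status == "strong":
            continue  # app-based or hardware key registered: nothing to report
        findings.append({"user": row["user"], "role": row["role"], "mfa": status,
                         "privileged": row["role"] in PRIVILEGED_ROLES})
    # No MFA before SMS-only; privileged roles before other staff; then by name.
    findings.sort(key=lambda f: (f["mfa"] != "none", not f["privileged"], f["user"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        flag = "  PRIVILEGED" if f["privileged"] else ""
        print(f"{f['user']:32} {f['role']:8} mfa={f['mfa']}{flag}")
```

Running it against a real export turns the "review SMS" advice into a short list of named accounts to fix, with the finance and administrator accounts at the top.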


Email Remains the Weakest Link


Phishing remains one of the most common causes of cyber incidents in law firms.

Modern phishing emails are more convincing than ever. They may appear to come from a colleague, a client, a supplier, or even from within your own firm. Increasingly, criminals use AI to improve the quality of language and personalise messages.


Law firms should train staff to pause before:


  • clicking links

  • opening attachments

  • sharing bank details

  • approving payments

  • sending confidential documents

  • trusting urgent requests that arrive by email alone


Property and conveyancing teams are particularly vulnerable to payment diversion fraud. Any request to change bank details should be verified through a known and trusted route.


Be Careful With Screen Sharing and AI Tools


Video meetings are now routine, but they create risks that did not exist when many firms worked primarily on paper.


Before sharing a screen in Teams, Zoom, or another platform:


  • close unrelated documents

  • turn off notifications

  • share a specific window rather than the whole desktop

  • check that confidential information is not visible


The same principle now applies to generative AI tools.


Many lawyers are already using tools such as ChatGPT, Claude, Microsoft Copilot, or other AI assistants. The risk is not the technology itself. The risk is that lawyers upload client data, privileged material, or commercially sensitive information into systems that have not been approved by the firm.


Every firm should have a simple AI policy that explains:


  • which tools may be used

  • what information must never be entered

  • whether outputs must be checked by a lawyer

  • who approves new AI tools


Train People Properly


Most firms provide annual cyber training and then assume the problem is solved.

It is not.


Good security awareness training should be short, practical, and repeated regularly. It should reflect the actual risks faced by a law firm, not generic examples.


Training should cover:


  • phishing and business email compromise

  • voice phishing and fake IT support calls

  • handling confidential information outside the office

  • password security and MFA

  • secure use of mobile devices

  • how to report a suspected incident

  • the safe use of AI tools

  • the specific fraud risks faced by property, private client, employment, and litigation teams


Firms should also test staff with phishing simulations and regular reminders.


Backups Still Matter, But They Are Not Enough


Tested backups remain essential, particularly against ransomware.


However, firms should not assume that because documents are stored in Microsoft 365 or another cloud platform, they are fully protected.


Cloud platforms improve resilience, but they do not replace the need for:


  • backup copies of critical data

  • retention policies

  • regular testing

  • recovery procedures


A backup is only useful if the firm can restore systems and files quickly when needed.

Every firm should know:


  • what is backed up

  • how often it is backed up

  • where it is stored

  • who is responsible

  • how long recovery would take


Have an Incident Response Plan Before You Need One


Every firm should assume that, sooner or later, something will go wrong.


A lost device, an email sent to the wrong client, a compromised account, a ransomware attack, or an employee using an unapproved AI tool can all become reportable incidents.

The worst time to decide what to do is during the incident itself.


An incident response plan should set out:


  • what counts as a security incident

  • who staff should contact

  • who makes decisions

  • how systems are isolated

  • when clients, regulators, insurers, and law enforcement should be informed

  • how evidence is preserved

  • who manages communications


For UK firms, this may include the SRA, the ICO, insurers, clients, and potentially banks.


For Canadian firms, it may include the relevant provincial privacy commissioner, law society, insurer, or regulator.


The plan should be tested at least annually.


The Real Risk Is Complacency


The firms most at risk are not necessarily those with the fewest resources.


They are often the firms that believe:


  • they are too small to be targeted

  • cyber security is only the responsibility of IT

  • a cloud system means the problem has been solved

  • people know what to do without being told


In practice, most serious incidents still come down to a small number of avoidable failures:


  • weak passwords

  • no MFA

  • poor supervision

  • lack of training

  • no documented process

  • unpatched systems

  • unclear responsibility


The good news is that these are all fixable.


The strongest law firms are not the firms with the most expensive technology. They are the firms that combine sensible controls, clear policies, regular training, and leadership attention.


Cyber security is no longer simply an IT issue.


It is part of running a competent, trustworthy, and professionally managed law firm.
