Cybersecurity best practices: How law firms can mitigate risk and stay protected

In the third episode of Series 4 of the Build Better Habits webinars, host Amy Bruce – Marketing Director at Osprey Approach – was joined by three cybersecurity experts to discuss how law firms can strengthen their defences and embed security into their culture.

Our panellists included:

  • Gary Hibberd, Founder of Consultants Like Us
  • Kerrie Machin, Director at Mitigo Cybersecurity
  • Jonathan Stock, Chief Information Risk Officer at Pure Cyber

Together, they explored the biggest misconceptions about cybersecurity, practical steps firms can take to reduce risk, and the habits that make security second nature.

This episode covered:

  • Why law firms are prime targets for cybercrime
  • Common misconceptions that leave firms vulnerable
  • Practical best practices for mitigating risk
  • How to embed security awareness into firm culture
  • Habits every legal professional should adopt
  • What to include in a business continuity plan
  • Emerging trends and threats to prepare for

Why cybersecurity matters now more than ever

Law firms hold sensitive client data, making them attractive targets for organised cybercrime. According to the Law Society, cyber attacks on law firms increased by 77% in 2024, yet 35% of firms still lack a cyber mitigation plan.

Gary Hibberd warned against underestimating attackers: “Cybercrime isn’t a kid in a hoodie in a basement. It’s organised, well-funded, and strategic. Thinking otherwise leaves firms exposed.”

Kerrie Machin highlighted another misconception: “IT teams aren’t cybersecurity experts. They’re critical to operations, but asking them to manage cyber risk alone is like asking them to mark their own homework.”

Jonathan Stock added that security doesn’t have to be expensive or complex: “Most breaches start with simple mistakes. Basics like verifying callers or testing backups can prevent major incidents.”

Poll insights from the live audience

  • 64% of firms provide cybersecurity training annually – but is that enough?
  • Top barriers to better security: lack of time, reliance on IT, and resistance to change
  • Encouragingly, many respondents said “everyone shares responsibility” for security – a positive sign if true.

Best practices law firms can implement today

The panel shared practical steps that don’t require huge budgets or complex tech:

  1. Get independent oversight

Kerrie stressed the importance of external reviews: “77% of antivirus systems we assessed had critical misconfigurations. Firms had the tech, but it wasn’t set up correctly. Don’t rely on hope – prove it works.”

  2. Separate awareness, training, and education

Gary advised creating three columns and mapping who needs what: “Awareness is knowing policies exist. Training is knowing how to follow them. Education is deeper knowledge for specialists.”

  3. Understand your data

Jonathan emphasised data mapping: “You can’t protect what you don’t understand. Identify what data you hold, who has access, and what would happen if it was compromised.”

  4. Embed security into culture

Make it relevant to your firm’s values and mission.

Praise staff for reporting phishing attempts rather than punishing mistakes.

Use bite-sized learning and real-life case studies to keep awareness fresh.

Habits every legal professional should adopt

  • Slow down – Most breaches happen when people rush. Take a moment before clicking.
  • Use strong, unique passwords – Stop duplicating passwords across work and personal accounts. Use a password manager or vault.
  • Simplify policies – If your security policies are boring or confusing, no one will follow them. Make them clear and concise.
  • Keep training continuous – Annual refreshers aren’t enough. Use lunch-and-learns, posters, and short updates to keep security top of mind.

Business continuity plans: What to include

  • Keep it short and actionable – “In case of emergency, break glass” should be page one.
  • List your incident management team and key contacts.
  • Include clear steps for invoking the plan.
  • Test it regularly with tabletop exercises.
  • Print a copy – if ransomware has encrypted your network, you’ll need a physical copy of the plan.

Kerrie noted:

“80% of businesses don’t have an incident response plan. You do not want to make your plan up in the middle of a breach.”

Emerging trends and threats to watch

  • Supply chain attacks – Criminals exploit third-party providers to bypass your defences.
  • Faster phishing campaigns – Attackers pivot quickly after major events (e.g., AWS outage).
  • AI-powered attacks – Lower barrier for entry; attackers use AI to craft convincing phishing emails.
  • Expanding sub-processors – As software integrates AI, your data may flow to new providers. Review regularly.

Jonathan warned:

“AI isn’t just a buzzword. It’s changing the threat landscape. Firms must review their systems and sub-processors continuously.”

Stay ahead of cyber threats to protect your firm

Cybersecurity isn’t just an IT issue – it’s a cultural and operational priority. By focusing on people, policies, and processes, law firms can significantly reduce risk without breaking the bank.

Watch the full episode on-demand now to hear the experts’ insights, real-world examples, and practical advice in full.

Explore all four habits in our Build Better Habits webinar series, available on-demand now.