IT Checklist for UK Law Firms

Executive Summary
  • Law firms don’t need “enterprise everything”, but they do need consistent, documented, confidentiality-first IT.
  • Most serious cyber emergencies start with email: phishing, malicious mailbox rules, or a fake change of invoice bank details.
  • Weak access control is just as harmful.
  • A documented baseline for data protection needs to protect the confidentiality, integrity and availability of client data, and to show that you have taken reasonable steps to protect it.
  • Separate admin accounts, multi-factor authentication (MFA) and locked-down email domains (SPF/DKIM/DMARC) are high impact and low drama.
  • A good document management strategy stops case files being scattered everywhere: choose one system of record (DMS/SharePoint) and enforce permissions discipline.
  • Backups are about being able to restore an environment, not just having copies. Assume you will suffer a ransomware attack: test your restores and protect the backups themselves from ransomware.
  • Prepare an incident pack with the initial steps, an evidence checklist and a contact tree. It reduces panic and mistakes when something happens.
  • Reach a minimum baseline in 30 days, then improve quarterly.
Who this guide is for

This guide is designed for:

  • UK-based law firms of all sizes, from sole practitioners to roughly 100 employees.
  • All levels of leadership, including managing partners, compliance officers and operations leaders.
  • Firms that run a standard application stack such as Microsoft 365, case/practice management systems, a DMS, e-signature, scanning and dictation tools.
Who it isn’t for
  • Large multinational corporate law firms with their own internal security teams managing a complex environment of multiple bespoke and in-house built applications.
  • Firms needing legal opinions on how regulations are interpreted, such as the threshold for reporting an incident or how long records must be retained.
  • Highly specialised sectors where the governing compliance framework is sector-specific and needs other forms of compliance advice.
Disclaimer (important)

This guide is for reference and to give a better understanding of an operational approach. It should not be read as a legal opinion or as an interpretation of SRA regulatory/operational rules or of data protection legislation as applied to your individual situation. If you are unsure of any regulatory issue affecting you or your organisation, obtain appropriate professional advice (this guide refers only in general terms to the confidentiality obligations and expectations the SRA has for its members).

One-page “Minimum Secure IT Baseline for Law Firms”

If you need a yes/no answer here, start from this list.

Accounts & Access
✔ Use only named user accounts
✔ Enable MFA for all email accounts
✔ Create separate admin accounts
✔ Use a joiner/leaver checklist when staff join or leave

Devices
✔ All laptops/desktops must be encrypted
✔ Only use currently supported operating systems
✔ Software updates must be enabled, and patch status reviewed and documented at least once a year
✔ Screen locks must be enabled, with a strong password/PIN policy

Email & Fraud Prevention
✔ Enable SPF/DKIM/DMARC to reduce spoofing of your email domain
✔ Enable anti-phishing protection and give users a report button
✔ Have an established process for changing payment details that includes a callback verification step

Data & Documents
✔ All matter documents must be stored in an approved Document Management System
✔ Access to documents is controlled by role and/or matter team
✔ Client files must not be stored on uncontrolled, unmonitored or unsecured local storage

Backup & Recovery
✔ Back up critical systems and cloud data where necessary
✔ Document the results of the annual restore test
✔ Protect backup access from ransomware

Monitoring & Incident Response
✔ Have a centrally managed endpoint protection / anti-virus solution in place
✔ Create an incident checklist for the first 60 minutes of an incident
✔ Give staff a basic cyber/confidentiality awareness refresher
1) Governance & accountability
Why it matters for law firms

IT is an essential component of a law firm: it does not just support the delivery of services to clients, it is vital to maintaining the safety, integrity and confidentiality of client information, and so to the firm’s ability to keep practising. The Solicitors Regulation Authority (SRA) requires firms to take adequate measures to protect client data and maintain confidentiality.

| Item | Minimum | Better | Best practice | Owner | Frequency | Note |
|---|---|---|---|---|---|---|
| IT ownership | Manager | IT & risk owner pair | Board-level oversight | Practice Mgr | Ongoing | Someone accountable |
| Policies | Basic set | Reviewed annually | Tested + versioned | COLP / Ops / IT | Annual | Short & usable |
| Risk register | Informal list | Simple risk log | Reviewed quarterly | COLP / COFA | Quarterly | Include cyber/fraud |
| Documentation | Minimal | Central repository | Maintained run-books | IT | Quarterly | How to restore |

Common pitfalls

  • No single owner for IT risk (especially in multi-partner firms)
  • Policies exist but nobody follows them
  • No written process for handling incidents or leavers

Quick wins

  • Appoint an accountable owner (even if IT support is outsourced)
  • Create a one-page “IT Risk Dashboard” covering MFA, backups, patching and incidents
  • Create a central documentation folder and a password vault
2) Devices & endpoints
Why it matters for law firms

Lost or stolen laptops, outdated PCs and unmanaged devices are common causes of confidentiality breaches and system downtime. The Law Society’s guidance on cyber security highlights the need for measures that protect client data from loss or unauthorised access.

| Item | Minimum | Better | Best practice | Owner | Frequency | Note |
|---|---|---|---|---|---|---|
| Device standard | Any business device | Approved models list | Standardised fleet | IT / Ops | Annual | Easier support |
| Encryption | Recommended | Enabled | Enforced + escrow keys | IT | Ongoing | BitLocker / FileVault |
| Endpoint control | Local admin common | Limited admin | Managed device policies | IT | Quarterly | Reduce risk |
| Lifecycle | Replace on failure | 4–5 years planned | 3–4 years planned | Finance | Annual | Budget line |

Common pitfalls

  • Personal devices used for case work with no safeguards in place
  • Laptops without encryption
  • Devices running out-of-support operating systems
  • Old hard drives kept in cupboards

Quick wins

  • Turn on BitLocker / FileVault on every laptop
  • Remove local administrator rights where possible
  • Create an asset register (owner, serial number, encryption status)
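One way to populate that asset register from each Windows machine, covering the encryption, supported-OS and local-admin items in the baseline above (an added PowerShell example, not from the guide; the register path and owner are placeholders, and it assumes Windows 10/11 with the BitLocker module, run as an administrator):

```powershell
# Added example, not from the guide. Collects the asset-register fields the
# checklist names (owner, serial number, encryption status) plus OS version and
# local admins from the Windows machine it runs on, and appends one row to a CSV.
# Assumes Windows 10/11 with the BitLocker module, run as an administrator.
# $RegisterPath and $Owner are placeholders: point them at your own register.
param(
    [string]$RegisterPath = '\\fileserver\IT\asset-register.csv',  # placeholder location
    [string]$Owner        = $env:USERNAME                           # person the device is issued to
)

$bios = Get-CimInstance -ClassName Win32_BIOS
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem

# Encryption status of the system drive. "Recommended" is not enough for the
# baseline: protection must be on and the volume fully encrypted.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$encrypted = $false
$hasRecoveryKey = $false
if ($bl) {
    $encrypted = ($bl.ProtectionStatus -eq 'On') -and ($bl.VolumeStatus -eq 'FullyEncrypted')
    # A recovery password protector is what gets escrowed to AD / Entra ID; if it
    # is missing, the "escrow keys" best-practice step cannot have happened.
    $hasRecoveryKey = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
}

# User accounts in the local Administrators group, for the "remove local admin
# rights" quick win. Anything beyond the built-in account deserves a question.
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $_.Name }) -join ';'

$row = [pscustomobject]@{
    Hostname             = $env:COMPUTERNAME
    Owner                = $Owner
    Manufacturer         = $cs.Manufacturer
    Model                = $cs.Model
    SerialNumber         = $bios.SerialNumber
    OperatingSystem      = "$($os.Caption) $($os.Version)"
    SystemDriveEncrypted = $encrypted
    RecoveryKeyProtector = $hasRecoveryKey
    LocalAdmins          = $localAdmins
    CollectedAt          = (Get-Date).ToString('s')
}

# Append to the shared register and echo the row so the operator can check it.
$row | Export-Csv -Path $RegisterPath -NoTypeInformation -Append
$row
```

Run it on each device (by hand or through your RMM tool) and any row with SystemDriveEncrypted false, an out-of-support OS, or unexpected names in LocalAdmins is an open item for the quarterly review.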