Four reasons why law firms need Cyber Essentials

Last month, my team at Atlas Cloud published a huge piece of research on the UK legal sector. Analysing over 5,000 law firms for cyber security competence, we believe it’s the largest cyber study ever conducted on the sector.

You can read the full report on our website or my analysis on this site.

The research looked at numerous technical elements but also considered Cyber Essentials accreditations across the industry. Cyber Essentials is a Government-backed certification scheme designed to help any UK-based organisation align with a minimum defined level of defence mechanisms.

To my surprise, for every 10 firms in the industry, fewer than two (15%) were Cyber Essentials accredited. Here are four key reasons why the majority of firms are missing out by not having it in place.

#1: Public sector supply chain requires it

If your firm provides services to the public sector, you are most likely required to have Cyber Essentials in place. This requirement has been in place since 2014, was reclarified in October 2023, and states that suppliers are in scope through the handling of personal data of Government employees or citizens.

It is not specifically a current requirement, but there is speculation that this may in time extend down the entire supply chain, meaning firms that supply legal services to any private organisation that supplies to the public sector would be considered in the scope of this requirement.

#2: A simpler insurance process, with possible reduced premiums

Insurance is vital for any organisation, not least a law firm.

If you want to cover cyber security, you’ll need to answer a host of due diligence questions about the protocols your firm already has in place. If you’ve achieved Cyber Essentials, that process is much easier – and some providers recognise the certification as a factor for reducing premiums.

#3: Strongly recommended for Lexcel accreditation

Section 3.2 of The Law Society of England and Wales’ prestigious quality mark specifically states: “Practices must have an information management and security policy and should be accredited against Cyber Essentials.”

While it is not specifically required, the use of the word “should” is a clear indication of how important it is considered by the body.

#4: Reputation of a firm

Cyber security is becoming more of a conscious factor in the minds of buyers. With every event, including last year’s high-profile event affecting multiple law firms and many end consumers, awareness of it grows across the population and becomes an emotional factor for those affected.

Being Government-backed, Cyber Essentials is the number one way to demonstrate cyber security due diligence. It will put buyers in the general population at ease and be looked for by anyone directly affected by a cyber event.

With the cost of certification no more than £600, the barriers to achieving Cyber Essentials are extremely low. With so many reasons for a firm to have the certification in place, firms without it will increasingly start to miss out.

Atlas Cloud offers Cyber Essentials certifications and consultancy to make it easy for anyone to process their application. Contact them now.


About the author
Pete joined Atlas Cloud soon after its formation to become CEO in 2012. He’s led the company through its start-up phase to become a recognised player in the managed services sector for law firms, having recently won Best Virtualisation Product at Computing’s Technology Product Awards. A hands-on CEO, Pete deals directly with all enquiries from...