Cyber Essentials is a UK government-backed scheme run by IASME on behalf of the NCSC. For solicitors it sits nicely alongside SRA duties and UK GDPR: it's the pragmatic floor of technical controls that stops the majority of commodity cyber attacks. And increasingly, it's the certification your clients, insurers and panels are asking to see.
Why solicitors should care right now
Three pressures are pushing the legal sector towards certification. First, professional indemnity insurers are asking pointed questions about controls at renewal, and Cyber Essentials is a short-cut answer. Second, larger clients - especially in financial services and the public sector - are making it a supplier requirement. Third, the SRA and Legal Ombudsman are increasingly treating avoidable breaches as regulatory issues.
Passing Cyber Essentials doesn't make your firm bulletproof. It does mean you've closed the doors attackers reach for first.
The five controls, translated for law firms
Firewalls. Every internet-connected device in your firm - office router, home routers for hybrid fee-earners, laptops - needs a properly configured firewall. Default admin passwords must be changed. Home workers count.
Secure configuration. No unused accounts, no default passwords, no unnecessary software. This is where firms with ageing on-premise servers or shared accounts on the DMS tend to trip.
User access control. Named accounts, least privilege, multi-factor authentication on all cloud services. Partners with admin rights "just in case" fail this control.
Malware protection. Managed antivirus / EDR on every endpoint, plus controls on what can be installed. Microsoft Defender for Business, properly configured, satisfies this for most Microsoft 365 firms.
Security update management. Patches applied within 14 days of release for operating systems, browsers and business software. Unsupported Windows or Office versions are an automatic fail.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials is a self-assessed questionnaire verified by IASME. Cyber Essentials Plus adds a hands-on technical audit of a sample of devices and your cloud tenant. Most law firms should aim for Plus - it's what insurers and larger clients actually recognise, and the delta in effort is modest if your baseline is already in order.
The trip-ups we see most often in legal firms
Home routers left on ISP defaults. Personal devices used for client email without MDM. Long-serving fee-earners with local admin rights on their laptops. Mac users left out of the patching regime because "IT doesn't cover them". Old case management servers that can't be patched because a bespoke integration will break. Every one of these is fixable, but you need to find them before the assessor does.
How to prepare in 30 days
Run a gap analysis against the five controls, fix the quick wins (MFA everywhere, admin rights review, patch backlog), scope the assessment boundary honestly (don't pretend the London office doesn't exist), then book the assessment. Most well-run firms on Microsoft 365 with managed endpoints can go from "we haven't thought about it" to Cyber Essentials Plus in six to eight weeks.
Our IT support for law firms covers Cyber Essentials readiness as standard - get in touch if you want a gap analysis for your practice.