Osprey’s Build Better Habits series four: Cybersecurity best practices

Cybersecurity best practices: How law firms can mitigate risk and stay protected

In the third episode of Series four of the Build Better Habits webinars, Amy Bruce, marketing director at Osprey Approach, was joined by three cybersecurity specialists to discuss how law firms can strengthen their defences and embed security into everyday working practices.

The expert panel featured Gary Hibberd, founder of Consultants Like Us; Kerrie Machin, director at Mitigo Cybersecurity; and Jonathan Stock, chief information risk officer at Pure Cyber.

Together, they explored why law firms are such attractive targets for cybercrime, the misconceptions that leave firms exposed, and the practical steps that can reduce risk without requiring significant investment or complex technology.

This episode covered:

• Why law firms are prime targets for cybercrime
• Common misconceptions that leave firms vulnerable
• Practical best practices for mitigating cyber risk
• How to embed cybersecurity into firm culture
• Habits every legal professional should adopt
• What to include in a business continuity plan
• Emerging threats firms should prepare for

Why cybersecurity matters now more than ever

Law firms hold large volumes of sensitive client information, making them high-value targets for organised cybercrime. With attacks continuing to rise across the sector – The Law Society found cyber-attacks on law firms increased by 77% in 2024 – the panel stressed that cybersecurity can no longer be treated as a technical issue sitting solely with IT.

Gary warned that too many firms still underestimate the scale of the threat: “Cybercrime isn’t a kid in a hoodie in a basement. It’s organised, well-funded, and strategic. Thinking otherwise leaves firms exposed.”

Kerrie highlighted a common and costly assumption within professional services: that internal IT teams can automatically cover cybersecurity risk. “IT teams aren’t cybersecurity experts,” she said. “They’re critical to operations but asking them to manage cyber risk alone is like asking them to mark their own homework.”

Jonathan added that while cybersecurity can feel complex, many breaches still start with simple errors and preventable oversights: “Most breaches start with simple mistakes. Basics like verifying callers or testing backups can prevent major incidents.”

Poll insights from the live audience

The webinar audience shared their firms’ current approach and perceived barriers, with results showing:
• 64% of firms provide cybersecurity training annually
• Key challenges include lack of time, reliance on IT and resistance to change
• Many attendees said “everyone shares responsibility” for security — an encouraging view, if reflected in practice

The panel noted that annual training alone is rarely enough to shift behaviour, especially when cyber threats evolve daily and pressure on legal teams is constant.

Best practices law firms can implement now

The panel shared a set of practical steps that can strengthen resilience without requiring major budgets or significant technical change.

  1. Get independent oversight
    Kerrie emphasised the importance of external testing and assessment, warning against assuming systems are working simply because they exist. “77% of antivirus systems we assessed had critical misconfigurations. Firms had the tech, but it wasn’t set up correctly. Don’t rely on hope – prove it works.”
  2. Separate awareness, training and education
    Gary encouraged firms to treat cybersecurity learning as three distinct areas, rather than a single annual compliance exercise. “Awareness is knowing policies exist. Training is knowing how to follow them. Education is deeper knowledge for specialists.”
  3. Understand your data
    Jonathan emphasised data mapping: “You can’t protect what you don’t understand. Identify what data you hold, who has access, and what would happen if it was compromised.”
  4. Embed security into the culture
    Firms make the biggest gains when cybersecurity is treated as part of daily practice. Suggested approaches included:
    • Linking cybersecurity to the firm’s values and client care standards
    • Encouraging reporting of mistakes and near-misses without blame
    • Delivering learning in small, regular formats using real-world examples
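Kerrie's point in step 1 above (prove the antivirus works rather than assume it does because it is installed) is concrete enough to script. The following is an added example, not code from the webinar or from Osprey Approach: a read-only check of Microsoft Defender on one Windows endpoint using Microsoft's own `Get-MpComputerStatus` and `Get-MpPreference` cmdlets. It assumes Defender is the firm's antivirus and that the session is elevated; the thresholds (signature age, which settings count as findings) are the author's assumptions, not figures from the panel.

```powershell
# Added example (not from the webinar): check that Microsoft Defender is actually protecting
# this endpoint, rather than trusting that it is because it is installed.
# Assumes Microsoft Defender Antivirus and its PowerShell module are present; run elevated.
# Thresholds below are assumptions chosen for illustration.

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
$findings = @()

# 1. Core engines must be on. Each of these is a way a "present" AV can be silently off.
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring is off' }
if (-not $status.OnAccessProtectionEnabled) { $findings += 'On-access (file open) scanning is off' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper protection is off (malware can switch Defender off)' }

# 2. Stale signatures: the engine runs but is blind to recent malware. 3 days is an assumed limit.
if ($status.AntivirusSignatureAge -gt 3) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
}

# 3. Exclusions are a classic misconfiguration: a path or extension excluded to fix a support
#    ticket years ago and never removed. Every exclusion deserves a reason on record.
foreach ($p in $prefs.ExclusionPath)      { $findings += "Path excluded from scanning: $p" }
foreach ($e in $prefs.ExclusionExtension) { $findings += "Extension excluded from scanning: $e" }
foreach ($x in $prefs.ExclusionProcess)   { $findings += "Process excluded from scanning: $x" }

# 4. Cloud-delivered protection (MAPSReporting 0 = off) and PUA blocking (PUAProtection 1 = on)
#    are normally expected on a managed fleet.
if ($prefs.MAPSReporting -eq 0) { $findings += 'Cloud-delivered protection (MAPS) is off' }
if ($prefs.PUAProtection -ne 1) { $findings += 'Potentially unwanted application blocking is not enforced' }

if ($findings.Count -eq 0) {
    Write-Host "Defender configuration passes the basic checks on $($env:COMPUTERNAME)"
} else {
    Write-Host "Findings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Host " - $_" }
}

# Return the list so the script can feed a fleet-wide report (e.g. via Invoke-Command).
$findings
```

Run it across a sample of machines, not just one: the value of the exercise is finding the endpoints where the answer differs from what the IT team believes, which is exactly the gap the panel describes.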

Habits every legal professional should adopt

Alongside systems and policies, the panel highlighted the behaviours that prevent common attacks from succeeding:
• Slow down – rushing increases the risk of clicking links or replying to requests without verifying
• Use strong, unique passwords – avoid repeating passwords across accounts and use a password manager
• Simplify policies – unclear or overly complex documentation is rarely followed
• Continuous training – supplement annual sessions with short refreshers, reminders and bite-sized updates

Business continuity plans: what to include

Key recommendations from the panel included:
• Keep the plan short, practical and easy to follow
• Clearly name the incident response team and key contacts
• Set out simple steps for activating the plan
• Test it regularly using tabletop exercises
• Keep a printed copy in case systems are inaccessible

Kerrie warned: “80% of businesses don’t have an incident response plan. You do not want to make your plan up in the middle of a breach.”

Emerging threats law firms should prepare for

The session also explored the shifting risk landscape, with the panel highlighting several areas firms should keep under review:
• Supply chain attacks, where cybercriminals exploit third-party suppliers
• Faster phishing campaigns, particularly around major news events or outages
• AI-enabled attacks, making phishing emails quicker to produce and more convincing
• Expanding sub-processors, as AI tools and integrated platforms introduce new data flows

Jonathan noted that firms will increasingly need to take a proactive approach to reviewing suppliers and systems: “AI isn’t just a buzzword. It’s changing the threat landscape. Firms must review their systems and sub-processors continuously.”

Build better cybersecurity habits

The panel agreed that cybersecurity is not just a technology challenge: it’s a cultural and operational priority. By focusing on habits, awareness and resilience, law firms can reduce risk significantly without major disruption or unnecessary spend.

Watch the full episode on-demand now to hear the experts’ practical insights, real-world examples and advice in full.

Explore all four habits in the Build Better Habits webinar series, available on-demand now.

Kindly shared by Osprey Approach