"We'll need to check."
The four most expensive words a law firm can say.
When a client, an insurer or the SRA asks whether your basic cyber controls are in place, there are only two answers. One is "Yes - we're certified." The other one loses you the work.
Friday. 4:47pm. Completion day.
An email arrives that looks exactly like the one your client is expecting. Same matter reference. Same tone. One changed bank account number.
"Quick note before completion - our bank details have changed. Please send the deposit to the new account below."
By Monday, the deposit for their first home is gone - and it didn't take a genius hacker to do it. It took a weak password, an old account nobody closed, and a firm that assumed "IT had it covered."
This is not an IT story. It's a client-money story, a confidentiality story, a reputation story. Which makes it yours.
Five people will ask about your controls. None will warn you first.
You can prepare the answer now, calmly - or assemble it later, under pressure, with the outcome already decided.
- In a supplier questionnaire, before instructing you.
- Mid-deal, while everyone waits on you.
- At renewal - or worse, after an incident.
- Asking why client data wasn't protected.
- Asking what steps you took to protect client money.
The worst answer isn't "no."
"No" is recoverable. "We'll need to check" is not - because it tells the client you don't know your own firm. In a profession that sells certainty, clients don't wait to find out.
A corporate client sends the security questionnaire. Two verdicts are possible:
"They don't know their own firm."
"Safe. Instruct them."
Five questions. That's the whole thing.
Not advanced security. Not a magic shield. Cyber Essentials is the UK government's baseline scheme, backed by the NCSC, proving the basics are done. Its five controls come down to five questions:
- Is anything exposed to the internet that shouldn't be? (Firewalls.)
- Are devices up to date, or are known holes waiting to be used? (Security update management - patching.)
- Does everyone have only the access they need? (User access control.)
- Is there real malware protection when someone clicks the wrong thing? (Malware protection.)
- Are old accounts and weak settings creating avoidable risk? (Secure configuration.)
The assessment form itself asks more than five questions, but every one of them falls under these five controls. Using just these five questions, we can tell you where you stand today.
This lands on a partner's desk, not IT's.
SRA: Firms must mitigate the risk - £4m+ already stolen from firms that didn't.
Confidentiality: A breach from a weak password is a duty-of-confidentiality question, not a helpdesk ticket.
ICO: Real fines for firms your size - £60k-£98k - for breaches traced to missing MFA and unpatched systems, and the penalty notice is published with the firm's name on it.
Insurance: Insurers now ask about controls before they pay - at application, at renewal and when a claim comes in. Certification is the answer they're looking for.
From call to verdict in 48 hours
1. Book a 20-minute call. No prep needed - a partner or practice manager is ideal.
2. We review your setup against the actual Cyber Essentials assessment criteria.
3. Verdict within 48 hours: pass, or exactly what to fix first.
We're the advisor firms call before the questionnaire arrives
As an Assured Cyber Advisor, we review your setup against the actual assessment criteria and flag what would fail - before you apply, not after.
law and accounting firms taken through certification.
We know exactly what the assessor will ask - because we've answered it 80 times.
"We'd always assumed our IT company had everything covered. The review found gaps none of us knew were there - and we all worked together to close them. No drama, just sorted."
- Partner, Employment Law
"If a client asked us tomorrow to prove our basic cyber controls - would we be comfortable with the answer?"
If there's a pause before anyone answers, that pause is the risk.
Cyber Essentials isn't a certificate. It's never having to say "we'll need to check."
