What is Cyber Essentials - and why your law firm needs it | Workplace Connect
Client: "Are you cyber secure?"

Your firm: "We'll need to check."

Client: "Then we can't instruct you. We're not sharing sensitive files without seeing your accreditation."

The four most expensive words a law firm can say.

When a client, an insurer or the SRA asks whether your basic cyber controls are in place, there are only two answers. One is "Yes - we're certified." The other one loses you the work.

Cyber Essentials
Certify and get free Cyber Liability Insurance included
Available to eligible UK firms with turnover under £20m, subject to the scheme rules and eligibility.
£60,000: ICO fine for a law firm with an old account and no MFA (DPP Law)
8,000+: Clients' data leaked when a Hampshire firm was breached (Levales)
92%: Less likely to make a cyber insurance claim once certified (IASME)
5: Basic controls that stop the most common attacks

The moment it goes wrong

Friday. 4:47pm. Completion day.

An email arrives that looks exactly like the one your client is expecting. Same matter reference. Same tone. One changed bank account number.

By Monday, the deposit for their first home is gone - and it didn't take a genius hacker to do it. It took a weak password, an old account nobody closed, and a firm that assumed "IT had it covered."

This is not an IT story. It's a client-money story, a confidentiality story, a reputation story. Which makes it yours.

INBOX
From: Your client <completion@client-firm.co.uk>
Subject: Re: Completion - Matter 4471-C

"Quick note before completion - our bank details have changed. Please send the deposit to the new account below."

One changed detail
Account no: ••••   7741 → 9208
£4m+ stolen across 40 law-firm incidents in the SRA's thematic review. Behind the number: clients who lost houses, and firms that didn't survive what followed.

You don't choose the moment

Five people will ask about your controls. None will warn you first.

You can prepare the answer now, calmly - or assemble it later, under pressure, with the outcome already decided.

The client: In a supplier questionnaire, before instructing you.

The counterparty: Mid-deal, while everyone waits on you.

The insurer: At renewal - or worse, after an incident.

The ICO: Asking why client data wasn't protected.

The SRA: Asking what steps you took to protect client money.

The questionnaire moment

The worst answer isn't "no."

A corporate client sends the security questionnaire.

SUPPLIER SECURITY QUESTIONNAIRE
Q › Do you hold Cyber Essentials certification?
Q › Is multi-factor authentication enforced?
Q › Are devices patched?
Q › Can you evidence your controls?

"No" is recoverable. "We'll need to check" is not - because it tells the client you don't know your own firm. In a profession that sells certainty, clients don't wait to find out.

What the client hears

"They don't know their own firm."

What the client hears

"Safe. Instruct them."

In plain English

Five questions. That's the whole thing.

Not advanced security. Not a magic shield. A government-backed baseline (NCSC) proving the basics are done.

01. Is anything exposed to the internet that shouldn't be?

02. Are devices up to date, or are known holes waiting to be used?

03. Does everyone have only the access they need?

04. Is there real malware protection when someone clicks the wrong thing?

05. Are old accounts and weak settings creating avoidable risk?

Using just 5 questions, we can tell you where you stand today.

The partner-level case

This lands on a partner's desk, not IT's.

SRA: Firms must mitigate the risk - £4m+ already stolen from firms that didn't.

Confidentiality: A breach from a weak password is a duty-of-confidentiality question, not a helpdesk ticket.

ICO: Real fines for firms your size - £60k-£98k - for breaches traced to missing MFA and unpatched systems, and it names them publicly.

Insurance: Insurers now ask about controls before they pay. Certification is the answer they're looking for.

How it works

From call to verdict in 48 hours

01. Book a 20-minute call. No prep needed - a partner or practice manager is ideal.

02. We review your setup against the actual Cyber Essentials assessment criteria.

03. Verdict within 48 hours: pass, or exactly what to fix first.

Why Workplace Connect

We're the advisor firms call before the questionnaire arrives

As an Assured Cyber Advisor, we review your setup against the actual assessment criteria and flag what would fail - before you apply, not after.

Pass Promise

If you don't pass first time, we fix the gaps with you - no matter what - and cover your reassessment fee.

That's not bravado - it's because we check everything the assessor checks, before you ever apply. If we say you're ready, you're ready.

Applies where our recommended fixes are in place before assessment.

80+ law and accounting firms taken through certification.

We know exactly what the assessor will ask - because we've answered it 80 times.

We'd always assumed our IT company had everything covered. The review found gaps none of us knew were there - and we all worked together to close them. No drama, just sorted.

Kevin
Partner, Employment Law
The question for your next partner meeting

"If a client asked us tomorrow to prove our basic cyber controls - would we be comfortable with the answer?"

If there's a pause before anyone answers, that pause is the risk.

Cyber Essentials isn't a certificate. It's never having to say "we'll need to check."