October is Cybersecurity Awareness Month. Which, for most lawyers, means…absolutely nothing. Until, of course, a client calls and says, “We think we’ve been hacked—and you’re named in the emails.”

Lawyers, after all, are the digital equivalent of Georgian townhouses: dignified façades, oak-panelled chambers, brass nameplates…and wooden doors with locks from 1843.

The paradox of clever people doing silly things

Cybersecurity isn’t about hackers in hoodies. It’s about partners forwarding documents to their personal Gmail “just this once”, juniors clicking on “DocuSign” links from princes, and firms using “JoeSoap123” because IT “made it too complicated”.

In fact, lawyers don’t behave rationally, they behave reasonably. And lawyers are very reasonable when they choose convenience over security. It’s not laziness—it’s behavioural economics. The perceived benefit of shaving two minutes off their day outweighs the invisible risk of catastrophic loss.

This month, try behavioural hacks, not just tech hacks

  1. Make it visible: Nobody’s motivated by abstract risk. Tell a partner that phishing is up 200%” and they’ll yawn. Tell them, “If you click this, opposing counsel gets your entire case strategy”—suddenly, attention.
  2. Shrink the ask: Don’t say: “Improve cybersecurity”. Say: “Enable MFA on your email.” Humans love small, one-click wins. Especially lawyers, who bill in six-minute increments.
  3. Exploit ego: Partners hate looking foolish. Run a simulated phishing campaign and publish anonymised results at the partners’ meeting. Nothing motivates like the fear of being “that guy”.
  4. Turn it into theatre: Put a big red “Report Phish” button in Outlook. It’s like a fire alarm: the drama of pulling it is half the incentive.
  5. Frame it as client service: Cybersecurity isn’t about IT. It’s about not losing your client’s trust (and their business). Put it this way: “You wouldn’t leave a sensitive documents on a café table. Why would you leave it in an unencrypted inbox?”

What lawyers should actually do this month

  • Run a tabletop exercise: Pretend you’ve been breached. See how fast chaos sets in. Spoiler: very fast.
  • Audit your data flows: Ask, “Where’s the client’s data, really?” (Answer: everywhere you don’t expect.)
  • Refresh policies: Nobody reads your Acceptable Use Policy. So make a one-page version in plain English.
  • Train like it’s improv, not school: Role-play scams. Get lawyers laughing. They’ll remember it longer than a PDF.
  • Upgrade the basics: MFA, patching, endpoint protection. It’s not sexy, but neither is explaining a breach to the regulator.

Final thought

Cybersecurity Awareness Month shouldn’t be about fear. It should be about reframing security as part of your brand. Clients don’t just hire you for your brains; they hire you for your ability to protect theirs.

Or, put otherwise, security isn’t a cost centre. It’s a signalling device. It says, “We’re not just clever lawyers. We’re careful custodians.”

And in a world where trust is the ultimate currency, that’s worth more than any billable hour.

Need support?

We’re running a “Cybersecurity for lawyers” online course with the first cohort starting 1 November 2025.

Otherwise, we don’t just hand you a 40-page policy and walk away. We design lawyer-proof cybersecurity frameworks that are behavioural, practical, and client-facing. From tabletop simulations that test your breach readiness, to plain-English policies your partners will actually read, to compliance-driven security toolkits that keep regulators off your back—we help you build trust, not just tick boxes. Because in today’s legal market, security isn’t just about avoiding risk. It’s about signalling to your clients that their most valuable asset—their data—is safe with you.