The five IT support challenges every UK law firm is wrestling with
Confidentiality is regulatory, email is the threat surface, and insurers want evidence. The challenges that make law firm IT support its own discipline.
Law firms can't afford ambiguity about who has seen what. The SRA expects competent technology, clients expect discretion, and insurers expect evidence. Generic IT support is rarely calibrated for that risk; it is calibrated for general SME productivity, and the gap shows the first time a partner asks an awkward question about a matter folder.
Below are the five challenges that come up in almost every conversation with a UK law firm. None of them is exotic. The combination is what makes legal IT support its own discipline.
1. Confidentiality is a regulatory matter
Client confidentiality isn't a value statement for a law firm; it is a regulatory expectation backed by the SRA Standards and Regulations. A single misdirected email, an exposed matter folder, or a phished mailbox can do more damage than a quarter of bad billing. 'We didn't realise' is not a defence the SRA finds persuasive.
That changes how IT support has to be specified. The provider needs to be able to talk credibly about access controls at matter level, audit trails, retention and the practical realities of supervising a hybrid workforce that handles confidential papers from kitchens and trains. A generic 'managed Microsoft 365' service does not, by default, give you any of that.
2. Email is the threat surface
Completion fraud, Friday-afternoon BEC and impersonation of partners are common in the legal sector. Conveyancing firms see the worst of it, but commercial firms are not exempt. The classic pattern is a quiet mailbox takeover, a watch-and-wait period during which the attacker reads emails for context, then a single forged message redirecting a completion payment to a different account.
The defences that move the needle are unglamorous. MFA on every account with no exceptions. Conditional access in Entra ID that blocks impossible logins. DMARC enforced rather than monitored. Impersonation protection on partner mailboxes. Training that focuses specifically on the scams the sector sees. And a documented response for the moment a client phones to say their solicitor's email has gone strange.
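One way to check the "DMARC enforced rather than monitored" point, as an added example that is not part of the original article: it classifies DMARC TXT records by their p, sp and pct tags. The domains and records below are constructed samples; in practice the input would be the TXT record published at _dmarc.<your domain>.

```python
"""Classify DMARC TXT records as enforced, partial or monitor-only (added example)."""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (status, findings) for one record; pass None when no record exists."""
    if not txt:
        return "missing", ["no DMARC record published"]
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ENFORCING | {"none"}:
        return "invalid", ["record is not a usable DMARC policy"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua address, so no aggregate reports are received")
    if policy == "none":
        findings.append("p=none only reports failures; spoofed mail is still delivered")
        return "monitor-only", findings
    status = "enforced"
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent or malformed
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of failing mail")
        status = "partial"
    if tags.get("sp", policy).lower() == "none":  # sp defaults to the value of p
        findings.append("sp=none leaves subdomains in monitor-only mode")
        status = "partial"
    return status, findings


# Constructed sample records (hypothetical domains under the reserved .example TLD).
SAMPLES = {
    "firm-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm-a.example",
    "firm-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firm-b.example",
    "firm-c.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@firm-c.example",
    "firm-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-d.example",
    "firm-e.example": None,
}


def audit(records):
    """Assess every domain in a {domain: txt_record} mapping."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, (status, findings) in audit(SAMPLES).items():
        print(f"{domain:16} {status:13} {'; '.join(findings) or 'ok'}")
```

Only a record that comes back as "enforced" matches what the paragraph above asks for; "partial" and "monitor-only" both mean some forged mail still reaches the recipient's inbox.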
3. Matter-centric working is fiddly
A document in a law firm is never just a document. It lives inside a matter, with its own access list, retention rules and ethical walls. The same fee-earner might have full access to one matter, no access to another and a Chinese-walled view of a third. SharePoint at default settings doesn't model this. A DMS like NetDocuments or iManage does, but only if it is configured and maintained with that in mind.
Firms that get this right tend to commit to one model and stick to it. Either the DMS is the single source of truth and SharePoint is used carefully around it, or SharePoint is structured around matters with discipline. Hybrid arrangements where 'some matters are in the DMS and some live on OneDrive' are where most of the confidentiality risk sits.
4. Insurers want evidence
Professional indemnity renewals increasingly ask explicit questions about MFA coverage, backup arrangements, security training and incident response plans. A 'yes' that isn't backed by evidence is a problem at claim time, when the insurer asks for the screenshots that show the control was in place on the date of the incident.
The work to satisfy a PII renewal is largely the same work that satisfies a Cyber Essentials renewal and an SRA spot check. Done as a calendar through the year, it is light. Done in a panic six weeks before the renewal date, it is painful and the answers tend to be optimistic. A partner who knows how PII brokers actually read these questionnaires saves a lot of time.
5. Fee-earners are protective of their workflow
Security controls that get in the way of fee-earning will be worked around. A partner who can't access a document on the train will email it to a personal account and deal with the consequences later. That is the reality the IT team is designing against, not the policy document.
The trick is to tighten the controls without making document handling slower. Single sign-on across the practice management system, the DMS and Microsoft 365. Conditional access that distinguishes between the partner's managed laptop and a random hotel computer. A mobile experience that genuinely works on the device fee-earners actually carry. None of this is invisible to users, but it is acceptable to them when it is well thought out.
What good looks like
A legally aware partner closes the obvious openings first: weak email controls, broad SharePoint access, and unmanaged personal devices. They work with the DMS rather than around it, and they can talk insurance and SRA expectations without flinching. Around lateral hires and team moves they handle joiner-leaver carefully: ethical walls, mailbox handover and matter access tightened in the same week, not the same quarter.
Tell us how many fee-earners, which DMS and which practice management system. We will introduce you to a UK partner who already supports law firms and understands that confidentiality is regulatory, not aspirational.