97% of UK law firms consider cybersecurity a high priority. But only 32% provide regular training to their staff[1]. The gap makes sense, when you consider the cost of trying to fit a generic training model into the day of teams who bill by the hour.
Cyberattacks on UK law firms surged by 77% in 2024[2]. Phishing accounted for 56% of attacks, making it the sector's dominant threat[3]. Law firms hold exactly the kind of information attackers want: financial records, intellectual property, privileged communications, and deal documentation.
But the reason training adoption lags so far behind firms' own stated priorities has less to do with awareness of the threat and more to do with the structural realities of how legal organisations operate.
The Billable Hours Problem
In most industries, taking an employee out of their workflow for six minutes of training is an inconvenience. In a law firm, it is a quantifiable cost. Every minute a fee earner spends on anything other than client work is revenue the firm does not recover. A six-minute training module is not a minor interruption. It is a payable slot, multiplied across every solicitor in the firm.
This single fact shapes almost everything about how legal organisations approach security awareness. Training must be short enough that it barely registers as an interruption, while still valuable enough to justify the time it takes.
Most generic platforms were not built with that constraint in mind. They were built for office environments where a 20-minute video once a year is treated as a reasonable ask. In a law firm, that same video represents a cost that is easy to calculate and hard to justify.
The result is resistance. Lawyers are on the clock, managing client relationships and active cases. When a training notification interrupts that, the instinct is to dismiss it and move on. It is not that the importance of security is lost on legal professionals. It is that the format of the training is fundamentally mismatched with how their time is valued.
Security awareness training also does not exist in isolation. Solicitors are already required to complete regulatory training, compliance courses, and continuing professional development on a near-constant basis. Adding more mandatory content to that load runs straight into a wall of fatigue.
In conversations with IT managers and compliance leads across UK law firms, it is not unusual to find less than half of staff completing a mandatory training video, not because they do not care about security, but because one more piece of mandatory content, delivered in the same format as everything else, gets the same low-priority treatment.
The Threats Are Outpacing the Training
Generic phishing simulations are unfit for purpose in the legal sector because the attacks targeting law firms have evolved well beyond generic templates. Security teams are reporting phishing campaigns that imitate genuine inter-firm billing relationships, where an attacker compiles a profile from a related firm and constructs an invoice request that mirrors a real working arrangement.
These attacks exploit precisely the kind of professional relationships that make legal practice function, and they are difficult to detect using training built around spotting spelling mistakes or suspicious sender addresses.
AI has accelerated this further. Phishing messages can now be constructed to mirror a specific firm's writing style and reference publicly available information about cases or clients, convincingly enough to bypass the instincts most generic awareness training tries to build. Training that has not evolved to reflect how attacks actually look today is preparing people to recognise threats that no longer exist in their original form.
Beyond format, there is a content fit problem. In conversations with IT and security leads across UK firms, training libraries are frequently described as generic, culturally mismatched, or geared toward other sectors entirely. Legal professionals also tend to engage differently with content, and many prefer concise written material to video, a preference at odds with how most security awareness platforms are built. And workforces spanning multiple generations need training that works across different levels of technical familiarity without becoming patronising to the most senior users.
Administration Nobody Has Time For
Even when firms find content that works, running the programme often becomes its own problem. IT and security teams report spending disproportionate amounts of time managing manual campaigns, particularly when something goes wrong. Some IT teams report spending more time recovering from a single poorly managed phishing exercise than on the rest of the firm's security programme over the preceding months. Platforms that require manual segmentation, rebuilding campaigns to target non-completers, or close ongoing oversight place a burden on teams that often do not have a dedicated person responsible for security awareness at all.
Reporting matters too. Law firms need to escalate persistent high-risk users to HR, document training completion for client audits, and demonstrate oversight to regulators. A platform that cannot produce that documentation without significant manual effort is adding work rather than removing it.
If Those Are the Constraints
If those are the constraints: time-poor professionals, training fatigue, sophisticated sector-specific threats, and overstretched IT teams, then security awareness platforms need to be designed around legal practice rather than adapted from generic corporate training.
Practice from Pistachio is built to fit that environment:
Designed around billable time. Training is delivered in short, focused bursts that do not interrupt client work. There are no lengthy modules, no mandatory video sessions, and no completion chasing by the IT team.
Built for legal phishing attacks. Rather than generic simulations, Practice delivers scenarios relevant to how law firms are actually targeted, including the kind of inter-firm impersonation and invoice fraud attacks used against the sector. Difficulty adapts automatically based on individual performance.
No ongoing administration. Campaigns run automatically from the point of deployment. No manual segmentation, no template maintenance, no chasing non-completers. Reporting for HR escalation and compliance documentation is built in and available on demand.
Most law firms do not have a cybersecurity awareness problem. They have an adoption problem. Staff are not refusing training because they do not care. They are refusing training that does not respect how legal work is done. As phishing becomes more targeted and impersonation more convincing, the firms that succeed will not necessarily be those that buy more training. They will be the ones whose lawyers actually complete it.
Most firms are fully deployed in under 10 minutes using Microsoft 365, with phishing simulations and training running automatically from then on.
See how Practice fits the realities of legal practice. Email contact@pistachioapp.com to book your 15-minute demo.

