Cybersecurity Checklist for Small Law Firms
Law firms concentrate exactly what attackers want: privileged communications, deal details, trust account access, and clients who cannot afford disclosure. Bar associations now treat data security as a professional-responsibility issue — meaning a breach can cost more than money. This checklist covers the essentials for firms without an IT department.
The threats that actually hit law firms
Wire fraud via compromised email
Attackers who get into a firm mailbox watch for closing dates, then send altered wire instructions from inside the real email thread, either from the compromised account itself or from a look-alike domain, often with inbox rules set up to hide the victim's replies. Real estate closings and trust accounts are the primary targets.
Client-data extortion
Modern ransomware exfiltrates first, encrypts second — threatening to publish privileged files unless paid. For a firm, publication is the true damage.
Vendor and cloud account takeover
Practice management, e-discovery, and file-sharing platforms hold the firm's crown jewels behind a single password if MFA is off.
How many of these boxes can you actually check?
Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.
The checklist
1. Enforce MFA on email, practice management, and file sharing
Effort: quick win. Email compromise is the root of most legal-sector incidents, including wire fraud; MFA is the single highest-value control. Prefer an authenticator app or a hardware security key over SMS codes, which attackers defeat with SIM swapping and real-time phishing, and enforce it on every account, including shared mailboxes and administrator logins.
2. Adopt a call-back rule for all wire instructions
Effort: quick win. Wire-fraud losses almost always trace back to instructions that were never verbally confirmed. Make the call-back mandatory, no exceptions, including for partners, and place it to a number already on file for the recipient, never one taken from the email that delivered the instructions. Treat any change to previously confirmed instructions as new instructions that need a fresh call.
3. Encrypt laptops and phones firm-wide
Effort: quick win. Attorney devices leave the office daily; full-disk encryption (BitLocker, FileVault, or the built-in encryption on current iOS and Android) with a strong passcode and automatic screen lock turns a stolen bag into an inconvenience instead of a disclosure event. Escrow recovery keys centrally so a forgotten passcode does not become data loss.
4. Separate trust account banking credentials and add transaction alerts
Effort: an afternoon. IOLTA/trust accounts are fiduciary funds; unique credentials, MFA on the bank login, and instant alerts on every outgoing transfer contain the worst-case scenario.
5. Back up matter files daily, off-site, with a tested restore
Effort: an afternoon. Court deadlines don't move for ransomware. Keep at least one copy that malware on the firm network cannot reach or overwrite (offline, or on storage with versioning or immutability), and rehearse a restore on a schedule; a backup that has never been restored is an assumption, not continuity of practice.
6. Restrict matter access to the team on the matter
Effort: an afternoon. Least privilege limits both breach scope and conflicts exposure, and clients increasingly ask about it in security questionnaires. Review access whenever staff change roles or leave the firm.
7. Vet vendor security before moving client data into a platform
Effort: ongoing. The firm's confidentiality duty follows the data; a vendor breach is still your client conversation. Ask for a current SOC 2 report or equivalent, confirm the platform supports MFA and encrypts data at rest, and check how, and how quickly, the vendor will notify you of an incident.
8. Run phishing awareness training twice a year
Effort: ongoing. Wire fraud and account takeover both start with one convincing email to one busy person. Pair training with a no-blame reporting path so the person who clicked tells you within the hour, not the following week.
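Item 5 calls for a tested restore, which in practice means proving that what comes back out of the backup is byte-for-byte what went in. The script below is an added example, not code from CyberGrade or from the original page: it hashes every file at backup time, archives them, restores the archive into a clean directory, and compares the restored files against the manifest, flagging anything missing, altered, or unexpected. The matter files are constructed sample data. A firm using a commercial backup product would run the same comparison against that product's restore output; the manifest should live somewhere ransomware on the office network cannot rewrite, otherwise a corrupted backup and a corrupted record can agree with each other.

```python
"""Backup drill: archive matter files, restore them elsewhere, prove byte-for-byte recovery.

Added example; the matter files below are constructed sample data, not real client files.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample matter files (relative path -> contents).
SAMPLE_FILES = {
    "contracts/psa.pdf": b"%PDF-1.4 constructed purchase and sale agreement",
    "closing/wire_instructions.txt": b"constructed wire instructions confirmed by call-back",
    "notes/privileged_memo.txt": b"constructed attorney work product",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large scans and PDFs are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def back_up(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source and return the manifest taken at backup time.

    Store the manifest separately from the archive (and away from the office network) so
    ransomware that reaches the backup cannot also rewrite the record used to check it.
    """
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into a fresh directory, never over the live matter files."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports): refuse path-traversal members.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Return a list of problems; an empty list means every file came back exactly."""
    actual = build_manifest(restored)
    problems = []
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"hash mismatch: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in manifest)
    return problems


def run_drill(tamper: bool = False) -> list[str]:
    """Full rehearsal on the constructed files; tamper=True simulates a corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restored = base / "matters", base / "matters.tar.gz", base / "restore"
        for rel, data in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = back_up(source, archive)
        restore(archive, restored)
        if tamper:
            # Stand-in for bit rot, a truncated copy, or an attacker editing the backup.
            (restored / "closing" / "wire_instructions.txt").write_bytes(b"altered")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_drill())
    print("tampered restore problems:", run_drill(tamper=True))
```

The drill only counts if it is run on a schedule and the result is recorded; a clean run this quarter is evidence you can put in front of a client questionnaire, while a run that reports a mismatch is the signal to fix the backup before a deadline depends on it.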
Frequently asked questions
Do lawyers have an ethical duty regarding cybersecurity?
Yes. ABA Model Rule 1.1, Comment 8, requires competence in the technology relevant to a lawyer's practice; ABA Formal Opinion 477R (2017) requires reasonable efforts to secure client communications and information, and Formal Opinion 483 (2018) addresses a lawyer's obligations after a data breach, including notifying affected clients. Most state bars have adopted equivalents, so security failures can become disciplinary matters, not just business losses.
What should a small firm do first?
MFA on email today, then the wire-instruction call-back rule. Those two controls address the two most expensive legal-sector attack patterns and cost almost nothing.
Are client security questionnaires worth taking seriously?
Corporate clients increasingly require outside counsel to attest to security controls, and honest gaps can cost the engagement. A documented baseline — like this checklist plus a security grade — turns the questionnaire from a threat into a differentiator.