Cybersecurity Checklist for Small Law Firms

Law firms concentrate exactly what attackers want: privileged communications, deal details, trust account access, and clients who cannot afford disclosure. Bar associations now treat data security as a professional-responsibility issue — meaning a breach can cost more than money. This checklist covers the essentials for firms without an IT department.

The threats that actually hit law firms

Wire fraud via compromised email

Attackers monitor firm inboxes for closing dates, then send altered wire instructions from the real thread. Real estate and trust accounts are the primary targets.

Client-data extortion

Modern ransomware exfiltrates first, encrypts second — threatening to publish privileged files unless paid. For a firm, publication is the true damage.

Vendor and cloud account takeover

Practice management, e-discovery, and file-sharing platforms hold the firm's crown jewels behind a single password if MFA is off.

How many of these boxes can you actually check?

Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.

Get Your Free Security Grade

The checklist

1. Enforce MFA on email, practice management, and file sharing

quick win

Email compromise is the starting point of most legal-sector incidents, including wire fraud, so MFA is the single highest-value control. Turn it on for every account that touches client data, and prefer an authenticator app or hardware key over SMS codes where the platform offers one.

2. Adopt a call-back rule for all wire instructions

quick win

Wire-fraud losses almost always trace to instructions that were never confirmed by voice at a number the firm already had on file, never at a number taken from the email requesting the change. Make the call-back mandatory, no exceptions, including for partners and for last-minute changes on closing day.

3. Encrypt laptops and phones firm-wide

quick win

Attorney devices leave the office daily; encryption turns a stolen bag into an inconvenience instead of a disclosure event.

4. Separate trust account banking credentials and add transaction alerts

an afternoon

IOLTA/trust accounts hold client money the firm is a fiduciary for. Credentials used nowhere else keep a compromised operating account or email login from reaching trust funds, and instant alerts on every outgoing transaction surface a fraudulent wire while there is still a chance to recall it.

5. Back up matter files daily, off-site, with a tested restore

an afternoon

Court deadlines don't move for ransomware. Keep at least one copy the office network cannot overwrite, and treat a backup you have never restored as untested: a restore you have actually run is continuity of practice.
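As an added example (not part of the original checklist), the script below shows what "tested restore" means in practice: it archives a matter-files directory, records a checksum manifest, restores the archive into a scratch directory, and passes only if every restored file matches the original byte for byte. The directory names and the constructed sample files are assumptions for illustration; point it at the firm's real matter folder and an off-site mount in production.

```shell
#!/bin/sh
# Added example: daily backup of a matter-files directory with a verified restore.
# Not taken from the original page. All paths below are assumptions.
set -eu

# manifest DIR: one "sha256  ./relative/path" line per regular file under DIR,
# sorted by path so two manifests of identical trees compare equal with diff.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# make_backup SRC_DIR BACKUP_DIR: writes a dated tar.gz plus its manifest into
# BACKUP_DIR and prints the archive path on stdout.
make_backup() {
    src="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/matters-$stamp.tar.gz"
    mkdir -p "$dest"
    manifest "$src" > "$dest/matters-$stamp.sha256"
    tar -czf "$archive" -C "$src" .
    echo "$archive"
}

# verify_restore ARCHIVE MANIFEST: restores ARCHIVE into a scratch directory and
# compares it file by file against MANIFEST. Returns 0 only on an exact match.
# Run this on the newest archive every day, and on an older one periodically.
verify_restore() {
    archive="$1"; expected="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if manifest "$scratch" | diff -q - "$expected" >/dev/null; then
        rm -rf "$scratch"
        echo "OK: $archive restores to $(wc -l < "$expected") verified files"
        return 0
    fi
    rm -rf "$scratch"
    echo "FAIL: restore of $archive does not match $expected" >&2
    return 1
}

# backup_and_verify SRC_DIR BACKUP_DIR: the daily job, in one call.
backup_and_verify() {
    archive=$(make_backup "$1" "$2")
    verify_restore "$archive" "${archive%.tar.gz}.sha256"
}

# Demo on constructed sample data (assumed paths, not real client files).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/matters/Smith v Jones"
    printf 'Constructed sample pleading\n' > "$work/matters/Smith v Jones/complaint.txt"
    printf 'Constructed sample engagement letter\n' > "$work/matters/engagement letter.txt"
    backup_and_verify "$work/matters" "$work/backups"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

In a real deployment the backup directory should be an off-site or offline destination that the office workstations cannot write to, so that ransomware which encrypts the matter folder cannot also overwrite the archives it would later be restored from.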

6. Restrict matter access to the team on the matter

an afternoon

Least privilege limits both breach scope and conflicts exposure — and clients increasingly ask about it in security questionnaires.

7. Vet vendor security before moving client data into a platform

ongoing

The firm's confidentiality duty follows the data; a vendor breach is still your client conversation.

8. Run phishing awareness training twice a year

ongoing

Wire fraud and account takeover both start with one convincing email to one busy person.

Frequently asked questions

Do lawyers have an ethical duty regarding cybersecurity?

Yes. ABA Formal Opinions 477R and 483 establish duties of technology competence, reasonable security efforts, and breach notification to clients. Most state bars have adopted equivalents — security failures can become disciplinary matters, not just business losses.

What should a small firm do first?

MFA on email today, then the wire-instruction call-back rule. Those two controls address the two most expensive legal-sector attack patterns and cost effectively nothing.

Are client security questionnaires worth taking seriously?

Corporate clients increasingly require outside counsel to attest to security controls, and honest gaps can cost the engagement. A documented baseline — like this checklist plus a security grade — turns the questionnaire from a threat into a differentiator.
