Law Firm IT Security: The Complete 2026 Guide (Controls, Costs, Checklist)

A practical, ABA-aligned guide to law firm IT security in 2026 — the 18 controls that actually matter, real budget benchmarks by firm size, a 90-day implementation roadmap, and the audit checklist underwriters and outside-counsel guidelines now expect.

Attorney Armor Security Team · December 18, 2026 · 17 min read

Law firm IT security in 2026 is no longer an "IT problem." It is a Model Rule 1.1 and 1.6(c) competence problem, a malpractice-insurance problem, and — increasingly — a client-procurement problem. Corporate clients now send law firms the same security questionnaires they send SaaS vendors, and outside-counsel guidelines (OCGs) routinely demand MFA, EDR, encryption-at-rest, and SOC 2 alignment as conditions of engagement.

This guide is the field manual we wish every managing partner and firm administrator had: the 18 IT-security controls that actually matter for a law firm, what each one realistically costs, a 90-day rollout plan that doesn't break the practice, and the audit checklist you can hand to an underwriter or GC tomorrow.

Why law firm IT security looks different from "regular" IT security

A 25-attorney boutique handling M&A holds material non-public information that would move public markets. A 7-lawyer plaintiffs' firm sits on the medical records of every client. A solo immigration attorney holds passports, A-numbers, and family histories that put physical safety at risk if leaked.

Law firm IT security carries three burdens most other SMBs don't:

  • Privilege and confidentiality. ABA Model Rule 1.6(c) requires "reasonable efforts" to prevent unauthorized disclosure. Reasonableness is judged against current technology — what was reasonable in 2019 (a firewall and antivirus) is malpractice-adjacent in 2026.
  • Concentrated, high-value data. A single matter folder can contain board minutes, trade secrets, deal terms, settlement amounts, and personal data for hundreds of individuals.
  • Asymmetric leverage on attackers. Ransomware actors know firms operate on court deadlines. A 72-hour outage during a closing or trial is worth more in ransom pressure than the same outage at a manufacturer.

The result: the controls below aren't optional hardening. They are the baseline a 2026 law firm must hit to defend a "reasonable efforts" standard in front of a bar disciplinary committee, a malpractice carrier, or a class-action plaintiff.

The 18 controls that define law firm IT security in 2026

Group them into five layers. Each control includes what it is, why it matters for a firm, and the realistic 2026 cost band for a 10–50 lawyer practice.

Identity and access (the front door)

1. Phishing-resistant MFA on every account. SMS and app-push MFA are now bypassed routinely by attacker-in-the-middle kits (Evilginx, Tycoon). The 2026 baseline is FIDO2/WebAuthn (hardware keys or platform passkeys) for email, DMS, billing, and remote access. Cost: $40–$60 per user one-time for YubiKeys, free for platform passkeys.

2. Conditional access. Block logins from countries you don't practice in, require compliant devices for sensitive apps, and step up auth for risky sign-ins. Comes free with Microsoft 365 Business Premium or Google Workspace Enterprise. Cost: included in tiers you should already be on.

3. Just-in-time admin access. No standing "Global Admin" accounts. Use PIM (Microsoft) or temporary role grants (Google) so admin rights expire after the task. Cost: included.

4. Quarterly access reviews. Every quarter, partners certify which staff still need access to which matters. Catches departed contractors and over-permissioned paralegals. Cost: 2 hours per quarter per practice group.

Endpoint and device

5. EDR/MDR on every device. Legacy antivirus is insufficient. Modern endpoint detection and response (CrowdStrike, SentinelOne, Defender for Business with a managed SOC) detects behavior, not just signatures, and gives you 24/7 human eyes on alerts. Cost: $8–$15 per device per month with MDR.

6. Full-disk encryption. BitLocker (Windows) and FileVault (Mac) enabled and key-escrowed to your MDM. Renders a stolen laptop a non-event under most state breach-notification laws. Cost: free; ~1 hour per device to deploy.

7. Mobile device management. Every phone with firm email enrolled in Intune or Jamf, with selective wipe, OS-version enforcement, and a passcode policy. Solves the "associate left for a competitor with email on their personal iPhone" problem. Cost: $4–$8 per device per month.

8. Patch management with SLAs. Critical patches within 7 days, high within 30. Track and report. Unpatched VPN appliances and email servers are the #1 ransomware entry point in 2026. Cost: included in most MSP contracts; otherwise $5–$10 per device per month.

Network and email

9. DNS filtering. Cisco Umbrella, Cloudflare Gateway, or DNSFilter blocks malicious domains before a click resolves. Stops most phishing payloads from ever reaching the endpoint. Cost: $2–$3 per user per month.

10. Email authentication: SPF, DKIM, DMARC at p=reject. Stops attackers from spoofing your domain to clients and opposing counsel. A firm without DMARC is sending wire instructions over an impersonatable channel. Cost: free; 4–8 hours of configuration.
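One way to evidence this control from the domain's published TXT records, as an added example that is not the article's or Attorney Armor's code: it parses SPF and DMARC records offline, reports whether DMARC is still at the p=none or p=quarantine rollout stage, and lists the gaps in checklist wording. The records, selectors and domain are constructed placeholders.

```python
"""Check published SPF and DMARC TXT records against the control-10 target: SPF with a hard fail, DKIM selectors present, DMARC at p=reject."""
def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dict; None if not DMARC."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(spf_txt, dmarc_txt, dkim_selectors_found):
    """Return (targets_met, findings): how many of SPF/DKIM/DMARC hit the target, plus the gaps."""
    findings, met = [], 0
    spf = (spf_txt or "").strip()
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record published")
    elif spf.endswith("-all"):
        met += 1  # hard fail: unlisted senders are rejected
    elif spf.endswith("~all"):
        findings.append("SPF: softfail (~all); switch to -all once all senders are listed")
    else:
        findings.append("SPF: no terminal -all (or +all), so any sender passes")
    tags = parse_dmarc(dmarc_txt or "")
    if tags is None:
        findings.append("DMARC: no record; the domain can be spoofed to clients")
    else:
        policy = tags.get("p", "none").lower()
        if policy == "reject":
            met += 1
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine is a rollout stage; move to p=reject after reviewing reports")
        else:
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    if dkim_selectors_found:
        met += 1
    else:
        findings.append("DKIM: no selector records found; outbound mail is unsigned")
    return met, findings

# Constructed sample records for a placeholder domain (not real DNS data)
BEFORE = ("v=spf1 include:spf.protection.outlook.com ~all",
          "v=DMARC1; p=none; rua=mailto:dmarc@example-lawfirm.invalid", [])
AFTER = ("v=spf1 include:spf.protection.outlook.com -all",
         "v=DMARC1; p=reject; rua=mailto:dmarc@example-lawfirm.invalid; adkim=s; aspf=s",
         ["selector1", "selector2"])
```

In practice the three inputs come from TXT lookups of the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`; the example keeps them inline so it runs offline.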

11. Advanced email threat protection. Microsoft Defender for Office 365 or Proofpoint Essentials with attachment sandboxing, link rewriting, and impersonation detection tuned for partner-name spoofs. Cost: $3–$7 per user per month.

12. Web isolation for risky links. Open unknown attachments and links in a remote browser container so malware never touches the endpoint. Often bundled with EDR or SASE. Cost: $3–$5 per user per month if standalone.

Data and backup

13. Immutable, off-site backups (3-2-1-1-0). Three copies, two media types, one off-site, one immutable, zero errors on restore tests. Tested monthly. The single most important control against ransomware existential risk. Cost: $0.02–$0.05 per GB per month plus backup software (~$5/device/month).

14. Encryption at rest and in transit. TLS 1.2+ everywhere, AES-256 at rest for DMS, email, and backups. Confirm with your DMS vendor in writing; many "encrypted" products encrypt only the database, not document blobs. Cost: included in modern SaaS DMS; verify, don't assume.

15. Data loss prevention on outbound channels. Flag or block emails sending bulk PII, source code, or matter files to external addresses. M365 E5 includes Purview DLP; Google Workspace has it in Enterprise. Cost: $10–$20 per user per month for the licensing tier that includes it.

Governance and resilience

16. Written information security program (WISP). A 15–30 page document mapping each control to a policy and an owner. Required by Massachusetts 201 CMR 17, NY DFS 23 NYCRR 500 (for firms touching financial-services clients), and increasingly demanded by OCGs. Cost: $3K–$8K one-time if using a template + counsel review; $10K–$25K for a custom build.

17. Incident response plan + annual tabletop. A six-page IR runbook with named roles (breach coach, forensics, comms), pre-negotiated vendor retainers, and a simulated exercise every year. Firms with a tested IR plan resolve incidents 56% faster (IBM Cost of a Data Breach 2025). Cost: $5K–$15K for plan + tabletop facilitation.

18. Annual external penetration test + quarterly external attack-surface scan. A human-led pen test once a year, automated external scanning every quarter to catch exposed RDP, expired certs, and forgotten subdomains between tests. Many cyber insurers now require both. Cost: $8K–$25K for the annual test; free–$200/month for continuous external scanning.

Realistic IT security budgets by firm size

The single most common question from managing partners: "What should we actually be spending?"

Benchmarks below assume the firm already has core licensing (M365 Business Premium or Google Workspace Business Plus) and a competent MSP or in-house IT lead. They cover the security-specific spend on top of base IT.

Solo and 2–10 lawyers

  • Annual security spend: $8K–$25K total
  • Per-user per-month equivalent: $80–$200
  • Where it goes: MDR-backed EDR, MFA hardware keys, DMARC, immutable cloud backup, M365 Business Premium, an annual external pen test, and an outsourced vCISO 4–8 hours/month.

11–50 lawyers

  • Annual security spend: $40K–$150K
  • Per-user per-month equivalent: $120–$300 (including staff)
  • Add: dedicated security analyst or fractional CISO, formal WISP, annual tabletop, DLP, and SOC 2 Type I if pursuing institutional clients.

51–250 lawyers

  • Annual security spend: $250K–$1.2M
  • Add: in-house security lead, 24/7 SOC (in-house or MDR), SIEM, identity governance, vendor risk program, and SOC 2 Type II.

250+ lawyers / AmLaw

  • Annual security spend: $2M–$15M+
  • Add: full security team, threat intelligence, red team, IRM/GRC platform, ISO 27001 in addition to SOC 2, and compliance with sector-specific frameworks (HITRUST, CJIS, FedRAMP-adjacent for federal practice).

If a firm is spending under 6% of its total IT budget on security in 2026, it is likely underfunded relative to peers. The 2025 ILTA Tech Survey median was 11%.

90-day implementation roadmap

If a firm is starting from "we have a firewall and antivirus," here is the sequence that gets to defensible-baseline fastest.

Days 1–30: stop the bleeding

  • Turn on phishing-resistant MFA for every email and DMS account. Issue hardware keys to partners and finance staff first.
  • Deploy DMARC at p=quarantine (move to p=reject around day 60).
  • Replace legacy AV with EDR + MDR on every device.
  • Verify immutable backups of DMS, email, and finance systems; run a test restore.
  • Inventory every account with admin rights and remove standing access.

Days 31–60: harden the perimeter

  • Roll out DNS filtering firm-wide.
  • Enable conditional access (block impossible-travel, require compliant device for DMS).
  • Enroll all firm-data-touching mobile devices in MDM.
  • Push DMARC to p=reject after monitoring reports.
  • Run an external attack-surface scan to find what attackers see.

Days 61–90: govern and rehearse

  • Draft and adopt the WISP.
  • Stand up the incident response plan, and retain a breach coach and forensics firm on standby.
  • Run a two-hour tabletop exercise with the managing partner, IT lead, COO, and outside breach coach.
  • Schedule the annual external pen test.
  • Brief partners on results, residual risk, and the next 12-month roadmap.

The IT security audit checklist underwriters and GCs now ask for

This is the consolidated questionnaire we see across cyber underwriting submissions and Fortune 500 outside-counsel security reviews in 2026. If a firm can answer "yes" to all 22, it is in the top quartile.

Identity

  • Is phishing-resistant MFA enforced for 100% of users on email and DMS?
  • Are there zero standing global-admin accounts?
  • Are access reviews documented quarterly?

Endpoint

  • Is EDR with 24/7 MDR deployed on 100% of endpoints and servers?
  • Is full-disk encryption enforced and key-escrowed?
  • Are critical patches applied within 7 days, with evidence?

Email and network

  • Is DMARC at p=reject, with SPF and DKIM aligned?
  • Is advanced email threat protection (sandboxing + impersonation) enabled?
  • Is DNS filtering deployed firm-wide, including remote workers?

Data

  • Are backups immutable, off-site, and test-restored monthly?
  • Is encryption at rest verified in writing with the DMS vendor?
  • Is DLP enabled on outbound email for PII and matter files?

Governance

  • Is a written WISP adopted and reviewed annually by leadership?
  • Is there a documented incident response plan with named roles?
  • Was a tabletop exercise run in the last 12 months?
  • Is there an annual external penetration test with a current report?
  • Is continuous external attack-surface monitoring in place between tests?

Vendor and people

  • Is there a vendor risk program reviewing SOC 2 reports for material vendors (DMS, eDiscovery, payroll)?
  • Do all staff complete annual security and confidentiality training?
  • Is phishing simulation run at least quarterly?
  • Is there a documented offboarding checklist that revokes all access within 24 hours?
  • Is there cyber insurance with coverage aligned to the firm's revenue and data exposure?

Common law firm IT security mistakes (and how to avoid them)

Treating the MSP contract as the security program

A general-IT MSP is not a security program. They keep the lights on. Ask specifically: who is responsible for tuning EDR alerts at 2 a.m.? Who reviews DLP findings? Who owns the WISP? If the answer is "us, we guess," the firm has IT, not security.

Confusing "we use Microsoft 365" with "we are secure"

M365 Business Standard does not include Defender for Office 365 Plan 2, conditional access, Intune, or Purview DLP. Business Premium does. The license tier *is* the control set. Audit yours.

Skipping the tabletop because "we don't have time"

A two-hour tabletop the year before an incident saves 50+ hours and six-figure losses during the incident. It is the highest-ROI security activity a firm can do.

Buying tools without process

Three EDR vendors, two MFA platforms, and no one assigned to review alerts is worse than one well-tuned stack with an owner. Buy the program, not the logo.

How Attorney Armor helps

Attorney Armor runs a continuous external attack-surface scan against your firm's domain, surfacing the exposures attackers see — expired certs, exposed admin panels, missing DMARC, leaked credentials, and ransomware-precursor footprints — and maps each finding to the Model Rule 1.6(c) and underwriter-checklist items above.

Frequently asked questions

What is law firm IT security?

Law firm IT security is the combined set of technical, administrative, and physical controls a law practice uses to protect client confidential information, work product, and firm operations from unauthorized access, disclosure, or disruption. In 2026, it is governed by ABA Model Rules 1.1 and 1.6(c), state breach-notification statutes, and increasingly by client outside-counsel guidelines and cyber-insurance underwriting requirements.

How much should a law firm spend on IT security?

In 2026, well-run firms spend roughly 8–14% of their total IT budget on security-specific tools, staff, and services. In per-user terms, a 10–50 lawyer firm typically spends $120–$300 per user per month on security (inclusive of MDR, licensing, and a fractional CISO). Solos and very small firms can reach defensible-baseline for $8K–$25K per year.

What is the most important IT security control for a law firm?

If a firm can do only one thing, it should be phishing-resistant MFA (FIDO2 hardware keys or platform passkeys) on email and the document management system. The majority of law firm breaches still begin with credential compromise, and modern MFA prevents almost all of them. Immutable, tested backups are a very close second.

Does ABA Model Rule 1.6(c) require specific IT security controls?

No — it requires "reasonable efforts" to prevent unauthorized disclosure of client information. Reasonableness is judged against current technology, threat landscape, the sensitivity of the data, and the cost of safeguards. In 2026, the controls in this guide (MFA, EDR, encryption, backups, IR plan, WISP, training) collectively represent the prevailing reasonable standard for most firms.

Do small law firms really need a written information security program?

Yes. A WISP is required by statute in Massachusetts (201 CMR 17.00) for any firm holding personal information of a Massachusetts resident, and is increasingly demanded by corporate clients, cyber insurers, and bar-association risk programs regardless of firm size. A template-based WISP reviewed by counsel can be implemented in two weeks for under $10K.

How often should a law firm get penetration tested?

External penetration tests should be performed at least annually by an independent third party, with continuous external attack-surface scanning between tests to catch newly exposed assets. Internal pen tests are appropriate every 18–24 months for firms with significant on-premises infrastructure or self-hosted applications.
