Cybersecurity checklist for law firms: 8 things to verify today
Law firms are high-value targets for cybercriminals. You hold sensitive client information, handle financial transactions, and are bound by attorney-client privilege — meaning a data breach isn't just a technical problem, it's a professional liability one.
The ABA's 2023 Tech Report found that 29% of law firms reported a security breach at some point. For solo and small firms, the number is higher — and the resources to recover are far lower.
This checklist covers 8 things every law firm should verify today. None of them require a large IT budget. All of them meaningfully reduce your risk.
1 Domain security: SPF, DKIM, and DMARC
Your domain is your professional identity. If an attacker can spoof it — sending emails that look like they came from your firm — your clients are at risk and your reputation takes the hit.
SPF, DKIM, and DMARC are three DNS TXT records that let receiving mail servers tell your real mail from forgeries. SPF lists the servers allowed to send for your domain; DKIM publishes the public key your mail provider uses to sign outgoing messages; DMARC tells receivers what to do with mail that fails both checks and where to send reports. Most small law firms are missing at least one of them. Many have DMARC but have left the policy at p=none, which only reports spoofing; only p=quarantine or p=reject tells receivers to actually stop it.
Action: Run a free scan at SentryScore to see your domain's current status. It takes 60 seconds and shows you exactly what's missing and how exposed you are. Then contact your IT provider to add what's needed.
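What a scan like the one above actually looks at, as an added example written for this checklist (it is not SentryScore's code): the functions below grade the SPF, DKIM and DMARC records of a domain and report whether it is still spoofable. The DNS records are constructed for the hypothetical domain example-law.test and the DKIM key value is a placeholder; to run it against a real domain, replace the dictionary with the TXT records a DNS lookup returns for the apex, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.

```python
"""Grade a domain's SPF, DKIM and DMARC records the way an email-spoofing scan does.

Added example for this checklist, not SentryScore's code. The records are
constructed for the hypothetical domain example-law.test; the DKIM p= value
is a placeholder, not a real key.
"""

# Constructed sample TXT records, keyed by DNS name: the same firm before and
# after tightening its policy.
MONITOR_ONLY = {
    "example-law.test": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-law.test": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example-law.test"],
    "selector1._domainkey.example-law.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}
ENFORCED = {
    "example-law.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-law.test": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example-law.test"],
    "selector1._domainkey.example-law.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txts):
    """Return (status, reason) for the TXT records at the domain apex."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no v=spf1 record; receivers cannot tell which servers may send for you"
    if len(spf) > 1:
        return "broken", "more than one SPF record; RFC 7208 treats this as a permanent error"
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return "ok", "unlisted senders hard-fail"
    if last == "~all":
        return "softfail", "unlisted senders only soft-fail; DMARC has to do the blocking"
    if last in ("?all", "+all", "all"):
        return "broken", f"'{last}' gives receivers no reason to reject a forgery"
    return "weak", "record does not end with an 'all' mechanism"


def check_dkim(txts):
    """Return (status, reason) for the TXT records at <selector>._domainkey.<domain>."""
    for t in txts:
        tags = parse_tags(t)
        if "p" in tags:
            if tags["p"]:
                return "ok", "public key published for this selector"
            return "revoked", "empty p= means the key was revoked"
    return "missing", "no DKIM key at this selector"


def check_dmarc(txts):
    """Return (status, reason) for the TXT records at _dmarc.<domain>."""
    recs = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not recs:
        return "missing", "no DMARC record; SPF and DKIM results are never acted on"
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 0
    reporting = "" if "rua" in tags else " (and no rua= address, so you receive no reports)"
    if policy in ("quarantine", "reject"):
        if pct == 100:
            return "enforce", f"p={policy} applied to all mail" + reporting
        return "partial", f"p={policy} applied to only {pct}% of mail" + reporting
    if policy == "none":
        return "monitor", "p=none: you get reports, but spoofed mail is still delivered" + reporting
    return "broken", "p= tag missing or invalid"


def assess(records, domain, selector):
    """records maps DNS name -> list of TXT strings (a live lookup returns the same shape)."""
    result = {
        "spf": check_spf(records.get(domain, [])),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }
    # Receivers only discard forgeries when DMARC tells them to; SPF and DKIM
    # alone just produce pass/fail results that nothing acts on.
    result["spoofable"] = result["dmarc"][0] != "enforce"
    return result


if __name__ == "__main__":
    for label, records in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        r = assess(records, "example-law.test", "selector1")
        print(f"{label}: spoofable={r['spoofable']}")
        for check in ("spf", "dkim", "dmarc"):
            status, reason = r[check]
            print(f"  {check.upper():5} {status:9} {reason}")
```

The monitor-only records are the typical small-firm picture: SPF and DKIM exist, DMARC is present but at p=none, so the domain still grades as spoofable. The second set is what "enforced" looks like. The selector name (selector1 here) is set by your mail provider; Microsoft 365 uses selector1 and selector2, Google Workspace uses google by default.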
2 SSL certificate — valid and up to date
Your website should be served over HTTPS, not HTTP. HTTPS depends on a valid TLS certificate (still usually called an SSL certificate). If the certificate is missing, expired, or issued for a different name, browsers cannot confirm that visitors are really talking to your server: modern browsers either block the page outright or show a full-screen warning, and a plain HTTP site is labelled "Not Secure" in the address bar. Either way the traffic is open to tampering and client trust takes the hit.
Action: Type your website address into a browser and look for the padlock (or site-information) icon next to the address. Click it to see who issued the certificate and when it expires. If it's expired or missing, contact your web host immediately. If you use Cloudflare or a host that renews certificates automatically, expiry is normally handled for you, but automatic renewals do fail, so put a reminder in your calendar a few weeks before each expiry date.
Also check that client-facing subdomains (billing portals, scheduling systems, document-sharing links) have valid certificates of their own; a certificate for www.yourfirm.com does not cover portal.yourfirm.com unless it is a wildcard or lists that name explicitly.
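A script version of the same check, as an added example that is not part of the article: it performs the browser-style verification (chain, expiry and hostname) for a list of hostnames so subdomains are covered in one pass, and flags anything within 30 days of expiry. The live check uses only the Python standard library; the offline self-check uses constructed expiry dates and a fixed clock, and the example.com hostnames are placeholders.

```python
"""Report TLS certificate expiry for a firm's public hostnames.

Added example for this checklist, not the article's own code. Live checks use
only the standard library; the dates in demo_report() are constructed.
"""
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # assumption: anything with under a month left needs attention


def days_until_expiry(not_after, now=None):
    """Whole days until the certificate's notAfter date (negative if already past).

    not_after is the string ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(days):
    if days < 0:
        return "expired"
    if days < WARN_DAYS:
        return "expiring"
    return "ok"


def fetch_not_after(host, port=443, timeout=5):
    """Handshake with the host, verifying chain and name the way a browser does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, now=None, fetch=fetch_not_after):
    """Map each host to (status, detail). `fetch` is injectable so the logic
    can be exercised offline with canned notAfter strings."""
    report = {}
    for host in hosts:
        try:
            days = days_until_expiry(fetch(host), now)
            report[host] = (classify(days), f"{days} days left")
        except ssl.SSLCertVerificationError as exc:
            # A live host with an expired, misnamed or untrusted certificate
            # fails the handshake itself, so it lands here rather than as a
            # negative day count.
            report[host] = ("invalid", getattr(exc, "verify_message", None) or str(exc))
        except OSError as exc:  # DNS failure, timeout, refused connection, other TLS errors
            report[host] = ("error", str(exc))
    return report


def demo_report():
    """Offline self-check: constructed notAfter values against a fixed clock."""
    fixed_now = ssl.cert_time_to_seconds("May 12 12:00:00 2030 GMT")
    canned = {
        "www.example.com": "Nov  1 12:00:00 2030 GMT",      # 173 days out
        "portal.example.com": "Jun  1 12:00:00 2030 GMT",   # 20 days out: inside WARN_DAYS
        "billing.example.com": "May  1 12:00:00 2030 GMT",  # 11 days ago
    }
    return check_hosts(list(canned), now=fixed_now, fetch=lambda host: canned[host])


if __name__ == "__main__":
    # Hypothetical firm hostnames; pass real ones on the command line.
    hosts = sys.argv[1:] or ["www.example.com", "portal.example.com", "billing.example.com"]
    report = check_hosts(hosts) if sys.argv[1:] else demo_report()
    for host, (status, detail) in report.items():
        print(f"{host:32} {status:12} {detail}")
```

Run it with your own hostnames as arguments to do live checks; with no arguments it prints the offline demo. Because `create_default_context()` verifies the chain and hostname, a certificate problem on a live site is reported as `invalid` with the verifier's message, which is the same condition that makes a browser show the warning page.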
3 Multi-factor authentication on email
Email is the single most targeted entry point for law firm breaches. Business Email Compromise (BEC) attacks cost law firms millions annually — and most start with a compromised email credential.
Multi-factor authentication (MFA), where logging in requires both a password and a second verification step (an app, a text, a hardware key), stops the vast majority of account takeover attempts cold. Not all second factors are equal, though: a code sent by text message can be intercepted through SIM swapping or simply typed by the victim into a fake login page, and an authenticator-app code can be phished the same way. A hardware security key or a passkey is bound to the real site and cannot be replayed to a look-alike one, so prefer those, then an authenticator app, and treat text-message codes as the last resort.
Action: Enable MFA on every email account at the firm. Microsoft 365 and Google Workspace both support this natively and let an administrator require it for all users rather than leaving it to each person to switch on. Make it mandatory, not optional, and apply the same rule to the accounts that control email from the outside: the admin console, your domain registrar, and your DNS host, since whoever controls those can redirect or read the firm's mail.
Note: Password managers are also worth deploying firm-wide at this stage. Weak, reused passwords are the other half of the account compromise problem.
4 Client portal vs. email for sensitive documents
Sending sensitive legal documents (contracts, settlement agreements, privileged communications) via regular email is a risk. Encryption between mail servers is opportunistic rather than guaranteed, you have no control over the recipient's mailbox or their provider's security, and once delivered the attachment sits in inboxes, backups, and any forwarded copies indefinitely.
Action: If you're sharing sensitive client documents regularly, adopt a client portal with encrypted file sharing. Options include Clio, MyCase, NetDocuments, and others built specifically for law firms. At minimum, use password-protected PDFs for anything sensitive, with a long password sent through a separate channel (a phone call or text message), never in the same email as the attachment; a short PDF password can be guessed offline quickly.
The bar ethics rules in most states require "reasonable measures" to protect client confidentiality. Relying solely on regular email for sensitive matters is increasingly difficult to defend.
5 Breach monitoring for your domain and staff emails
Credentials from your firm may already be circulating on dark web marketplaces from past data breaches — at services your staff use with their work email addresses. If attackers have valid credentials, they don't need to hack anything.
Action: Check HaveIBeenPwned.com, which offers a domain search covering every address at your firm's domain once you verify you control it. For ongoing monitoring, Google Workspace's built-in alerts and Microsoft Entra ID Protection (the identity service behind Microsoft 365) can both flag accounts whose passwords have shown up in a known leak, and dedicated breach monitoring tools do the same across more sources.
If you find exposed credentials: change the password immediately, sign out all active sessions for that account (a password change alone does not always invalidate sessions an attacker already holds), check the mailbox for forwarding or inbox rules you didn't create, and enforce MFA everywhere if you haven't already.
6 Employee phishing awareness training
Technical controls catch a lot — but a motivated attacker with a convincing phishing email can still get a staff member to hand over credentials or click a malicious link. One untrained paralegal can undo all your technical safeguards.
Action: Run at least one phishing awareness training session per year. Document it. Free resources include Google's Phishing Quiz and SANS security awareness materials. Paid platforms like KnowBe4 or Proofpoint Security Awareness Training offer simulated phishing campaigns for more rigorous testing.
The key behaviors to teach: how to spot a suspicious sender (look-alike domains, unexpected urgency, a reply address that doesn't match), not clicking unexpected links or opening unexpected attachments, confirming any change to wire or payment instructions by phone at a number already on file (the classic BEC play against law firms), and whom to tell immediately if they think they've clicked something they shouldn't have. Fast reporting, not punishment, is what limits the damage.
7 Incident response plan
Most small firms have no documented plan for what to do if a breach occurs. This is a problem — not just for security, but for legal and ethical obligations. Many state bars require prompt notification of clients affected by a breach.
Action: Write a one-page incident response plan. It should cover:
- Who to contact first (IT provider, ethics counsel, insurance carrier)
- How to contain the incident (isolate affected systems, reset credentials, sign out active sessions) without destroying evidence: keep mailbox audit logs and affected devices intact until your IT provider or your insurer's forensics team has looked at them
- How to assess what was exposed (which mailboxes, files, and client matters, and for how long)
- State bar and client notification obligations and timelines
You don't need a sophisticated playbook. You need something written down that people can follow under stress. Review and update it annually.
8 Cyber liability insurance
Cyber insurance has become as standard as malpractice coverage for law firms — yet many small firms still don't have it, or don't have enough of it. A single ransomware incident or data breach can cost far more than the annual premium.
Action: Review your current coverage. Does your general business liability policy include cyber? (Many don't, or coverage is minimal.) Talk to your broker about a standalone cyber policy. Most underwriters now require basic hygiene controls — MFA on email, endpoint protection, patched systems — before issuing coverage.
Having the controls above in place also helps you qualify for better rates and broader coverage.
Where to start if you're overwhelmed
If this list feels like a lot, start with items 1, 2, and 3. Domain security, SSL, and MFA together close the most common attack paths against small law firms, and each can be checked in an afternoon. Most of the fixes are quick too; the one exception is moving DMARC to an enforcing policy, which should follow a few weeks of watching the reports so you don't accidentally block your own legitimate mail from a billing or marketing service.
Item 1 — domain security — is the fastest to check and one of the most impactful. Run the free scan at SentryScore and you'll know in 60 seconds whether your firm's domain is being actively exposed to spoofing attacks.
Remember: State bar ethics rules require "reasonable measures" to protect client data. Showing you completed this checklist — and acted on the findings — is meaningful documentation if a breach ever occurs and your security practices come into question.
Related: How email spoofing targets small businesses (and how to stop it)
Also: What is DMARC — and why does every small business need it?