A practical checklist for managing partners, firm administrators, and legal operations teams that want to reduce client-data risk, improve Microsoft 365 security, and prepare for a confidential technology review.
How to use this checklist
Use this checklist as a working document before a technology assessment, cyber insurance review, vendor review, or managed IT transition. The goal is not to create a perfect security program in one sitting. The goal is to identify the gaps that create the highest risk to confidentiality, uptime, recoverability, and attorney productivity.
For a guided review, request AKAVEIL's free Law Firm IT & Cybersecurity Assessment: https://akaveil.com/law-firm-it-assessment/.
1. Identity and access controls
- Confirm multi-factor authentication is enforced for every user, including attorneys, paralegals, administrators, shared mailbox delegates, and remote workers, and that no account slips past it through a legacy authentication protocol or a forgotten policy exclusion.
- Review all global administrators, privileged accounts, legacy admin users, and vendor accounts; each should belong to a named person with a documented reason for holding the role.
- Remove inactive users and disable accounts for departed employees on the same day they leave the firm, revoking active sessions and any app passwords at the same time.
- Require conditional access policies for risky sign-ins, unmanaged devices, and external locations.
- Confirm shared accounts are eliminated or tightly controlled with named-user accountability.
- Document who approves new access to mailboxes, SharePoint sites, matter folders, finance systems, and practice management software.
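The identity items above reduce to a handful of checks over an export of the firm's accounts: who is still enabled, who has MFA registered, who holds a privileged role, and who has not signed in for a long time. The script below is an added example written for this checklist, not AKAVEIL's code or a Microsoft tool. It runs over a constructed CSV export; the column names, the 90-day inactivity window, the list of privileged roles, and every row in the sample are this example's assumptions.

```python
"""Identity and access review over a user export (added example for this
checklist, not AKAVEIL's code). It assumes one row per account with the
columns shown in SAMPLE_EXPORT; that shape and every row in it are
constructed for the example, not taken from a real tenant."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: upn, enabled, MFA registered, directory roles
# (semicolon separated), last interactive sign-in (UTC), account type.
SAMPLE_EXPORT = """\
upn,enabled,mfa_registered,roles,last_sign_in,account_type
jsmith@examplefirm.com,True,True,,2024-05-28T14:02:00Z,user
it-admin@examplefirm.com,True,False,Global Administrator,2024-05-29T09:15:00Z,user
old-vendor@examplefirm.com,True,True,Exchange Administrator,2023-11-02T11:00:00Z,vendor
reception@examplefirm.com,True,False,,2024-05-29T08:00:00Z,shared
departed-para@examplefirm.com,True,True,,2024-01-15T17:30:00Z,user
svc-scanner@examplefirm.com,False,False,,,service
"""

INACTIVE_DAYS = 90  # assumed threshold; pick one the firm can defend
PRIVILEGED_ROLES = {  # assumed list of roles the firm treats as privileged
    "Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "SharePoint Administrator",
}
SEVERITY_ORDER = {"RED": 0, "YELLOW": 1}


def parse_export(text):
    """Turn the CSV text into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["enabled"] = r["enabled"] == "True"
        r["mfa_registered"] = r["mfa_registered"] == "True"
        r["roles"] = {x.strip() for x in r["roles"].split(";") if x.strip()}
        ts = r["last_sign_in"]
        r["last_sign_in"] = datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None
        rows.append(r)
    return rows


def review_identities(rows, now):
    """Return (severity, upn, finding) tuples, RED findings first."""
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    findings = []
    for r in rows:
        if not r["enabled"]:
            continue  # a disabled account cannot sign in; nothing to flag
        privileged = bool(r["roles"] & PRIVILEGED_ROLES)
        worst = "RED" if privileged else "YELLOW"  # the same gap is worse on an admin
        if not r["mfa_registered"]:
            findings.append((worst, r["upn"], "enabled account with no MFA registered"
                             + (" (holds a privileged role)" if privileged else "")))
        if r["last_sign_in"] is None or r["last_sign_in"] < cutoff:
            findings.append((worst, r["upn"],
                             f"still enabled with no sign-in in {INACTIVE_DAYS} days"))
        if r["account_type"] == "shared":
            findings.append(("YELLOW", r["upn"],
                             "shared account: confirm named-user accountability"))
        if r["account_type"] == "vendor" and privileged:
            findings.append(("RED", r["upn"], "vendor account holds a privileged role"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


def review_sample(as_of="2024-06-01T00:00:00Z"):
    """Run the review over SAMPLE_EXPORT as of the given UTC timestamp."""
    now = datetime.fromisoformat(as_of.replace("Z", "+00:00"))
    return review_identities(parse_export(SAMPLE_EXPORT), now)


if __name__ == "__main__":
    for sev, upn, why in review_sample():
        print(f"{sev:6} {upn:32} {why}")
```

Against the constructed rows the script produces three red findings (an administrator without MFA and a vendor account that both holds Exchange Administrator and has not signed in for months) and three yellow ones. Swap in a real export and the output is the evidence behind the first row of the priority scoring worksheet; the MFA and last-sign-in columns are data an IT provider can pull from the tenant's authentication-methods registration and sign-in activity reports.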
2. Email and phishing protection
- Confirm SPF, DKIM, and DMARC are configured for the firm's domain, and that the DMARC policy is enforcing (quarantine or reject) rather than monitor-only (p=none), which still lets spoofed mail through.
- Review anti-phishing, impersonation, malware, and safe-link policies in Microsoft 365 or the firm's email security platform.
- Confirm external sender warnings are active and clear enough for staff to understand.
- Train users on wire fraud, fake invoice requests, credential harvesting, and spoofed client communications.
- Review mailbox forwarding settings and inbox rules at least quarterly; rules that forward outside the firm, delete mail, or move it to rarely opened folders are a common sign of a compromised mailbox.
- Confirm attorneys know how to report phishing attempts without delaying billable work.
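Two of the items above are easy to turn into a repeatable check: grading the domain's SPF and DMARC records, and scanning inbox rules for the forward, delete, and hide patterns attackers leave behind after a mailbox takeover. The script below is an added example for this checklist, not AKAVEIL's code or a Microsoft tool. The TXT records and the inbox rules are constructed, and the rule field names (`forward_to`, `redirect_to`, `delete`, `move_to`) are this example's assumption about an export, not an Exchange schema.

```python
"""Email posture checks, added for this checklist (not AKAVEIL's code): grade the
firm's SPF and DMARC records, then flag inbox rules that match common business
email compromise patterns. The DNS records and rule records are constructed; the
rule field names are this example's assumption, not an Exchange export schema."""
import re

FIRM_DOMAIN = "examplefirm.com"
# Constructed TXT records, as they might be published for the firm's domain.
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com include:_spf.billing.example ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@examplefirm.com; pct=100"
# SPF mechanisms that each consume one of the ten permitted DNS lookups.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Folders attackers move mail into because the owner rarely looks there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}


def grade_spf(record):
    """Return (grade, reason) for an SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "RED", "no SPF record: any host may send as the domain"
    # Strip the qualifier (+ - ~ ?) and the argument to get the mechanism name.
    names = [re.split(r"[:/=]", re.sub(r"^[+\-~?]", "", t.lower()), maxsplit=1)[0]
             for t in terms[1:]]
    lookups = sum(n in LOOKUP_MECHANISMS for n in names)
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        return "RED", "ends in +all, which authorises every sender on the internet"
    if lookups > 10:
        return "RED", f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)"
    if tail == "-all":
        return "GREEN", "hard fail (-all) with a valid lookup count"
    if tail == "~all":
        return "YELLOW", "soft fail (~all); move to -all once every legitimate sender is listed"
    return "YELLOW", f"no explicit all mechanism (record ends with {tail!r})"


def grade_dmarc(record):
    """Return (grade, reason) for a DMARC TXT record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "RED", "no DMARC record: spoofed mail is neither rejected nor reported"
    policy, pct = tags.get("p", "").lower(), int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        grade, reason = "GREEN", "p=reject enforced on all mail"
    elif policy in ("quarantine", "reject"):
        grade, reason = "YELLOW", f"p={policy} at pct={pct}; finish at p=reject with pct=100"
    elif policy == "none":
        grade, reason = "YELLOW", "p=none only reports; spoofed mail is still delivered"
    else:
        grade, reason = "RED", "record present but the p= policy is missing or invalid"
    if "rua" not in tags:
        reason += "; no rua= address, so nobody receives aggregate reports"
    return grade, reason


# Constructed inbox-rule export, one dict per rule (field names assumed).
SAMPLE_RULES = [
    {"mailbox": "partner@examplefirm.com", "name": "Client A filing", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "Client A"},
    {"mailbox": "partner@examplefirm.com", "name": ".", "enabled": True,
     "forward_to": ["archive.fwd@webmail.example"], "redirect_to": [], "delete": True, "move_to": None},
    {"mailbox": "billing@examplefirm.com", "name": "Invoices", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "RSS Feeds"},
    {"mailbox": "assoc@examplefirm.com", "name": "Old assistant", "enabled": False,
     "forward_to": ["ex.assistant@webmail.example"], "redirect_to": [], "delete": False, "move_to": None},
]


def suspicious_rules(rules, firm_domain=FIRM_DOMAIN):
    """Return (mailbox, rule name, [reasons]) for enabled rules that need a human look."""
    hits = []
    for r in rules:
        if not r["enabled"]:
            continue
        reasons = []
        external = [a for a in r["forward_to"] + r["redirect_to"]
                    if not a.lower().endswith("@" + firm_domain)]
        if external:
            reasons.append("forwards or redirects outside the firm: " + ", ".join(external))
        if r["delete"]:
            reasons.append("deletes messages, hiding them from the mailbox owner")
        if r["move_to"] and r["move_to"].lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail into {r['move_to']!r}, a folder users rarely open")
        if len(r["name"].strip(" .")) <= 1:
            reasons.append("near-empty rule name, a common attacker choice")
        if reasons:
            hits.append((r["mailbox"], r["name"], reasons))
    return hits


if __name__ == "__main__":
    print("SPF  ", *grade_spf(SPF_RECORD))
    print("DMARC", *grade_dmarc(DMARC_RECORD))
    for mailbox, name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

On the constructed data the domain grades yellow twice (soft-fail SPF, monitor-only DMARC) and two rules are flagged: a rule named "." that forwards to a webmail address and deletes the original, and a billing rule that files invoices into RSS Feeds. To run this against a real tenant, look up the TXT records for the firm's domain and for `_dmarc.` under it, and export inbox rules and mailbox-level forwarding from Exchange Online. Review each hit with the mailbox owner before removing anything; a rule that forwards to a personal mailbox may be legitimate, but it is still a policy finding.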
3. Endpoint and device security
- Maintain a current inventory of laptops, desktops, mobile devices, servers, and remote endpoints.
- Confirm every endpoint has managed antivirus or EDR protection that reports to a console someone actually reviews.
- Enforce full-disk encryption on laptops that may store or access confidential data, and escrow the recovery keys so a locked device is not a lost device.
- Patch operating systems, browsers, Adobe products, Microsoft Office, and common legal productivity tools on a defined schedule.
- Require remote wipe capability for mobile devices that access firm email or documents.
- Separate personal devices from firm-managed devices wherever possible.
4. Microsoft 365 and SharePoint governance
- Review Teams, SharePoint, and OneDrive permissions for sensitive client or matter data.
- Remove stale external sharing links and unknown guest users; "Anyone" links need no sign-in, so the URL itself is the credential.
- Define naming conventions for Teams and SharePoint sites.
- Confirm the firm knows where active matters, closed matters, templates, intake files, and administrative records live.
- Apply retention and deletion rules only after the firm reviews legal, operational, and client requirements.
- Test whether a new attorney or paralegal receives the correct access without manual guesswork.
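The external-sharing review above is the item most firms cannot answer from memory, because links accumulate one matter at a time. The script below is an added example for this checklist, not AKAVEIL's code or a Microsoft tool. It triages a constructed sharing-links export: the column names, the 180-day staleness window, and the convention that closed-matter sites carry "Closed" in their name are all this example's assumptions.

```python
"""Triage of exported SharePoint and OneDrive sharing links (added example for
this checklist, not AKAVEIL's code). The rows and column names in SAMPLE_LINKS
are constructed; they are this example's assumption about what a sharing-links
report contains, not a Microsoft schema."""
import csv
import io
from datetime import date, timedelta

# Constructed export: site, item, link type, permission, created, expiry, recipient.
SAMPLE_LINKS = """\
site,item,link_type,permission,created,expires,shared_with
/sites/Matter-2023-118-Closed,Settlement-draft.docx,Anonymous,Edit,2023-09-12,,
/sites/Matter-2024-042,Discovery-index.xlsx,Specific,View,2024-05-20,2024-06-20,counsel@opposing.example
/sites/Intake,Intake-form.pdf,Anonymous,View,2024-02-01,,
/sites/Admin,Holiday-schedule.docx,Organization,View,2024-01-10,,
/sites/Matter-2024-042,Expert-report.pdf,Specific,Edit,2023-12-01,,expert@consult.example
"""
STALE_DAYS = 180        # assumed: external links older than this need re-approval
CLOSED_MARKER = "closed"  # assumed naming convention for closed-matter sites


def parse_links(text):
    """Turn the CSV text into dicts with date fields parsed."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["created"] = date.fromisoformat(r["created"])
        r["expires"] = date.fromisoformat(r["expires"]) if r["expires"] else None
        rows.append(r)
    return rows


def triage_links(rows, today):
    """Return (severity, site, item, [reasons]) for links that need review, RED first."""
    cutoff = today - timedelta(days=STALE_DAYS)
    findings = []
    for r in rows:
        if r["link_type"] == "Organization":
            continue  # internal-only links are a permissions question, not external exposure
        reasons, severity = [], "YELLOW"
        if r["link_type"] == "Anonymous":
            reasons.append("Anyone link: no sign-in needed, so the URL itself is the credential")
            if r["permission"] == "Edit":
                severity = "RED"  # anyone holding the URL can change the document
        if r["expires"] is None and r["created"] < cutoff:
            reasons.append(f"created over {STALE_DAYS} days ago with no expiry date")
        if r["expires"] is not None and r["expires"] < today:
            reasons.append("expired link still listed; confirm it is actually dead")
        if CLOSED_MARKER in r["site"].lower():
            reasons.append("external access on a closed matter site")
            severity = "RED"
        if reasons:
            findings.append((severity, r["site"], r["item"], reasons))
    return sorted(findings, key=lambda f: (f[0] != "RED", f[1], f[2]))


def triage_sample(as_of="2024-06-01"):
    """Run the triage over SAMPLE_LINKS as of the given date."""
    return triage_links(parse_links(SAMPLE_LINKS), date.fromisoformat(as_of))


if __name__ == "__main__":
    for sev, site, item, reasons in triage_sample():
        print(f"{sev:6} {site}/{item}: " + "; ".join(reasons))
```

On the constructed rows the one red finding is an anonymous edit link on a closed matter that has no expiry; the link with a named external recipient and an expiry date in the future produces no finding at all, which is the shape a well-governed external share should have. A real report from the tenant's sharing controls can be dropped in place of the sample once the column names are mapped.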
5. Backup and recovery readiness
- Confirm backups cover Microsoft 365, endpoints, servers, file shares, databases, and practice management systems where applicable; Microsoft's own retention is not a backup of the firm's tenant.
- Review backup frequency, retention period, encryption, and offsite storage.
- Test recovery for a mailbox, a SharePoint file, an endpoint, and a critical business dataset, and record how long each restore actually took.
- Document who can authorize a restore and how quickly the firm expects recovery.
- Confirm backups are protected from ransomware or unauthorized deletion, for example with immutable or offline copies and backup credentials that are separate from the everyday admin accounts.
- Keep a written disaster recovery plan that leadership can understand.
6. Legal software and vendor risk
- Maintain a list of practice management, document management, billing, e-signature, phone, accounting, and cloud vendors.
- Document vendor support contacts, account owners, renewal dates, admin portals, and escalation paths.
- Review whether each vendor supports MFA, audit logs, SSO, and role-based permissions.
- Confirm vendor access is removed when a project ends.
- Identify which vendors store confidential data and which vendors only support workflow tools.
- Create a process for coordinating incidents across vendors and the firm's IT partner.
7. Policies and user behavior
- Maintain written policies for password management, acceptable use, remote work, mobile devices, incident reporting, data retention, and client document handling.
- Train new employees before granting broad access to firm systems.
- Run recurring awareness refreshers focused on the real threats law firms face.
- Document who approves exceptions and when exceptions expire.
- Confirm staff know how to escalate suspicious emails, lost devices, failed backups, or accidental data sharing.
8. Executive reporting
- Ask your IT provider for a quarterly summary of open risks, resolved issues, recurring ticket categories, backup status, endpoint health, Microsoft 365 findings, and recommended projects.
- Maintain a technology roadmap that separates urgent fixes, security improvements, productivity projects, and future budget items.
- Review cyber insurance requirements before renewal, not after an incident or questionnaire deadline.
- Align technology decisions with firm growth plans, new practice areas, remote work expectations, and client confidentiality obligations.
Priority scoring worksheet
| Area | Green | Yellow | Red | Owner |
| --- | --- | --- | --- | --- |
| MFA and administrator access | All users and admins protected | Some exceptions exist | MFA missing or unknown admin accounts | Managing partner / administrator |
| Email security | SPF/DKIM/DMARC and phishing controls active | Basic spam filtering only | Spoofing and phishing controls unknown | IT provider |
| Endpoint protection | All devices managed and patched | Some unmanaged devices | No complete inventory | IT provider |
| Backup and recovery | Backups tested and documented | Backups active but rarely tested | Backup coverage unknown | Firm leadership / IT provider |
| SharePoint permissions | Access reviewed and documented | Some external links remain | Matter access is unclear | Administrator / IT provider |
| Vendor risk | Vendor list and escalation paths documented | Vendor list incomplete | Admin access and data storage unknown | Firm administrator |
Recommended next step
If several areas above are yellow or red, your firm should not wait for a crisis to review its technology posture. Start with AKAVEIL's free assessment so you can prioritize what matters most: Microsoft 365 security, endpoint protection, backup, vendor coordination, document workflows, and the first 30 days of remediation.
Request the Free Law Firm IT & Cybersecurity Assessment
Related resources: Managed IT Services for Law Firms, Cybersecurity Audit for Law Firms, and Microsoft 365 Security Assessment.