Ten Cybersecurity Best Practices for Your Law Firm in 2025

by Jeff Lillibridge

March 16, 2025

Key Takeaways:

According to the latest Integris survey of hundreds of law firm clients nationwide, 31% said they’d fire their firm if it had a cybersecurity breach. Forty percent said they’d be willing to pay more for a law firm they knew had good cybersecurity and IT compliance procedures. Here’s what law firms should do to harden their defenses against hackers and attract higher-end clients:

  • Develop Comprehensive Cybersecurity Plans: Ensure your firm has detailed cybersecurity plans, policies, and procedures in place to guide your operations and compliance efforts.
  • Set Clear Cybersecurity Expectations for Staff: Implement written policies, such as Bring-Your-Own-Device (BYOD) and AI Acceptable Use policies, to train staff on safe practices.
  • Utilize Managed IT Services: Partner with a managed IT service provider to align your firm with current cybersecurity best practices and regulatory frameworks like HIPAA and GDPR.
  • Adopt a Responsible IT Architecture: Use powerful cybersecurity tools that work together seamlessly to create a robust IT infrastructure.
  • Regularly Update and Monitor Systems: Keep your systems updated with the latest patches and continuously monitor for potential threats to ensure ongoing protection.

Would your clients fire you over your cybersecurity hygiene?

According to our survey of 1,000 law firm clients across the US, the answer is definitely yes. In fact, in our 2025 Law Firm Cybersecurity Report, 39% of law firm clients said they’d fire their law firm if it had a data breach, and another 21% said they “weren’t sure.” If it’s been a while since you’ve hardened your cybersecurity defenses, those aren’t good odds.

It doesn’t help that 2024 was the biggest year in history for law firm data breaches. By mid-May last year, American Lawyer reported that nearly as many law firm data breaches had been reported to state authorities as in the entire year of 2023. A breach at one law firm left 6,000 people with their names, addresses, and Social Security numbers stolen.

Don’t want this to happen to your firm? Fortunately, there are some simple strategies for leveling up your firm’s cybersecurity. The right managed IT service provider can help align your firm with current cybersecurity best practices for law firms. This includes recommendations all companies should follow, such as the US government’s Shields Up directive. It also includes the cybersecurity regulations your clients (and therefore you) must follow, such as HIPAA (for healthcare data handling), GDPR (for customer purchase data), CMMC (for Department of Defense manufacturers), and more.

At Integris, we’ve built our business on helping law firms harden their IT infrastructure, serving more than 100 law firms across the nation. Here are our top ten cybersecurity best practices for law firms in 2025.


Cybersecurity Best Practices for Law Firms: Your Best Defense Against Data Loss

Some of the most critical decisions in firm leadership will revolve around your cybersecurity. It’s the platform on which you’ll build a successful firm. Is it complicated? Yes. Luckily, cybersecurity tools are powerful and designed to work together to create a Responsible IT Architecture for your firm.

Your managed IT service provider can collaborate with your IT staff to create the right cybersecurity protocols that can run seamlessly in the background of your operations. We recommend starting here.


#1—Develop Strong Cybersecurity Plans, Policies, and Procedures

It may seem counterintuitive to write down how your software works together on your system, but it’s a critical part of your compliance operations. Your cybersecurity plan should be integral to your overall IT plan and budget. Everything should be noted, including your patching protocols, monitoring reports, disaster recovery plan, service structures, and more.

This helps your firm in several ways. First, it provides clear instructions so that anyone working on your system understands where to go and what to do in the event of an emergency. Second, it provides proof of your secure cybersecurity operations, which you will need in the event of a regulatory review or request from clients. An MSP outfitted with a virtual Chief Information Security Officer can make light work of this large documentation job.


#2—Set Cybersecurity Expectations for Your Staff and Put Them in Writing

It may seem like a lot of work to produce written cybersecurity policies for your employees. Yet, they can be a critical training tool that helps prevent cyberattacks. According to the 2024 Verizon Data Breach Report, 68% of all data breaches involved human error on the part of an employee. A good place to start is a “Bring-Your-Own-Device policy,” which outlines how to safely use your own phone or tablet while working on firm business.

We also strongly recommend an “AI Acceptable Use Policy,” whether or not your firm currently uses AI programs as part of your official business. Why? Because AI tools are soon going to be in everything, and employees need to understand how to use them safely. AI now comes standard with phone features like Apple Intelligence. The temptation to use free large language models like ChatGPT to speed up our work is strong. It can be hard to resist the latest AI-driven photo engine or video maker. But the minute you work with these tools, there’s risk. For instance, if you paste client meeting notes into ChatGPT and ask it to summarize them, ChatGPT now has that data available to train its models. Downloading free AI apps onto your phone can be just as risky, since such apps often steal your data and harbor spyware, ransomware, and more.

A strong AI Acceptable Use Policy will help set rules to keep your client data from leaking onto these platforms unintentionally.

For advice on how to create a written AI policy for your firm, check out our free template.


#3—Invest in Multi-Factor Authentication

In layman’s terms, multi-factor authentication is like a bouncer standing at the doorway of your firm’s system. It demands not just a password but a second way of identifying yourself before access is allowed. Usually, that second factor is a code or approval prompt handled through a dedicated app on an employee’s phone, like Duo.

This kind of cybersecurity tool is absolutely critical, no matter your firm’s size. Yet, in a recent Bar Association member survey, an average of 33% of firms (only 33%!) said they use multi-factor authentication. It’s enough to make a cybersecurity expert hang his head and cry. Why? Because this one tool can eliminate the biggest portion of attacks coming at your company. Without it, you’re leaving your digital front door unlocked.

We also recommend you go a step further and add a Zero-Trust system, which will continuously authenticate users while they are working on your information platforms. Together, they form a reliable protection network. In our opinion, it’s a critical “cost of doing business” investment.


#4—Invest in Continuous Cybersecurity Training

If you have a small firm, structured cybersecurity training programs may seem out of reach. Fortunately, most cybersecurity awareness training programs have moved online and are available on a per-user basis that scales to the size of your business. Most programs are entertaining, based on late-breaking hack attacks, and take just a few minutes each month to complete.

Even better, they provide graded tests that allow you to track your staff’s completion and comprehension rates. This documentation comes in handy when you need to provide proof to a regulator, cyber risk insurer, or prospective client. With your monthly reports in hand, you’ll be able to prove your staff is up to date on all the latest breach prevention education.


#5—Tailor Your Backup and Disaster Recovery Plan to Your Firm’s Needs

Most computer users have some kind of backup in place. But we urge you to think strategically about how much you back up, where you back up, and how fast you can retrieve your data in the event of a natural disaster, outage, or hack.

Specifically, you need to ask yourself two questions:

  • How long can my firm be down before the business losses become unbearable? The answer will be your Recovery Time Objective (RTO).
  • How much data can my firm afford to lose in the event of an outage? A half day’s worth? A half hour’s worth? The answer will be your Recovery Point Objective (RPO).

A cybersecurity expert can then use this information to help craft and price out a disaster recovery plan that manages the right amount of backup storage and backup speed for your business.
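Turning those two answers into a routine check, as an added example that is not part of the original post: the script below uses a constructed backup-job history and a hypothetical `check_objectives` helper to report, per job, how old the last successful backup is against the RPO and how long the last restore drill took against the RTO.

```python
from datetime import datetime

# Constructed sample backup-job history (not real firm data). Each record holds the
# job name, when the run finished (ISO 8601), whether it succeeded, and how many
# minutes the most recent restore drill for that job took.
BACKUP_LOG = [
    {"job": "dms-nightly", "finished": "2025-03-15T02:10:00", "status": "ok", "restore_minutes": 90},
    {"job": "dms-nightly", "finished": "2025-03-16T02:12:00", "status": "failed", "restore_minutes": 90},
    {"job": "mail-hourly", "finished": "2025-03-16T07:05:00", "status": "ok", "restore_minutes": 30},
]


def check_objectives(log, now_iso, rpo_minutes, rto_minutes):
    """Compare each backup job against the firm's RPO and RTO (hypothetical helper).

    The RPO check asks how much work would be lost if the firm had to restore right
    now, i.e. how old the last *successful* backup is; failed runs do not count.
    The RTO check uses the restore time measured in the last drill. Returns one
    dict per job.
    """
    now = datetime.fromisoformat(now_iso)
    jobs = {}
    for rec in log:
        job = jobs.setdefault(rec["job"], {"last_good": None, "restore_minutes": rec["restore_minutes"]})
        if rec["status"] == "ok":
            finished = datetime.fromisoformat(rec["finished"])
            if job["last_good"] is None or finished > job["last_good"]:
                job["last_good"] = finished
    report = {}
    for name, job in jobs.items():
        if job["last_good"] is None:
            at_risk = None  # no successful backup at all: the RPO cannot be met
        else:
            at_risk = int((now - job["last_good"]).total_seconds() // 60)
        report[name] = {
            "data_at_risk_minutes": at_risk,
            "rpo_met": at_risk is not None and at_risk <= rpo_minutes,
            "rto_met": job["restore_minutes"] <= rto_minutes,
        }
    return report


if __name__ == "__main__":
    # Half a day of acceptable data loss, one hour of acceptable downtime.
    for name, result in check_objectives(BACKUP_LOG, "2025-03-16T08:00:00", 12 * 60, 60).items():
        print(name, result)
```

The failed nightly run is what makes the document-management job miss its RPO: the last good copy is almost 30 hours old, which is the figure that matters, not the schedule.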

We also strongly recommend doubling your backup. This means having an off-site cloud backup if most of your data is backed up on your own local servers. If you already have cloud backup, you may want to consider a secondary cloud backup solution for your most critical information.


#6—Invest in Cybersecurity Governance

In addition to your average IT spending, we strongly recommend hiring a qualified virtual chief information security officer (vCISO) or similar professional to handle your firm’s cybersecurity governance. They can work as a consultant on a retainer with your existing IT staff to ensure that monitoring, patching, and documentation are on point.

With regular reviews, they can flag cybersecurity problems at the first sign of trouble and recommend remediations immediately. They can also handle those cybersecurity administration headaches, such as applying for cyber risk insurance or filling out questionnaires from prospective clients. They can also help you vet any tools or software on your systems—a critical part of any third-party verification program.


#7—Purchase Cyber Risk Insurance for Your Firm

Every firm, no matter its size, should have cyber risk insurance. These plans help mitigate any losses you incur due to outages, disasters, or breaches. If you saw the damage created by the CrowdStrike outage, the need for this kind of protection should be clear. Even if your own cybersecurity setup is running perfectly, you never know when a third-party provider, vendor, or client can trigger a significant outage for your firm.

Cyber risk insurance policies can be scaled perfectly to your business. This budget-friendly tactic can also help protect your digital estate and bottom line.

#8—Ready Your Firm for Client and Regulatory Reviews

Nothing can have you running for the headache pills quicker than a client questionnaire asking for your cybersecurity documentation. It’s becoming a very common request, especially for larger firms with big clients.

In fact, in a recent report from the American Bar Association, 27% of respondents said clients had asked them for the firm’s security requirements document/guidelines. For firms over 100 lawyers, 50% were asked, with rates at 59% for 50-99 lawyers, 41% for 10-49 lawyers, and 15% for firms of 2-9 lawyers.


#9—Train Your Clients

Clients often demand that you communicate on the go. This can lead to risky behaviors like transferring sensitive documents over public platforms like Google Docs or text. If you haven’t done it already, create a safe and password-protected document vault for working with your clients. Train your clients to be careful about working with you over public Wi-Fi or any other spot that can be accessed by criminals doing man-in-the-middle attacks. Make sure they understand what your official e-mail and text communications look like and vice versa. Your clients will appreciate you looking out for the security of their data.


#10—Invest in a Full Suite of Cybersecurity Protections that Work Well Together

As your firm grows, you’ll probably be layering on one tool after another to keep up with the growing security demand. That’s great, but when did you last evaluate how well your cybersecurity tools work together?

At Integris, we recommend clients follow a Responsible IT Architecture framework. This includes a full array of highly specialized and interlocking cybersecurity tools. This means they work together to create a full dome of protection around your data. Monitoring, reporting, and documentation are all compatible with each other as well. This creates a harmonious and well-run cybersecurity operation that reduces headaches.


Interested in Cybersecurity Best Practices Tailored to Your Law Firm?

Integris can help. Let us do a full cybersecurity assessment and get your law firm up to speed with the industry’s best security and compliance standards. Contact us today for a free consultation.


Jeff Lillibridge serves as a vCISO at Integris.
