In 2025, 29% of law firms reported a security breach, according to the ABA Legal Technology Survey Report. The average cost of a data breach across industries hit $5.08 million. For law firms specifically — where a single breach can expose attorney-client privileged communications, trust account data, and sensitive case files — the reputational damage often exceeds the direct financial loss.
More importantly: the ABA has made clear that reasonable cybersecurity is no longer optional. It is an ethical obligation under Model Rule 1.6, formalized through Formal Opinions 477R and 483. Inadequate security isn't just a business risk — it's a bar discipline risk.
This guide covers the minimum viable cybersecurity stack for a 1–10 attorney firm. No IT department required.
The Ethical Foundation: ABA Model Rule 1.6
ABA Model Rule 1.6(c) requires attorneys to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
ABA Formal Opinion 477R (2017) established that lawyers must "take competent and reasonable measures to safeguard information" including understanding "the nature of the threat." Opinion 483 (2018) added an affirmative duty to monitor for breaches and to notify affected clients when one occurs.
"Reasonable" is defined by the sensitivity of the information, the likelihood of disclosure, the cost of safeguards, and the difficulty of implementing them. For a firm handling criminal defense, family law, or M&A work, the bar for "reasonable" is higher than for a transactional firm doing routine contracts.
The Minimum Viable Stack: 5 Components
1. Multi-Factor Authentication on Every Account
MFA is the single highest-leverage security control available. It blocks 99.9% of automated account compromise attacks (Microsoft data). Every account a law firm uses — email, practice management, document storage, billing, bank — should have MFA enabled.
Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS-based MFA. SMS is vulnerable to SIM-swapping attacks, which are specifically targeted at professionals with financial account access. Authenticator apps are not exposed to SIM swapping: the code is generated on the device from a shared secret and the current time, so there is nothing for a hijacked phone number to receive.
Cost: Free. Time to implement: 30 minutes for a solo attorney, 2 hours for a 10-person firm.
2. Monitored EDR — Not Just Antivirus
Traditional antivirus detects known malware signatures. Endpoint Detection and Response (EDR) monitors behavior — it can identify ransomware that no one has seen before by detecting that a process is rapidly encrypting files.
The distinction matters because modern ransomware attacks targeting law firms use custom-built tools specifically designed to evade signature-based antivirus. The 2024 attacks on several US law firms used tooling with zero prior detection history.
Small-firm EDR options: CrowdStrike Falcon Go ($8.99/device/month), SentinelOne Singularity ($6/device/month), Malwarebytes for Teams ($5/device/month). "Monitored" means you receive alerts when something is detected — not that you're responsible for investigating them (most vendors include basic monitoring in the subscription).
Cost: $5–10/device/month. For a 5-attorney firm with 10 devices: ~$75/month.
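The "rapidly encrypting files" behaviour is the kind of rule an EDR evaluates instead of a signature. The following is an added illustration, not code from the article or from any EDR product, run over constructed file-write telemetry: a sliding window counts how many distinct files each process writes in ten seconds, and a process that crosses the threshold is flagged together with the share of its writes that carry a renamed extension. Process names, paths and thresholds are all invented for the example.

```python
from collections import defaultdict, deque

# Constructed file-write telemetry, not real EDR output: (seconds, pid, process, path).
# A document being edited touches one file a few times; the second process rewrites
# dozens of case files per second and appends a new extension to each of them.
SAMPLE_EVENTS = [
    (0.0, 410, "WINWORD.EXE", r"C:\Cases\smith\brief.docx"),
    (12.0, 410, "WINWORD.EXE", r"C:\Cases\smith\brief.docx"),
    (15.0, 410, "WINWORD.EXE", r"C:\Cases\smith\~$brief.docx"),
] + [
    (30.0 + i * 0.05, 987, "updater.exe", rf"C:\Cases\client{i % 12}\doc{i}.docx.locked")
    for i in range(60)
]

# Extensions commonly appended to encrypted files; a real deployment would maintain this list.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt", ".enc")


def detect_mass_encryption(events, window_s=10.0, threshold=40):
    """Behavioural rule: flag any process that writes to `threshold` distinct files within
    any `window_s`-second sliding window. Returns {pid: (process, distinct_files, renamed_fraction)}
    recorded at the moment the process first crosses the threshold.
    Legitimate bulk writers (backup agents, indexers) would be allow-listed in front of this."""
    recent = defaultdict(deque)   # pid -> deque of (time, path) still inside the window
    alerts = {}
    for t, pid, proc, path in sorted(events):
        q = recent[pid]
        q.append((t, path))
        while q and t - q[0][0] > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if pid in alerts or len(distinct) < threshold:
            continue
        renamed = sum(p.lower().endswith(SUSPICIOUS_SUFFIXES) for p in distinct)
        alerts[pid] = (proc, len(distinct), renamed / len(distinct))
    return alerts
```

A real EDR adds further signals (entropy of the written bytes, deletion of shadow copies, parent-process lineage) and can suspend the process rather than just alert; the window rule alone is what lets it catch a binary no signature database has seen.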
3. Immutable Offsite Backups
This is where most small firms are critically exposed. They believe they have backups because they use OneDrive, Google Drive, or Dropbox. These are not backups — they are sync services.
When ransomware encrypts your local files, the sync client uploads the encrypted versions to the cloud in real time. Within minutes of infection, every file in your "backup" is also encrypted. You have nothing.
Immutable backups cannot be modified or deleted for a defined retention period — even by a ransomware process running with administrator credentials. Options: Backblaze Business Backup ($99/computer/year), Acronis Cyber Protect ($5/GB/month), Veeam with immutable cloud storage.
The 3-2-1 rule remains valid: 3 copies of data, 2 different media types, 1 offsite. Test your backups quarterly — the only backup that matters is one you've verified you can restore from.
Cost: $50–150/month for a small firm.
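"Verified you can restore from" has a concrete test behind it. The code below is an added example, not from the article or from any backup vendor: it records a SHA-256 manifest of the source tree at backup time (to be stored alongside the offsite copy) and later compares a restored tree against it, reporting files that are missing, changed, or unexpected. The `demo` function builds a tiny constructed case folder in a temporary directory, with one restored file deliberately replaced by junk to show what a silently damaged restore looks like.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded when the backup was taken.
    An encrypted or truncated file shows up as 'corrupt'; a file the backup never captured as 'missing'."""
    found = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in found),
        "corrupt": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "extra": sorted(k for k in found if k not in manifest),
        "ok": bool(manifest) and all(found.get(k) == v for k, v in manifest.items()),
    }


def demo() -> dict:
    """Constructed quarterly restore test: two sample files, one restored intact, one damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "cases")
        src.mkdir()
        (src / "smith_brief.docx").write_bytes(b"constructed sample brief")
        (src / "trust_ledger.xlsx").write_bytes(b"constructed sample ledger")

        # Taken at backup time and stored with the offsite copy, not only on the source machine.
        manifest_file = Path(tmp, "manifest.json")
        manifest_file.write_text(json.dumps(build_manifest(src)))

        restored = Path(tmp, "restored")
        restored.mkdir()
        (restored / "smith_brief.docx").write_bytes(b"constructed sample brief")
        (restored / "trust_ledger.xlsx").write_bytes(b"JUNK-STANDING-IN-FOR-AN-ENCRYPTED-FILE")

        return verify_restore(json.loads(manifest_file.read_text()), restored)
```

Run the restore into a scratch location, not over the live files, and keep the manifest with the offsite copy so the check does not depend on anything the ransomware could have reached.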
4. Written Incident Response Plan
An incident response plan is a document that answers: what do we do in the first 4 hours after discovering a breach? Without it, firms in crisis mode make expensive mistakes — deleting logs that contain forensic evidence, failing to notify clients within required timeframes, or paying ransoms before determining whether decryption keys actually work.
A minimum viable incident response plan for a small firm covers:
- Who to call first (IT vendor, cyber insurance carrier, breach counsel)
- What not to do (don't reboot systems, don't delete anything, don't pay ransom without insurance approval)
- Client notification obligations under your state's breach notification law and ABA Opinion 483
- Evidence preservation steps
- Communication protocol (who speaks to the press, clients, bar counsel)
Cost: One afternoon with a cybersecurity attorney. $1,500–3,000 one-time.
5. Quarterly Phishing Simulation
85% of breaches involve a human element (Verizon DBIR 2025). Phishing — fake emails that trick staff into clicking malicious links or entering credentials — is the entry point for most law firm attacks. Technical controls reduce the risk; trained humans eliminate it.
Quarterly phishing simulations send fake phishing emails to your staff. Anyone who clicks gets immediate remediation training. Over 6–12 months, click rates typically drop from 25–35% to under 5%.
Tools: KnowBe4 (from $24/user/year), Proofpoint Security Awareness ($20/user/year), Cofense PhishMe. Many cyber insurance policies now require documented security awareness training as a condition of coverage.
Cost: $20–30/user/year. For a 5-person firm: ~$150/year.
The Cyber Insurance Requirement
Cyber insurance carriers have hardened their underwriting requirements significantly since 2023. Most carriers now require all five controls above as a condition of coverage. Firms that can't demonstrate these controls either pay substantially higher premiums or are denied coverage.
If you carry cyber insurance, review your policy for security requirements annually. Non-compliance can void your coverage at the moment you need it most. The most common denial reason in 2025 claims: "insured failed to maintain required MFA controls."
UK-Specific: SRA Requirements
UK solicitors operate under the SRA Code of Conduct, which includes obligations to protect client confidentiality and to maintain appropriate systems and controls. The SRA's 2024 cybersecurity report found that 75% of UK law firms have been targeted by a cyberattack.
The SRA expects firms to have: a documented data protection policy, a breach response procedure, staff training, and technical controls proportionate to the firm's risk profile. The ICO (Information Commissioner's Office) can impose fines up to £17.5 million or 4% of global annual turnover under UK GDPR for serious breaches.
The 1-Page Checklist
Use this to audit your current posture:
- ☐ MFA enabled on email (Google/Microsoft)
- ☐ MFA enabled on practice management software
- ☐ MFA enabled on banking/billing accounts
- ☐ EDR installed on all firm devices (not just antivirus)
- ☐ Immutable offsite backup configured and tested in last 90 days
- ☐ OneDrive/Google Drive understood as sync (not backup)
- ☐ Written incident response plan exists and is accessible offline
- ☐ Staff completed security awareness training in last 12 months
- ☐ Cyber insurance policy reviewed for current security requirements
- ☐ Vendor security reviewed: practice management, document storage, email
If you can check all 10 boxes, you are in the top quartile of small law firm security posture. If you can check 6–7, you have a reasonable baseline. Fewer than 6: address the gaps before your next client engagement involving sensitive data.
Total Cost for a 5-Attorney Firm
- MFA (authenticator app): $0
- EDR (10 devices × $8/month): $80/month
- Immutable backup: $100/month
- Incident response plan (one-time): $2,000
- Phishing simulation (5 users × $25/year): $125/year
Total ongoing: ~$200/month + $2,000 one-time. For context: the average ransomware payment in 2025 was $900,000. The insurance deductible alone typically exceeds three years of this security spend.