TECNICODESK


Security-First IT Checklist for Law and Accounting Firms

A practical checklist covering identity, email, data, backups, and compliance for firms with 10 to 75 employees.

June 2026 · 8 min read

Law firms and accounting firms handle some of the most sensitive information in any business: privileged attorney-client communications, tax returns, financial records, payroll data, and personally identifiable information for clients, employees, and their families. A security incident at a firm this size does not just cause downtime. It can trigger regulatory obligations, damage client trust, and create real liability.

The good news is that strong IT security for a 10 to 75 person firm does not require a massive budget or a dedicated security team. It requires the right foundations, applied consistently. This checklist covers the areas that matter most.

1. Identity and access

Compromised credentials are the most common entry point in cyberattacks against professional services firms. Identity controls are your first and most important layer.

  • Require multi-factor authentication (MFA) for every user, including partners, executives, and IT administrators. No exceptions. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected through SIM swapping.
  • Use separate admin accounts for anyone who manages your Microsoft 365, Google Workspace, or other cloud platforms. Daily work should happen from a standard account.
  • Disable accounts immediately when someone leaves the firm. Do not wait until the end of the week or the next billing cycle.
  • Where your licensing supports it, enable Conditional Access (Microsoft 365) or Context-Aware Access (Google Workspace) policies to block sign-ins from unexpected locations, unmanaged devices, or high-risk conditions.
  • Limit the number of users with Global Administrator or Super Admin privileges. Two to three is usually enough, plus one documented emergency (break-glass) account with a long password kept offline and an alert on any sign-in to it.
  • Review guest and external user access quarterly. Old guest accounts from past clients or co-counsel are easy to overlook.

2. Email security

Email is the primary attack surface for law and accounting firms. Business email compromise (BEC) attacks frequently target these verticals because wire transfers, closing documents, and tax filings are routine parts of the work. A convincing impersonation email sent at the right moment can cause significant financial loss.

  • Publish SPF, DKIM, and DMARC records for every domain your firm uses, including domains that send no mail (give those an SPF record of "v=spf1 -all" and a DMARC reject policy so they cannot be spoofed either). Start DMARC at p=none, review the aggregate reports for a few weeks to catch third-party senders (practice management, e-signature, billing platforms) that are not yet authenticated, then move to an enforcement policy (quarantine or reject). Our DMARC and email security services page explains this in more detail.
  • Enable anti-phishing protections: impersonation detection, safe links, and safe attachments where available.
  • Disable automatic external email forwarding at the tenant level, and review existing mailbox forwarding settings and inbox rules. Forwarding is a common persistence tactic after an attacker gains access to a mailbox: copies of all incoming email are quietly sent to an external address, often through an inbox rule with an innocuous or blank-looking name.
  • Turn on external sender tagging so staff can visually identify when a message comes from outside the firm.
  • Train staff to verify wire transfer instructions and payment changes by phone, using a number already on file, never a number or reply address taken from the email requesting the change.
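The DMARC, SPF, and forwarding checks above can be run against data you already have. The following is an added example in Python, not code from this page or Tecnicodesk's tooling: it parses a DMARC record and reports whether it is actually enforced (p=quarantine or p=reject, applied to 100% of mail, with subdomains covered), flags weak SPF records, and lists every mailbox-level forward or inbox rule that sends mail outside the firm. The DNS records, the mailbox export and its field names, and examplefirm.com are constructed placeholders, not any platform's real export format.

```python
"""Email posture checks over DNS records and a forwarding export.

Added example, not Tecnicodesk tooling. Inputs are constructed: TXT records as copied
from a DNS console, MAILBOXES as a forwarding/inbox-rule export (field names assumed),
examplefirm.com as a placeholder domain.
"""
FIRM_DOMAINS = {"examplefirm.com"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(txt):
    """Return ('monitor'|'partial'|'enforced'|'invalid', [caveats]); 'partial' means
    p= is quarantine/reject but pct<100 or sp=none still lets spoofed mail through."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record must start with v=DMARC1"]
    notes = []
    policy = tags.get("p", "none").lower()
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))            # share of failing mail the policy applies to
    if "rua" not in tags:
        notes.append("no rua= address, so you receive no aggregate reports")
    if policy == "none":
        return "monitor", notes
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is acted on")
    if subpolicy == "none":
        notes.append("sp=none: mail from any subdomain can still be spoofed")
    return ("enforced" if pct == 100 and subpolicy != "none" else "partial"), notes

def spf_issues(txt):
    """Flag an SPF record that is permissive, unterminated, or over the 10-lookup limit."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups, terminator = 0, None
    for term in terms[1:]:
        bare = term.lower().lstrip("+-~?")
        mechanism = bare.split(":")[0].split("/")[0]
        if bare == "all":
            terminator = term.lower() if term[0] in "+-~?" else "+all"
        elif mechanism in ("a", "mx", "ptr") or bare.startswith(("include:", "exists:", "redirect=")):
            lookups += 1  # each of these costs a DNS lookup (RFC 7208 section 4.6.4)
    issues = []
    if terminator is None:
        issues.append("no 'all' term: unlisted senders are neutral, not rejected")
    elif terminator in ("+all", "?all"):
        issues.append(f"'{terminator}' lets anyone send as the domain")
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10; receivers return permerror")
    return issues

def external_forwards(mailboxes, firm_domains):
    """List every mailbox-level forward or inbox rule that sends mail outside the firm."""
    findings = []
    for box in mailboxes:
        routes = []
        if box.get("forwarding_smtp_address"):
            routes.append(("mailbox forwarding", box["forwarding_smtp_address"]))
        for rule in box.get("inbox_rules", []):
            for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
                routes.append((f"inbox rule '{rule['name']}'", addr))
        for via, addr in routes:
            if addr.rsplit("@", 1)[-1].lower() not in firm_domains:
                findings.append({"mailbox": box["user"], "via": via, "to": addr})
    return findings

# Constructed sample data: one sending domain and one parked domain that sends no mail.
DNS = {
    "examplefirm.com": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@examplefirm.com"},
    "examplefirm-payroll.com": {
        "spf": "v=spf1 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@examplefirm.com"},
}
MAILBOXES = [
    {"user": "partner@examplefirm.com", "forwarding_smtp_address": None,
     "inbox_rules": [{"name": "Invoices", "forward_to": ["billing@examplefirm.com"]}]},
    {"user": "bookkeeper@examplefirm.com", "forwarding_smtp_address": None,
     "inbox_rules": [{"name": ".", "redirect_to": ["acct.review.2026@webmail.example"]}]},
    {"user": "reception@examplefirm.com", "forwarding_smtp_address": "frontdesk@webmail.example",
     "inbox_rules": []},
]

if __name__ == "__main__":
    for domain, records in DNS.items():
        status, notes = dmarc_status(records["dmarc"])
        print(domain, "DMARC:", status, notes, "SPF:", spf_issues(records["spf"]))
    for finding in external_forwards(MAILBOXES, FIRM_DOMAINS):
        print("external forward:", finding)
```

Run as-is, the sending domain comes back as "partial" because pct=25 means three quarters of spoofed mail is still delivered, the parked domain comes back as "enforced", and two forwards are flagged: the mailbox-level forward on reception and the inbox rule named "." on the bookkeeper's mailbox. A one-character rule name is exactly the kind of rule a reviewer skims past, which is why the check looks at the destination domain rather than the rule name.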

3. Data protection

Firms routinely store client documents in SharePoint, OneDrive, or Google Drive. The default sharing settings on these platforms are often broader than firm leadership realizes.

  • Audit your SharePoint or Google Drive sharing settings. Know whether external sharing is enabled and who can create sharing links. Our SharePoint security services cover this in depth.
  • Disable or restrict anonymous (anyone with the link) sharing. If it is needed for specific workflows, set expiration dates on links.
  • Classify client data so you know where your most sensitive files live and who has access to them.
  • Review permissions on shared drives, Teams channels, and Google Shared Drives at least twice a year. Access tends to drift over time.
  • If your firm handles health-related information (common for employee benefits or personal injury work), apply additional access controls appropriate to that data.
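A sharing audit is easier to act on when the export is ranked rather than read top to bottom. The following is an added example in Python, not code from this page or Tecnicodesk's tooling: it takes a flattened list of sharing grants (one row per file and grantee) and ranks anonymous links, external users, and firm-wide access to sensitive files, ignoring ordinary internal grants. The export layout and field names, the sensitivity labels, the severity rules, and examplefirm.com are all assumptions for the example; a real export would come from a Google Drive permissions listing or a SharePoint sharing report and the field names would need mapping.

```python
"""Rank sharing grants from a flattened permissions export.

Added example, not Tecnicodesk tooling. SHARES is a constructed export with one row per
(file, grant), in a shape assumed here rather than any platform's exact format. Labels,
paths, severity rules and examplefirm.com are placeholders.
"""
from datetime import date

FIRM_DOMAINS = {"examplefirm.com"}
SENSITIVE_LABELS = {"Confidential", "Privileged", "Restricted"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

SHARES = [
    {"file": "Clients/Acme/2025 Tax Return.pdf", "label": "Confidential", "type": "anyone",
     "role": "reader", "email": None, "expires": None},
    {"file": "Clients/Acme/Engagement Letter.docx", "label": "Confidential", "type": "user",
     "role": "writer", "email": "cfo@acme-example.com", "expires": "2026-09-30"},
    {"file": "Clients/Smith/Closing Binder.zip", "label": "Privileged", "type": "user",
     "role": "reader", "email": "cocounsel@oldfirm-example.net", "expires": None},
    {"file": "Clients/Lee/Draft Will.docx", "label": "Privileged", "type": "user",
     "role": "reader", "email": "paralegal@temp-agency-example.com", "expires": "2026-03-01"},
    {"file": "Marketing/Newsletter Draft.docx", "label": "Public", "type": "anyone",
     "role": "reader", "email": None, "expires": "2026-07-15"},
    {"file": "Admin/Payroll 2026.xlsx", "label": "Restricted", "type": "user",
     "role": "reader", "email": "bookkeeper@examplefirm.com", "expires": None},
    {"file": "Admin/Benefits Enrollment 2026.xlsx", "label": "Restricted", "type": "domain",
     "role": "reader", "email": None, "expires": None},
    {"file": "Admin/Letterhead Template.docx", "label": "Internal", "type": "domain",
     "role": "writer", "email": None, "expires": None},
]

def scope_of(share, firm_domains):
    """Classify a grant as 'anonymous', 'domain', 'external' or 'internal'."""
    if share["type"] == "anyone":
        return "anonymous"
    if share["type"] == "domain":
        return "domain"
    domain = share["email"].rsplit("@", 1)[-1].lower()
    return "internal" if domain in firm_domains else "external"

def audit_sharing(shares, firm_domains, today):
    """Return findings sorted by severity, then by path.

    Rules (an assumption for this example; tune to your own policy):
      high    anonymous link on a sensitive file, or any anonymous link with edit rights
      medium  anonymous link with no expiry; external user or firm-wide access to a sensitive file
      low     other anonymous or external grants (non-sensitive, or expiring)
    Internal grants and firm-wide access to non-sensitive files are not reported.
    """
    findings = []
    for share in shares:
        scope = scope_of(share, firm_domains)
        sensitive = share["label"] in SENSITIVE_LABELS
        if scope == "internal" or (scope == "domain" and not sensitive):
            continue
        can_edit = share["role"] in ("writer", "editor", "owner")
        expires = date.fromisoformat(share["expires"]) if share["expires"] else None
        if scope == "anonymous" and (sensitive or can_edit):
            severity = "high"
        elif sensitive or (scope == "anonymous" and expires is None):
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "severity": severity, "file": share["file"], "scope": scope, "role": share["role"],
            "who": share["email"] or {"anonymous": "anyone with the link", "domain": "everyone in the firm"}[scope],
            "expires": share["expires"],
            # An expiry in the past that is still listed means the platform did not remove
            # the grant or the export is stale; either way it needs a human look.
            "note": "expiry passed, grant still present" if expires and expires < today else "",
        })
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["file"]))

def summary(findings):
    """Count findings per severity so the audit has a one-line headline."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts

if __name__ == "__main__":
    results = audit_sharing(SHARES, FIRM_DOMAINS, date(2026, 6, 1))
    print(summary(results))
    for finding in results:
        print(finding["severity"], finding["file"], "->", finding["who"], finding["role"],
              finding["expires"] or "no expiry", finding["note"])
```

On the sample data the one anonymous link on a confidential tax return lands at the top, the two internal rows disappear from the report, and the expired grant on the draft will is called out separately because a grant that should already be gone is a different problem from one that was never set to expire.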

4. Backups

Neither Microsoft nor Google provides full backup and recovery for your cloud data in the way most firms expect. Retention policies and recycle bins help with simple deletions, but they are not a substitute for a real backup.

  • Use an independent, third-party backup solution for Microsoft 365 or Google Workspace. This should cover email, files, and collaboration data.
  • Test restores on a regular schedule, not only when something goes wrong. A backup you have never tested is a backup you cannot count on.
  • Document your recovery procedures: who initiates a restore, how long it should take (your recovery time objective), and how much recent data you can afford to lose (your recovery point objective).
  • Store backup data in a location that is separate from your production environment, under separate administrative credentials, so a single compromised admin account cannot delete both the live data and the backup.

5. Compliance readiness

Even if your firm is not subject to a formal compliance framework, clients, insurers, and regulators increasingly expect evidence that you take security seriously.

  • Review your cyber insurance policy and confirm you meet its security requirements. Common requirements include MFA, endpoint protection, and backup. Failing to meet them can result in a denied claim. See our cyber insurance readiness page for more.
  • Prepare answers for client security questionnaires. Larger clients (especially in financial services and healthcare) will ask how you protect their data. Having documented answers saves time and builds confidence.
  • If clients require SOC 2 or HIPAA compliance, start by understanding the gap between where you are and where you need to be. A Tecnico Ready security review is a practical starting point.
  • Keep a record of your security controls, policies, and any assessments. This evidence matters during audits, insurance renewals, and incident response.

6. Employee lifecycle

People join and leave firms regularly. Each transition is a security moment that needs a defined process.

  • Onboard new employees with the right level of access from day one. Avoid granting broad access "temporarily" and then forgetting to tighten it.
  • Use a documented offboarding checklist that covers account disablement, session revocation, file ownership transfer, shared credential rotation, and removal from client-facing systems.
  • Revoke access on the employee's last day, not after. In professional services, departing employees often have access to highly sensitive client files up until the moment they leave.
  • Audit active user lists against your HR records periodically. Ghost accounts (users who left but whose accounts remain active) are a common finding in security reviews.
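The periodic audit in the last item is a reconciliation: every enabled account should be explained by an HR record, a documented service-account exception, or a guest with a current reason to be there. The following is an added example in Python, not code from this page or Tecnicodesk's tooling: it compares a directory user export against an HR roster and reports ghost accounts (HR says terminated, directory says enabled), enabled accounts HR has never heard of, stale members, and stale guests. Both lists, their field names, and examplefirm.com are constructed for the example; a real run would use exports from Microsoft 365 or Google Workspace and from your HR or payroll system.

```python
"""Reconcile the directory user list against HR records to find ghost and stale accounts.

Added example, not Tecnicodesk tooling. DIRECTORY and HR_ROSTER are constructed, with
field names assumed for this example: DIRECTORY stands in for a user export from
Microsoft 365 or Google Workspace, HR_ROSTER for an export from HR or payroll.
examplefirm.com is a placeholder domain.
"""
from datetime import date

DIRECTORY = [
    {"upn": "apartner@examplefirm.com", "enabled": True, "type": "member", "last_sign_in": "2026-05-29"},
    {"upn": "jsmith@examplefirm.com", "enabled": True, "type": "member", "last_sign_in": "2026-02-10"},
    {"upn": "mjones@examplefirm.com", "enabled": False, "type": "member", "last_sign_in": "2025-11-03"},
    {"upn": "scanner@examplefirm.com", "enabled": True, "type": "member", "last_sign_in": None},
    {"upn": "temp.contractor@examplefirm.com", "enabled": True, "type": "member", "last_sign_in": "2026-01-20"},
    {"upn": "ofcounsel@examplefirm.com", "enabled": True, "type": "member", "last_sign_in": "2026-01-15"},
    {"upn": "cocounsel@oldfirm-example.net", "enabled": True, "type": "guest", "last_sign_in": "2025-09-14"},
    {"upn": "newhire@examplefirm.com", "enabled": True, "type": "member", "last_sign_in": "2026-05-30"},
]
HR_ROSTER = [
    {"email": "apartner@examplefirm.com", "status": "active", "end_date": None},
    {"email": "jsmith@examplefirm.com", "status": "terminated", "end_date": "2026-03-31"},
    {"email": "mjones@examplefirm.com", "status": "terminated", "end_date": "2025-11-05"},
    {"email": "ofcounsel@examplefirm.com", "status": "active", "end_date": None},
    {"email": "newhire@examplefirm.com", "status": "active", "end_date": None},
]
# Documented exceptions (shared mailboxes, service accounts) reviewed on their own schedule.
KNOWN_SERVICE_ACCOUNTS = {"scanner@examplefirm.com"}

def days_since(iso_date, today):
    """Whole days between an ISO date string and today, or None when there is no date."""
    return (today - date.fromisoformat(iso_date)).days if iso_date else None

def reconcile(directory, roster, today, stale_days=90, known_service=frozenset()):
    """Return one finding per enabled account that HR cannot vouch for or that nobody uses."""
    by_email = {row["email"].lower(): row for row in roster}
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # disabled accounts cannot sign in; delete them on a separate cleanup schedule
        upn = acct["upn"].lower()
        idle = days_since(acct["last_sign_in"], today)
        if acct["type"] == "guest":
            # Guests have no HR record by definition, so the only signal is recent use.
            if idle is None or idle > stale_days:
                findings.append({"account": upn, "issue": "stale guest",
                                 "detail": f"last sign-in {idle} days ago" if idle is not None else "never signed in"})
            continue
        hr = by_email.get(upn)
        if hr is None:
            if upn not in known_service:
                findings.append({"account": upn, "issue": "no HR record",
                                 "detail": "enabled account that HR does not know about"})
        elif hr["status"] != "active":
            findings.append({"account": upn, "issue": "ghost account",
                             "detail": f"HR end date {hr['end_date']}, {days_since(hr['end_date'], today)} days ago, still enabled"})
        elif idle is None or idle > stale_days:
            findings.append({"account": upn, "issue": "stale account",
                             "detail": f"active in HR but no sign-in for {idle} days" if idle is not None else "active in HR but never signed in"})
    return findings

if __name__ == "__main__":
    for finding in reconcile(DIRECTORY, HR_ROSTER, date(2026, 6, 1), known_service=KNOWN_SERVICE_ACCOUNTS):
        print(f"{finding['issue']:<14} {finding['account']:<36} {finding['detail']}")
```

Run on the sample data with 1 June 2026 as the audit date, it reports jsmith as a ghost account 62 days after the HR end date, temp.contractor as an enabled account with no HR record, ofcounsel as an active employee who has not signed in for 137 days, and the co-counsel guest as unused for 260 days. The scanner mailbox is skipped only because it is on the documented exception list, which is the point of keeping that list: anything not on it has to be explained by HR.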

7. Where to start

If you are looking at this checklist and wondering where to begin, start with two areas: identity and email. Requiring MFA for every user is the single highest-impact change most firms can make. Adding DMARC at enforcement is the second. Together, these two steps address the most common attack paths targeting law and accounting firms.

From there, layer on backup verification, a sharing audit, and a documented offboarding process. Each of these can be done in stages without disrupting daily work.

If you want a structured assessment of where your firm stands across all of these areas, a Tecnico Ready security review gives you a prioritized list of findings and recommendations specific to your environment.


Key takeaways

  • MFA for every user and DMARC at enforcement are the two highest-impact steps.
  • Microsoft 365 and Google Workspace are not backups. Add an independent backup and test restores.
  • Default sharing settings are usually broader than firm leadership expects. Audit them.
  • A documented offboarding checklist prevents ghost accounts and lingering access.
  • Cyber insurance requirements are tightening. Know what your policy expects and document your controls.
FAQ

IT security questions for law and accounting firms

What is the most important IT security step for a law or accounting firm?

Require multi-factor authentication for every user account. MFA blocks the majority of account takeover attempts and is a baseline requirement for most cyber insurance policies. It is the single highest-impact change a firm can make.

Does our firm need a separate backup for Microsoft 365 or Google Workspace?

Yes. Neither Microsoft nor Google provides full backup and recovery in the way most firms expect. A separate, independent backup protects against accidental deletion, ransomware, and data loss from departed employees. Tested restores are equally important.

What is DMARC and why does it matter for professional services firms?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication standard that tells receiving mail servers what to do with messages that claim to come from your domain but fail SPF or DKIM checks, and sends you reports on who is sending as your domain. At an enforcement policy (quarantine or reject), it stops attackers from sending mail that uses your exact domain. It does not stop look-alike domains, so staff training still matters. For law and accounting firms, where trust is central to client relationships, DMARC at enforcement protects your reputation and reduces the risk of business email compromise.

How do we handle IT security when an employee leaves the firm?

Disable the departing employee's accounts immediately, revoke active sessions and tokens, transfer ownership of files and mailbox data, remove the user from shared resources, and update any shared credentials they had access to. A documented offboarding checklist ensures nothing is missed under time pressure.

Find out where your firm stands

Book a Security Fit Call and we will walk through the areas that matter most for your firm's size, platform, and client expectations.