A cybersecurity audit doesn’t have to feel overwhelming. For law firms, the key is preparation. This checklist helps you gather the right information and implement the right controls before an auditor or incident response team arrives.

Use this guide to systematically review your firm’s access controls, data protection, backups, vendor relationships, and incident readiness.

1. Access Control

Why it matters: Unauthorized access is one of the most common ways law firms suffer data breaches.

Key Actions:

  • Every user has a unique, named account (no shared logins)
  • Multi-factor authentication (MFA) is enabled on all critical systems
  • Former employees and contractors have had access revoked within 24 hours of departure
  • Access reviews are conducted at least quarterly

Quick Win: Enable MFA on Microsoft 365 or Google Workspace today — Microsoft reports that MFA blocks more than 99% of automated account attacks.
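The four access-control items above can be checked against two exports most firms already have: the HR departure list and the account list from the identity provider (Microsoft 365 or Google Workspace). The script below is an added example, not part of the original checklist, and works on constructed sample data embedded inline; the field names (`status`, `mfa`, `owner`, `disabled_at`) are assumptions standing in for whatever columns your real export uses.

```python
from datetime import datetime, timedelta

# Checklist threshold: access revoked within 24 hours of departure.
REVOCATION_WINDOW = timedelta(hours=24)

# Constructed sample HR export: username -> departure timestamp (ISO 8601).
HR_DEPARTURES = {
    "jdoe": "2024-03-01T17:00:00",    # left; account still active below
    "asmith": "2024-03-10T12:00:00",  # left; disabled six hours later
    "ctan": "2024-03-01T17:00:00",    # left; disabled almost three days later
}

# Constructed sample identity-provider export (field names are assumptions).
IAM_ACCOUNTS = [
    {"user": "jdoe", "status": "active", "mfa": True, "owner": "J. Doe"},
    {"user": "asmith", "status": "disabled", "disabled_at": "2024-03-10T18:00:00",
     "mfa": True, "owner": "A. Smith"},
    {"user": "ctan", "status": "disabled", "disabled_at": "2024-03-04T09:00:00",
     "mfa": False, "owner": "C. Tan"},
    {"user": "reception", "status": "active", "mfa": False, "owner": None},
    {"user": "bjones", "status": "active", "mfa": True, "owner": "B. Jones"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def audit_accounts(accounts, departures, now):
    """Return (user, code, detail) findings for the access-control checklist items:
    shared logins, missing MFA on active accounts, and departures not revoked in time."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Item 1: every account must have a named owner (no shared logins).
        if acct.get("owner") is None:
            findings.append((user, "SHARED_ACCOUNT", "no named owner"))
        # Item 2: every active account must have MFA enabled.
        if acct["status"] == "active" and not acct.get("mfa"):
            findings.append((user, "NO_MFA", "active account without MFA"))
        # Item 3: departed staff must be disabled within REVOCATION_WINDOW.
        if user in departures:
            left = parse_ts(departures[user])
            if acct["status"] == "active":
                findings.append((user, "NOT_REVOKED",
                                 f"still active {now - left} after departure"))
            else:
                lag = parse_ts(acct["disabled_at"]) - left
                if lag > REVOCATION_WINDOW:
                    findings.append((user, "LATE_REVOCATION",
                                     f"revoked {lag} after departure"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_accounts(IAM_ACCOUNTS, HR_DEPARTURES,
                                             datetime(2024, 3, 12, 9, 0)):
        print(f"{code:16} {user:12} {detail}")
```

Run against real exports, the output is the evidence an auditor asks for under item 4 (the quarterly access review): keep the dated output with the review sign-off. Accounts that are already disabled are deliberately not flagged for missing MFA, since the finding that matters there is whether they were disabled in time.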

2. Email and Domain Security

Key Actions:

  • SPF, DKIM, and DMARC records are properly configured
  • DMARC policy is set to at least quarantine
  • Email is scanned with advanced threat protection
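To turn the SPF and DMARC bullets into a repeatable check, the following added example (not code from the original checklist) parses the two DNS TXT records as published and reports which bullets fail. It takes the record text as input, so it runs offline on the constructed sample records embedded below; in practice you would paste in the output of a TXT lookup for `yourfirm.com` and `_dmarc.yourfirm.com`. The `rua` and `pct` checks go slightly beyond the checklist wording: they catch a policy that is nominally quarantine but applied to only part of the mail stream, or one with no aggregate reporting address.

```python
import re

# Constructed sample records for three hypothetical domains (not real lookups).
SAMPLE_RECORDS = {
    "good.example":   ("v=spf1 include:_spf.example.net -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "weak.example":   ("v=spf1 +all",
                       "v=DMARC1; p=none"),
    "partial.example": ("v=spf1 include:_spf.example.net ~all",
                        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example"),
}


def parse_spf(txt):
    """Return the SPF terms and the qualifier on the 'all' mechanism, or None if not SPF."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    all_qualifier = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' means '+all'
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the record is not a DMARC1 record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Map the two records onto the checklist: SPF present and restrictive,
    DMARC present with policy at least quarantine (plus reporting and pct sanity)."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF_MISSING")
    elif spf["all"] in (None, "+", "?"):
        # No 'all' term, '+all' or '?all' lets any sender pass SPF.
        findings.append("SPF_PERMISSIVE")

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC_MISSING")
    else:
        if dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
            findings.append("DMARC_POLICY_NONE")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC_PARTIAL_PCT")
        if "rua" not in dmarc:
            findings.append("DMARC_NO_REPORTING")
    return findings


if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        print(domain, assess_domain(spf_txt, dmarc_txt) or ["OK"])
```

DKIM is not included because its record lives under a per-selector name (`selector._domainkey.yourfirm.com`) that depends on your mail provider; confirm the selector from the provider's setup page and check that record separately.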

3. Backups and Recovery

Key Actions:

  • Backups exist for all critical systems
  • Backups are stored in immutable storage
  • Backup restoration has been tested in the last 6 months

4. Vendor Risk Management

Key Actions:

  • An up-to-date list of all vendors with access to firm or client data is maintained
  • Security documentation from critical vendors has been collected and reviewed
  • Vendor access is reviewed at least annually

5. Incident Readiness

Key Actions:

  • You have a written incident response plan
  • Key decision-makers are clearly identified
  • You conduct at least one tabletop exercise per year

Next Steps

Use this checklist as a living document. Review it quarterly.

Want a fast assessment?
Run our free Instant Cybersecurity Audit at audit.emailmenow.com.

Need deeper support? Contact EmailMeNow IT Consulting for a full readiness review.