
Enhancing Cybersecurity for Local Law Firms

Law firms hold trust accounts, settlement data, and client confidences. Here's a plain-English cybersecurity checklist built specifically for Oklahoma legal practices.

10 min read. By Great Plains Networking

Tags: law firm cybersecurity, legal IT services, ABA Model Rule 1.6, wire fraud prevention, Oklahoma law firms, M365 for law firms

Law firms are an attacker's dream target: rich data, irregular tech budgets, and trust-account dollars that move on short notice. Every Oklahoma firm — from a two-attorney practice in Norman to a 30-attorney shop downtown — sits on enough sensitive data to make confidentiality a daily risk, not a theoretical one. The good news is the controls that matter most are well understood, affordable, and well within reach for a small firm. The bad news is most firms have not implemented them.

This article walks through the threats that target law firms specifically, the ethical and regulatory obligations driving the controls, and a short list of must-haves an Oklahoma firm should check this quarter.

What makes law firms different (and more exposed)

Three things separate legal practices from a general small business security posture:

  • Client confidentiality is a hard duty, not a best practice. Under ABA Model Rule 1.6 and its Oklahoma counterpart in Rule 1.6 of the Oklahoma Rules of Professional Conduct, a lawyer must make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Comment 18 makes clear that "reasonable" tracks the sensitivity of the data and the cost of available safeguards. In 2026, that means real controls — not a strong password and good intentions.
  • Trust account funds are a direct payday for attackers. IOLTA accounts move significant sums and operate on tight deadlines. Business email compromise (BEC) targeting wire transfers is the single most common path to a six-figure loss at a small firm.
  • Discovery, settlement data, and corporate transactions are leverage. Ransomware crews increasingly run a double extortion playbook: encrypt the files and threaten to publish them. For a firm sitting on M&A docs or sealed family-law records, the publishing threat is often worse than the encryption.

The five threats that actually hit law firms

1. Business email compromise targeting wire transfers

An attacker compromises a paralegal's mailbox via a phishing link, sets up a forwarding or inbox rule, watches a real estate closing or settlement thread, and intercepts the wire instructions. The client wires to the attacker. Recovery via the FBI's Financial Fraud Kill Chain only works in the first 72 hours, and only sometimes.

2. Ransomware with data exfiltration

Modern ransomware crews exfiltrate files before encrypting. Even with perfect backups, the firm faces a published-data threat that triggers client notifications, bar inquiries, and malpractice questions.

3. Mailbox account takeover

Credential stuffing against Microsoft 365 is constant. One reused password from a breached consumer site lets the attacker into Outlook. From there: confidential client data, forwarding rules, OAuth grants, and a launchpad for BEC against the firm's contacts.
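Both the wire-fraud BEC scenario above (threat 1) and a mailbox takeover (threat 3) leave the same artifact behind: a forwarding setting or an inbox rule that forwards, redirects, or hides mail. The following Exchange Online PowerShell audit is an added example, not Great Plains Networking's tooling; it assumes the ExchangeOnlineManagement module is installed and the account running it holds an Exchange admin or view-only organization management role. The output file name is an assumption as well.

```powershell
# Added example: list every mailbox-level forward and every inbox rule that
# forwards, redirects, deletes or moves mail, so an admin can review them for
# the rules a BEC or account-takeover attacker typically creates.
# Assumes: ExchangeOnlineManagement module; an admin role that can read all
# mailboxes. The CSV path below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

# 1. Forwarding configured on the mailbox object itself (often set by an
#    attacker through Outlook on the web settings, not an inbox rule).
Get-EXOMailbox -ResultSize Unlimited `
  -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
  Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
  ForEach-Object {
    $findings += [pscustomobject]@{
      Mailbox = $_.UserPrincipalName
      Type    = 'MailboxForwarding'
      Detail  = "to=$($_.ForwardingSmtpAddress)$($_.ForwardingAddress) keepCopy=$($_.DeliverToMailboxAndForward)"
    }
  }

# 2. Enabled inbox rules with forward / redirect / delete / move actions.
#    Legitimate filing rules will show up here too; the point is a short list
#    a human reviews, not an automatic block.
Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
  $upn = $_.UserPrincipalName
  Get-InboxRule -Mailbox $upn | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or $_.MoveToFolder) {
      $findings += [pscustomobject]@{
        Mailbox = $upn
        Type    = 'InboxRule'
        Detail  = "$($_.Name): fwd=$($_.ForwardTo)$($_.ForwardAsAttachmentTo) redirect=$($_.RedirectTo) delete=$($_.DeleteMessage) move=$($_.MoveToFolder)"
      }
    }
  }
}

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
$findings | Export-Csv -Path .\mailbox-rule-audit.csv -NoTypeInformation   # placeholder path
Disconnect-ExchangeOnline -Confirm:$false
```

Any external forwarding destination, or a rule that both matches words like "wire" or "invoice" and deletes or files the message, is the pattern worth escalating; run the audit on a schedule so a new rule is noticed in days, not after a closing goes wrong.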

4. Insider mistakes

Sending a settlement spreadsheet to opposing counsel via "reply all." A laptop left in a car at Will Rogers airport with unencrypted client files. These do not require an attacker — they require a five-second lapse and no DLP or encryption-at-rest.

5. Third-party vendor compromise

Practice management vendors, e-discovery providers, and court filing services have all been breached in the last few years. A firm's security is a function of its weakest third-party integration.

What Rule 1.6 actually requires in practice

The ABA and most state bars have moved past "is this required?" into "what does reasonable look like?" ABA Formal Opinions 477R and 483, combined with the Oklahoma Bar's ethics guidance, point at a working baseline:

  • Encryption of data in transit and at rest (laptops, phones, cloud storage).
  • Strong authentication on any account that touches client data — practically, MFA.
  • A written incident response plan and breach notification process.
  • Reasonable diligence on third-party vendors handling client data.
  • Training on the firm's security and confidentiality policies.

None of that is exotic. All of it is auditable. A firm that cannot demonstrate these controls — in writing — is exposed both to the breach and to the ethics complaint that follows.

The must-have controls for an Oklahoma law firm

1. MFA on Microsoft 365 (or Google Workspace), no exceptions

Phishing-resistant MFA (authenticator app or hardware key) on every user, enforced via Conditional Access. No legacy auth. No exceptions for partners or the founder. This single control eliminates the majority of mailbox takeovers.

2. Real email security on top of native filtering

Microsoft Defender for Office 365 (Plan 2) or a layered product like Avanan, IRONSCALES, or Proofpoint Essentials, specifically configured to detect impersonation of partners, opposing counsel, and known vendors. External email banners on by default, so an "internal" spoof is visibly external.

3. A written wire transfer verification policy

Any change to wire instructions — including a "corrected" set sent via reply — requires verbal confirmation to a known phone number, not the number in the email. Trained staff. Drilled twice a year. This single policy stops most BEC losses cold.

4. Endpoint detection and response on every laptop and desktop

Including the founder's. Including the office manager's personal-feeling iMac that somehow still has client files on it. Standalone antivirus is not enough in 2026.

5. Encryption everywhere

BitLocker on every Windows laptop, FileVault on every Mac, device passcodes on every phone with email. SharePoint and OneDrive properly configured. If a device is lost, encryption is the difference between a non-event and a notification.

6. Backup that includes Microsoft 365 itself

Microsoft replicates your data; they do not back it up the way you think. Add an independent backup of mailboxes, OneDrive, SharePoint, and Teams (Veeam, Datto, Afi, etc.) with retention long enough to survive a deletion you discover months later.

7. Vendor due diligence and a written response plan

A short questionnaire for every vendor that touches client data. A one-page incident response plan with phone numbers (cyber insurance, outside counsel, IT, bank). Tested annually. Stored where someone other than the compromised user can find it.

A quick self-check for an Oklahoma firm

Take ten minutes with your managing partner and answer these:

  • Is MFA on for every M365/Workspace account, including partners and shared mailboxes?
  • What is the firm's written wire verification process, and when did staff last train on it?
  • Are all laptops encrypted? Can you prove it on a list?
  • When did someone last test a restore from your M365 backup?
  • Does your cyber insurance application match your actual controls? (Misrepresenting controls voids policies.)
  • Who would you call at 7 a.m. on a Saturday if a partner's mailbox was compromised?

If those questions raise more uncertainty than confidence, you are in good company — but the exposure is real and the fixes are tractable.

How we work with Oklahoma legal practices

Great Plains Networking works with law firms across the OKC metro on a security stack tuned for the legal threat model: MFA and Conditional Access, layered email security with impersonation protection, EDR, immutable backup of Microsoft 365, written policies that line up with Rule 1.6, and quarterly reviews. We also help with the conversation your cyber insurance carrier wants to have at renewal. More on our managed security stack here.

If you want a confidential, no-pressure review of where your firm stands, reach out for a free assessment. You will get a one-page summary, the three highest-priority gaps, and a straight answer on whether you would survive an ethics inquiry today.

Free Network Assessment

Want help putting this into practice?

We'll audit your security, speed, and hardware in under an hour — no commitment, no sales pitch. Just a clear roadmap of what to fix and why.