
Cybersecurity for a 10-person law firm, the minimum viable stack

Practical, no-buzzword guide to the minimum cybersecurity controls a 10-attorney Louisiana law firm should have in place in 2026.

The Minimum Viable Cybersecurity Stack for a 10-Person Law Firm

If you are a managing partner or office administrator at a small law firm, you are already stretched thin. Cybersecurity can feel like just another item on a long list of things you do not have time for. The truth is, a 10-person firm holds the same kind of sensitive data a 200-person firm does (client documents, trust account information, confidential communications), and attackers know it. The good news is you do not need a full-time IT department to defend against most of what is out there. You just need the right stack and a few habits.

Here is what "minimum viable" looks like for a firm in this size range, in plain terms.

1. Endpoint Detection and Response (EDR)

EDR is the modern replacement for traditional antivirus. Where AV looks for known signatures, EDR watches behavior on every device and can isolate a machine the moment something looks wrong. A 10-person firm needs this because one infected laptop is enough to put client data at risk. Good enough at this size: an EDR that provides real-time alerts, automatic containment, and a log you (or your IT partner) can review. You do not need a full enterprise SIEM yet.

2. Multi-Factor Authentication (MFA), everywhere

MFA is the single most effective control you can deploy. It should be required for email, file storage, document management, your billing system, and any portal that stores client data. A stolen password is the single most common path into a firm your size. Good enough: app-based MFA (Microsoft Authenticator, Duo, or Authy) on every system that touches client data. SMS is acceptable on accounts that do not have an authenticator option.

3. Real Email Phishing Protection

Microsoft Defender for Office 365, included with M365 Business Premium, catches a lot, but in our experience it is not enough on its own for a firm. You want a layer that actively scores inbound mail, sandboxes attachments, and rewrites links so that even a clicked-on URL is checked again at click time. Phishing is the leading cause of breaches in firms this size. Good enough: a third-party email security gateway, or an enhanced M365 policy with Safe Links and Safe Attachments enabled and tuned.
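As an added example (not Lagniappe IT's own configuration), this is what the "enhanced M365 policy" option looks like when set up from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module, a tenant that includes Defender for Office 365 (Business Premium does), and uses "lawfirm.example" as a placeholder for the firm's accepted domain.

```powershell
# Added example: enable and tune Safe Links and Safe Attachments with
# Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module and
# a Defender for Office 365 license. "lawfirm.example" is a placeholder.
Connect-ExchangeOnline

$domain = "lawfirm.example"   # placeholder, replace with the firm's domain

# Safe Links: rewrite URLs in mail, Teams and Office files and re-check them
# at click time; hold delivery until the scan finishes; no click-through on
# a blocked warning page.
New-SafeLinksPolicy -Name "Firm Safe Links" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name "Firm Safe Links" `
    -SafeLinksPolicy "Firm Safe Links" `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox and block the message
# outright when the attachment turns out to be malicious.
New-SafeAttachmentPolicy -Name "Firm Safe Attachments" `
    -Enable $true `
    -Action Block

New-SafeAttachmentRule -Name "Firm Safe Attachments" `
    -SafeAttachmentPolicy "Firm Safe Attachments" `
    -RecipientDomainIs $domain

# Confirm what is actually in force before closing the session.
Get-SafeLinksPolicy -Identity "Firm Safe Links" |
    Format-List Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough
Get-SafeAttachmentPolicy -Identity "Firm Safe Attachments" |
    Format-List Name, Enable, Action
```

The last two commands matter as much as the first four: "enabled and tuned" means you can show, from the tenant itself, which settings are on. Keep that output with your WISP.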

4. Documented Backups With Tested Restores

OneDrive and Google Drive are sync, not backup. They will happily replicate a ransomware-encrypted file across every device. You need a documented backup system that takes immutable, off-site, encrypted copies of your data, and you need to test a restore, on a calendar, at least quarterly. A 10-person firm needs this because both ransomware and human error can wipe out your case files in seconds. Good enough: a backup product that supports immutability, retains 30 to 90 days of history, and has been proven by a real test restore that is documented in writing.
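"Proven by a real test restore in writing" is easier to keep up when the proof writes itself. The script below is an added example, not part of any backup product: it assumes the backup tool has already restored a sample of matter files to a scratch location, compares every restored file against the live copy by SHA-256, appends one CSV row per file to a record you keep with the WISP, and returns a summary object. All paths are placeholders.

```powershell
# Added example: verify a quarterly test restore and keep a dated record.
# Assumes the backup product has restored a sample set to $RestoredPath.
function Test-RestoreIntegrity {
    param(
        [Parameter(Mandatory)][string]$SourcePath,    # live copy of the sample set
        [Parameter(Mandatory)][string]$RestoredPath,  # where the backup was restored to
        [Parameter(Mandatory)][string]$RecordPath     # CSV that serves as the written proof
    )

    $SourcePath   = (Resolve-Path $SourcePath).Path
    $RestoredPath = (Resolve-Path $RestoredPath).Path
    $stamp        = (Get-Date).ToString("s")

    $results = @(foreach ($file in Get-ChildItem -Path $SourcePath -Recurse -File) {
        # Path of the file relative to the sample root, e.g. "Smith v. Jones\complaint.pdf"
        $relative = $file.FullName.Substring($SourcePath.Length + 1)
        $restored = Join-Path $RestoredPath $relative

        $status = if (-not (Test-Path -LiteralPath $restored)) {
            "MISSING"       # backup did not contain the file at all
        } elseif ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -ne
                  (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash) {
            "MISMATCH"      # restored, but content differs from the live copy
        } else {
            "OK"
        }

        [pscustomobject]@{ Tested = $stamp; File = $relative; Status = $status }
    })

    # One row per file, appended so the CSV accumulates every quarter's run.
    $results | Export-Csv -Path $RecordPath -NoTypeInformation -Append

    $failed = @($results | Where-Object Status -ne "OK")
    [pscustomobject]@{
        Tested      = $stamp
        FilesTested = $results.Count
        Failures    = $failed.Count
        Passed      = ($failed.Count -eq 0)
    }
}

# Usage (placeholder paths). Run on the calendar date and file the CSV with the WISP.
Test-RestoreIntegrity -SourcePath   "D:\Matters\RestoreSample" `
                      -RestoredPath "E:\RestoreTest\Matters\RestoreSample" `
                      -RecordPath   "D:\Compliance\restore-tests.csv"
```

A "MISSING" or "MISMATCH" row is the whole point of the exercise: it is far better to find out in a scheduled test that the backup is not capturing a folder than to find out during a ransomware incident. Note that this checks content, not the retention or immutability settings on the backup target, which still need to be reviewed in the product itself.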

5. Security Awareness Training, on a Cadence

People are the weakest link in any cybersecurity strategy, and yelling at staff about phishing once a year does not change that. Regular, short, scenario-based training plus simulated phishing tests gives you measurable results. Good enough: monthly five-minute training and a quarterly simulated phishing campaign with reporting. The metric to watch is click rate over time, not completion rate.

6. Conditional Access and Device Compliance

Conditional access ensures that only enrolled, compliant devices can reach client data. It blocks logins from countries you do not operate in, enforces device encryption, and refuses to authenticate from a jailbroken phone. This is M365 Business Premium territory, which most firms this size already license but rarely fully configure. Good enough: a written conditional access policy that requires compliant devices for sensitive apps and blocks legacy authentication.
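As an added example (not Lagniappe IT's policy set), here are the two policies the "good enough" line describes, created with the Microsoft Graph PowerShell SDK (Microsoft.Graph module). Both are created in report-only mode so you can review the sign-in log for what they would have blocked before enforcing them. "<break-glass-group-id>" is a placeholder for the object ID of an emergency-access group that every policy should exclude; without that exclusion a mistake in a policy can lock the whole firm out.

```powershell
# Added example: the two conditional access policies from the section, created
# via Microsoft Graph PowerShell. Assumes the Microsoft.Graph module and an
# account allowed to write conditional access policy. Placeholder group ID below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroup = "<break-glass-group-id>"   # placeholder: emergency-access group object ID

# Policy 1: block legacy authentication. These protocols cannot do MFA, so
# they are the route a stolen password takes around MFA.
$blockLegacy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = legacy protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require an Intune-compliant device (encryption, no jailbreak, etc.)
# for the Office 365 app group, which covers Exchange, OneDrive and SharePoint.
$requireCompliant = @{
    displayName   = "Require compliant device for Office 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant

# Review what now exists and its state; this listing is what a "written
# conditional access policy" should be reconciled against.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The country block mentioned above is a third policy of the same shape: it needs a country named location (created with New-MgIdentityConditionalAccessNamedLocation) listed under conditions.locations, and is not shown here. Whatever the policies are, the written version of them should match the output of that final Get command, and the exclusion group should contain only the break-glass accounts.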

7. Managed Detection and Response (MDR) / SOC Partner

A 10-person firm cannot staff a 24/7 security team and should not try. An MDR partner gives you that coverage as a service. Lagniappe IT uses Huntress for this layer. The model: their SOC analysts watch your environment around the clock, triage alerts, and contain or call you when something needs human judgment, even at 3am on a Sunday. A 10-person firm needs this because attackers do not wait for office hours. Good enough: an MDR with verified containment capability and a clear incident escalation path to a human you can reach.

8. Written WISP and Incident Response Runbook

A Written Information Security Plan documents how your firm protects data and what happens when something goes wrong. Many state ethics rules and several federal regimes require some version of this. The point of having one in writing is twofold: it forces you to actually decide on the controls, and it gives your incident response a starting point that does not depend on improvisation under stress. Good enough: a 5 to 10 page WISP and a one-page runbook listing who calls whom in what order on the day of a breach.

Compliance and the Louisiana Bar Context

The Louisiana State Bar Association and ABA Model Rules expect attorneys to take reasonable steps to protect client information, and what counts as "reasonable" has been climbing every year. You do not need to be a cybersecurity expert. You need to take demonstrable, documented steps. The eight items above are about as close to a defensible baseline as you can get in 2026 for a firm this size, and most of the cost goes into the MDR partner and the M365 license tier, not into the tools that make headlines.

Final Thoughts

Cybersecurity for a 10-person law firm is not about buying the latest tool or hiring a CISO. It is about building a stack that fits your firm, documenting it, and keeping it honest. You will not be perfect. You will be defensible. At Lagniappe IT, we help firms in your size range build and operate exactly this stack every day. If you would like a clearer picture of where your firm currently stands, we offer a free 30-minute assessment. No pressure, just practical steps.

Have questions about your environment?

We offer a free 30-minute assessment for businesses in St. Tammany Parish and Greater New Orleans. No pressure, no proposal pushed across the table.
