Professional services firms hold some of the most sensitive client information. Whether you're a law firm with privileged communications, a CPA with tax records, or a consulting firm with proprietary client data—you have ethical and often legal obligations to protect it.
| Profession | Key Requirements |
|---|---|
| Law Firms | ABA Model Rule 1.6 (competent technology use), client confidentiality |
| CPA Firms | FTC Safeguards Rule, IRS Pub 4557, AICPA standards |
| Consultants | Client contract requirements, NDA protections |
| Marketing/PR | Client data protection, social media account security |
Client Data Protection
Secure Client Communications
- Encrypted email for sensitive client communications
- Secure client portal for document sharing
- Large file transfers via secure methods (not regular email)
- Confidential client information kept out of email subject lines
- Email retention policies aligned with professional requirements
Document & File Security
- Client matter files access-controlled by matter/engagement
- Document management system with audit logging
- Version control for critical client documents
- Clean desk policy for physical files
- Secure document disposal (shredding, certified destruction)
Remote Work Security
Work-from-Anywhere Protection
- VPN required for remote access to firm systems
- Home WiFi security guidance provided to staff
- Firm-owned or approved devices only for client work
- Screen privacy when working in public spaces
- Voice/video calls in private spaces (not public cafes)
- Client data not stored on personal devices
Law Firm Alert: ABA Formal Opinion 477R requires lawyers to take "reasonable efforts" to prevent unauthorized access to client communications. "I'm not a tech person" is not a defense to ethics violations.
Core IT Security Controls
Access & Authentication
- Multi-factor authentication on all accounts
- MFA on practice management / billing software
- MFA on email and cloud storage
- Strong passwords (16+ characters) or passphrases
- Password manager deployed firm-wide
- Unique credentials for each staff member
- Immediate access termination for departing staff
Endpoint Protection
- EDR (Endpoint Detection & Response) on all devices
- Full-disk encryption on laptops
- Mobile device management for phones/tablets
- Automatic OS and application updates
- USB/removable media controls
Backup & Business Continuity
- Client files backed up with 3-2-1-1 strategy
- Practice management database backed up
- Billing/accounting data protected
- Backup restore tested monthly
- Business continuity plan for IT outages
Vendor & Third-Party Security
- Cloud vendors vetted for security (SOC 2 reports)
- Client data location known (not stored internationally without consent)
- Vendor access to client data documented
- SaaS application inventory maintained
- Shadow IT policy in place (no unapproved apps)
Pro Tip: Many malpractice insurers now require specific cybersecurity controls. Review your policy for requirements—failure to meet them could void coverage.
IT for Professional Services Firms
Sabre IT Services understands the unique needs of professional services firms. We help Columbus-area law firms, CPAs, and consultants protect client data while keeping their practices running smoothly.