Man holding umbrella protecting from threats like virus, hackers, and firewall as stressed colleagues watch in office.

6 Questions Smart Law Firms Ask Their IT Provider Every Quarter

July 13, 2026

6 Questions Smart Law Firms Ask Their IT Provider Every Quarter

You have spent years building your reputation.

Clients trust you with confidential information, important deadlines, and some of the most stressful situations of their lives.

Most managing partners worry about the obvious threats: hackers, ransomware, system outages.

The bigger risk is usually quieter.

It's the assumption that everything is fine because nobody has complained recently.

That assumption is exactly how firms discover backup failures during litigation preparation, learn former employees still have access to firm systems, or find out during a cyber insurance renewal that required security controls were never implemented.

A quarterly IT review is not about discussing technology.

It is about verifying that the systems protecting your firm can withstand real-world pressure.

These are the six questions every managing partner should ask—and exactly how to judge the answers.

Question 1: What Security Risks Require Immediate Attention?

Every law firm has vulnerabilities.

The question is whether someone is actively finding them before they become expensive.

Ask your provider:

  • What are our top three security risks right now?
  • How many critical vulnerabilities are currently unresolved?
  • Are any user accounts creating unnecessary risk?
  • Have there been unusual login attempts?
  • Are all devices fully patched?

What Good Looks Like

A strong answer sounds like:

"We currently have zero critical vulnerabilities older than 30 days. Patch compliance is 98%. Multi-factor authentication is enabled for all staff. We identified 17 failed foreign login attempts last month, and all were blocked."

Red Flag Answer

"Everything looks good."

That answer provides no evidence.

If your provider cannot give measurable answers, they may not be measuring in the first place.

Question 2: Have You Tested Our Backups Recently?

Most firms ask whether backups exist.

Few ask whether recovery works.

That distinction matters.

A backup that cannot be restored is just a file taking up storage space.

Ask:

  • When was the last recovery test?
  • How long did restoration take?
  • Were matter files included?
  • Are Microsoft 365 files protected?
  • Are backup copies isolated from ransomware?

What Good Looks Like

"We performed a full restoration test last month. Critical matter files restored successfully. Recovery took 43 minutes. Immutable backup copies were verified."

Red Flag Answer

"Backups are running normally."

Running backups and tested recoverability are not the same thing.

Where This Usually Breaks

A firm preparing for a major litigation deadline needed to restore case documents after accidental deletion.

Everyone assumed recovery would be simple.

Nobody had tested restoration procedures.

The backup job had been failing silently for weeks.

The files were eventually recovered, but only after significant disruption, stress, and lost preparation time.

The lesson was simple:

You do not buy backups.

You buy recovery.

Question 3: Where Is Technology Costing Us Billable Time?

Technology rarely hurts a firm all at once.

More often it steals minutes.

An attorney waits 30 seconds for a document management system to load.

Remote access disconnects twice a week.

Teams freeze during client meetings.

SharePoint access becomes unreliable.

Individually these issues feel minor.

Collectively they become lost revenue.

Ask:

  • What are our most common support tickets?
  • What systems generate recurring complaints?
  • Which devices are nearing replacement?
  • Where are people losing time?

What Good Looks Like

A provider should identify patterns such as:

  • Login delays increasing
  • Storage performance degrading
  • Aging laptops causing recurring issues
  • Specific applications creating bottlenecks

The goal is not fixing tickets.

The goal is removing friction.

Billable hours disappear one inconvenience at a time.

Question 4: Could We Pass a Cyber Insurance Review Tomorrow?

Many firms first discover security weaknesses during insurance renewal.

That is the worst possible time.

Today, many insurers expect firms to demonstrate:

  • Multi-factor authentication
  • Endpoint detection and response
  • Security awareness training
  • Tested backups
  • Access controls
  • Incident response plans

Ask your provider:

  • Could we satisfy current insurance requirements?
  • Which controls need improvement?
  • What documentation could an insurer request?
  • Are there gaps we should address now?

What Good Looks Like

"Multi-factor authentication is enforced for all users. Security awareness training is current. Backup testing is documented quarterly. Incident response procedures were reviewed this year."

Red Flag Answer

"You should be okay."

"Should" is not a control.

Proof is.

Question 5: What Should We Budget For Before It Becomes Urgent?

Strong IT planning prevents emergency spending.

Ask:

  • Which devices are approaching end of life?
  • What warranties are expiring?
  • What software renewals are coming?
  • What security improvements should be planned now?

The best providers help firms spread costs intelligently.

The weakest providers create surprise invoices.

A quarterly review should reveal future expenses early enough that they become business decisions rather than emergencies.

Question 6: Where Are We Falling Behind?

This is the question most firms never ask.

It is also the question that separates a help desk from a true advisor.

Ask:

  • What are firms similar to ours doing that we are not?
  • Which security controls should we strengthen?
  • Are we too dependent on any one person?
  • What concerns would an outside auditor identify?

A good provider should not use fear.

They should provide clarity.

If a former employee account remains active, say so.

If backup testing is overdue, say so.

If cyber insurance expectations have changed, say so.

You cannot fix risks that nobody is willing to name.

The Law Firm IT Scorecard

Use this scorecard during every quarterly review.

Area

Green

Yellow

Red

Multi-Factor Authentication

All users protected

Partial deployment

Not enforced

Backup Testing

Quarterly restore testing

Annual testing

Never tested

Security Awareness Training

Quarterly

Annual

None

Critical Vulnerabilities

Resolved within 30 days

30-90 days

More than 90 days

Incident Response Plan

Documented and reviewed

Outdated

Missing

Former Employee Access

Removed immediately

Periodic review

No process

Patch Compliance

Above 95%

80-95%

Below 80%

If multiple categories fall into yellow or red, your next quarterly review should focus on remediation priorities rather than new projects.

Five Metrics Every Managing Partner Should Request

Ask for these numbers every quarter.

Backup Success Rate

What percentage of backup jobs completed successfully?

Recovery Time Objective (RTO)

How long would it take to restore critical systems?

Patch Compliance Percentage

What percentage of devices are fully updated?

Open Critical Vulnerabilities

How many high-risk issues remain unresolved?

Failed Login Attempts

Are suspicious authentication attempts increasing or declining?

These numbers transform IT from a black box into a business function that leadership can oversee.

Look At Your Firm Through an Outside Evaluator's Eyes

Imagine a cyber insurer, major client, or outside auditor reviewing your firm tomorrow.

They are unlikely to ask whether your technology "feels secure."

They will ask for evidence.

They may request:

  • Backup testing documentation
  • Security training records
  • Access management procedures
  • MFA enforcement records
  • Incident response plans
  • Security review reports

Firms are rarely judged by intentions.

They are judged by documentation.

The purpose of a quarterly IT review is not conversation.

The purpose is evidence.

What To Do Next Week

Schedule a 45-minute review with your IT provider.

Send these six questions before the meeting.

Then request three deliverables:

  • A written risk summary
  • Your current IT scorecard
  • The five key metrics outlined above

At the end of that meeting, you should know exactly where your firm is protected, where it is exposed, and what actions deserve attention before next quarter.

If you are unsure whether your current provider would provide clear answers to these questions, Schedule your 10 minute discovery call with 911 IT. You'll walk away with a practical framework for evaluating your firm's current level of readiness and identifying which areas deserve closer review before they become bigger problems.