6 Questions Smart Law Firms Ask Their IT Provider Every Quarter
You have spent years building your reputation.
Clients trust you with confidential information, important deadlines, and
some of the most stressful situations of their lives.
Most managing partners worry about the obvious threats: hackers,
ransomware, system outages.
The bigger risk is usually quieter.
It's the assumption that everything is fine because nobody has complained
recently.
That assumption is exactly how firms discover backup failures during
litigation preparation, learn former employees still have access to firm
systems, or find out during a cyber insurance renewal that required security
controls were never implemented.
A quarterly IT review is not about discussing technology.
It is about verifying that the systems protecting your firm can withstand
real-world pressure.
These are the six questions every managing partner should ask—and exactly
how to judge the answers.
Question 1: What Security Risks Require Immediate Attention?
Every law firm has vulnerabilities.
The question is whether someone is actively finding them before they
become expensive.
Ask your provider:
- What are our
top three security risks right now?
- How many
critical vulnerabilities are currently unresolved?
- Are any user
accounts creating unnecessary risk?
- Have there been
unusual login attempts?
- Are all devices
fully patched?
What Good Looks Like
A strong answer sounds like:
"We currently have zero critical vulnerabilities older than 30 days.
Patch compliance is 98%. Multi-factor authentication is enabled for all staff.
We identified 17 failed foreign login attempts last month, and all were
blocked."
Red Flag Answer
"Everything looks good."
That answer provides no evidence.
If your provider cannot give measurable answers, they may not be
measuring in the first place.
Question 2: Have You Tested Our Backups Recently?
Most firms ask whether backups exist.
Few ask whether recovery works.
That distinction matters.
A backup that cannot be restored is just a file taking up storage space.
Ask:
- When was the
last recovery test?
- How long did
restoration take?
- Were matter
files included?
- Are Microsoft
365 files protected?
- Are backup
copies isolated from ransomware?
What Good Looks Like
"We performed a full restoration test last month. Critical matter
files restored successfully. Recovery took 43 minutes. Immutable backup copies
were verified."
Red Flag Answer
"Backups are running normally."
Running backups and tested recoverability are not the same thing.
Where This Usually Breaks
A firm preparing for a major litigation deadline needed to restore case
documents after accidental deletion.
Everyone assumed recovery would be simple.
Nobody had tested restoration procedures.
The backup job had been failing silently for weeks.
The files were eventually recovered, but only after significant
disruption, stress, and lost preparation time.
The lesson was simple:
You do not buy backups.
You buy recovery.
Question 3: Where Is Technology Costing Us Billable Time?
Technology rarely hurts a firm all at once.
More often it steals minutes.
An attorney waits 30 seconds for a document management system to load.
Remote access disconnects twice a week.
Teams freeze during client meetings.
SharePoint access becomes unreliable.
Individually these issues feel minor.
Collectively they become lost revenue.
Ask:
- What are our
most common support tickets?
- What systems
generate recurring complaints?
- Which devices
are nearing replacement?
- Where are
people losing time?
What Good Looks Like
A provider should identify patterns such as:
- Login delays
increasing
- Storage
performance degrading
- Aging laptops
causing recurring issues
- Specific
applications creating bottlenecks
The goal is not fixing tickets.
The goal is removing friction.
Billable hours disappear one inconvenience at a time.
Question 4: Could We Pass a Cyber Insurance Review Tomorrow?
Many firms first discover security weaknesses during insurance renewal.
That is the worst possible time.
Today, many insurers expect firms to demonstrate:
- Multi-factor
authentication
- Endpoint
detection and response
- Security
awareness training
- Tested backups
- Access controls
- Incident
response plans
Ask your provider:
- Could we
satisfy current insurance requirements?
- Which controls
need improvement?
- What
documentation could an insurer request?
- Are there gaps
we should address now?
What Good Looks Like
"Multi-factor authentication is enforced for all users. Security
awareness training is current. Backup testing is documented quarterly. Incident
response procedures were reviewed this year."
Red Flag Answer
"You should be okay."
"Should" is not a control.
Proof is.
Question 5: What Should We Budget For Before It Becomes Urgent?
Strong IT planning prevents emergency spending.
Ask:
- Which devices
are approaching end of life?
- What warranties
are expiring?
- What software
renewals are coming?
- What security
improvements should be planned now?
The best providers help firms spread costs intelligently.
The weakest providers create surprise invoices.
A quarterly review should reveal future expenses early enough that they
become business decisions rather than emergencies.
Question 6: Where Are We Falling Behind?
This is the question most firms never ask.
It is also the question that separates a help desk from a true advisor.
Ask:
- What are firms
similar to ours doing that we are not?
- Which security
controls should we strengthen?
- Are we too
dependent on any one person?
- What concerns
would an outside auditor identify?
A good provider should not use fear.
They should provide clarity.
If a former employee account remains active, say so.
If backup testing is overdue, say so.
If cyber insurance expectations have changed, say so.
You cannot fix risks that nobody is willing to name.
The Law Firm IT Scorecard
Use this scorecard during every quarterly review.
|
Area |
Green |
Yellow |
Red |
|
Multi-Factor Authentication |
All users protected |
Partial deployment |
Not enforced |
|
Backup Testing |
Quarterly restore testing |
Annual testing |
Never tested |
|
Security Awareness Training |
Quarterly |
Annual |
None |
|
Critical Vulnerabilities |
Resolved within 30 days |
30-90 days |
More than 90 days |
|
Incident Response Plan |
Documented and reviewed |
Outdated |
Missing |
|
Former Employee Access |
Removed immediately |
Periodic review |
No process |
|
Patch Compliance |
Above 95% |
80-95% |
Below 80% |
If multiple categories fall into yellow or red, your next quarterly
review should focus on remediation priorities rather than new projects.
Five Metrics Every Managing Partner
Should Request
Ask for these numbers every quarter.
Backup Success Rate
What percentage of backup jobs completed successfully?
Recovery Time Objective (RTO)
How long would it take to restore critical systems?
Patch Compliance Percentage
What percentage of devices are fully updated?
Open Critical Vulnerabilities
How many high-risk issues remain unresolved?
Failed Login Attempts
Are suspicious authentication attempts increasing or declining?
These numbers transform IT from a black box into a business function that
leadership can oversee.
Look At Your Firm Through an Outside Evaluator's Eyes
Imagine a cyber insurer, major client, or outside auditor reviewing your
firm tomorrow.
They are unlikely to ask whether your technology "feels
secure."
They will ask for evidence.
They may request:
- Backup testing
documentation
- Security
training records
- Access
management procedures
- MFA enforcement
records
- Incident
response plans
- Security review
reports
Firms are rarely judged by intentions.
They are judged by documentation.
The purpose of a quarterly IT review is not conversation.
The purpose is evidence.
What To Do Next Week
Schedule a 45-minute review with your IT provider.
Send these six questions before the meeting.
Then request three deliverables:
- A written risk
summary
- Your current IT
scorecard
- The five key
metrics outlined above
At the end of that meeting, you should know exactly where your firm is
protected, where it is exposed, and what actions deserve attention before next
quarter.
If you are unsure whether your current provider would provide clear
answers to these questions, Schedule your 10 minute discovery call with 911 IT.
You'll walk away with a practical framework for evaluating your firm's current
level of readiness and identifying which areas deserve closer review before
they become bigger problems.
