Skip to main content
Law Firm ITManaged IT ServicesCybersecurityVendor Selection

How to Choose a Managed IT Provider for Your Law Firm

· By Ashkaan Hassan

The Short Answer

A law firm should choose a managed IT provider the same way it would choose outside counsel for a high-stakes matter: verify competence, test judgment, inspect the working process, and look for evidence that the provider understands confidentiality, deadlines, and risk. The right MSP is not simply the company that answers tickets. It is the operating partner responsible for keeping email, documents, billing systems, remote work, cybersecurity controls, backups, phones, vendors, and incident response reliable enough for legal work.

For a small-to-midsize Los Angeles firm, the best MSP will usually have these traits:

  • A clear onboarding process that starts with discovery, documentation, risk review, and a prioritized remediation plan.
  • Specific experience with law firms or adjacent professional-services environments where confidentiality and deadlines matter.
  • Strong Microsoft 365, identity, endpoint security, backup, and compliance capabilities.
  • Practical cybersecurity aligned to recognized frameworks, not vague promises.
  • Plain-English reporting that a managing partner can use to make decisions.
  • Contract language that defines ownership of data, documentation, credentials, response expectations, offboarding, and responsibilities.

The wrong MSP will sell tools before understanding your firm, avoid documentation, treat cybersecurity as an optional add-on, refuse to explain how backups are tested, or make your firm dependent on undocumented systems only they control.

This matters because law firms are not ordinary small businesses. They hold privileged communications, settlement strategy, employment records, financial data, intellectual property, medical records, production deal terms, celebrity or executive correspondence, and litigation materials. The State Bar of California has made clear that lawyers’ duties of confidentiality and competence extend to technology choices and electronic client information, including breach response obligations in Formal Opinion No. 2020-203. Your IT provider is part of how the firm satisfies those duties.

Start With The Risk Profile Of Your Firm

Before comparing MSPs, define what the provider must protect. A litigation boutique, entertainment-law firm, employment firm, estate-planning practice, and corporate transactional firm may all need managed IT, but their risk profiles differ.

Ask yourself:

  • What client data would cause the most harm if exposed?
  • Which matters involve regulated data, minors, celebrities, executives, trade secrets, medical information, or financial records?
  • How dependent is the firm on Microsoft 365, iManage, NetDocuments, Clio, PracticePanther, Worldox, QuickBooks, Adobe, DocuSign, RingCentral, Zoom, or industry-specific platforms?
  • How quickly must attorneys recover email, documents, phones, and remote access after an outage?
  • Which courts, clients, insurers, or outside counsel guidelines impose security requirements?
  • Does the firm allow personal devices, remote work, shared mailboxes, file sharing, or AI tools?

The MSP should help translate these answers into technical requirements. If the provider starts with a generic package before asking about practice areas, client obligations, courts, discovery, remote work, and line-of-business applications, that is a warning sign.

Law firms are also moving more work into cloud systems. The ABA reported that 73% of law firms used cloud-based legal tools in its recent Legal Technology Survey coverage, while 60% reported formal cybersecurity policies according to the ABA. Those figures point to a practical reality: the MSP you choose must understand both cloud productivity and law-firm security governance.

What A Law-Firm MSP Should Actually Own

A managed IT provider for a law firm should not be a vague help desk with a remote monitoring tool. It should own a defined operating model. During vetting, ask each provider to map its responsibilities across these areas:

Area You Are EvaluatingWhat A Strong MSP Should ProvideRed Flag
Identity and accessMFA, conditional access, role-based access, prompt removal of departed users, admin account controlsEveryone has broad access, or departures are handled manually with no checklist
Microsoft 365Secure configuration, mailbox protection, retention guidance, Teams and SharePoint governance, licensing reviewThe MSP only resets passwords and does not review tenant security settings
Endpoint managementManaged patching, device encryption, EDR, inventory, remote wipe, laptop lifecycle trackingUnknown devices can access firm email and files
Backup and recoveryDocumented backup scope, restore testing, recovery priorities, separation from production accountsThe provider says backups are running but cannot show restore evidence
Legal applicationsVendor coordination, updates, access control, matter-centric workflows, support escalationThe MSP blames the software vendor and leaves the firm to coordinate fixes
CybersecurityBaseline controls, risk register, incident response support, user training, security reportingSecurity is described only as antivirus and spam filtering
DocumentationNetwork map, asset list, vendor list, admin access inventory, standard proceduresThe provider keeps knowledge in technician memory
Executive reportingPlain-English risk, service, project, and roadmap updatesReports are tool screenshots with no business interpretation

This ownership model is especially important in Southern California, where firms may support hybrid work across Los Angeles, Orange County, the Valley, the Westside, Downtown, Century City, Burbank, and client sites. A provider should be able to support attorneys who are in court, traveling, working from home, or joining high-stakes client calls without treating every request as an exception.

The Questions To Ask Before You Sign

Use these questions in the first serious sales conversation. Do not wait until contract review to discover how the MSP actually operates.

Law-firm experience

Ask: “Which legal or professional-services environments do you support, and what are the most common IT risks you see in firms like ours?”

A good answer will mention confidentiality, conflicts around access, email security, document management, remote work, litigation deadlines, e-discovery data handling, client security questionnaires, cyber insurance, and vendor coordination. A weak answer will sound like a generic small-business pitch.

Assessment process

Ask: “What do you review before making recommendations?”

Look for discovery of Microsoft 365, endpoints, network equipment, backups, identity controls, vendors, domain/DNS, line-of-business systems, cybersecurity controls, contracts, administrative access, and prior incidents. If they can quote a scope before understanding the environment, they may be guessing.

Security baseline

Ask: “What controls do you consider non-negotiable for a law firm?”

A credible baseline should include MFA, least-privilege admin access, managed endpoint detection and response, patching, email protection, DNS or web filtering, encryption, backup, recovery testing, security awareness, logging, conditional access, and an incident response path. The provider does not need to bury you in jargon, but it should be able to explain why each control matters.

Framework alignment

Ask: “Which cybersecurity framework informs your recommendations?”

You are not looking for a ceremonial binder. You are looking for structured thinking. NIST Cybersecurity Framework 2.0 organizes cybersecurity around six functions: Govern, Identify, Protect, Detect, Respond, and Recover per NIST. A practical MSP should be able to use that kind of structure to show where your firm is strong, where it is exposed, and what should be fixed first.

Backup proof

Ask: “When was the last successful restore test, and what exactly was restored?”

The answer should distinguish between backing up Microsoft 365, local servers, cloud applications, laptops, databases, file shares, and legal applications. Backup without restore testing is hope, not resilience.

Incident response

Ask: “What happens if we suspect a compromised mailbox, ransomware, or stolen laptop?”

The MSP should explain escalation, containment, preservation of evidence, client communication support, cyber insurance coordination, outside forensic counsel coordination, and post-incident remediation. Verizon’s recent DBIR coverage reports that 48% of breaches involved ransomware according to Verizon, so this is not an abstract question.

Vendor management

Ask: “Will you coordinate with our practice-management, document-management, copier, internet, phone, e-discovery, and cybersecurity insurance vendors?”

The answer should be yes, with boundaries. Your managing partner or office administrator should not have to translate between every vendor when systems fail.

Reporting cadence

Ask: “What will we review with you on a recurring basis?”

The provider should discuss open risks, service patterns, projects, endpoint status, security posture, backup status, user changes, licensing waste, and roadmap decisions. Reports should help the firm decide, not merely prove that tools exist.

Red Flags That Should Stop The Process

Some warning signs are serious enough that you should pause or end the evaluation.

They cannot explain your data ownership. Your firm should own its data, tenant, domains, documentation, backups, and administrative access. The MSP may manage these assets, but it should not trap you inside accounts you cannot control.

They resist documentation. If the provider says documentation is internal only and cannot be shared in a usable offboarding package, expect pain later. A law firm should have access to an asset inventory, vendor list, administrative-access inventory, network overview, backup scope, and standard operating notes.

They treat MFA as optional. For law firms, MFA is table stakes. If a provider is casual about identity protection, it is not ready to protect privileged information.

They oversell AI without governance. AI tools can help with drafting, intake, search, summarization, and operations, but client confidentiality, privilege, retention, and access controls still matter. A provider talking about AI agents before discussing data boundaries, permissions, logging, and approved tools is skipping the hard part.

They cannot describe backup scope. “You are backed up” is not enough. What systems? How often? Where? Under whose credentials? How are restores tested? What happens if the Microsoft 365 tenant, local server, or laptop fleet is unavailable?

They have no incident process. A real incident process includes triage, containment, communication, evidence preservation, insurance coordination, recovery, and lessons learned. If the answer is “call our help desk,” the provider is not prepared.

They make security sound like a product bundle. Cybersecurity is not a bag of tools. It is a set of managed outcomes: reduced unauthorized access, faster detection, recoverable systems, controlled privileges, safer users, and documented response.

They avoid contract specifics. Vague service promises create future disputes. You want clarity on response expectations, exclusions, after-hours support, onboarding, offboarding, data ownership, confidentiality, subcontractors, insurance, and change approval.

They cannot speak to California legal duties. The MSP does not need to practice law, but it should understand that California lawyers have confidentiality and competence obligations around technology. The State Bar’s technology ethics resource page exists because technology choices now sit inside professional responsibility as the State Bar explains.

How To Evaluate The Proposal

A strong MSP proposal should read like a risk and operations plan, not a shopping cart. Review it for these elements:

  • Scope clarity: Which users, offices, devices, systems, cloud services, and vendors are included?
  • Security baseline: Which controls are included from the start, and which are recommended projects?
  • Onboarding plan: What happens during discovery, documentation, tool deployment, account cleanup, backup validation, and user communication?
  • Governance rhythm: How often will leadership review risk, support trends, roadmap items, and projects?
  • Support model: How do users request help, how are urgent issues escalated, and what happens after hours?
  • Project handling: How are migrations, office moves, new systems, and security improvements scoped and approved?
  • Offboarding rights: What does the firm receive if it leaves the MSP?

Be cautious with proposals that look simple because they omit hard work. The most common omissions are onboarding labor, legacy cleanup, backup gaps, identity hardening, documentation, vendor coordination, security monitoring, and project governance. Those omissions do not make the risk disappear; they push it into the future.

Also distinguish predictable managed support from reactive break-fix work. Break-fix can appear simpler because it waits until something fails. Managed IT should reduce the number of surprises by maintaining systems, monitoring risk, standardizing devices, documenting the environment, and planning ahead. For a law firm, the value is not only fewer tickets. It is fewer preventable interruptions during filings, closings, negotiations, depositions, trials, client calls, payroll, billing, and conflict-sensitive work.

The Law-Firm-Specific Security Baseline To Require

A managing partner does not need to become a security engineer, but you should know what a credible baseline looks like. Ask each MSP whether these controls are present, planned, or out of scope.

Identity controls: MFA for all users, separate administrator accounts, conditional access, disabled legacy authentication, controlled guest access, fast deprovisioning, and periodic access reviews.

Endpoint controls: Managed patching, encryption, EDR, screen lock policies, local admin restrictions, device inventory, and remote wipe for lost or stolen laptops.

Email and collaboration controls: Anti-phishing protection, safe attachment and link handling where available, external sender warnings, mailbox auditing, secure sharing rules, and review of forwarding rules.

Data protection: Backup coverage for critical systems, documented retention expectations, restore testing, immutable or separated backups where appropriate, and clear recovery priorities.

Network controls: Business-grade firewall, secure Wi-Fi segmentation, guest network separation, VPN or modern secure access where needed, and documented internet failover options when the firm’s tolerance requires it.

User process: Security awareness, simulated phishing where appropriate, new-hire and departure checklists, device return procedures, and approval workflow for new software.

Incident readiness: Written response procedure, cyber insurance contact path, outside counsel or forensic escalation options, evidence-preservation awareness, and post-incident review.

The point is not perfection on day one. The point is visibility and prioritization. The MSP should be able to say: here is what you have, here is what is missing, here is what is urgent, here is what can wait, and here is the business reason.

Fit Matters More Than Tool Count

Many MSPs use similar categories of tools. The difference is how they operate. For a law firm, fit shows up in the details.

A good provider understands that attorneys may be impatient with clunky security if it blocks client work, so the provider designs controls that are strong and usable. It knows that a partner’s mailbox may contain privileged communications and settlement strategy, so mailbox compromise is an urgent legal-risk event, not an ordinary password reset. It knows that a document-management outage before a filing deadline is different from a minor printer issue. It knows that entertainment-law and professional-services firms in Los Angeles often work with high-profile clients, outside business managers, studios, agencies, production companies, accountants, and opposing counsel, so secure collaboration is part of daily operations.

Ask for examples of judgment:

  • How would you handle a partner who wants to use an unapproved AI tool with client documents?
  • How would you secure a shared assistant workflow without everyone knowing everyone else’s passwords?
  • How would you support a departing attorney while preserving firm data and avoiding overbroad access?
  • How would you manage access for contract attorneys, experts, co-counsel, or temporary staff?
  • How would you prepare the firm for a cyber insurance renewal questionnaire?

The best answers will balance security, ethics, workflow, and practicality. The worst answers will be absolute, vague, or tool-first.

A Simple Vetting Scorecard

Use this scorecard after each vendor conversation. Rate each area as strong, acceptable, weak, or unknown.

Evaluation AreaWhat Strong Looks LikeWhat Weak Looks Like
Legal-sector understandingDiscusses confidentiality, deadlines, document workflows, client requirements, and attorney behaviorTalks only about generic computers and tickets
Discovery processReviews systems, users, vendors, risk, backups, identity, and documentation before final recommendationsProvides a generic scope with little investigation
Cybersecurity maturityUses a recognized framework, explains priorities, and separates controls from projectsSells security as a vague bundle
Microsoft 365 competenceCan explain identity, email security, Teams, SharePoint, retention, and admin controlsFocuses only on mailbox setup
Backup and recoveryDefines backup scope and proves restore testingCannot show what would actually recover
CommunicationGives plain-English risk guidance to leadershipSends technical noise without decisions
Contract clarityDefines scope, responsibilities, offboarding, confidentiality, and escalationUses vague promises and unclear exclusions
Cultural fitRespects attorneys’ time while enforcing standardsEither says yes to everything or blocks work without explanation

After scoring, ask one final question: “Would we trust this provider in the first hour of a serious incident?” If the answer is no, keep looking.

Final Recommendation For LA Law Firms

Choose the MSP that can prove operational discipline before it promises transformation. The provider should understand legal confidentiality, support hybrid Los Angeles work patterns, secure Microsoft 365, coordinate vendors, document your environment, test backups, and help leadership make risk decisions in plain English.

Do not choose based on friendliness alone. Do not choose based on tool count alone. Do not choose based on the shortest proposal. Choose the provider whose process would still hold up during a missed filing scare, compromised mailbox, departed employee, ransomware attempt, office move, client audit, or insurance renewal.

We Solve Problems is a Los Angeles managed IT services provider serving small and mid-size Southern California businesses, with particular depth in entertainment-law and professional-services environments. If your firm wants a practical review of its IT, cybersecurity, Microsoft 365, and compliance posture before choosing an MSP, request a consultation through /contact.