I've assessed a lot of small office networks. And I'll tell you something that might surprise you: most of them have the same five problems. Not variations of the same problems — the exact same problems, almost every time.
That's actually good news. It means if you fix these five things, you're already ahead of the majority of small law firms in San Antonio. It also means a breach, if one happens, was almost certainly preventable.
Here's what I find — and what you should check right now.
Default credentials still on network devices
Your router, your wireless access point, your network switch — every one of these shipped from the factory with a default username and password. Usually something like admin/admin or admin/password. These are publicly listed in manufacturer documentation anyone can Google.
When I run a basic network scan on a new client's office, more often than not I find at least one device still using default credentials. Sometimes it's the router. Sometimes it's a printer with a web interface. Sometimes it's an old wireless access point someone forgot was even still active.
An attacker on your network — or sometimes even from outside it — can log into that device and redirect all your internet traffic, intercept emails, or use your network as a launchpad for deeper attacks. All without triggering a single alert.
The fix
Log into every network device in your office and change the admin password to something unique, at least 16 characters, that isn't written on a sticky note on the device itself. If you don't know how to access your devices or don't know what devices you even have — that's exactly what a Tier 1 audit is for.
No separation between staff Wi-Fi and guest Wi-Fi
If a client, vendor, or delivery person connects to the same Wi-Fi network your staff uses, they can potentially see your internal devices, shared drives, and printers.
The problem here is a lack of network segmentation. Your internal network and any guest network should be completely isolated from each other using a VLAN (Virtual Local Area Network), with the router or firewall configured to block traffic between the two; a VLAN that the router still routes across provides no isolation. When they're not separated, your network is essentially one flat space where any connected device can talk to any other.
Most modern routers support guest networks, but "guest network" in consumer router settings doesn't always mean properly isolated. I've seen plenty of offices that thought they had separation but didn't.
The fix
Verify that your guest network is actually isolated. If you're not sure, the easiest test is to connect a phone to your guest network and see if you can access your office printer or any shared drives. If you can — it's not isolated.
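The isolation test above, generalized into a small script (an added example, not code from the original post): run it from a laptop joined to the guest SSID, and it attempts a TCP connection to each internal service you list and reports anything that answers. The addresses and ports in the inventory are constructed placeholders; replace them with your own printer and file server.

```python
"""Guest Wi-Fi isolation check.

Run from a device on the *guest* network. Every internal service listed
should be unreachable; any successful connection means the guest network
is not actually segmented from the staff LAN.
"""
import socket
from typing import Iterable, Tuple

# Constructed example inventory (hypothetical addresses). Replace with the
# real IPs of your own printer, file server, NAS, etc.
INTERNAL_SERVICES = [
    ("192.168.1.20", 9100, "office printer (raw print port)"),
    ("192.168.1.20", 631, "office printer (IPP)"),
    ("192.168.1.10", 445, "file server (SMB share)"),
]


def is_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Timeout, connection refused, or no route: treated as unreachable,
        # which is the result we want to see from the guest network.
        return False


def check_isolation(services: Iterable[Tuple[str, int, str]],
                    timeout: float = 2.0) -> dict:
    """Probe each listed service and return the ones that answered.

    'isolated' is True only when nothing on the staff LAN was reachable.
    """
    reachable = [
        (host, port, label)
        for host, port, label in services
        if is_reachable(host, port, timeout)
    ]
    return {"reachable": reachable, "isolated": not reachable}


if __name__ == "__main__":
    result = check_isolation(INTERNAL_SERVICES)
    for host, port, label in result["reachable"]:
        print(f"REACHABLE from guest Wi-Fi: {label} at {host}:{port}")
    print("Guest network isolated:", result["isolated"])
```

A clean pass only shows that the listed services are blocked; repeat it after any router or firmware change, since vendor updates sometimes reset guest-network settings.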
Outdated firmware on routers and access points
Network device firmware is software. Software has vulnerabilities. Manufacturers release firmware updates to patch those vulnerabilities. Most small offices never update their router firmware — ever.
I regularly find routers running firmware that's two, three, sometimes five years out of date. In the security world, that's an eternity. Some of those outdated versions have publicly known vulnerabilities with working exploits that any moderately skilled attacker can use.
A vulnerability called CVE-2022-26376 affected certain ASUS routers and allowed attackers to execute code on the device remotely. A firmware update was available. Most affected routers never got it.
The fix
Log into your router's admin interface and check the current firmware version. Then go to the manufacturer's website, look up your model, and see if a newer version exists. If your router is more than 5 years old and no longer receiving updates — it's time to replace it. Budget $150-300 for a business-grade replacement.
Staff using personal devices with no policy
Someone on your team is checking firm email on their personal phone. Maybe they're also accessing client files from a home laptop. That personal device almost certainly has no endpoint protection, no remote wipe capability, and no management oversight.
Under ABA Rule 1.6, you have an obligation to make reasonable efforts to prevent unauthorized disclosure of client information. A paralegal accessing client files from a personal laptop with outdated Windows and no antivirus is a direct violation of that standard — and you'd be hard-pressed to argue otherwise if it led to a breach.
The fix
At minimum, create a written Acceptable Use Policy that defines what devices can access firm data and under what conditions. It doesn't need to be 20 pages. A one-page document that staff sign acknowledging the rules is a meaningful start and demonstrates reasonable effort.
No multi-factor authentication on email
This one is the most preventable and the most damaging when it goes wrong. If your firm uses Microsoft 365 or Google Workspace without MFA enabled, a single compromised password gives an attacker full access to every email, every attachment, every client communication — going back years.
Business email compromise (BEC) is consistently one of the most costly cybercrimes targeting small professional firms. The attack is simple: someone gets your password through phishing or a data breach, logs into your email, and either steals information or impersonates you to commit fraud. MFA stops this cold even if the password is compromised.
The FBI's Internet Crime Report shows BEC losses averaging over $120,000 per incident for small businesses. MFA is free in Microsoft 365 and Google Workspace. There is no excuse not to have it enabled.
The fix
Log into your Microsoft 365 or Google Workspace admin panel today and enable MFA for every account. Use an authenticator app — not SMS if you can avoid it. This takes about 20 minutes to set up across a small firm and is the single highest-ROI security action you can take.
So where does your firm stand?
Here's the honest truth: most law firms I assess have at least three of these five issues, and many have all five. It's not because the attorneys aren't smart — it's because network security isn't what you went to law school for. You're focused on your clients. Security falls through the cracks.
That's exactly why I started Binary T Solutions. A Tier 1 audit covers every one of these issues and more, gives you a plain-English report of what we found, and tells you exactly how to fix it in order of priority. It takes about two hours of your time and starts at $500.
If you want to know where your firm stands before you have a problem — not after — that's the conversation I'd like to have.
Find out where your firm stands
Book a free 15-minute call. I'll tell you exactly what your office needs — no sales pressure, no jargon.