Dia Systems

Dia Systems Managed IT Services Provider and Cybersecurity Experts. Helping Firms Stay Protected, Productive, and Profitable™.

We focus on helping business owners with their IT & Cybersecurity Risk management. Based in Chesterfield, Virginia but serving the rest of the U.S. (remotely), we are an IT Managed Services Provider. We provide IT Support and Cybersecurity services to businesses. We love what we do and we support clients all around the country that are extremely pleased with our work. To book a FREE Strategy Call visit: https://www.diasystems.net/schedule/

05/29/2026

Before you close the week, here is a question worth sitting with.

Not about what you billed. Not about what is on the docket Monday.

Ask yourself this: If one of your highest-trust staff members resigned today, how long would it take your firm to contain the exposure?

Not terminate the account. Not update the password somewhere.

Actually contain it. Every system. Every platform. Clio. NetDocuments. Your email. Your shared drives. Your billing software. All of your portals.

Most firms have a mental answer to that question that is faster and cleaner than the real answer would be.

Offboarding in professional services is rarely the polished process it is assumed to be. It is usually a checklist that someone is doing from memory, during a week that is already full, on systems that were never fully mapped.

I'm not criticizing; it's just a pattern that I've seen.

The firms that are protected are not the ones that have never lost a staff member under difficult circumstances. They are the ones where offboarding is documented, owned, and practiced before it is needed.

If your honest answer to that question is "I'm not entirely sure," that is worth looking into this weekend.

Clarity is how a firm stays protected, productive, and profitable when things change unexpectedly.

05/28/2026

A law firm’s duty of confidentiality does not stop at locked file cabinets or private conversations.

It now includes how client information is stored, accessed, shared, backed up, monitored, and protected.

ABA Model Rule 1.6 says lawyers should make reasonable efforts to prevent unauthorized access to, or disclosure of, information related to the representation of a client.

This is where cybersecurity becomes more than a technical issue.

It becomes part of client care because client information does not only live in case files anymore.

It lives in email.
SharePoint.
Practice management systems.
Laptops.
Mobile devices.
Cloud apps.
Backups.
Vendor platforms.
Old employee accounts.

Something that gets overlooked is that “reasonable efforts” requires more than having IT support available when something breaks.

It means having practical safeguards in place before something happens.

Things like:

Strong access controls.
Multi-factor authentication.
Email security.
Secure file sharing.
Offboarding processes.
Backup testing.
Monitoring for suspicious activity.
Vendor oversight.
Clear policies for how client data is handled.

This is not about making a law firm perfect. It is about being intentional.

It is about being able to show that the firm took reasonable steps to protect the information clients trusted them with.

For law firm owners, cybersecurity is not just a technology decision.

It is part of protecting your clients, your reputation, and the trust your firm has worked hard to build.

Protected firms are not operating from fear. They are operating with clarity, structure, and peace of mind.

05/27/2026

In firms, compliance and security often live in separate conversations, when really they are the same conversation.

Bar rules require confidentiality. Cyber insurance requires documented controls. Malpractice coverage is increasingly tied to how well your firm manages risk operationally.

The firms that are in the best position are not doing three separate things. They are running one well-organized practice where the processes that protect clients also satisfy carriers and demonstrate competence to the Bar.

That is what operational maturity looks like. It is not complicated. It is just consistent.

05/26/2026

A common belief we hear from firm administrators is:

“We have Microsoft 365, so we are secure.”

I understand why that feels true.

Microsoft 365 is a strong platform. It includes a lot of tools that can help protect email, files, users, devices, and collaboration.

The issue is that simply having Microsoft 365 does not mean all of those protections are turned on, configured correctly, monitored, or reviewed.

Your firm may still have gaps like:

MFA not being enforced properly.

Former employees still having access.

Mailbox rules going unnoticed.

Files being shared too broadly.

No clear backup strategy.

Security alerts not being reviewed.

Microsoft 365 gives your firm a strong foundation.

It does not replace the need for proper setup, ongoing monitoring, access reviews, policies, and accountability.

The way we see it, Microsoft 365 should be part of your security strategy, not the entire strategy.

When it is managed with intention, it can help your firm stay protected, productive, and profitable.

That is where real peace of mind comes from.

05/22/2026

Before the weekend fully arrives, here is one small question worth sitting with.

If a client asked you today, with full confidence, how their data is protected inside your firm, how clear would your answer be?

Not the marketing version. The honest operational one.

We're noticing with firms that the answer is often somewhere between confident and uncertain, and that gap is worth paying attention to.

Profit and reputation are built on trust. That also means trust, in a professional services firm, is inseparable from how well you protect what clients hand over to you.

Have a good weekend. Use a little of it to get clear on one thing you have been meaning to look at.

05/21/2026

One of the more honest conversations we have with firm leaders goes something like this.

They know their practice. They know their clients. They know their people. However, when it comes to what is actually happening inside their systems, they are relying on someone else's word that everything is fine.

That is not a failure of leadership. It is just a gap that is worth closing.

The firms that feel most protected are not necessarily the ones with the most tools. They are the ones where leadership has decided to stay informed, asks direct questions, and has someone accountable for real answers.

Peace of mind is not about hoping nothing goes wrong. It is about knowing you would find out quickly if something did.

05/20/2026

Email impersonation attempts are slipping through the cracks too often in law firms.

Someone gets a message that looks like it is from the managing partner. It is asking for a wire transfer, a W-2, or a quick login. It looks real. It sounds real. In a busy workday, it gets acted on before anyone stops to question it.

This is not about people being careless. Attackers have gotten better at copying tone, signatures, and timing. They wait for the right moment and send the message that fits the day.

Here are a few practical steps that go a long way:

1. Set up SPF, DKIM, and DMARC on your domain. These tell the world which servers are allowed to send email on your behalf. Without them, anyone can impersonate your domain.

2. Turn on external sender warnings in your email system so messages from outside the firm are clearly labeled.

3. Create a verify-by-phone rule for anything involving money, credentials, or sensitive data. If the request came in by email, the confirmation should NEVER happen by email.

4. Train your team to check the actual email address, not just the display name. Most impersonation lives in that gap.

5. Make it easy and expected to report a suspicious message. No blame, no second-guessing.

These steps are not flashy. They are quiet, steady protections that keep your firm protected, productive, and out of the kind of cleanup no owner wants to be in.

If you are not sure where your firm stands with email security, that is a fair place to start a conversation. Send me a message...
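
A check for step 1 above, as an added example that is not part of the original post or Dia Systems' tooling: it audits the text of a domain's SPF and DMARC TXT records for settings that still let spoofed mail through. The record strings are constructed samples, the function names are hypothetical, and DKIM is left out because its records sit under per-sender selectors.

```python
# Added example. Function names are hypothetical; sample records are constructed.

def parse_dmarc(txt):
    """Return the DMARC tags as a dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in parts[1:] if "=" in p)}

def audit_dmarc(txt):
    """List the weaknesses in a DMARC TXT record (empty list means enforced)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no DMARC record: receivers get no policy for failed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: failures are reported at most, not blocked")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua: nobody receives aggregate reports")
    return findings

def audit_spf(txt):
    """List the weaknesses in an SPF TXT record (empty list means fail or softfail)."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no SPF record: no list of permitted senders"]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in the redirect target; audit that record instead
    final = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if final in ("all", "+all"):
        return ["+all: every server on the internet is authorized"]
    if final is None or final == "?all":
        return ["neutral result for unlisted servers: SPF rejects nothing"]
    return []  # "-all" (fail) or "~all" (softfail)

def audit_domain(spf_txt, dmarc_txt):
    """Audit both records for one domain."""
    return {"spf": audit_spf(spf_txt), "dmarc": audit_dmarc(dmarc_txt)}

if __name__ == "__main__":
    weak = audit_domain("v=spf1 include:spf.protection.outlook.com ?all", "v=DMARC1; p=none")
    good = audit_domain("v=spf1 include:spf.protection.outlook.com -all",
                        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")
    print(weak, good, sep="\n")
```

Feed it the TXT values published at the domain itself (SPF) and at `_dmarc.` under it (DMARC); an empty result for both means unlisted senders are failed and the failure is acted on.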

05/19/2026

Unfortunately, some law firm owners believe that their email is secure because they have Microsoft 365.

Because I've heard this before, I understand why it makes sense on the surface. Microsoft 365 is a solid platform. It has built-in protections. It is far better than what most firms were running years ago.

However, here is the myth worth addressing directly.

The tool does not make your email secure. The process around the tool does.

Microsoft 365 does not decide who is allowed to send a wire transfer request by email. It does not train your paralegal to recognize a spoofed domain that looks almost identical to a client's address. It does not tell your front office what to do when something feels off but they are not sure if it rises to the level of reporting it.

Those are process decisions. Human decisions. Firm decisions.

What good looks like is a firm where the technology is set up correctly, the staff knows what to watch for, there is a clear path forward when something suspicious lands in an inbox, and IT has monitoring and protections in place.

The firms that get compromised are not always running bad software. What I'm noticing is that many of them were running perfectly adequate software with no process behind it.

The email platform is the foundation. The firm still has to build on top of it.

If your answer to the question of email security is the name of a tool, it may be worth asking what sits behind that tool.

05/18/2026

A lot of firm owners say, “We already have IT.”

That may be true, and basic IT support is important.

You need someone to fix computer issues, reset passwords, troubleshoot email, and help your team stay productive.

The bigger question is whether your IT support is also helping you stay protected.

Cybersecurity oversight goes beyond day-to-day support. It should include things like:

Access controls
MFA enforcement
Email security
Suspicious login monitoring
Old user account cleanup
Vendor access reviews
Admin permission reviews
Device protection
Patch management
Endpoint protection
Backup testing
Microsoft 365 security settings
File sharing permissions
Security awareness training
Business email compromise protections
Cyber insurance requirement reviews
Incident response planning
Disaster recovery planning

For law firms, CPA firms, and professional services businesses, this matters because your systems hold sensitive client data, financial records, legal documents, tax information, and internal communications.

The goal is not to create fear.

The goal is clarity.

You should know what is protected, what is being monitored, and where the gaps are before they become bigger problems.

That is how firms stay protected, productive, and profitable.

Address

Petersburg, VA

Telephone

+18045050026

Website

https://book.diasystems.net/discovery-call
