Camera coverage that respects client confidentiality
- Lobby / reception: Cameras OK. Standard motion alerts after-hours. Caveat: position so the receptionist's monitor is not in the camera's field of view.
- File rooms / records storage: Cameras OK. Often required by your malpractice carrier. Add door-open contact + after-hours unfamiliar-face alert.
- Conference rooms: Cameras only with explicit client consent (sign on the door). Otherwise NO — client conversations are privileged.
- Attorney / partner offices: No cameras inside. Their own door-locked space.
- Server closet: Cameras OK. Add temperature contact (server-room cooling failures cost more than break-ins).
- Parking + entry: Cameras OK. Useful for liability + after-hours alerts.
The IT hygiene pass
Most professional-office breach risk is digital. The camera install includes a same-day pass on the items below.
- Workstation soft audit — Group Policy / local equivalent enforces 5-minute auto-lock; verify and remediate exceptions.
- Stale local-admin inventory — scan every workstation, list every local-admin account, disable former staff and unknown-vendor service accounts.
- Bloatware removal — Adobe Flash Player, EOL Java, abandoned VPN clients. Real attack surface, low operational value.
- Network segmentation — guest Wi-Fi on its own VLAN; cameras on theirs; file server on the office VLAN with explicit firewall allow rules.
- Quarterly restore-tested backups — most offices have backups, few have ever restored from them. We restore one file per quarter to a sandbox and verify.
- Endpoint encryption — BitLocker enabled on every laptop. PIN required at boot.
- Lost-laptop incident playbook — one-page document: notify the firm administrator, notify the carrier, notify affected clients per state breach-notification law.
- Email + 365 / Workspace audit — verify MFA on every account, review forwarding rules (a common BEC technique), revoke OAuth grants for old apps.
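The stale local-admin inventory step from the list above, sketched as an added example (not tooling from this page or its author): a report-only PowerShell script, run on each workstation, that lists every member of the local Administrators group and marks whether it is on an approved list. The approved names and the CSV file name are constructed assumptions; nothing is disabled automatically.

```powershell
# Added example: report-only audit of the local Administrators group.
# $ApprovedAdmins is a constructed sample roster; replace it with the firm's own.
$ApprovedAdmins = @(
    'FIRM\Domain Admins',                 # hypothetical domain group
    "$env:COMPUTERNAME\Administrator"     # built-in local account
)

function Get-LocalAdminAudit {
    param([string[]]$Approved)

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup does not depend on the OS display language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    foreach ($m in $members) {
        $enabled   = $null
        $lastLogon = $null

        # Enabled / LastLogon are only available for local user accounts.
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            $u         = Get-LocalUser -SID $m.SID
            $enabled   = $u.Enabled
            $lastLogon = $u.LastLogon
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Member    = $m.Name
            Class     = $m.ObjectClass
            Source    = $m.PrincipalSource
            Enabled   = $enabled
            LastLogon = $lastLogon
            Approved  = $Approved -contains $m.Name   # case-insensitive match
        }
    }
}

# One CSV per workstation; unapproved entries sort to the top for review.
Get-LocalAdminAudit -Approved $ApprovedAdmins |
    Sort-Object Approved, Member |
    Export-Csv -Path ".\local-admins-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Rows with `Approved = False` are the review queue: former staff and unknown-vendor service accounts show up there. `Get-LocalGroupMember` can error out when the group contains SIDs that no longer resolve (deleted domain accounts); record that error as a finding for the workstation rather than skipping it.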
Common ask: "Help with the carrier's cyber-insurance form"
Most malpractice + cyber-insurance carriers now require a self-attestation form covering: MFA, encrypted laptops, segmented backups, password manager, EDR/anti-malware, employee training, incident-response plan. Half my professional-office engagements include walking the firm administrator through this form, so the answers are real and the system reflects what was attested.
Common questions from professional offices
Can you keep my existing IT vendor for day-to-day?
Yes. Many firms bring me in for a one-time camera install + IT hygiene pass and keep their existing MSP for day-to-day. The audit pack lives with the firm administrator regardless.
What about my document-management system (NetDocuments, iManage, Worldox, etc.)?
The IT hygiene pass includes a 30-minute review of the DMS access list (who has admin, who can export, who can delete). Cleanup is logged. The DMS itself stays under your existing vendor.
My state requires X, Y, Z for confidentiality. Can you accommodate?
Indiana Rules of Professional Conduct + the comparable state rules for KY, OH, IL are in the engagement packet. The scope document references the specific rule numbers when we agree to camera positions.
Is AI Integration appropriate for a law office?
Cautiously yes. After-hours unfamiliar-face alerts are useful. Body-recognition during business hours is generally NOT used for client-facing law offices because clients shouldn't be face-tagged. We tune the AI to alert only outside posted business hours.