The 2022 Uber breach that I’ve mentioned in other posts is usually talked about as an MFA story. It’s also an endpoint story. The attacker didn’t compromise an Uber-managed laptop. He compromised a contractor’s personal device. The password that got him in was sitting in a file on that laptop because the contractor had saved it for convenience. Uber’s own post-incident writeup confirmed the initial access vector involved a third-party contractor.
Your firm probably has a version of this exposure and hasn’t thought about it much.
Every law firm and CPA practice works with people who aren’t employees. Of counsel attorneys. Contract paralegals. Outside bookkeepers. Seasonal tax preparers. IT consultants. Marketing agencies. Each of those people probably has some level of access to your systems. They log into your Microsoft 365 tenant. They open your documents. They handle your clients’ data. They usually do it from laptops you don’t own, don’t manage, and can’t see into.
If that contractor’s laptop has a keylogger, if their password manager is weak, if they store passwords in a Chrome profile that’s synced to their personal Google account, if they let their kid browse the web on their work laptop, if they got hit with commodity malware six months ago and never noticed, your firm inherits that exposure.
The shape of the gap
A typical small firm sets up contractors the same way it sets up employees: a mailbox in the firm’s tenant, access to SharePoint or a shared drive, maybe a login to the practice management tool. The contractor accesses everything from their own device, which the firm has no visibility into.
Your firm’s cybersecurity investments, which I assume include MFA, conditional access, and endpoint protection on firm-owned laptops, don’t apply to the contractor’s device. Your EDR agent isn’t running on their machine. Your patching policy doesn’t govern their updates. If they get compromised, you won’t know until the attacker starts using their access.
The CISA advisory on Scattered Spider explicitly calls out contractor and supplier compromise as a common initial access vector. The Microsoft Digital Defense Report has documented the same pattern across their threat intelligence. Attackers who can’t get through the target firm’s front door will go find a contractor with access and compromise that contractor’s environment instead.
What good looks like
For contractors who need ongoing access, the right answer is usually to treat them the same as employees for security purposes. They get a firm-issued laptop, or their personal laptop gets enrolled in the firm’s management, or they access firm systems only through a controlled environment like a virtual desktop.
I know how that sounds. Small firms often react to this with “we can’t afford to issue a laptop to every contract paralegal, and they won’t accept management on their personal device.” Both are reasonable objections. There’s a middle path.
The virtual desktop option is the cleanest technical fit for most small firms. You give the contractor access to a virtual Windows machine in the cloud, running in your firm’s security perimeter, with your firm’s EDR and monitoring in place. They log into the virtual desktop from their personal laptop, and the work happens in that controlled environment. When the contractor’s engagement ends, you delete the virtual desktop and everything in it. Their personal laptop never actually holds your firm’s data.
Microsoft offers Windows 365 Cloud PC and Azure Virtual Desktop, both of which are reasonable options for this kind of use case. They cost something like $30 to $60 per user per month, which is a real cost but is a lot cheaper than a breach.
The lighter option is app-level controls. Conditional access policies in Microsoft 365 can require that a device meet specific security criteria before it’s allowed to access sensitive data. You can require that the device be joined to your firm’s Entra tenant, or that it be marked compliant by your MDM (mobile device management) tool, or that the sign-in come from a specific network range. If the contractor’s personal laptop doesn’t meet those criteria, they don’t get access to the sensitive systems, and they know why. They can use a managed virtual desktop for the sensitive work and their personal laptop for everything else.
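As an added example (not from the original post), this is how the device-based conditional access policy described above could be created with the Microsoft Graph PowerShell SDK; the group names, the named-location name and the office CIDR are assumptions for an example firm. It starts in report-only mode and excludes a break-glass group, which is how you pilot a device-based policy without locking out your own admins.

```powershell
# Added example, not the original post's code. Requires the Microsoft.Graph module
# (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups) and a Global Admin or
# Conditional Access Administrator signing in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Security group holding the contractor accounts (assumed group name).
$contractors = Get-MgGroup -Filter "displayName eq 'SG-Contractors'"

# Break-glass admin accounts are excluded so a policy mistake cannot lock everyone out (assumed name).
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-BreakGlass'"

# The firm's office egress range as a trusted named location (constructed example CIDR).
# Sign-ins from this range are exempt from the device requirement; everything else is not.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Firm office egress"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" })
}

$policy = @{
    displayName = "Contractors: require managed device off the office network"
    # Report-only first: review the sign-in logs for what WOULD have been blocked,
    # fix the false positives, then change this to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($contractors.Id); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }   # M365 mail, SharePoint, and other tenant-integrated apps
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($office.Id) }
    }
    grantControls = @{
        # Either control satisfies the policy:
        #   compliantDevice    = device is enrolled in and marked compliant by your MDM (Intune)
        #   domainJoinedDevice = device is hybrid Entra joined to the firm's domain
        # An unmanaged personal laptop meets neither and is denied; the sign-in log says why.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Contractors working from a firm-provided Windows 365 Cloud PC or Azure Virtual Desktop session pass this policy because that virtual machine is the managed, compliant device; their personal laptop is only the screen in front of it.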
The accountability option is contractual and procedural. If your firm is going to allow contractors to use personal devices to access firm systems, your contractor agreement should require certain security controls as a condition of access. Up-to-date operating system. MFA on all logins. A password manager. Full disk encryption. No shared or family use of the device during work. And the firm reserves the right to audit compliance.
None of these are perfect. All of them are better than nothing.
The conversation with the contractor
The conversation tends to be uncomfortable because contractors reasonably view their laptops as their own. “I’ve been doing this for 15 years, I know what I’m doing, I’m not letting you put software on my computer” is a common response. That’s a fair position. The counter is also fair.
If the contractor is handling client-confidential information for your firm, your malpractice carrier cares about how that information is being handled. Your clients care. Your insurance underwriters care. “Trust me” isn’t a defensible answer if something goes wrong. You don’t have to force the contractor to accept management on their personal device. You can give them options. Firm-issued laptop. Virtual desktop. Managed enrollment. Whatever they pick, there’s a policy in place. What’s not an option is “access from an unmanaged personal device with no security controls,” because that’s just outsourcing your breach probability to someone else’s network.
The firms that get breached through contractor devices don’t lose their cases because the contractor was careless. They lose them because they didn’t have a policy. The policy is what separates “we took reasonable precautions” from “we let a stranger’s laptop into our client files and hoped it would be fine.”
The ABA’s ethics opinion on protecting client data has been pretty direct about this for years. Firms have an affirmative obligation to take reasonable steps to prevent unauthorized access. “Our contractor’s personal laptop was the entry point” is going to read badly to a bar disciplinary committee. “We required contractors to access our systems through a managed virtual desktop as a condition of engagement” reads much better.
The endpoint you don’t manage is still your problem when something goes wrong. The question is whether you address that problem before the incident or after.
