Security Awareness

Professional standards for protecting client data, case strategy, and firm systems.
Aligned with UAE Labour Law (Decree-Law No. 33 of 2021) and Cabinet Resolution No. 1 of 2022.

Passwords & MFA

  • Use a password manager; never reuse passwords.
  • Enable MFA on all firm and cloud accounts.
  • Do not share credentials—ever.
  • Change passwords immediately if compromise is suspected.

Phishing & Social Engineering

  • Verify sender, domain, and link destination before clicking.
  • Beware of urgency, invoices, case updates, or “password reset” prompts.
  • When in doubt, report via the firm’s phishing button or to IT.

Devices & Apps

  • Use only firm-approved devices and software; keep them updated.
  • Encrypt laptops and phones; enable screen lock.
  • Report lost or stolen devices immediately.

Data Handling

  • Store client data only in approved repositories (DMS/ERP).
  • Apply least-privilege access; share on a need-to-know basis.
  • Use secure transfer (SFTP/firm portal); avoid personal email.

Travel & Remote Work

  • Use firm VPN on untrusted networks; avoid public computers.
  • Do not discuss matters in public spaces; protect screens.
  • Secure documents during transit; shred when appropriate.

Incident Response

  • Report suspected incidents within 15 minutes to IT/HR.
  • Do not delete or alter evidence; disconnect from the network if necessary.
  • Follow the escalation playbook—speed matters.

Incident Escalation Playbook (Quick Reference)
  1. Detect: Stop work; preserve screen. Do not click further or delete evidence.
  2. Isolate: Disconnect Wi-Fi/network; keep the device powered on.
  3. Notify (≤15 min): Email/phone IT & HR. Include screenshots, timestamps, sender/URL.
  4. Secure data: Move client files to approved DMS; revoke any shared links.
  5. Triage: IT validates scope, resets credentials, forces MFA, checks logs.
  6. Report: If client data is impacted, Legal prepares notifications (as required by engagement).
  7. Recover: Patch, restore clean copies, re-onboard device.
  8. Learn: Post-incident review; update controls and training.

Full document: Cyber-Incident Escalation Playbook (PDF)

Note: Do not store or send client files via personal email, public drives, or messaging apps. Use approved firm systems only (ERP/DMS/secure portal). When in doubt, escalate per the playbook.

Assessment (12 questions)

Pass mark: 80%. Answers reflect firm policy and industry best practice.

1) The best way to store credentials is to…

2) You receive a “case file update” link from an unknown sender. You should…

3) A partner asks for a client document via WhatsApp personal chat.

4) Laptop left in a taxi. The first action is to…

5) Where should client data be stored?

6) You’re on hotel Wi-Fi. The secure approach is…

7) A supplier requests credentials to “troubleshoot.”

8) MFA is required…

9) USB from an unknown source is found at reception.

10) Emailing documents to opposing counsel should be…

11) A colleague’s account seems taken over. You should…

12) Printing confidential matter at a client site…
