Newbie sets up law firm computer infrastructure - windows environment - HELP

I am trying to help set up a new law firm - sole practitioner. I need some recommendations on security and software.

Here is what I have done so far.

Single workstation laptop - Lenovo T480S upgraded i7 from 2019 with 16GB RAM -
BitLocked hard drive, 12-key password rotated every 6 months for login (no Microsoft account), 2-factor Office 365 Business account, 2 x 64GB BitLocked USB drives for on-the-fly data movement. All passwords stored in LastPass account, not BitLocker keys.
Daily network backup (Windows) to home desktop (3800X DIY workstation, also BitLocked) and 4TB HD (BitLocked) NAS with infinite file history saved. Automatic backup of the main hard drive and network drive to Backblaze - continuously. All BitLocker keys are unique, and a backup is stored in a safe deposit box on an additional BitLocked USB drive. The restore key to this USB drive is stored on two friends' computers and printouts - we store each other's keys, but no one knows which keys go to which item for each user.

My network is a Synology router RT2600ac at home as well as in the office (2 in a mesh network) - standard password protection only, guest account with device logging.

Question 1)

What other security enhancements do I need for the computer system above? Do I need a more robust backup or individual file encryption? - any big gaps?

Question 2)

I need a way to get PDFs signed and password locked through client email, ideally with a password-locked or 2-factor type of signature system. I was thinking DocuSign through SharePoint, or Adobe Sign with PDFs only. I need the documents locked after all signatures are complete and ideally password protected. I also need email logs of who opened the file and when it is signed. - I have no experience with this, but I need recommendations and help.

Question 3)

I am looking for an alternative to Zoom for video conferencing with clients that may want to share personal information. I have set up Microsoft Teams meetings through Office 365, but on a smartphone this requires clients to download the app, which is a barrier for many. Ideally, I would find something that does not require my clients to download a phone app. As a necessity, I also have to set up a Facebook page as many clients want to talk through Facebook Messenger. I do not know how secure the video conference is - does anyone know whether they record or monitor the audio - my gut is yes? I advise clients to not type anything on Facebook they do not want to be public.


Is this backup encrypted e2e?

You may want to look into Tox.
It sends the video stream directly without routing through a central server. The downside is I think it only has 1-on-1 video. Also, you need to download an app.

If you are feeling really ambitious you could look at self-hosting Jitsi.
Clients connect in the browser, but you have to provide the central server for it.

I'll phrase my response differently, trying to answer as much as I can.
Any users, make them use a limited user account; even admins shouldn't log in daily as administrator. Windows security relies on impersonation (hence UAC). By all means have an admin account, but don't use it for daily tasks.
It's recommended now that password rotation is 365 days, but having stronger passwords, specifically anything over 15 characters, to stop old NTLM hashes being generated (they work in key pairs of 7 x 2). You can bolster this with a GPO, but it's recommended to just force 16 characters; the 365-day rotation is recommended to try to gamify passwords, making users have stronger passphrases.
Use Microsoft security baselines for everything Windows. They are good baselines but may need a little tweaking. Just remember, if you ever get a DC, group policy management has to be done via a client; the DC cannot do this.
Make sure any data leaving site is encrypted as strongly as possible. RClone may be a good idea for this.
For external access (working from home, for example) I recommend WireGuard currently. It beats IPsec or OpenVPN, it's great and works on all devices, and getting it distributed is as easy as generating QR codes for the apps to scan.

For the NAS, do you really need a guest account? Just create user accounts and do proper configuration, similar to folder permissions.

You've focused on encryption a lot, which is good, but client configuration is also important, plus training users and a good security policy and DR plan in case everything goes wrong.

Can't help with the PDFs. I know you can password lock them, but that's as far as I know.

I wouldn't use Facebook; it's not reliable, private or secure. WhatsApp may be a good idea: yes, it's Facebook, but it's encrypted using the Signal protocol (open source protocol created by Moxie0), has VoIP and video, plus almost everyone uses it and it has desktop clients. If your client requests more privacy, Signal is better. Jitsi is a good one also, E2EE video conferencing. For marketing, Facebook is fine, just not for private information.

You have a good starting base. I know a lot of big companies that use security as an afterthought. Just read Microsoft best practices documentation for more info.
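A quick way to check a single Windows 10 workstation against the points in the reply above (limited daily account, a small Administrators group, 16+ character minimum with a 365-day maximum age, LM hash storage disabled, BitLocker on every volume), as an added example that is not part of the original thread. The function name is my own; the cmdlets and the NoLMHash registry value are standard Windows ones (the 7 + 7 split the reply mentions is the LM hash, which NoLMHash controls), and the BitLocker query needs an elevated session.

```powershell
# Added example, not from the thread. Returns a list of findings; an empty list means
# the workstation matches the recommendations checked here.
function Test-DailyAccountHardening {
    $findings = @()

    # 1. Daily work should happen in a non-elevated, standard account.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) { $findings += 'Current session is elevated; use a standard account for daily work' }

    # Only the dedicated admin account (plus the built-in Administrator) should hold admin rights.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 2) { $findings += "Administrators group has $($admins.Count) members: $($admins -join ', ')" }

    # 2. Local password policy as reported by 'net accounts' (16+ chars, 365-day rotation).
    $acct = net accounts
    $minLen = [int](($acct | Select-String 'Minimum password length:\s+(\d+)').Matches[0].Groups[1].Value)
    $maxAge = ($acct | Select-String 'Maximum password age \(days\):\s+(\S+)').Matches[0].Groups[1].Value
    if ($minLen -lt 16) { $findings += "Minimum password length is $minLen; policy recommends 16" }
    if ($maxAge -ne 'Unlimited' -and [int]$maxAge -lt 365) { $findings += "Maximum password age is $maxAge days; 365 is recommended" }

    # LM hashes (two 7-character halves) must not be stored; NoLMHash = 1 disables them.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -ErrorAction SilentlyContinue
    if ($null -eq $lsa -or $lsa.NoLMHash -ne 1) { $findings += 'NoLMHash is not set to 1; LM hashes may be stored' }

    # 3. Every fixed volume should have BitLocker protection switched on (needs elevation).
    try {
        $off = Get-BitLockerVolume -ErrorAction Stop | Where-Object { $_.ProtectionStatus -ne 'On' }
        foreach ($v in $off) { $findings += "BitLocker protection is $($v.ProtectionStatus) on $($v.MountPoint)" }
    } catch {
        $findings += 'Could not query BitLocker status (run once from an elevated session to check)'
    }

    return ,$findings
}

$result = Test-DailyAccountHardening
if (@($result).Count -eq 0) { 'No findings: workstation matches the checked recommendations' } else { $result }
```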