- The six most common client portal security failures: shared credentials, no MFA, no audit logs, unencrypted file storage, no access expiry, and over-permissioned roles.
- These are not edge cases — they are the defaults in most consumer-grade and SMB-targeted portal products.
- Security auditors check for specific, documentable controls. “It’s password protected” satisfies none of them.
- Enterprise-grade portal security does not require enterprise budget — it requires choosing the right product for regulated workflows.
A client portal that stores passports, financial statements, legal correspondence, and signed agreements is one of the most sensitive systems a professional services firm operates. It sits between your internal systems and your clients. It stores documents that, if exfiltrated, could cause serious harm to individuals and serious liability for your firm. And yet the security posture of most portals in use by small and mid-size law firms, accounting practices, and financial advisory businesses would fail a basic security audit.
This is not a harsh assessment — it is a consistent finding. When security auditors review client portal configurations as part of ISO 27001 assessments, SOC 2 readiness reviews, or sector regulator inspections, they encounter the same failures repeatedly. The firms operating these portals are not negligent people. They chose tools that did what they needed operationally and assumed the security was handled. In most cases, the security was not handled.
This article covers what auditors actually check, the six most common failure points, and what a portal that would pass that audit looks like in practice.
What a security audit of your portal actually examines
When an auditor reviews your client portal — whether as part of a formal ISO 27001 audit, a client security questionnaire, or a regulator inspection — they are looking for evidence of controls, not just assertions. “We use a secure portal” is a claim. The auditor wants to see the configuration, the access logs, the policy, and the documentation that prove the claim.
The specific controls they check vary by framework, but they converge around a common set of questions:
- How do users authenticate to the portal, and is that authentication strong enough for the sensitivity of the data stored?
- What can each user role access, and is that access scoped to the minimum necessary for their function?
- Is there a log of who accessed what, when, and what actions they took — and is that log tamper-evident?
- Is data encrypted at rest and in transit, and who holds the encryption keys?
- What happens to access when an engagement ends, when a client relationship terminates, or when a staff member leaves?
- How are security incidents detected and responded to?
If you cannot answer these questions with evidence — configuration screenshots, policy documents, access logs — you have a security gap whether or not anyone has exploited it yet.
Failure 1: Shared credentials and no individual accountability
The most common portal security failure is also the most fundamental: multiple people sharing a single login. It is extraordinarily common. A law firm sets up a portal with a single account, shares the credentials with the two partners and three associates who need access, and considers the setup complete.
The problem is not just that shared passwords are weak (though they are — shared credentials are typically simple, infrequently rotated, and known by former employees who were never formally offboarded). The deeper problem is that shared credentials make audit logs meaningless. If five people share one login, there is no way to determine which person downloaded a document, uploaded a file, or changed an access setting. Accountability requires individual identity.
- Individual accounts for every user (no shared logins)
- Multi-factor authentication enforced for all accounts (not optional)
- Password complexity requirements enforced at account creation
- Inactive sessions automatically terminated after a defined period
- Failed login attempts trigger lockout and notification
- Account creation and deletion events are logged
A portal that fails even the first item on that list — individual accounts — cannot pass an audit regardless of how well it performs on everything else. Individual accountability is the baseline from which all other controls derive their meaning.
Failure 2: Multi-factor authentication absent or optional
Even where portals have individual accounts, MFA is frequently absent or configured as optional. Optional MFA is security theatre: the users who most need it — partners accessing the portal from home, clients using public Wi-Fi — are the ones least likely to enable it voluntarily.
For a portal storing regulated data, MFA must be mandatory and enforced at the platform level, not left to user discretion. Every login should require a second factor. This is now a baseline expectation from the ICO in the UK, from data protection authorities across the EU, and from the SRA, FCA, and ICAEW when reviewing firms’ information security practices. It is also required under most cyber insurance policies issued in the past three years.
The resistance to MFA in professional services firms is typically “clients won’t use it.” In practice, when MFA is presented as a feature — “your documents are protected by two-step verification” — rather than as a burden, client adoption is high. It is a professional signal, not an inconvenience. The firms that have found resistance are typically those that rolled it out poorly, not those that encountered fundamental client objection.
Failure 3: No audit log, or a log that cannot be trusted
An audit log is not just a security control — it is a legal and regulatory requirement in most professional services contexts. If a client disputes whether they uploaded a document, if a regulator asks when a particular file was accessed, if an employee is suspected of data exfiltration — the answer lives in the audit log. A portal with no log, or a log that users can delete or modify, is useless for these purposes.
What a credible audit log captures: every login and logout with IP address and timestamp, every file uploaded and by whom, every file downloaded and by whom, every document viewed, every permission change, every user account created or modified or deleted, and every failed authentication attempt. This log must be append-only — users must not be able to delete entries — and it must be accessible to administrators without requiring database access.
Common audit log failure mode: Many SMB-grade portals keep an activity log but allow admins to delete entries or clear the log entirely. Some do not log file downloads at all — only uploads. A log that does not capture downloads is almost useless for data exfiltration investigations. Check your portal’s documentation: does it log downloads as individual events, or only as part of aggregated analytics?
Failure 4: Unencrypted file storage and transit
Transport Layer Security (TLS) for data in transit is now table stakes — any portal served over HTTPS encrypts data in transit. The more meaningful question is encryption at rest: are the files stored on the server encrypted, and who holds the keys?
Many SMB portal products store files in unencrypted form on cloud storage, protected only by access controls. If the storage bucket is misconfigured (a common occurrence in cloud environments), or if the infrastructure provider is compromised, the files are readable in plaintext. For documents containing personal data, this fails the GDPR requirement for appropriate technical measures under Article 32.
The gold standard for client document portals is end-to-end encryption: files are encrypted before they leave the client’s device, transmitted encrypted, stored encrypted, and decrypted only when accessed by an authorised user with the appropriate key. This means that even if the server is compromised, the files are not readable. Few consumer-grade portals offer this. It is a meaningful differentiator when evaluating enterprise-grade alternatives.
Failure 5: No access expiry or offboarding process
Client portals typically give access to clients during an engagement. What happens when the engagement ends? In most firms, nothing — at least not automatically. The former client retains portal access indefinitely. The departed associate’s login still works. The third-party contractor who was added to a specific matter can still log in two years later.
Access that is not revoked when it is no longer needed is one of the most common findings in security audits — and one of the most consistent vectors for data breaches. Former employees, former contractors, and former clients with lingering access represent both a data protection risk and a confidentiality risk in professional services contexts.
A compliant portal must support: automatic access expiry for client accounts at matter close, immediate account deactivation in a user offboarding workflow, time-limited access links for specific documents, and regular access reviews to identify and remove stale accounts. These are not advanced features — they are basic access hygiene. If your portal does not support them natively, you are managing them manually, and manual processes are not reliable at scale.
Failure 6: Over-permissioned roles with no principle of least privilege
The principle of least privilege holds that every user should have access to exactly what they need for their role and nothing more. In most client portals used by SMBs, the role model is binary: admin or user. Admins can see everything; users can see their own files. There is no middle ground for different staff roles, no matter-level access control, and no way to give a client access to specific documents without giving them access to everything in their account.
This creates situations that auditors flag immediately: a junior associate who processes a specific document for a matter can access all documents for all matters because there is no finer-grained permission. A client who is involved in one transaction can see documents from a prior engagement because client account access is flat. A billing administrator can see sensitive legal correspondence because admin access is not split by function.
| Security control | Typical SMB portal | Enterprise-grade portal |
|---|---|---|
| Authentication | Password only, MFA optional | MFA enforced, SSO supported |
| Access model | Admin / user binary | Role-based, matter-level, attribute-based |
| Audit log | Basic activity log, deletable | Tamper-evident, full event capture, exportable |
| Encryption at rest | Varies; often unencrypted storage | AES-256, customer-held key options |
| Access expiry | Manual; often never revoked | Automatic expiry, offboarding workflows |
| Session management | Long-lived sessions, no timeout | Configurable timeout, concurrent session controls |
| Incident detection | None; relies on user reports | Anomaly alerts, failed login monitoring, SIEM integration |
What HubSecure’s approach looks like in practice
HubSecure is built for regulated professional services environments where audit readiness is not optional. The architecture addresses each of the failure points above directly.
End-to-end encryption: Files are encrypted before transmission and stored using AES-256 encryption at rest. Access to encrypted content requires both authentication and the appropriate key — infrastructure-level compromise does not expose client documents in plaintext.
MFA enforced at the platform level: Multi-factor authentication is mandatory for all portal users, both internal staff and external clients. There is no configuration option to make it optional. Clients receive a frictionless MFA setup flow on first login.
Role-based access control with matter-level granularity: Permissions are defined by role and scoped to specific matters and document categories. A fee earner assigned to matter A cannot access matter B. Client access is restricted to the documents specifically shared with them, not to everything in their account.
Tamper-evident audit trail: Every action in the platform — every login, document view, upload, download, permission change, and account modification — is logged to an append-only audit trail. The log cannot be modified by any user, including administrators. It is exportable for regulatory submissions and accessible through the platform interface for internal review.
Access lifecycle management: Matter close triggers a workflow that includes access review and optional automatic revocation for client accounts. Staff offboarding terminates portal access as part of a structured process, not as a manual afterthought.
For ISO 27001 and SOC 2 readiness: The controls described above map directly to ISO 27001 Annex A controls A.9 (access control), A.10 (cryptography), A.12 (operations security), and A.18 (compliance). If you are working toward ISO 27001 certification, a client portal that provides this evidence natively significantly reduces the documentation burden for those control domains.
How to evaluate your current portal’s security posture
Run your current portal through the checklist below. If you cannot answer yes to every item with evidence — not just belief — you have identified your remediation priorities.
- Every user has an individual account; no shared credentials exist
- MFA is enforced for all accounts at the platform level
- File downloads are logged individually with user identity and timestamp
- The audit log is tamper-evident and cannot be deleted by any user
- Files at rest are encrypted with AES-256 or equivalent
- Access is scoped to the minimum necessary for each user’s role
- There is a documented process for revoking client access when an engagement ends
- Staff access is revoked immediately upon offboarding
- Inactive sessions time out automatically
- You can produce a complete access log for any file on request in under 10 minutes
This checklist is not exhaustive, but it covers the controls that appear most consistently in audit findings and regulator expectations for professional services firms. If your portal fails more than two or three of these items, the gap between your current posture and what a regulator, insurer, or client security questionnaire will expect has grown large enough to require action — not just attention.
A client portal built to pass the audit
HubSecure is designed for regulated professional services teams — with end-to-end encryption, enforced MFA, role-based access control, and a tamper-evident audit trail that satisfies ISO 27001, SOC 2, and sector regulator requirements.
Reserve your founding seat