Cloud Security: They Didn’t Teach It In Law School (But They Should Have!)

Posted on 04-26-2018 by
Tags: law firm security , law firm , cloud security , cloud , security , cybersecurity


Cloud security for law firms: Safe or “merely different” risks?

 

Repeat after me: My firm will suffer a cloud security breach.

For you (the reader), repeating this might not change anything. You’ll gloss over the words and mindlessly click away. You’ll be thinking: Myeh ... Our cloud services are bulletproof!

But you really don’t know this, even if somebody’s told you otherwise. Just because somebody (e.g., a vendor or an IT professional) says your data’s safe in the cloud, doesn’t make it an iron-clad fact.

 It’s like car safety. A 5-Star crash rating doesn’t eliminate car accidents. It only suggests safety. Likewise, a “secure” cloud doesn’t prevent data breaches. It only suggests a secure law firm. As pointed out in the LexisNexis white paper High Technology Where We Stand With Cloud Storage:

The risks of moving to the cloud are there ....

Risks ... definitely! But there’s hope. Consider this silver lining from the LexisNexis white paper:

[R]isks also exist with traditional servers and equipment. So, one way to look at the cloud debate is that the risks are merely different.

Lawyers—if they want to protect their firms, their careers, and their reputations—have to wise up to these “merely different” risks.

Cloud Security: Not Just IT ... Lawyers Too!

Writing for Law360, Shaun Jamison notes that lawyers aren’t exempt from the risks associated with cybersecurity (including cloud security). Underscoring the fact that lawyers handle sensitive client information and often operate as solo and small practices, Jamison defines lawyers as a “prime target” for cyberattacks.

“Prime-target” means lawyers must run their firms with a faithful eye toward cloud security. For lawyers and their clients, this is good business, but it’s also ethical business. In a recent ABA article, Jason Tashea wrote of a lawyer’s ethical duty to safeguard confidential information in the cloud:

Whether for personal or professional applications, remote storage has become the standard for millions of Americans. However, this and other internet-enabled technologies can create unique ethical quandaries for lawyers. ... [A]n ethical attorney is not just doing one thing; they are in a constant state of evolution and growth to keep pace with threats and best practices.

But “keeping pace” with cloud security, as you’ll soon see, is easier said than done.

Cloud Theft: Is Your Law Firm the 1 in “1 in 4”?

Public cloud use exposes 1 in 4 organizations to data theft, this according to McAfee’s 3rd annual cloud adoption and security report, while 1 in 5 organizations have seen advanced attacks against their public cloud infrastructure. These numbers reflect the data insecurity felt by most of today’s organizations. In fact, only 16% of organizations believe their current security can protect them in the cloud.

Despite these concerns, it’s a myth that the cloud is “inherently” insecure. The Enterprisers Project characterizes public cloud security as better than old on-premises security:

[F]or some companies, leveraging the size and scale of some cloud vendors might actually be a part of a more efficient overall security strategy, especially if they’re strapped for budget or simply, like so many IT leaders, having a difficult time finding the right cybersecurity skills for their teams.

But even if the cloud offers your firm a “more efficient overall security strategy,” that doesn’t translate into 100% safety. To truly protect your firm and your ethical duties, you need to be aware of (and guard against) cloud security’s “inherent” flaws (a/k/a those “merely different” risks).

Cloud Security: The Soft Underbelly

When it comes to cloud security, some of the more obvious risks include:

What might be less obvious is the cloud risk that comes from employee entitlements:

A former employee does not need a VPN connection to access a company’s SaaS application and can do so from another device with his or her credentials. As such, eliminating a former employee’s entitlement to use cloud applications makes decommissioning cloud application credentials a critical step in the employee exit process. - The Oracle and KPMG Cloud Threat Report 2018

Another risk—one you need to be hyper-vigilant against: shadow IT, in which impatient employees sidestep cloud-usage policies and use unapproved technologies without IT’s approval. Consider this cautionary legal tale from Venture Beat:

A large conglomerate faced [a] problem when members of its legal team uploaded contracts to online PDF converters, whose terms of service stated that they assumed complete ownership of all documents uploaded into their systems and that they had the right to distribute data to any third party. The legal team put its company at significant risk by uploading sensitive information to a service that could freely distribute it to any interested party.

With these risks in mind, it’s mission critical that lawyers maximize their cloud security efforts.

Lawyers: Advocates for Cloud Security?

Despite the risks, lawyers, according to the LexisNexis white paper High Technology Where We Stand With Cloud Storage, have demonstrated “a shocking lack of effort” in scrutinizing key aspects of cloud services, such as the security team and the terms of use.

This has to change ... and change quickly.

One way to change it is through better education and understanding. A good place to start your cloud education is the LexisNexis white paper High Technology Where We Stand With Cloud Storage. This complimentary download examines diverse topics, including:

  • Cloud adoption
  • Litigation jurisdiction
  • Risk/benefit analysis
  • Shadow IT

And with law firms headed toward widespread cloud-based adoption, the white paper goes on to suggest several security considerations, including:

  • Encrypt your organization’s data, including at the level of your browsers.
  • Make certain even your browsers are 100% authenticated.
  • Insist on deeper insight into where data is going and how a provider will keep it from going anywhere undesirable.
  • Deploy automatic patching to make sure this critical task takes place in a timely way.
  • Make sure your cloud provider is capable of delivering three types of encryption, e.g., in-transit, at-risk, end-to-end.
  • Thoroughly research, review and understand the terms of services and privacy policies of prospective service providers.
  • Thoroughly test a cloud provider’s security system. For example, you will want to see two-factor authentication plus use of a local encryption key.

To read the full analysis, download the LexisNexis white paper High Technology Where We Stand With Cloud Storage.


Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close