Repeat after me: My firm will suffer a cloud security breach.
For you (the reader), repeating this might not change anything. You’ll gloss over the words and mindlessly click away. You’ll be thinking: Myeh ... Our cloud services are bulletproof!
But you really don’t know this, even if somebody’s told you otherwise. Just because somebody (e.g., a vendor or an IT professional) says your data’s safe in the cloud, doesn’t make it an iron-clad fact.
It’s like car safety. A 5-Star crash rating doesn’t eliminate car accidents. It only suggests safety. Likewise, a “secure” cloud doesn’t prevent data breaches. It only suggests a secure law firm. As pointed out in the LexisNexis white paper High Technology Where We Stand With Cloud Storage:
The risks of moving to the cloud are there ....
Risks ... definitely! But there’s hope. Consider this silver lining from the LexisNexis white paper:
[R]isks also exist with traditional servers and equipment. So, one way to look at the cloud debate is that the risks are merely different.
Lawyers—if they want to protect their firms, their careers, and their reputations—have to wise up to these “merely different” risks.
Writing for Law360, Shaun Jamison notes that lawyers aren’t exempt from the risks associated with cybersecurity (including cloud security). Underscoring the fact that lawyers handle sensitive client information and often operate as solo and small practices, Jamison defines lawyers as a “prime target” for cyberattacks.
“Prime-target” means lawyers must run their firms with a faithful eye toward cloud security. For lawyers and their clients, this is good business, but it’s also ethical business. In a recent ABA article, Jason Tashea wrote of a lawyer’s ethical duty to safeguard confidential information in the cloud:
Whether for personal or professional applications, remote storage has become the standard for millions of Americans. However, this and other internet-enabled technologies can create unique ethical quandaries for lawyers. ... [A]n ethical attorney is not just doing one thing; they are in a constant state of evolution and growth to keep pace with threats and best practices.
But “keeping pace” with cloud security, as you’ll soon see, is easier said than done.
Public cloud use exposes 1 in 4 organizations to data theft, according to McAfee’s 3rd annual cloud adoption and security report, while 1 in 5 organizations have seen advanced attacks against their public cloud infrastructure. These numbers reflect the data insecurity felt by most of today’s organizations. In fact, only 16% of organizations believe their current security can protect them in the cloud.
Despite these concerns, it’s a myth that the cloud is “inherently” insecure. The Enterprisers Project characterizes public cloud security as better than old on-premises security:
[F]or some companies, leveraging the size and scale of some cloud vendors might actually be a part of a more efficient overall security strategy, especially if they’re strapped for budget or simply, like so many IT leaders, having a difficult time finding the right cybersecurity skills for their teams.
But even if the cloud offers your firm a “more efficient overall security strategy,” that doesn’t translate into 100% safety. To truly protect your firm and your ethical duties, you need to be aware of (and guard against) cloud security’s “inherent” flaws (a/k/a those “merely different” risks).
When it comes to cloud security, some of the more obvious risks include:
What might be less obvious is the cloud risk that comes from employee entitlements:
A former employee does not need a VPN connection to access a company’s SaaS application and can do so from another device with his or her credentials. As such, eliminating a former employee’s entitlement to use cloud applications makes decommissioning cloud application credentials a critical step in the employee exit process. - The Oracle and KPMG Cloud Threat Report 2018
Another risk, one you need to be hyper-vigilant against, is shadow IT, in which impatient employees sidestep cloud-usage policies and use technologies without IT’s approval. Consider this cautionary legal tale from VentureBeat:
A large conglomerate faced [a] problem when members of its legal team uploaded contracts to online PDF converters, whose terms of service stated that they assumed complete ownership of all documents uploaded into their systems and that they had the right to distribute data to any third party. The legal team put its company at significant risk by uploading sensitive information to a service that could freely distribute it to any interested party.
With these risks in mind, it’s mission critical that lawyers maximize their cloud security efforts.
This has to change ... and change quickly.
One way to change it is through better education and understanding. A good place to start your cloud education is the LexisNexis white paper High Technology Where We Stand With Cloud Storage. This complimentary download examines diverse topics, including:
And with law firms headed toward widespread cloud-based adoption, the white paper goes on to suggest several security considerations, including:
To read the full analysis, download the LexisNexis white paper High Technology Where We Stand With Cloud Storage.