According to Gartner, the SaaS (Software-as-a-Service) market is poised to reach $37.7 billion by the end of 2016. Law firms have already started getting behind these technological advancements, but while jumping into the cloud has many benefits for law firms, some security concerns accompany that decision.
Does this mean that law firms should avoid SaaS solutions at all costs? Absolutely not. However, the legal industry is subject to uniquely strict regulations and ethics considerations that other industries simply do not face. For that reason, it is important that all law firms are aware of the essential components of cloud security.
The Essentials of Cloud Security for Law Firms
When looking to secure a law firm’s operations and data in the cloud, keep in mind three main areas of concern: how the software is designed, what practices are in place to maintain the solution, and what the law firm is using the software for.
Secure Software/Platform Provider Design
When seeking out a secure provider of legal solutions in the cloud, it is extremely important that law firms and attorneys know what to look for in a vendor’s platform. The way a system is designed, the hardware being used and even the data encryption methods are all extremely important elements to consider when vetting a provider.
Legal software providers in the cloud need to design their platforms with security as their #1 priority. Before the cloud, there was always a physical separation of data because each installation of a software solution had its own infrastructure. In the cloud, multiple law firms will be running their instance of the software inside of a shared infrastructure. Part of a secure design for legal solutions is a logical separation of data that ensures your data is never commingled with that of other client firms. Failure to design with these things in mind could result in one firm’s data being wrongfully shared with another.
Availability & Redundancy of Data Servers
System architecture and proper system setup are a big part of keeping a firm secure in the cloud. Infrastructure can be expensive, but any SaaS provider worth its salt will have made an investment in it.
Law firms deal with sensitive information. This can be theirs or their clients’. It is extremely important that the highest levels of security are used. When talking about encryption, law firms should be sure that their software providers are using 256-bit encryption methods while data is going back and forth over the internet. This is the highest level commercially available. Additionally, data must be kept in an encrypted state while you are not using the application.
Secure Software/Platform Vendor Best Practices
Beyond the way a provider designs their software offering, it’s equally if not more important that law firms consider the practices and procedures of the vendor. Providers that perform the following tasks tend to create a much more secure offering than those who do not.
Data Backups: Data backups should be performed on a daily basis, even multiple times a day. This ensures that if the worst were to happen, all of the provider’s client firms will not have to worry about losing all of the data that is supremely important to them and their clients.
External Audits: The best providers of legal solutions in the cloud have enlisted the help of external auditors. In doing this, the SaaS vendor subjects itself to rigorous audits that verify it can stand up to any security breaches that may come its way. This serves as a real seal of approval from a third party that the provider has done the work to remain secure.
Subpoena Response: This is where providers of legal software in the cloud have to differentiate themselves from other SaaS providers. The vendor needs to have standard procedures in place that allow them to easily respond to subpoenas, court orders, and other third-party requests. If they don’t have effective procedures in place to do this, their client firms could pay heavily.
Security Breach Notifications: In a perfect world, a law firm would never receive a notification that the security of its systems has been compromised, but in the rare event that it does happen, it is extremely important that all parties affected are notified in a timely fashion.
What Should A Law Firm Do?
When law firms turn to the cloud for software solutions, it isn’t crazy to think that they might let their guard down and assume that their vendor is on top of any and all security concerns. For the most part, this is fairly accurate, but carelessness will always lead to problems. Any law firm jumping into the cloud should outline policies and best practices to ensure members of the firm don’t inadvertently bring trouble to the firm.
Here are some of the practices and procedures implemented by law firms who have been able to remain secure in the cloud.
Ensure All Employees Are Aware of The Risks: In a law firm, more than just attorneys are handling sensitive data — paralegals, secretaries, accountants, and more are involved. Every single one of them needs to be aware of the security risks associated with that data. It only takes one person inside a firm neglecting to take the necessary precautions to invite security issues into the practice.
Create User Privileges & Access Roles: In a firm with many different users at a number of different levels in the firm, it is important to control what users have and don’t have access to in the system. While all of the firm’s data may be accessible anywhere at any time, it doesn’t mean just anyone inside of the firm should have access to every area of the system. Firms should control access across their practice by setting up user-based permissions and access controls.
Avoid Phishing Attacks: When a strange email comes in, don’t click on it! Make sure the other members of your firm handle these emails the same way. Phishing attacks are the most common method used by hackers to obtain others’ information. The key here is education. While phishing attacks may be obvious to some, others may not be able to identify these emails meant to extract personal information. Firms that educate all of their members can effectively combat these attacks.
Implement An Audit Log Review Process: With any application, it is essential to have a log of activities. This allows firms to go back and review the activities that occurred that may have led to a security breach in the system. Not only is this an effective way to play detective when something has gone wrong, it also adds an extra level of accountability across all users. If users know that every entry is logged, they are more likely to show more care in the actions they take inside the system.
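As an added example (not code from the article or from any vendor it describes), the following minimal document store shows how the three controls described above fit together in one data-access layer: every record is keyed by the caller's firm so one firm's data is never visible to another, every action is checked against a hypothetical role matrix, and every attempt, allowed or denied, is written to an audit log that can be reviewed later. The user names, firm ids and role names are constructed sample values.

```python
# Added example: tenant-scoped, role-checked document store with an audit log.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    firm: str   # the tenant (law firm) this user belongs to
    role: str   # "attorney", "paralegal" or "accountant" (hypothetical roles)


# Hypothetical role matrix: which roles may perform which actions.
PERMISSIONS = {
    "attorney": {"read", "write"},
    "paralegal": {"read"},
    "accountant": set(),
}


class DocumentStore:
    def __init__(self):
        self._docs = {}      # (firm, doc_id) -> text; the tenant is part of the key
        self.audit_log = []  # (firm, user, action, doc_id, allowed) for every attempt

    def _authorize(self, user, action, doc_id):
        """Check the role matrix and log the attempt whether it succeeds or not."""
        allowed = action in PERMISSIONS.get(user.role, set())
        self.audit_log.append((user.firm, user.name, action, doc_id, allowed))
        if not allowed:
            raise PermissionError(f"{user.name} ({user.role}) may not {action} {doc_id}")

    def write(self, user, doc_id, text):
        self._authorize(user, "write", doc_id)
        self._docs[(user.firm, doc_id)] = text  # stored under the caller's own firm

    def read(self, user, doc_id):
        self._authorize(user, "read", doc_id)
        # The lookup is keyed by the caller's firm, so a different firm's document
        # with the same id is never returned, even if the id is guessed.
        return self._docs.get((user.firm, doc_id))


def denied_attempts(store):
    """Review helper: the audit entries that were refused, for follow-up."""
    return [entry for entry in store.audit_log if not entry[4]]
```

The review helper is the kind of query an audit log review process would run regularly: repeated denied attempts from one account are an early sign of misuse or a compromised login.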
Utilize 2-Factor Authentication: One-layer passwords are not enough anymore; law firms need to utilize 2FA. 2FA stands for “2-Factor Authentication”, and it happens when users log in and a text message is sent to a mobile phone with a second piece of verification, a temporary code to log in. 2FA is about as close to “hacker proof” as law firms can get, and it’s fast becoming the new standard. Law firms should make it mandatory that all staff use 2FA. It’s a simple step that can go a long way in protecting law firms from cyber threats.
Manage The Firm’s Hardware & Devices: If a firm has taken every other security measure, but hasn’t secured the devices firm members access these systems on, they could be in for trouble. It is important to have effective corporate policies in place that ensure devices are properly used, maintained, and secured by all employees. In the event a device has been compromised, it is imperative that the issues are dealt with immediately to stop any potential viruses or hackers from accessing systems used by the firm through the compromised device. Firms that effectively manage their assets can generally detect, locate, and remedy any compromised hardware in the firm before it becomes a larger problem.
Moving a law firm to the cloud can be a real game changer. It increases the agility a firm can operate with, cuts costs, and is extremely scalable. Many firms either have already or will make the move. Success will only be attained by those who have security top of mind.
About The Author
Rick Kabra, Ph.D. is the CEO of Cosmolex, a leading provider of web-based legal practice management software.