Law Firm Cloud Security – 12 Things to Look For

What to Look for (and require) in a Secure Cloud for Law Firms

Data security becomes more and more of a focus and priority for law firms almost every day. And for good reason: law firms work with, exchange and store sensitive information every day. This makes keeping a law firm’s data secure really more about keeping their clients’ data secure. And in that way, law firms have an ethical obligation to take precautions when keeping client information safe.

Cybersecurity and data breaches seem to make headlines almost every week these days. And more recently, legal software and cloud provider TrialWorks was hit by a ransomware attack that locked lawyers out of their case files and documents for days on end.

Not long before that cloud provider iNSYNQ was similarly hit with ransomware, affecting many clients.

These kinds of things prompt law firms to take notice and ask questions. In recent conversations, I’ve even seen it prompt law firms to consider moving out of the cloud altogether. While moving from the cloud to on-premise equipment is almost always a bad idea, I understand the reflexive tendency to walk-not-run away from the cloud.

But take a deep breath.

We’ve already established that in many, many ways, a private cloud is better than owning and managing on-premise IT. (Not the least of which is that on-premise servers are significantly more susceptible to ransomware attacks.)

Recent security breaches and ransomware incidents have made many law firms aware that not all clouds are created equal. So the questions become:

  • What makes a secure cloud?
  • What separates the good from the bad cloud providers?
  • How can I tell the difference?

In this article, we’ll explore twelve things to look for, and require, when considering a cloud provider for your law firm.

And in case you need a quick refresher on what exactly a private cloud is:

Consider this article an official checklist on what your law firm cloud hosting company must do to keep your client and firm data safe.

Let’s get started.

1. End-to-End Antivirus

The cloud provider should (obviously) protect your cloud servers with virus protection software. Beyond just software, the provider should be actively monitoring and updating the virus protection on each of your cloud servers.

Better still: The cloud provider should provide, update and monitor virus protection on each of your desktop and laptop computers. This end-to-end virus protection means that the entirety of your technology footprint is being protected and monitored by a single, central system.

2. Ransomware Prevention

Antivirus software is good, but it’s not enough. Ransomware is truly unique: it’s not quite a virus, not quite a Trojan. It’s an entirely new category of malicious software, and it’s particularly devastating.

What’s worse, most ransomware attacks will get past general-purpose antivirus software. That means that a good, secure cloud provider will employ specific ransomware prevention/protection software that can identify and block potential ransomware attacks. In today’s day and age, this is an absolute must for anyone storing sensitive law firm information or hosting software for law firms.


3. Enterprise Firewall Protection

Almost every network has some kind of firewall, at least a basic one. If a network is going to be hosting your firm and client data, it needs to be a truly enterprise-grade system (not the kind of firewall a local IT company might install in your office).

An enterprise-grade firewall will include active threat detection and prevention, regular updates to protect against the latest cybersecurity threats, and strict control and monitoring on traffic in and out of the network.

4. Data Encryption in Transit

Your private cloud provider will likely make your cloud accessible to you via RDS or a similar remote access technology. It’s vitally important that the connections to your cloud (which will traverse the public Internet) are encrypted using the latest 256-bit encryption. Without this, any data can be intercepted and stolen by a third party.

5. Data Encryption at Rest

You’ll likely store all kinds of sensitive information within your cloud servers: from your time and billing software, to your practice management database, to sensitive documents stored in your file system. For this reason, it’s critical that all of this data be encrypted at rest.

This means that your cloud servers, applications and data are all encrypted while stored on the cloud provider’s servers. This additional, necessary layer of protection keeps your firm data (and most importantly: your client data) safe from unauthorized parties.

6. Active Threat Monitoring

Unfortunately, firewalls and virus protection aren’t enough. Any important IT system, including and especially a law firm cloud platform, needs active threat monitoring and prevention. This is a combination of systems, people and processes that actively watch for:

  • Potential hackers
  • Failed login attempts
  • Potential viruses and malware
  • Potential ransomware attacks
  • Potential security exploits

7. Active Server Patching

Monitoring and knowing about potential security vulnerabilities (or in-progress hack attempts) is one thing; fixing security holes is another. A capable law firm private cloud provider will have a well-defined and rigorously followed process for applying the latest security patches to your cloud servers.

As a cloud provider grows, this can be an easy process to overlook, miss or otherwise kick the can on. (We see this especially with small IT companies that struggle to keep up with the latest security threats and updates.)

8. Truly Private Cloud Environment

The “private” in private cloud isn’t just a buzzword (or at least: It’s not supposed to be). A truly-private cloud means that your firm has servers and functions dedicated to only it, and separate from the provider’s other clients. This includes:

  • Private RDS and file servers
  • Private SQL Servers
  • Private Active Directory (not shared)
  • Private virtual disk drives

Building a cloud architecture this way costs a little more, but provides a lot more security. Specifically, ensuring that each law firm operates (only) in their own private space ensures that viruses and ransomware don’t spread from one client to another, and that the actions or events of one law firm don’t negatively impact another.
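To make the “failed login attempts” item under Active Threat Monitoring (section 6) concrete, here is an added example, not code from the original article or from any provider, of the kind of detection logic a monitoring system runs over failed-logon records. The log lines are constructed to resemble Windows Security event 4625 (failed logon) records as a SIEM might export them for a firm’s RDS servers; the field layout, thresholds and IP addresses are assumptions.

```python
# Added example (not from the original article): flag brute-force and
# password-spray patterns in failed RDS logons from constructed sample records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp  event_id  account  source_ip
SAMPLE_LOG = """\
2019-11-04T09:00:01 4625 jsmith 203.0.113.7
2019-11-04T09:00:03 4625 jsmith 203.0.113.7
2019-11-04T09:00:05 4625 jsmith 203.0.113.7
2019-11-04T09:00:06 4625 jsmith 203.0.113.7
2019-11-04T09:00:08 4625 jsmith 203.0.113.7
2019-11-04T09:05:00 4625 adoe 198.51.100.20
2019-11-04T09:05:01 4625 bwhite 198.51.100.20
2019-11-04T09:05:02 4625 cgreen 198.51.100.20
2019-11-04T09:05:03 4625 dblack 198.51.100.20
2019-11-04T09:30:00 4625 jsmith 192.0.2.55
"""

def parse(log_text):
    """Yield (time, account, source_ip) for each 4625 failed-logon record."""
    for line in log_text.splitlines():
        ts, event_id, account, src = line.split()
        if event_id == "4625":
            yield datetime.fromisoformat(ts), account, src

def detect(log_text, window=timedelta(minutes=5), max_failures=4, max_accounts=3):
    """Return {source_ip: reason} for sources exceeding a threshold within `window`:
    brute-force (> max_failures failures) or password-spray (> max_accounts accounts)."""
    by_src = defaultdict(list)
    for ts, account, src in parse(log_text):
        by_src[src].append((ts, account))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window start
            recent = [acct for t, acct in events[i:] if t - start <= window]
            if len(recent) > max_failures:
                alerts[src] = "brute-force"
                break
            if len(set(recent)) > max_accounts:
                alerts[src] = "password-spray"
                break
    return alerts

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG).items():
        print(f"ALERT {reason} from {src}")
```

A real deployment would feed the same logic from the provider’s log pipeline and route alerts to the people watching the environment, which is the “systems, people and processes” combination the section describes.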

9. Equipment Ownership

The best law firm private cloud providers own their own equipment, including servers and network equipment. Smaller, sometimes fly-by-night cloud providers (including small local IT companies) get around the capital requirements of building out a true business-class cloud infrastructure by simply reselling a public cloud service (such as Amazon AWS or Microsoft Azure).

This creates a lot of accountability problems, and limits that provider’s ability to deliver performance and keep your data secure. Ensure your private cloud provider owns their own equipment, and isn’t simply reselling another service.

10. Dealing With a Subpoena

An often-overlooked element of data security is understanding what your cloud service provider will do if served with a subpoena for your data.

Read the contract carefully and question the process that occurs in the event of a subpoena of data and records. Check to make sure your service provider will provide you with adequate notice if records have been requested, or if they receive any request for information pertaining to your firm.

Many cloud service providers, especially those without legal savvy, are woefully unprepared and have no formal process for dealing with a subpoena. Small companies, such as local IT companies, may panic when served with a subpoena, and promptly hand over your data without informing you.

11. Two-Factor Authentication

Two-factor authentication is low-hanging fruit: a small change with a big security impact.

With TFA, users will be required to authenticate by a second means before they can log into your firm’s cloud environment.

How it works:

  • You log in to an account using your regular username and password;
  • To confirm that it’s you, your mobile phone requests confirmation.

This prevents hackers from accessing your accounts because not only would they need access to your username/password combination, but your mobile phone as well.

Passwords being compromised represents one of the top reasons for data breaches across the world. TFA largely thwarts this threat, because a would-be attacker needs more than just your password to log into your account.

A security-conscious private cloud provider will offer TFA, and will accomplish it painlessly with a smartphone app that verifies the authenticity of each user logging into your private cloud.

12. NIST Framework

Finally, your law firm cloud provider should adopt and implement a specific security framework such as NIST.

There are lots of little things to think about, decide and implement when it comes to overarching cybersecurity. And there’s no need to reinvent the wheel; NIST publishes an information security framework that defines a host of best practices to be employed when securing any computer network.

Your law firm private cloud provider should follow NIST or a similar cybersecurity framework. This has the added benefit of being viewed favorably under third-party compliance regimes such as HIPAA and PCI.

Closing the Loop

Cybersecurity is something that every business in the world needs to take seriously, including and especially law firms. There’s simply too much at stake to ignore security or take the low-cost approach to keeping your data secure.

And if we’ve learned anything from the most recent legal cloud company breach, it’s that you should never simply assume that the provider is following all necessary cybersecurity best-practices. (Especially if cloud hosting isn’t their primary business.)
