A Law Firm’s Role in Cloud Security
Today’s cloud technology offers some of the most advanced security available to protect law firms from hackers, computer viruses, and other threats. (Often times, this security is even better than what most Fortune 500 companies and government agencies have. Not to mention using the cloud is also a lot easier, offers far more flexibility to both on-site and remote workers, and is significantly more cost effective than having and using a traditional IT infrastructure). But, even when a law firm does use the cloud, it still needs to take proactive steps to safeguard its confidential client data, software applications, and users. That’s because in a cloud computing environment, the cloud provider (in this case, AirDesk Legal), the customer (i.e., law firms), and the customer’s end users (i.e., a law firm’s employees) all share an equal responsibility for achieving and maintaining security, as follows:
AirDesk Legal’s Responsibilities for Security
AirDesk Legal, its infrastructure partners, and industry-leading security technology providers are responsible for delivering the multiple overlapping layers of security and protection needed within the cloud. This includes:
| Cloud Infrastructure Security (Both Physical and Operational). |
| Securing All Customer Applications and Data Stored In the Cloud. |
| All Application Updates and Maintenance in the Cloud. |
| Virus and Malware Protection in the Cloud. |
| Intrusion Prevention and Detection in the Cloud. |
| Application Integration Within the Cloud Network. |
| Best-in-Class Operational Procedures. |
| 24/7 Support for Email Spam, Delivery, Discovery in Cloud. |
| Audit Management |
| Compliance Management (For AICPA/SOC, SAS 70 Type II, SSAE 16, GLBA Compliance). |
A Law Firm’s Responsibilities for Security
As part of this effort, law firms are responsible for taking “reasonable security precautions”, such as:
| In House (On All Devices) | Once In the AirDesk Cloud | |
|---|---|---|
| On-Site Physical and Network Security. | X | X |
| Customer Data Security. Plus, Identifying, Classifying, and Cataloging All Data Assets. | X | |
| Primary Firewall; Operating System Firewall. | X | |
| Operating System, Network, and Firewall Configurations. | X | |
| Identity and Access Management. | X | |
| Security Policy/Policy Management. | X | |
| Employee Security Awareness/Training. | X | X |
| Compliance Management. | X |
The End User’s Responsibilities for Security (i.e., Individual Law Firm Employees)
And, the law firm’s employees are responsible for:
| On their Own Devices | Once In the AirDesk Cloud | |
|---|---|---|
| Using Strong Passwords | X | |
| Protecting Any Confidential Client Data the End User Stores or Uses on Their Devices (e.g., PCs, Laptops, Smartphones, tablets, etc.). | X | |
| Helping to Protect the Law Firm’s Network From Potential Security Threats/Security Awareness. | X | X |
Plus, as law firms and lawyers know, they also have ethical, common law, and regulatory obligations to safeguard client data.(1)
As a result, every law firm needs to:
- Have a formal security policy in place, which:
- Establishes reasonable care standards in handling confidential client data, no matter where or on what device an employee is working.
- Includes a Bring Your Own Device (BYOD) policy, so employees can use their own devices (e.g., cell phones, PCs, laptops, tablets, Wi-Fi, etc.) to access a law firm’s network, applications, and data when they’re on the go, but the law firm still has a way to protect and secure its network. This policy should also outline factors such as: What happens if an employee’s device is stolen and has company information on it? Who is responsible for backing up any company-related data on an employee’s device? Etc.
- Implement the right systems security in areas such as:
- Having a primary firewall and operating system firewalls.
- Controlling administration credentials.
- Providing regular security patches and virus definition updates.
- Formally managing wireless network access for staff and guests.
- Managing BYOD users.
- Provide formal security training to its employees on topics such as:
- Social engineering and phishing scams (both phone and email).
- Virus/malware forms and their impact.
- Spam blockers and sending.
- Password management.
- Desktop and device access.
- Encrypted email.
- File sharing programs.
After all, employees can often be the best line of defense in spotting and halting potential security threats in real-time, such as:
Common Security Threats and How to Prevent Them
| Security Threat | Description | Examples | Best Defense |
|---|---|---|---|
| Social Engineering | A highly skilled person convinces someone to do something he or she would not normally do (e.g., reveal protected information, bypass security controls, etc.) so the social engineer can access sensitive data or financial information. | -Phishing. -419 advanced fee. | -Train employees not to click on links in emails or open email attachments from people they don’t know and trust. |
| Malware | Malicious software designed to gain access to and/or modify, damage, or disable a computer. | -Computer viruses. -Trojan horses. -Worms. -Ransomware. -Spyware. -Adware. -Day zero attacks (A new computer virus which is released before a company discovers it and has time to fix it). | -Avoid suspicious websites, emails, and links. -Install anti-virus software on all computer devices and keep it updated. |
| Account Hijacking | Someone tries to obtain unauthorized access to a user’s account. | -A thief steals a lawyer’s laptop and uses it to gain access to his or her account. | -Set up a lock screen on all mobile devices and require a PIN number or password to use the device. -Reset passwords. -Make social media accounts private. |
| Data Breaches | A security incident in which sensitive, protected, confidential or other data is viewed, stolen, or used by an unauthorized individual. | -Hacking. -Data theft. -Unintended disclosure through mistakes or negligence. -Insider leak. -Payment card fraud. | -Use multi-factor user authentication. -Add email encryption. |
| Malicious Insiders and/or Compromised User Credentials. | Threats posed by people within an organization, such as current or former employees, contractors, or other business associates. | -Privilege abuse. -Bribery. -Email misuse. -Data mishandling. -Etc. | -Add user authentication technology. -Immediately disable employee accounts as soon as someone no longer works there. -Using strong passwords. |
| Trolling | Someone scans a public-facing system to uncover a weakness and exploit it. | -Unauthorized system scans. | -Regularly scan for vulnerabilities; identify and repair them. -Rapidly respond to system threats |
When all parties do their part to prevent unauthorized network access, misuse, and other security issues, it provides multiple layers of defense which are difficult to penetrate, and greatly reduces the potential security risks for everyone.
Source:
American Bar Association, Volume 36 Number 4, Page 49.
Disclaimer: All the information included above is for informational purposes only, and does not supersede service agreements or other customer agreements and terms.