When a law firm is moving from in-house data storage to the cloud, it should start with a security risk assessment. It’s similar to what you did when you set up your current system. In the cloud, your cybersecurity needs to be configured from the ground up inside the provider’s dashboards. While you can re-purpose your existing security software, different types of security, policies, and procedures may be needed depending on the cloud platform. Depending on the cloud provider you select, different risk assessments should be done to verify the security protocols, policies and procedures of whoever your firm works with.
Smaller law firms using cloud solutions such as Office 365 need, in addition to the platform, to have their cloud settings configured properly so there are no gaps creating vulnerabilities. They need to do penetration assessments. Firms that allow mobile devices access to their systems need those devices configured properly and set up for encryption.
There is a common misconception that if you are hosting with Microsoft or Amazon or one of the other big providers, all your troubles will go away, and that’s not exactly true. That’s what happened recently with the two law firms whose trust accounts were hijacked using wire fraud that I discussed in my last column. The hackers tricked the user with a phishing e-mail, and then there were misconfigured settings that could have been hardened to make it tougher for the hackers to get in.
Using the cybersecurity that comes with the cloud storage software without any upgrades puts your system at very high risk of exposure. See the most recent news postings on default router and IoT device settings. The defaults don’t cut it.
WHY YOU NEED AN EXPERT
Cybersecurity is not “one size fits all,” but you can do some things to heighten the security of your platforms that are public. If you read the terms and conditions of Microsoft and Amazon, they are not responsible for how you configure your controls. They give you the platform, but you still need to know what you are doing. You need to have an expert configure it all and assess the security on those platforms, and there need to be checks and balances.
A freelancer who handles your IT may be an excellent resource for IT support or general helpdesk work, but not for cybersecurity.
A cybersecurity expert can help you through the maze of what your law firm specifically needs to do and analyze what technology you are using, what software packages you are using, and what vendors you are using. It’s like the doctor analogy: if you have cancer, you would not treat yourself for it.
The cost for analysis can range widely depending on the amount of analysis that needs to be done and the remediation. For instance, our company would do a basic gap analysis for $3-5,000 that would identify problems that need to be fixed. Then we would give you options on the issues that need to be fixed and on what other types of assessments might apply. It’s like going to your GP to get initial tests done and the first diagnosis. Then the GP sends you to a specialist, and they give you options.
TRAINING IS ESSENTIAL
As I’ve discussed in prior columns, many cybersecurity breaches are the result of human error when established procedures are not followed. It’s why, when our company sets up cybersecurity systems, we make training a high priority. Training your staff should always be an essential element of your cybersecurity system. When you move to the cloud you will need to train your team on any new protocols. It’s also an opportunity to reinforce security procedures you already have in place.
Craig A. Petronella