Cyber security threats: can we trust cloud-based legal tech?
For any forward-thinking lawyer, the benefits of legal technology (or ‘lawtech’) are hard to ignore. In areas such as case management, research, communications and more, tech is helping to boost productivity, drive efficiency and, most important of all, deliver better outcomes for clients.
For many of the new legal tech tools out there, that phrase ‘cloud-based’ is often listed as a selling point. The last thing any lawyer needs is to be hit by a security breach. And the implication sometimes seems to be because a solution is based in the cloud, somehow cyber security becomes “one less thing to worry about”.
In reality, cloud-based legal tech offers many benefits — but what it doesn’t do is make your cyber security responsibilities disappear. Here’s a closer look at the cloud in a legal business context, its implications for cyber security, and at how to keep your data safe.
The cloud for law firms: what are we talking about?
Let’s take case management software as an example. The typical case management product provides a single location for managing your files, generating documents, automating key tasks and keeping your workflow on track. All in all, it’s a pretty powerful piece of tech.
A decade or two ago, if a firm or chambers wanted access to this type of tool, it would have to purchase it outright, along with licences for individual users: a potentially large investment. The cloud-based model gives businesses an alternative way to access their tech. Instead of it being installed and located on their in-house computer servers, the software is hosted by either the software provider or a third party. Businesses access the software over the internet.
In addition to accessing software, the cloud also offers an alternative method for storing digital data. With cloud storage, instead of uploading information onto your firm’s own servers, that data is uploaded over the internet to the provider’s remotely located servers.
For lawyers, cost and convenience are probably the two biggest advantages of the cloud. Often referred to as ‘software-as-a-service’ (SAAS), you can pay for access on a monthly or annual basis, and add or remove users at relatively low cost.
So is the cloud inherently safer or less safe than traditional means of software access and data storage? Here’s a closer look at the cyber threat landscape — and at how the cloud fits into it.
Cyber security threats to law firms
With so much sensitive client information up for grabs, a typical law firm can provide rich pickings for cyber criminals — according to a Law Society Report in June 2019, 55% of British firms had experienced a cyber-attack in the previous 12 months.(1)
Cloud computing is sometimes billed as a way to help firms become less susceptible to security breaches. On the data storage front, the argument is that if your data is stored and backed up remotely, you will always be able to access it in the event that your in-house servers are attacked. In the case of software, updates and bug fixes tend to be handled by the software supplier, helping to keep you shielded from the type of vulnerabilities that can be exploited by hackers.
The reality is more complex. For a start, cloud-based computing basically introduces a “middle-man” into your data supply chain (i.e. a software and/or storage provider). In its report into the cyber threat and the UK legal sector, the National Cyber Security Centre (NCSC) specifically cited ‘supply chain compromise’ as one of the most significant threats facing firms.2 There are two important takeaways from this:
Service providers themselves are susceptible to cyber-attack. According to NCSC, supply chain compromises have increased significantly recently, having risen by 200% in 2017.(2)
Ultimately, data in the cloud remains your responsibility. If client data is compromised, attempts to shift the blame to your cloud supplier will probably hold little sway in the eyes of your professional regulator, the data regulator – and most importantly, your client. This is especially the case if you have done little or nothing to exercise oversight over those cloud suppliers.
Cloud suppliers: how lawyers can make the right choices
The deadline for filing a statement on behalf of one of your clients is tomorrow. You attempt to log onto your cloud-based case management platform only to discover it is inaccessible. The supplier’s platform has been hit by a Distributed Denial of Service (DDoS) attack: basically a malicious barrage of traffic designed to disable it. The longer it takes to get back online, the greater the chances of missing the deadline.
Reliable backup and resilience against this type of attack is a must. When you research cloud providers, always look carefully at their reputation, along with their track record at guaranteeing continuity of service. For instance, a 99.9% uptime record is acceptable, whereas a 95% record is not. To help you make the right choices, it’s worth taking a look at NCSC’s guidance on cloud-enabled products as well as The Law Society’s cloud guide.(3,4)
Focus on GDPR-compliant products
In force since 2018, The General Data Protection Regulation (GDPR) sets out the current framework for ensuring personal data security and privacy. To avoid sleepwalking into non-compliance (along with potentially hefty fines), you need to ensure that appropriate levels of security are in place to protect data against cyber-attacks and manage security risks. This includes looking closely at potential cloud service providers’ own procedures. Only select providers with a clear GDPR policy in place demonstrating compliance.
The flipside of accessing data from anywhere
One of the cloud’s big selling points is that so long as they have internet access, your people can log into your business systems from virtually anywhere, on any device. While this is good news if you want to encourage flexible and remote working, it can also trigger additional security issues.
In addition to supply chain compromise, the other major legal sector security issues flagged up by NCSC included targeted scams (phishing) and downloading infected material (malware). With each of these, the criminals behind them rely on the lawyer at the other end either clicking on something they shouldn’t or being duped into handing over information, such as a system log-in.
Security-conscious firms usually address this threat through a combination of technical measures such as email filters and anti-virus blockers. They also have robust rules in place, telling staff how to behave online. Just be aware that if you are using cloud software to facilitate remote working, make sure you update your policies and technical controls so that connected devices are secure — and your people know what’s expected of them.
When it comes to software and storage, it’s never a case of “cloud deployment, good; On-site deployment, bad” (or vice versa). Instead, tech tools should be considered on their own merits — and in particular, their ability to solve specific business problems. There won’t always be a clear business case for deployment through the cloud; but if there is, it’s then a case of looking carefully at any associated security risks and making sure that those risks are adequately addressed.
For further advice on the risks currently encountered in the legal sector, along with hints and tips on improving your business processes, be sure to explore our Insights Hub.
- Lawsociety.org.uk. (2019). The three biggest cyber threats facing law firms – The Law Society. [online] Available at: https://www.lawsociety.org.uk/support-services/practice-management/cybersecurity-and-scam-prevention/three-biggest-cyber-threats-facing-law-firms/
- Ncsc.gov.uk. (2018). ‘The cyber threat to UK legal sector’ 2018 report. [online] Available at: https://www.ncsc.gov.uk/report/-the-cyber-threat-to-uk-legal-sector–2018-report
- Ncsc.gov.uk. (2017). Managing the risk of cloud-enabled products. [online] Available at: https://www.ncsc.gov.uk/guidance/managing-risk-cloud-enabled-products
- Lawsociety.org.uk. (n.d.). Cloud computing – The Law Society. [online] Available at: https://www.lawsociety.org.uk/support-services/practice-management/cybersecurity-and-scam-prevention/cybersecurity-for-solicitors/cloud-computing/