Safer in the cloud or on the ground? The importance of vendor cloud security
For some within the legal sector, moving to the cloud has lowered costs and increased operational efficiency and security control. For others, the increasing number of cyber breaches is a clear warning against becoming easy targets for hackers. In any case, the legal sector is a warehouse of sensitive and confidential data and necessary steps need to be taken to reduce risk, whether data is digital or physical.
For offices that still operate primarily in hard-copy, there are well-known and widespread risks, from documents being left out and taken home, to faxes and scans sent to the wrong recipient. In a study done on 5 major industries, including the financial and governmental sectors, the combined percentage of data breaches due to physical loss, stationary device loss, and unintended disclosure ranged from18.6% to 44.7%.
Back in 2012, a survey done by Legal IT Professionals asking respondents whether they were willing to move key applications to the cloud showed that most responded with “overwhelming skepticism” with a an almost-even split with 45% for and 46% against. In a more recent survey done by the International Legal Technology Association (ILTA) in 2017 however, the conversation seems to have changed from “maybe we will” to “when we will.” It reports that those surveyed predict that adoption of cloud-based solutions is steadily increasing, rising from 51% in 2016 to 63% in 2017. Even for those whose primary networks are not cloud-based, it’s hard to find any organization that doesn’t employ cloud technology in some way, whether it’s using Dropbox to share files, or Office 365 to correspond with colleagues and clients.
“54% of law departments specifically highlight the importance of external data security practices for their vendors”
So the trend seems to have caught on in the legal industry, despite plenty of hesitance from law departments and law firms combined. The biggest concerns come are regarding information security, which is understandable, considering the sobering statistics being reported. 1,579 data breaches were reported in 2017, at least 2.8 billion records were exposed in 2017 and 2018 alone, and $3.62 million averaged as the total cost of a data breach in 2017. The CLOC reported that 66% of legal organizations stated that internal data security was a growing focus with 54% of law departments specifically highlighting the importance of external data security practices for their vendors. However, there is growing agreement that storing data on the cloud is better than on the ground.
Storing information in the cloud is a risk mitigator for protecting against natural disasters, with backups enabling system restores within minutes. Decreasing need for in-house servers and secondary datacenters, companies and firms can reduce their hardware costs and better plan for disaster recovery. Not to mention the increased security measures cloud-based systems enforce, from role-based access control to multi-factor authentication to compliance reports and logs. There’s no question that cloud-based applications also improve efficiency and increase productivity, enabling attorneys and employee to work from anywhere and through various devices. Many state bar associations (such as Massachusetts and California), have concluded that using the cloud is safe, as long as legal organizations do their due diligence.
“Using the cloud is safe, as long as legal organizations do their due diligence.”
Ahh… due-diligence. This is how you can protect yourself.
With increasing pressure on the legal industry to do all they can to protect their information, law departments and firms alike, everyone really, needs to carefully select and thoroughly vet their third-party cloud providers and vendors to ensure they can provide proof that they process and store data using best practices and hold verifiable certifications and accreditations. Wise companies and firms must turn to their technology partners and ensure that vendors’ information security policies and processes align with their own security and compliance objectives as well as those of their clients and partners. No one can afford to assume their third-party providers have information security considerations in mind and data protection policies and procedures in place.
Any vendor can claim to have secure environments to host data (and many do), but most lack verification. Why? Because it’s a lengthy and costly process to alter operations processes and achieve genuine certifications. But that’s not your concern – if vendors are handling your sensitive and critical information, you should insist on proof of compliance and specify security requirements in your vendor selection process.
“Wise companies and firms must ensure that vendors’ information security policies and processes align with their own security and compliance objectives.”
One trusted and rigorous certification is the ISO 27001:2013 standard designed for organizations in any industry, but is particularly pertinent for SaaS vendors, especially those which operate in the cloud. It not only ensures that information is secured from a technical and organizational perspective, it requires guidelines and processes for managing risk and implementing controls which continuously test compliance. ISO 27001 requires management to systematically assess security risks and impacts, design and implement controls to address potential vulnerabilities, and to review and revise controls over time. Furthermore, verified certifications can only be attained through a rigorous 3 step auditing process performed over several months and re-verified annually by third-party accredited certification bodies recognized by government-authorized parties.
Unfortunately, most vendors, particularly in the United States have not gone through the certification process and will often refer their prospects and clients to their cloud-service providers’ certifications, such as Microsoft or Amazon. This is highly misleading and risky, as those service providers only ensure the security of their own infrastructure, platforms, and software. Vendor software and data are not in the cloud-service providers’ ISO scopes. That’s why it is of the utmost importance to make sure your technology vendors carry their own certifications.
So how can you tell?
Start by asking all of your vendors these questions:
- Do you carry any security certifications, such as ISO 27001, and who is your certification body?
- What are your company-specific policies and procedures on information security? How often do you perform security risk assessments to identify and measure risks, and do you keep a log of security and risk incidents?
- What are your organization’s internal policies regarding user access and account security?
- How do you encrypt data at rest and in transit, and what kinds of controls and processes are in place for intrusion detection, monitoring, and threat detection? How often are vulnerability scans and penetration tests performed?
- How do you store and what is your retention policy regarding client data? How do you securely and permanently delete client data?
- Do you enforce your third-party partners and contractors to follow the same security and risk compliance measures, and how often are reviews of these contracts and partners performed?