Let’s take case management software as an example. The typical case management product provides a single location for managing your files, generating documents, automating key tasks and keeping your workflow on track. All in all, it’s a pretty powerful piece of tech.
A decade or two ago, if a firm or chambers wanted access to this type of tool, it would have to purchase it outright, along with licences for individual users: a potentially large investment. The cloud-based model gives businesses an alternative way to access their tech. Instead of it being installed and located on their in-house computer servers, the software is hosted by either the software provider or a third party. Businesses access the software over the internet.
In addition to accessing software, the cloud also offers an alternative method for storing digital data. With cloud storage, instead of uploading information onto your firm’s own servers, that data is uploaded over the internet to the provider’s remotely located servers.
For lawyers, cost and convenience are probably the two biggest advantages of the cloud. Under the model often referred to as ‘software-as-a-service’ (SaaS), you can pay for access on a monthly or annual basis, and add or remove users at relatively low cost.
So is the cloud inherently safer or less safe than traditional means of software access and data storage? Here’s a closer look at the cyber threat landscape — and at how the cloud fits into it.
With so much sensitive client information up for grabs, a typical law firm can provide rich pickings for cyber criminals — according to a Law Society Report in June 2019, 55% of British firms had experienced a cyber-attack in the previous 12 months.(1)
Cloud computing is sometimes billed as a way to help firms become less susceptible to security breaches. On the data storage front, the argument is that if your data is stored and backed up remotely, you will always be able to access it in the event that your in-house servers are attacked. In the case of software, updates and bug fixes tend to be handled by the software supplier, helping to keep you shielded from the type of vulnerabilities that can be exploited by hackers.
The reality is more complex. For a start, cloud-based computing basically introduces a “middle-man” into your data supply chain (i.e. a software and/or storage provider). In its report into the cyber threat and the UK legal sector, the National Cyber Security Centre (NCSC) specifically cited ‘supply chain compromise’ as one of the most significant threats facing firms.(2) There are two important takeaways from this:
Service providers themselves are susceptible to cyber-attack. According to NCSC, supply chain compromises have increased significantly, rising by 200% in 2017.(2)
Ultimately, data in the cloud remains your responsibility. If client data is compromised, attempts to shift the blame to your cloud supplier will probably hold little sway in the eyes of your professional regulator, the data regulator – and most importantly, your client. This is especially the case if you have done little or nothing to exercise oversight over those cloud suppliers.
The deadline for filing a statement on behalf of one of your clients is tomorrow. You attempt to log onto your cloud-based case management platform only to discover it is inaccessible. The supplier’s platform has been hit by a Distributed Denial of Service (DDoS) attack: basically a malicious barrage of traffic designed to disable it. The longer it takes to get back online, the greater the chances of missing the deadline.
Reliable backup and resilience against this type of attack are a must. When you research cloud providers, always look carefully at their reputation, along with their track record at guaranteeing continuity of service. For instance, a 99.9% uptime record is acceptable, whereas a 95% record is not. To help you make the right choices, it’s worth taking a look at NCSC’s guidance on cloud-enabled products as well as The Law Society’s cloud guide.(3,4)
In force since 2018, the General Data Protection Regulation (GDPR) sets out the current framework for ensuring personal data security and privacy. To avoid sleepwalking into non-compliance (along with potentially hefty fines), you need to ensure that appropriate levels of security are in place to protect data against cyber-attacks and manage security risks. This includes looking closely at potential cloud service providers’ own procedures. Only select providers with a clear GDPR policy in place demonstrating compliance.
One of the cloud’s big selling points is that so long as they have internet access, your people can log into your business systems from virtually anywhere, on any device. While this is good news if you want to encourage flexible and remote working, it can also trigger additional security issues.
In addition to supply chain compromise, the other major legal sector security issues flagged up by NCSC included targeted scams (phishing) and downloading infected material (malware). With each of these, the criminals behind them rely on the lawyer at the other end either clicking on something they shouldn’t or being duped into handing over information, such as a system log-in.
Security-conscious firms usually address this threat through a combination of technical measures such as email filters and anti-virus blockers. They also have robust rules in place, telling staff how to behave online. If you are using cloud software to facilitate remote working, make sure you update your policies and technical controls so that connected devices are secure — and your people know what’s expected of them.
When it comes to software and storage, it’s never a case of “cloud deployment, good; on-site deployment, bad” (or vice versa). Instead, tech tools should be considered on their own merits — and in particular, their ability to solve specific business problems. There won’t always be a clear business case for deployment through the cloud; but if there is, it’s then a case of looking carefully at any associated security risks and making sure that those risks are adequately addressed.
For further advice on the risks currently encountered in the legal sector, along with hints and tips on improving your business processes, be sure to explore our Insights Hub.