Pop quiz! Of the following attacks, which breached cloud systems and which breached on-premise systems?
- NSA Snowden leaks
- JP Morgan Chase breach
- Home Depot breach
- Jennifer Lawrence iCloud photos
- Target breach
- North Korean SONY attacks
Answer: the lone attack in that list to hit a cloud system was the Apple iCloud hacking of Jennifer Lawrence’s pictures. Moreover, the intruders gained entry through poor user password usage, not through fancy cyber hacking or security issues with iCloud itself. The other attacks were breaches of on-premise corporate systems guarded by IT departments.
We’ve reached a point where the conversation about on-site versus cloud security may have flipped. It’s time we reexamine the true risks to cyber security. We’re at a point where legal professionals deserve serious dialog and educational content around the realities of our cyber landscape.
Some legal technology consultants maintain that lawyers need to take extra precautions when moving data to the cloud. This made sense in the early days of legal cloud computing, as it was important for these IT consultants to cast a wary eye towards storing data in an offsite location. A significant number of legal technology consultants have now embraced the cloud. They understand the benefits to productivity and security. Furthermore, many state bar association ethics opinions have come down in favor of cloud usage by informed lawyers.
However, some legal IT departments continue to insist that on-site technology is safer than cloud technology, when that assertion is clearly up for debate. We are living in a highly connected world where computer systems, cloud or not, are accessible via networks. Every system is at risk.
It can be reasonably argued that in 2015, we’re at the point where cloud providers have the upper hand when it comes to providing secure storage for your critical information. It is a primary focus for cloud providers. Law firms, especially smaller ones, are not in the business of becoming security experts, and cannot reasonably afford the measures needed to guard their systems in an age of cyber warfare.
If you’re wondering what your law firm would need to have security on par with a leading cloud provider, ask yourself the following:
- Does your local office have biometrically protected server access that requires a hand-scan to go near the server?
- Are there security cameras monitoring your equipment 24/7?
- Are you paying someone every night to probe your systems for vulnerabilities?
- Do you or your IT staff reliably and consistently apply critical security patches to your servers, before the exploited vulnerabilities make headlines on CNN?
- In terms of disaster recovery, what happens if your office is inaccessible for some reason?
- Does your law firm have three different electric utilities supplying it, and do you have two weeks of generator capacity to run your firm if you lose power?
- Are your backups happening continuously every day and do you perform geo-redundant backups?
I ask these questions to prove a point: lawyers need real, honest dialog about the pros and cons of on-premise versus cloud systems. The truth of the matter is this: no system is 100% bulletproof. Even the most impenetrable system can be sabotaged by the simple, duplicitous act of a disgruntled employee. Cloud computing, when done correctly by the right provider, has its security advantages. On-premise computing, when done correctly with the right IT staff, is also reasonably secure and safe for confidential client information.
Lawyers are due an unbiased discussion about their security risks with both on-premise and cloud systems. Their livelihoods and our collective faith in confidentiality depend on it.