I recently read an article comparing the security of on-premises solutions to hosted (“cloud”) solutions. The author, who sells a cloud-based practice management system, asserted that hosted solutions are much more secure. I couldn’t resist commenting—pointing out his conflict of interest and asserting that there is nothing inherently more secure about cloud solutions. Such articles cause confusion and give people a false sense of security.
Rather than spreading fear and misinformation about on-premises or hosted solutions in an effort to drive sales of software, we should be offering constructive feedback about training personnel to be more secure. The issue is about access—be it physical or electronic. Edward Snowden had electronic access which enabled him to take data, no matter whether he took it from where he sat, from another building, or from the cloud (wherever that is for the NSA).
The biggest security threat is people. Social engineering is the simplest way for hackers to get to sensitive data. You don’t need to be Tom Cruise, lowering yourself on a wire into the NSA vault, to steal data. All you need is to get someone’s credentials or plant malware (think keylogger) onto a computer and you’re in. We need to be talking about security holistically, and training people to avoid being taken advantage of via social engineering.
If firms spend all their time focused only on buying firewalls and intrusion prevention systems, they’re missing the point. If a firm selects a cloud solution for its finance/practice management or its document management system and thinks there’s nothing more to worry about because the vendor is secure (and some vendors sell their solutions on such claims), its complacency is a guaranteed recipe for disaster.
People re-use passwords across multiple accounts (Facebook, LinkedIn, Gmail, etc.), including services that have had usernames and passwords stolen. Once a password leaks from one service, it is trivial to try the same email address and password against every other service (so-called credential stuffing), and so gain access to private accounts. People share passwords, and use simple passwords, too; ones that can be guessed by computers running simple “dictionary attacks,” which try wordlist entries together with the usual tweaks (capital first letter, a digit or year on the end, letters swapped for look-alike numbers).
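To make the two points above concrete, here is an added example (not from the original article): a constructed “breach dump” from some unrelated site is replayed against a constructed firm user store (credential stuffing), and the accounts that survive are then attacked with a short wordlist and a few mangling rules (dictionary attack). Every user, password, salt and hash in it is made up for the demonstration; the hashing scheme is deliberately fast so the point shows in milliseconds, which is exactly why real systems should use a slow KDF such as bcrypt, scrypt or Argon2.

```python
"""Added example: credential stuffing followed by a dictionary attack with
mangling rules. All users, passwords and hashes below are constructed."""
import hashlib
import itertools


def hash_pw(password: str, salt: str) -> str:
    """Hypothetical user-store hash (salted SHA-256). Fast on purpose for the demo;
    a real system should use a slow KDF such as bcrypt/scrypt/Argon2."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed: credentials leaked from an unrelated web service.
LEAKED = {
    "alice@example.com": "Summer2019!",
    "bob@example.com": "bobbykins",
}

# Constructed: the firm's own user store, user -> (salt, hash).
USERS = {
    "alice@example.com": ("s1", hash_pw("Summer2019!", "s1")),  # same password re-used
    "bob@example.com":   ("s2", hash_pw("Bobbykins1", "s2")),   # re-used with a tweak
    "carol@example.com": ("s3", hash_pw("welcome1", "s3")),     # simple dictionary word
    "dave@example.com":  ("s4", hash_pw("correct horse battery staple", "s4")),
}

# Constructed: a tiny wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["password", "welcome", "letmein", "qwerty", "summer", "bobbykins"]
SUFFIXES = ["", "1", "123", "!", "2019", "2020"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word: str):
    """Yield the common variants of a wordlist entry: case changes, leet
    substitutions and popular suffixes, without repeating a guess."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base, suffix in itertools.product(bases, SUFFIXES):
        guess = base + suffix
        if guess not in seen:
            seen.add(guess)
            yield guess


def crack(users, leaked, wordlist):
    """Return {user: (method, password)} for every account recovered.
    Phase 1 replays leaked passwords for the same identity (stuffing);
    phase 2 runs the mangled wordlist against whoever is left."""
    cracked = {}
    for user, (salt, digest) in users.items():
        pw = leaked.get(user)
        if pw is not None and hash_pw(pw, salt) == digest:
            cracked[user] = ("stuffing", pw)
    for user, (salt, digest) in users.items():
        if user in cracked:
            continue
        for word in wordlist:
            hit = next((g for g in mangle(word) if hash_pw(g, salt) == digest), None)
            if hit is not None:
                cracked[user] = ("dictionary", hit)
                break
    return cracked


if __name__ == "__main__":
    for user, (method, pw) in crack(USERS, LEAKED, WORDLIST).items():
        print(f"{user}: recovered via {method}: {pw!r}")
```

Three of the four constructed accounts fall: alice to the replayed leak, bob to a capitalised copy of his leaked password with a digit appended, carol to a plain wordlist entry plus suffix. Only the long passphrase survives. Nothing about where the user store lives (on premises or hosted) changes this outcome.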
It doesn’t matter where data resides; if credentials are that simple, or have been cavalierly shared (as I have witnessed numerous lawyers doing), imagine how easy it is for someone else to log in to that cloud solution—the one the vendor touts as being accessible anytime, anywhere, from any device—and access the firm’s data. Do those firms audit every login? Some might audit that information on their internal systems, but few, if any, do so on cloud solutions, even though most hosted services can export a login history showing who signed in, from where, on which device, and whether the attempt succeeded. Does that mean that on-premises solutions are therefore more secure? Not necessarily.
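What “auditing every login” on a hosted system can look like in practice, as an added example that is not part of the original article: a constructed login export (timestamp, user, source IP, country, device, result; the comma-separated layout is an assumption, real exports vary by vendor) is checked for three things a firm would want to know about, namely a burst of failed attempts followed by a success (someone guessing), one account successfully used from two countries within an hour (a shared or stolen credential), and a sign-in from a device the account has never used before. All names, addresses and timestamps are made up.

```python
"""Added example: a small login-audit pass over constructed cloud login events.
Log format, thresholds and user/device baseline are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login export: timestamp, user, source IP, country, device id, result
LOG = """\
2019-03-04T08:01:12Z,alice@example.com,198.51.100.7,GB,dev-a1,success
2019-03-04T08:40:03Z,alice@example.com,203.0.113.9,RU,dev-x9,success
2019-03-04T09:00:00Z,bob@example.com,192.0.2.5,GB,dev-b2,failure
2019-03-04T09:00:07Z,bob@example.com,192.0.2.5,GB,dev-b2,failure
2019-03-04T09:00:15Z,bob@example.com,192.0.2.5,GB,dev-b2,failure
2019-03-04T09:00:21Z,bob@example.com,192.0.2.5,GB,dev-b2,failure
2019-03-04T09:00:30Z,bob@example.com,192.0.2.5,GB,dev-b2,failure
2019-03-04T09:00:44Z,bob@example.com,192.0.2.5,GB,dev-b2,success
2019-03-04T10:15:00Z,carol@example.com,198.51.100.20,GB,dev-c3,success
2019-03-04T17:30:00Z,carol@example.com,198.51.100.20,GB,dev-c3,success
"""

# Constructed baseline: devices each account has legitimately used before.
KNOWN_DEVICES = {
    "alice@example.com": {"dev-a1"},
    "bob@example.com": {"dev-b2"},
    "carol@example.com": {"dev-c3"},
}


def parse(log: str):
    """Turn the export into a time-ordered list of event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, device, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country,
                       "device": device, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def audit(events, known_devices, fail_threshold=5,
          fail_window=timedelta(minutes=5), travel_window=timedelta(hours=1)):
    """Return a list of (user, finding, detail) tuples.
    Rules: >= fail_threshold failures inside fail_window before a success;
    a success from a different country than the previous success within
    travel_window; a success from a device not in the account's baseline."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        failures = []            # timestamps of failures since the last success
        last_success = None
        seen_devices = set(known_devices.get(user, ()))
        for e in evs:
            if e["result"] != "success":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                findings.append((user, "success-after-failures",
                                 f"{len(recent)} failures before success from {e['ip']}"))
            failures = []
            if (last_success is not None
                    and e["country"] != last_success["country"]
                    and e["ts"] - last_success["ts"] <= travel_window):
                findings.append((user, "two-countries",
                                 f"{last_success['country']} then {e['country']} "
                                 f"within {e['ts'] - last_success['ts']}"))
            if e["device"] not in seen_devices:
                findings.append((user, "new-device", e["device"]))
                seen_devices.add(e["device"])   # only alert once per device
            last_success = e
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit(parse(LOG), KNOWN_DEVICES):
        print(f"{user}\t{kind}\t{detail}")
```

On the constructed data this raises three findings: alice’s account used from GB and then RU thirty-nine minutes apart, the new device that second sign-in came from, and bob’s success after five failures in under a minute. Carol’s two ordinary sign-ins raise nothing. The thresholds are deliberately simple; the point is that the export exists, and that nobody is reading it.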
Physical security matters. One law firm I know recently announced ISO 27001 accreditation (on just its data centre). Another large firm was proudly accredited a few years ago on its document management system. Those announcements are a farce; what about all of the physical files moving around their firms or data on other systems? File folders, documents on printers, mail—none of those were covered by either firm. With no controls on physical files, and without training on handling those files securely, those firms may as well have openly challenged hackers to attack them. I’ve heard countless stories of people leaving computers, file folders, entire briefcases in taxi cabs, at restaurants, and in other offices.
So, what’s the point? Firms need to spend more time focused on training. They need to train, test, and remind personnel about the numerous dangers. Responsible firms take security more seriously. They hire experts to perform penetration tests. They hire experts to perform social engineering tests to try to trick personnel into giving away sensitive information. They perform physical audits to look for easy access to sensitive data such as printed files, mail in the post room, anything. They hold regular security and awareness training. If lawyers don’t know what to look for or how to recognize the more sophisticated threats, they are far more likely to fall victim to them. If they aren’t regularly tested, firms can’t truly claim to be prepared or secure. Good luck with that secure cloud solution.