
10 Best Security Practices for Securing Client Data

Keeping client data secure is always a minimum requirement for law firms. The combination of recent events, maturing technology, and evolving best practices makes now a good time to reevaluate your security procedures and whether you’re doing enough to keep your practice and clients safe.

Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Netgain’s Bill Sorenson, Vice President of Product, and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.

Why address security now?

As technology continues to advance, so do the tactics hackers use to access our data. Now more than ever, cybersecurity should be a top priority, especially given the impact of COVID-19. Firms have felt major pressure to up their cybersecurity game as employees began working remotely this year. Working from home poses many security risks for firms. As you plan for 2021, it’s a good time to reevaluate your security procedures and policies.

To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.

1. Re-evaluate your security policies and posture

The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their wi-fi is kept up-to-date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving security posture.

2. Remote Workspaces / Virtual Desktops

One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lock down.

Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.

3. Physical Security

So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down, with physical security that far outstrips what any single firm could achieve on its own. Microsoft Azure and Amazon have the money, resources, and supplies to provide top-level security that many smaller businesses are unable to provide or keep up with.

4. Cloud Security

While cloud providers provide greater security, there are lots of factors to consider when choosing a cloud partner. The first is public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment: a server that is managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall,” whereas public cloud creates an environment dedicated to your firm alone.

5. Security-First Mindset

It is so easy to label security as an IT problem. But to ensure security, it needs to be top of mind for everyone in a firm. Humans are often the last line of defense against criminals – whether that be ransomware or someone posing as a copier repairman – so it’s important for all employees to do their part in protecting firm security and data. Employees need to be taught to question everything: be aware of potential security risks and think differently about security day to day. Having a security-first mindset across your firm will keep you ahead of cybersecurity attacks and issues. Things change so quickly that you can never be too prepared.

6. Training

Shifting to a security-first mindset is just one of many security practices employees need to embrace. Continuous security training for your firm is another key practice for maintaining security. Training cannot just be an annual activity; it is an ongoing activity for everyone in an organization. As mentioned, staff are the last line of defense, so even the person working at your front door needs to be trained! Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, confrontation avoidance – and exploit them to gain access to valuable data.

7. Email Security

Email addresses have become a gateway for hackers to access accounts and far more information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.

8. Multifactor Authentication and Password Managers

While multi-factor authentication (MFA) and constant reminders to “not reuse passwords!” are common recommendations, the sad truth is that such measures are still not universally adopted. Multifactor authentication adds a second verification step, typically requiring the user to acknowledge a prompt or input a code on a secondary device before authorization is granted. Those not using multifactor authentication are more at risk of hacking. Even the FBI says MFA is the best thing you can do for security.

Meanwhile, busy professionals are highly likely to reuse passwords across multiple accounts, which means that when one has been compromised, their other accounts are at risk. Password managers simplify complicated password recommendations, making it easier for employees to follow security best practices.

We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.

9. Encryption

While data encryption is a given, it’s critical that data be encrypted both at rest and in flight. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people are accessing your data, but also as it’s sitting on your servers. The best and easiest way to protect your data is to encrypt it by storing it in the cloud. Encrypting everything by default is another step towards ensuring the security of client data.

10. Least-Access Approach

One final security practice for your firm to take is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case-by-case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as-needed basis.

The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.
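To make the difference between the two models concrete, here is an added example (not from the original post or from Netgain) that evaluates the same intended access rule under a default-allow policy with case-by-case restrictions and under a least-access policy with explicit grants, then checks what happens when a new matter folder appears that nobody remembered to configure. All resource and user names are constructed.

```python
"""Default-allow vs. least-access (default-deny) authorization models.

Added illustration, not Netgain's code: a small policy evaluator over a
constructed inventory of matter folders and applications, showing how much
a single account can reach under each model.
"""
from dataclasses import dataclass, field

# Constructed sample inventory: resource path -> practice group that owns it.
RESOURCES = {
    "matters/acme-litigation": "litigation",
    "matters/beta-merger": "corporate",
    "matters/estate-jones": "trusts",
    "apps/billing": "finance",
    "apps/document-mgmt": "all",
}


@dataclass
class DefaultAllowPolicy:
    """Everyone gets everything; restrictions are bolted on case by case."""
    restrictions: dict[str, set[str]] = field(default_factory=dict)  # resource -> denied users

    def allows(self, user: str, resource: str) -> bool:
        return user not in self.restrictions.get(resource, set())


@dataclass
class LeastAccessPolicy:
    """Nothing is reachable until an explicit grant exists for that user."""
    grants: dict[str, set[str]] = field(default_factory=dict)  # user -> granted resources

    def allows(self, user: str, resource: str) -> bool:
        return resource in self.grants.get(user, set())


def reachable(policy, user: str, resources=RESOURCES) -> set[str]:
    """Everything `user` can touch: the blast radius if that account is
    compromised, e.g. by ransomware running in the user's session."""
    return {r for r in resources if policy.allows(user, r)}


def build_policies():
    """Both policies express the same intent: a litigation paralegal should
    reach only litigation matters and firm-wide applications."""
    allow = DefaultAllowPolicy()
    for res, group in RESOURCES.items():
        if group not in ("litigation", "all"):
            allow.restrictions.setdefault(res, set()).add("paralegal1")

    least = LeastAccessPolicy()
    least.grants["paralegal1"] = {
        r for r, g in RESOURCES.items() if g in ("litigation", "all")
    }
    return allow, least


def exposure_after_new_share(policy, user: str, new_resource: str) -> bool:
    """Does `user` reach a share created after the policy was written, which
    nobody thought to restrict (default-allow) or grant (least-access)?"""
    inventory = dict(RESOURCES)
    inventory[new_resource] = "corporate"  # constructed: a new corporate matter
    return new_resource in reachable(policy, user, inventory)


if __name__ == "__main__":
    allow, least = build_policies()
    print("default-allow reach:", sorted(reachable(allow, "paralegal1")))
    print("least-access reach: ", sorted(reachable(least, "paralegal1")))
    for name, policy in (("default-allow", allow), ("least-access", least)):
        exposed = exposure_after_new_share(policy, "paralegal1", "matters/gamma-acquisition")
        print(f"{name}: new matter exposed to paralegal1 -> {exposed}")
```

On the configured inventory both policies give identical results; the new, unconfigured folder is where they diverge, which is why default-deny limits exposure as the firm grows.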

Getting started

To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure the best security. The good news is that of these 10 recommendations, 8 can be implemented by a strong technology partner without significant disruption or effort on your side.

Time for a (Cloud) Change: Poor Performance and Outages Aren’t “Normal”

Originally published September 28, 2020, by Bill Sorenson, VP of Product, Netgain at www.elite.com.

2020 has been painful at best—changing how law firms interact with clients, access core applications, files, and confidential information, and remain productive even when working remotely. With guidelines changing on a near-weekly basis, it’s hard to define what our “new normal” is or will be. But there are two things that shouldn’t be part of it: application performance delays and outages.

But if that’s exactly what you’re experiencing, you may believe that it’s just part of the COVID tax that comes from working remotely. The short answer is no. Instead, it’s a sign that your current IT infrastructure is poorly equipped to handle current demands, and that’s a burden you don’t have to bear.

The truth is that you aren’t alone. While some firms were able to adjust very quickly, switching to an all-remote work environment with relative ease, many others struggled to maintain productivity and, in some cases, were forced to keep some staff onsite despite physical distancing recommendations.

What was the difference? Among small to mid-sized firms with limited internal IT resources, we overwhelmingly find that those that had embraced the cloud for their IT needs were far better able to adapt quickly and enable their staff to work completely remotely.

On-premises IT

Typically located onsite at the main office, on-premises IT environments rely on internally maintained servers, storage arrays arranged in a storage area network, and local backups. While such environments can support remote workers through remote connectivity, performance degrades quickly as employees have to connect back to the main office location to get their normal services.

Organizations with this footprint have had to resort to heroic efforts to immediately increase connectivity capacity while at the same time implementing new hardware or configurations that would provide the capacity needed for everyone to work at home—all while trying not to disrupt what productivity the team was able to achieve.

Cloud-based IT

In contrast, firms that have embraced the cloud as an integral, if not primary, part of their IT strategy had a significantly easier time adjusting to remote work. With cloud infrastructure, productivity is largely maintained (at least technologically) because the setup was already designed to support the number of employees working. Your team effectively sees no difference between working remotely or in the office, even when they are working with critical applications such as your document and case management systems or practice management solutions such as Firm Central and ProLaw®.

Taking the Fear of Change Out of Cloud IT

One way to deploy cloud IT is through virtual desktops or “workspaces” that mimic the desktops your team uses today. Following a migration (which for the majority of the firm will be practically invisible), firm partners often express surprise that their virtual desktop looks just as it did prior to the move.

Using virtual desktops eliminates the need to “retrain” staff to access things in a different way while ensuring a consistent and reliable performance experience for your team. It also significantly improves your firm’s security posture.

This spring, firms that relied on virtual desktops were able to focus on other huge issues related to the pandemic. This group immediately allowed their employees to work at home with minimal notice and provided a significant increase in cybersecurity capabilities, whether the employee was working on their own computer or a firm’s computer.

They could keep production up, address new needs of their clients, and focus on strategic direction for the firm in light of the economic environment. They weren’t distracted by IT issues, limitations, or security risks, but could concentrate on their clients and their business. This differentiation was huge in the response to this crisis.

Firms that have been experiencing poor performance and outages should reconsider their current IT environment. For practices with limited IT resources (perhaps just one or two IT staff, or in some cases none at all), cloud IT can seem daunting, especially in the midst of COVID-era distancing. But it doesn’t need to be.

Making the Switch

The flexibility organizations need in today’s world, during and after COVID-19, has significantly increased the focus on public cloud desktop solutions. Having your work desktop hosted in the cloud, reachable by every employee from anywhere, has provided significant value to clients. With each user getting their own customized environment, secured with the industry’s best security, and delivered and managed by a trusted partner, cloud desktops deliver better than any other solution in the work-at-home environment.

To help with the process of setting up and managing your cloud IT, you can work with a managed services provider (MSP) that partners with you to understand your business and recommend the optimal setup, taking into account both business flexibility and needs and cost effectiveness. Such an approach often has the added benefit of freeing your internal team from time-consuming tasks such as software updates and hardware maintenance. Instead, they can focus more of their time on high-value initiatives that align your IT strategy with your long-term firm vision.

It can seem daunting to switch out your IT infrastructure in the midst of a crisis, but for many organizations, the cost of NOT doing so is even greater. As we continue to navigate this crisis, unsure of when it will end, it has become critically important that we figure out how to be at our most productive during this time.

5 Red Flags in your Cloud Partner

Now that you’ve asked all of the right questions of your prospective cloud partners (Questions to Ask – Part 1, Questions to Ask – Part 2), you’re ready to go back to your leadership team and make recommendations, right?! As you comb through your partner’s answers, here are some red flags that may indicate they’re not the right partner for your organization:

  1. They ask you to sign a long-term contract without termination for convenience. A reputable cloud provider should include a reasonable exit clause, sometimes called “termination for convenience.” This clause stipulates that your organization can terminate the contract at any time, for any reason, if you are unsatisfied.
  2. They have limited or no experience working with legal practices. Legal organizations have unique needs and require specialized support and services. Cloud providers that haven’t worked in legal likely do not have experience working with your applications, such as ProLaw or iManage. They have experience supporting customers but may not understand the urgent response times needed by firms. They also may not sign Business Associate Agreements (BAAs).
  3. They are a young company. A new cloud provider may be able to meet all your needs, but without a background in hosting for organizations similar to yours, it’s best to proceed with caution. It becomes even more important for you to understand how many team members the organization is made up of, how they manage their infrastructure, what support is provided, etc. Small, start-up cloud providers present risk in employee turnover and inexperience.
  4. They don’t have references similar to your practice. References are extremely valuable when choosing a cloud provider. They give you a good look at what it will be like to be a client of the provider. If the cloud provider has any hesitation in providing client references or testimonials, you may need to reconsider.
  5. They don’t ask about your desired business outcomes. Cloud providers should be focusing on what you want to get out of your IT infrastructure, ultimately asking what your desired business outcomes are. Your cloud experience will be most successful when you and your service partner understand the overarching goals of the practice.

Choosing a cloud partner may be the most important decision your organization makes this year. The security of your data, the experience of your users, and the productivity of your firm depends on it. Choose wisely.

7 More Questions to Ask a Prospective Cloud Partner to Ensure Project Success

Last week, we explored seven questions to ask your prospective cloud providers as you’re doing your due diligence for your leadership team.

This week, we’re going to explore seven more questions. Ensuring you ask the right questions will help ensure your project is a success. Next week, watch for our blog on red flags to watch for in your cloud provider search.

  1. How can we minimize disruptions to our firm as our applications are migrated to your platform?

    It’s important to know that the transition to a cloud provider will go smoothly. Make sure the cloud provider has experience migrating firms like yours and can perform the migration with minimal disruption to your practice. Discuss the migration experience with references, if possible. A successful migration involves a knowledgeable, experienced cloud provider and a well-prepared firm. When the cloud provider and firm understand the overarching business objectives of the project, they can operate from the same playbook and communicate effectively throughout the process.
  2. How do you calculate your fees? What costs are outside the scope of your cloud services?

    Costs are calculated differently by each cloud provider, so it’s important to understand how you will be charged. Is it based on number of users, applications, storage, or server resources? You will also want to understand what costs fall outside of the scope of your cloud services so you can budget accordingly. Some providers consider events like emergency support, software upgrades, or local network support as out-of-scope, while other providers include these services within their cloud offering.
  3. Describe your company’s approach to support. Will we have a dedicated support team that is familiar with our applications and environment?

    Businesses need quick, easy access to support when issues arise. Your cloud provider should keep your users productive and focused on their primary duty of serving clients. Support hours and levels of service should be outlined in the SLA so you understand what’s in-scope. It’s ideal for your cloud provider to offer a dedicated support team for your organization. This may mean that there are focused support teams dedicated to specific clients based on what vertical they’re in. Dedicated support teams allow your firm to experience more personal connections with the support staff, more specialized service, and shorter wait times.
  4. Do you have a Service Level Agreement (SLA) designed to meet our unique needs?

    Data availability is vital to law firms. A hosting provider’s Service Level Agreement (SLA) should detail the organization’s availability standards, response times, and support services. What is the average response time? Is any financial credit offered if availability drops below the threshold outlined? When are the provider’s maintenance windows, and can these be customized for my firm? Be sure to carefully read the SLA and ask questions in any areas needing additional clarification. Negotiating an SLA is possible with the right cloud provider and should be one of the first terms discussed during your cloud evaluation process. Small details in your SLA can mean a better experience for your users, more value for your practice’s budget, and a cloud environment that is customized for your practice’s unique needs.
  5. Will our data be stored in a private cloud environment? Do you use any public cloud partners to deliver your cloud services?

    Take the time to understand where your data will be stored – a private or public cloud. The public cloud shares infrastructure resources across many types of clients, industries, and workloads. Some cloud providers partner with hyper-scale clouds like Amazon Web Services or Azure. If the provider uses the public cloud, ask questions about the public services to determine and assess the security of your data. Providers delivering a private cloud, where the IT infrastructure is dedicated to one organization, deliver benefits including enhanced security and performance as well as a high degree of flexibility and customization. These benefits lead organizations to choose private cloud platforms over the cookie-cutter nature of the public cloud.
  6. What kind of user training or orientation do you provide post-migration?

    Once your environment has migrated, users need to understand how to access the applications they use. Ask the cloud provider what training will be provided and what training is out of scope.
  7. Can you provide references from 2-3 practices of similar size or specialty to my organization?

    Speaking with references is the most effective way to understand how the cloud provider is performing. Are they keeping other organizations’ data secure? Are they providing the support they expected? Do they have knowledgeable staff? References offer valuable, candid feedback. If there is a specific application that you plan to host with the cloud provider, ask to speak to references running the same application.

If you have questions about evaluating cloud partners or what your organization could be like in a cloud environment, feel free to schedule a consultation with our team of cloud experts.

Choosing a Cloud Partner? These Are the Questions to Ask.

Choosing a cloud partner is the single most important decision you’ll make in your cloud journey. The cloud provider has the ability to make or break the project, the user experience, and the overall success of the cloud services.

Based on our over two decades of cloud experience, we’ve compiled an extensive list of questions your law firm should ask when evaluating cloud partners. This week, we’ll explore the first set of questions. Be sure to check back next week for the second set of questions, and watch for our list of red flags to watch for as you evaluate cloud partners.

  1. What other legal services firms do you provide cloud services for? Law firms have unique needs and compliance requirements, making it important to find a cloud provider with experience helping organizations navigate complex technology challenges and increasing regulations.
  2. Do you have experience supporting firms of our similar size and specialty? What’s going to happen to your IT environment and the support provided if team members take vacation or sick time, or the company experiences turnover? Your cloud provider’s team should be made up of multiple group members so that you know you will always be covered. It’s also important to understand the cloud provider’s commitment to staff continuity, and what efforts they make to retain team members. If you work with a smaller cloud provider, make sure they have partners who specialize in areas you need further assistance in. The partner may be able to manage certain aspects of your environment.
  3. How long has your company been providing cloud services? The rapid adoption of the cloud has resulted in an uptick of technology providers offering varying degrees of cloud services. Take the time to understand how long they have been in existence and specifically how long they have been providing cloud services. While the cloud may feel new, some providers have been serving clients for decades. Experienced cloud providers will have a deeper understanding of the technology required to offer the levels of performance and availability your practice needs.
  4. How is your company different from other cloud providers? Some cloud providers are just a service at the end of the wire, while others focus on building a relationship with you, understanding your challenges, and achieving your desired outcomes. Ask the cloud provider what makes them stand out. Are they legal focused? Can they host all of your applications, not just your email? Will they advise you on what telecom solutions you should use? Do they offer telecom support?
  5. How does your security protocol keep our clients’ data secure? Your cloud partner should provide core security services that include identity-based security and encryption. In the legal world security is incredibly important, so make sure they reach or exceed that level.
  6. Provide your company’s disaster recovery and business continuity plan. Discuss how the hosting provider will continue supporting your environment in the event that a natural disaster takes down data center operations. This plan should include backup processes that include daily, weekly, monthly, and yearly backups and their corresponding retention policies. Experienced cloud providers even provide continuous snapshots throughout the day at intervals of 15-30 minutes, providing even greater coverage in the event of a disaster. A provider should assist in recovery due to major power outages or natural disasters. Make sure they will help you maintain redundant systems and manage automatic failovers (cutover to a secondary server should the first one fail).
  7. How are storage, server, or compute resources scaled? The legal landscape changes rapidly, and a cloud provider should have the flexibility to adapt just as quickly. As your practice grows and changes, your storage, server, and processor needs will also change. How quickly can your cloud provider accommodate? What are the associated costs? Hosting fees are typically calculated based on the number of users and consumption of resources. This monthly fee structure provides budget predictability and stability. Cloud providers can mitigate this cost and enhance performance by offering tiered storage solutions that archive data based on its recovery and availability needs. Check if your cloud provider offers tiered storage as a way to curb storage costs.

Asking these questions will give you a really good feel for how the cloud provider will serve you now and into the future. Next week, we’re going to explore seven more questions — focusing on the right questions to ask so that you can ensure your project is a success.