10 Best Security Practices for Securing Client Data

Earlier this month, our team presented a webinar on the best practices that managing partners, firm administrators, operations managers, and IT directors should keep in mind across a range of different vulnerability points. Led by Bill Sorenson, Vice President of Product and Steve Sobka, Director of Technology and Infrastructure, this webinar gave attendees a strong understanding of best practices to secure client data and identified areas of opportunity to strengthen security posture. Below we’ve recapped the top 10 security practices, but you can also watch the full webinar on demand here.

Why address security now?

As technology continues to advance, so do the tactics hackers use to access our data. Now more than ever, cybersecurity should be a top priority, especially with the impact of COVID-19. Firms have felt major pressure to up their cybersecurity game as employees began working remotely this year due to COVID-19. Working from home poses many security risks for firms. As you plan for 2021, it’s a good time to reevaluate your security procedures and policies.

To start, think about your firm’s network as a castle with all your data securely locked away. With some (or all) of your employees working from home, your castle walls need to extend beyond your on-premises office into employee homes. Office and data security are always a top priority, but there is more to consider and greater risks due to the continued remote work environment.

1. Re-evaluate your security policies and posture

The first step toward improving your firm’s security is to review your current security procedures and policies, particularly around remote work and the use of personal devices (bring your own device/BYOD). When were they last updated? Do you need to create new policies for scenarios that were not previously common? As mentioned, working from home creates new worries around the safety of information. Like it or not, you no longer have control over the environment in which your team works – from whether the firmware on their Wi-Fi router is kept up to date to whether their kids are using the corporate machine for school or personal reasons. Without a careful review of your security policies and procedures, you may open yourself up to hacking, data breaches, and ransomware attacks. Refreshing policies and adjusting your technology landscape to account for all that you can’t control is essential to improving your security posture.

2. Remote Workspaces / Virtual Desktops

One way to dramatically increase firm security is to deploy virtual desktops. While the experience for your partners, attorneys, and staff will be virtually identical to that of a native desktop, a virtual desktop is significantly easier to secure and lock down.

Again, thinking back to our “castle wall” analogy, virtual desktops can be protected within the castle, even when the person accessing it is not. Cloud desktop solutions or “workspaces” keep data tightly controlled and isolate any potential damage, while improving overall performance. Since the cloud desktop solution is housed in your encrypted cloud environment rather than on an individual machine, you minimize your risk exposure. And if a cup of coffee is spilled while working on the couch, a cloud desktop doesn’t suffer from lost local files – everything is instantly accessible from another computer.

3. Physical Security

So, what about physical security? With fewer people working in-office to notice anyone suspicious, your in-office physical infrastructure is actually at greater risk today than ever before. Indeed, even in “normal” times, cloud providers invest hundreds of millions of dollars to keep their data centers tightly locked down, with physical security that far outstrips what any individual organization can achieve on its own. Microsoft Azure and Amazon have the money, resources, and supplies to provide top-level security that many smaller businesses are unable to provide or keep up with.

4. Cloud Security

While cloud providers provide greater security, there are lots of factors to consider when choosing a cloud partner. First is considering public versus private cloud. When it comes to security, you can think of public cloud as a stand-alone house and private cloud as an apartment building. With a public cloud such as Microsoft Azure or Amazon Web Services, your infrastructure is self-contained – carved out in a separate virtual space with no disruptions from your neighbors and a team dedicated to maintaining security. In contrast, private cloud is like an apartment building because it is structured as a shared cloud environment, a server that is managing multiple clients. In private cloud, you are likely to be impacted by “something down the hall” whereas public cloud creates a dedicated environment to only your firm.

5. Security-First Mindset

It is so easy to label security as an IT problem. But to ensure security, it needs to be top of mind for everyone in a firm. Humans are often the last line of defense against criminals – whether that be ransomware or someone posing as a copier repairman – so it’s important for all employees to do their part in protecting firm security and data. Employees need to be taught to question everything: be aware of potential security risks and think differently about security day to day. Having a security-first mindset across your firm will keep you ahead of cybersecurity attacks and issues. Things change so quickly that you can never be too prepared.

6. Training

Shifting to a security-first mindset is just one of many security practices employees need to embrace. Continuous security training for your firm is another key practice for maintaining security. Training cannot just be an annual activity; it is an ongoing activity for everyone in an organization. As mentioned, staff are the last line of defense, so even the person working at your front door needs to be trained! Hackers use social engineering to manipulate human tendencies – fear of your boss, desire to please, need for convenience, confrontation avoidance – and exploit them to gain access to valuable data.

7. Email Security

Email addresses have become a gateway for hackers to access accounts and greater information than we realize. Since hackers use human behaviors as a vulnerability, your team needs to be on the alert for suspicious emails. In addition to email security tools and security awareness training, consider putting in place protections and policies that assume that someone will fall victim. Have a strong incident response plan in place, for example, and train your team to follow it. Put in place policies to counter common phishing goals, such as confirming financial payments verbally instead of over email. Having that security-first mindset, questioning everything, and thinking differently will help mitigate these risks.

8. Multifactor Authentication and Password Managers

While multi-factor authentication (MFA) and constant reminders to “not reuse passwords!” are common recommendations, the sad truth is that such measures are still not universally adopted. Multifactor authentication adds a second verification step, typically requiring the user to acknowledge or input a code on a secondary device before authorization. Those not using multifactor authentication are more at risk of hacking. Even the FBI says MFA is the best thing you can do for security.

Meanwhile, busy professionals are highly likely to reuse passwords across multiple accounts, which means that when one has been compromised, their other accounts are at risk. Password managers simplify complicated password recommendations, making it easier for employees to follow security best practices.

We can’t stress this enough: if you do nothing else, implement MFA and adopt a password manager for your organization.

9. Encryption

While data encryption is a given, it’s critical that data be encrypted both at rest and in flight. If you manage your own infrastructure, ensure that you deploy and maintain encryption not only as people are accessing your data, but also as it’s sitting on your servers. The best and easiest way to protect your data is to store it in an encrypted cloud environment. Encrypting everything by default is another step toward ensuring the security of client data.

10. Least-Access Approach

One final security practice for your firm to adopt is the least-access approach, which controls exposure of data. For many firms, standard practice is to give everyone access to everything, and only restrict files, applications, and data on a case-by-case basis. Least-access turns this on its head, restricting everything by default and only adding people on an as-needed basis.

The idea behind this approach is to only allow people access to the specific data they need, including folders, files, and applications. This approach limits exposure and can even stop the spread of ransomware.

Getting started

To get started, understand your current exposure and begin to shift your mindset to security first. Think about extending your network into your employees’ homes as safely as possible. Start promoting this security-first mindset among employees and make training a consistent activity in your firm. Most importantly, find a partner who knows your industry and can provide you with the specific application and industry knowledge to ensure the best security. The good news is that out of these 10 recommendations, 8 of them can be implemented by a strong technology partner without significant disruption or effort on your side.

5 Red Flags in your Cloud Partner

Now that you’ve asked all of the right questions of your prospective cloud partners (Questions to Ask – Part 1, Questions to Ask – Part 2), you’re ready to go back to your leadership team and make recommendations, right?! As you comb through your partner’s answers, here are some red flags that may indicate they’re not the right partner for your organization:

  1. They ask you to sign a long-term contract without termination for convenience.

    A reputable cloud provider should include a reasonable exit clause, sometimes called “termination for convenience.” This clause stipulates that your organization can terminate the contract at any time for any reason if you are unsatisfied.

  2. They have limited or no experience working with legal practices.

    Legal organizations have unique needs and require specialized support and services. Cloud providers that haven’t worked in legal likely do not have experience working with your applications, such as ProLaw or iManage. They have experience supporting customers but may not understand the urgent response times needed by firms. They also may not sign Business Associate Agreements (BAA).

  3. They are a young company.

    A new cloud provider may be able to meet all your needs, but without a background in hosting for organizations similar to yours, it’s best to proceed with caution. It becomes even more important for you to understand how many team members the organization is made up of, how they manage their infrastructure, what support is provided, etc. Small, start-up cloud providers present risk in employee turnover and inexperience.

  4. They don’t have references similar to your practice.

    References are extremely valuable when choosing a cloud provider. They give you a good look at what it will be like to be a client of the provider. If the cloud provider has any hesitation in providing client references or testimonials, you may need to reconsider.

  5. They don’t ask about your desired business outcomes.

    Cloud providers should be focusing on what you want to get out of your IT infrastructure, ultimately asking what your desired business outcomes are. Your cloud experience will be most successful when you and your service partner understand the overarching goals of the practice.

Choosing a cloud partner may be the most important decision your organization makes this year. The security of your data, the experience of your users, and the productivity of your firm depend on it. Choose wisely.

7 More Questions to Ask a Prospective Cloud Partner to Ensure Project Success

Last week, we explored seven questions to ask your prospective cloud providers as you’re doing your due diligence for your leadership team.

This week, we’re going to explore seven more questions. Ensuring you ask the right questions will help ensure your project is a success. Next week, watch for our blog on red flags to watch for in your cloud provider search.

  1. How can we minimize disruptions to our firm as our applications are migrated to your platform?

    It’s important to know that the transition to a cloud provider will go smoothly. Make sure the cloud provider has experience migrating firms like yours and can perform the migration with minimal disruption to your practice. Discuss the migration experience with references, if possible.

    A successful migration involves a knowledgeable, experienced cloud provider and a well-prepared firm. When the cloud provider and firm understand the overarching business objectives of the project, they can operate from the same playbook and communicate effectively throughout the process.

  2. How do you calculate your fees? What costs are outside the scope of your cloud services?

    Costs are calculated differently by each cloud provider, but it’s important to understand how you will be charged. Is it based on number of users, applications, storage, or server resources?

    You will also want to understand what costs fall outside of the scope of your cloud services so you can budget accordingly. Some providers consider events like emergency support, software upgrades, or local network support as out-of-scope, while other providers provide these services within their cloud offering.

  3. Describe your company’s approach to support. Will we have a dedicated support team that is familiar with our applications and environment?

    Businesses need quick, easy access to support when issues arise. Your cloud provider should keep your users productive and focused on their primary duty of serving clients. Support hours and levels of service should be outlined in the SLA so you understand what’s in-scope.

    It’s ideal for your cloud provider to offer a dedicated support team for your organization. This may mean that there are focused support teams dedicated to specific clients based on what vertical they’re in. Dedicated support teams allow your firm to experience more personal connections with the support staff, more specialized service, and shorter wait times.

  4. Do you have a Service Level Agreement (SLA) designed to meet your unique needs?

    Data availability is vital to law firms. A hosting provider’s Service Level Agreement (SLA) should detail the organization’s availability standards, response times, and support services. What is the average response time? Is any financial credit offered if availability drops below the threshold outlined? When are the provider’s maintenance windows, and can these be customized for my firm? Be sure to carefully read the SLA and ask questions in any areas needing additional clarification.

    Negotiating an SLA is possible with the right cloud provider and should be one of the first terms discussed during your cloud evaluation process. Small details in your SLA can mean a better experience for your users, more value for your practice’s budget, and a cloud environment that is customized for your practice’s unique needs.

  5. Will our data be stored in a private cloud environment? Do you use any public cloud partners to deliver your cloud services?

    Take the time to understand where your data will be stored – a private or public cloud.

    The public cloud shares infrastructure resources across many types of clients, industries, and workloads. Some cloud providers partner with hyper-scale clouds like Amazon Web Services or Azure. If the provider uses the public cloud, ask questions about the public services to determine and assess the security of your data.

    Providers delivering a private cloud, where the IT infrastructure is dedicated to one organization, deliver benefits including enhanced security and performance as well as a high degree of flexibility and customization. These benefits lead organizations to choose private cloud platforms over the cookie-cutter nature of the public cloud.

  6. What kind of user training or orientation do you provide post-migration?

    Once your environment has migrated, users need to understand how to access the applications they use. Ask the cloud provider what training will be provided and what training is out of scope.

  7. Can you provide references from 2-3 practices of similar size or specialty to my organization?

    Speaking with references is the most effective way to understand how the cloud provider is performing. Are they keeping other organizations’ data secure? Are they providing the support they expected? Do they have knowledgeable staff? References offer valuable, candid feedback.

    If there is a specific application that you plan to host with the cloud provider, ask to speak to references running the same application.

If you have questions about evaluating cloud partners or what your organization could be like in a cloud environment, feel free to schedule a consultation with our team of cloud experts.

Choosing a Cloud Partner? These Are the Questions to Ask.

Choosing a cloud partner is the single most important decision you’ll make in your cloud journey. The cloud provider has the ability to make or break the project, the user experience, and the overall success of the cloud services.

Based on our over two decades of cloud experience, we’ve compiled an extensive list of questions your law firm should ask when evaluating cloud partners. This week, we’ll explore the first set of questions. Be sure to check back next week for the second set of questions, and watch for our list of red flags to watch for as you evaluate cloud partners.

  1. What other legal services firms do you provide cloud services for?

    Law firms have unique needs and compliance requirements, making it important to find a cloud provider with experience helping organizations navigate complex technology challenges and increasing regulations.

  2. Do you have experience supporting firms of similar size and specialty to ours?

    What’s going to happen to your IT environment and the support provided if team members take vacation or sick time, or the company experiences turnover? Your cloud provider’s team should be made up of multiple group members so that you know you will always be covered. It’s also important to understand the cloud provider’s commitment to staff continuity, and what efforts they make to retain team members.

    If you work with a smaller cloud provider, make sure they have partners who specialize in areas you need further assistance in. The partner may be able to manage certain aspects of your environment.

  3. How long has your company been providing cloud services?

    The rapid adoption of the cloud has resulted in an uptick of technology providers offering varying degrees of cloud services. Take the time to understand how long they have been in existence and specifically how long they have been providing cloud services.

    While the cloud may feel new, some providers have been serving clients for decades. Experienced cloud providers will have a deeper understanding of the technology required to offer the levels of performance and availability your practice needs.

  4. How is your company different from other cloud providers?

    Some cloud providers are just a service at the end of the wire, while others focus on building a relationship with you, understanding your challenges, and achieving your desired outcomes.

    Ask the cloud provider what makes them stand out. Are they legal-focused? Can they host all of your applications, not just your email? Will they advise you on what telecom solutions you should use? Do they offer telecom support?

  5. How does your security protocol keep our clients’ data secure?

    Your cloud partner should provide core security services that include identity-based security and encryption. In the legal world, security is incredibly important, so make sure they reach or exceed that level.

  6. Provide your company’s disaster recovery and business continuity plan.

    Discuss how the hosting provider will continue supporting your environment in the event that a natural disaster takes down data center operations. This plan should include backup processes that include daily, weekly, monthly, and yearly backups and their corresponding retention policies. Experienced cloud providers even provide continuous snapshots throughout the day at intervals of 15-30 minutes, providing even greater coverage in the event of a disaster. A provider should assist in recovery due to major power outages or natural disasters. Make sure they will help you maintain redundant systems and manage automatic failovers (cutover to a secondary server should the first one fail).

  7. How are storage, server, or compute resources scaled?

    The legal landscape changes rapidly, and a cloud provider should have the flexibility to adapt just as quickly. As your practice grows and changes, your storage, server, and processor needs will also change. How quickly can your cloud provider accommodate? What are the associated costs? Hosting fees are typically calculated based on the number of users and consumption of resources. This monthly fee structure provides budget predictability and stability.

    Cloud providers can mitigate this cost and enhance performance by offering tiered storage solutions that archive data based on its recovery and availability needs. Check if your cloud provider offers tiered storage as a way to curb storage costs.

Asking these questions will give you a really good feel for how the cloud provider will serve you now and into the future. Next week, we’re going to explore seven more questions — focusing on the right questions to ask so that you can ensure your project is a success.