Cloud solutions for law firms: How to ensure BYOD security
For solicitors, every six minutes of billable time counts.
With lawyers often out of the office and working long hours, law firms are fast adopting cloud solutions, ‘Bring Your Own Device’ (BYOD) policies and remote working to improve productivity as much as possible.
The benefits of BYOD and remote working do not just end with productivity improvements; they also offer law firms the chance to cut unnecessary overheads, improve client service standards and attract the brightest graduates in an age of Millennials who favour flexible working. The Law Gazette reported that DAC Beachcroft adopted agile working after calculating that desks were used just 70% of the time, whilst Wedlake Blake implemented an agile approach to further full service integration.
With such benefits comes the burden of potential increased risk. In order to maintain client confidentiality and data protection, solicitors have a specific duty to ensure that effective systems and controls are in place to safeguard against confidentiality risks. We have outlined the main risks that law firms need to be aware of and the protection measures they can take to guard against them.
The Data Protection Act
Solicitors need to ensure that any service they provide complies with the Data Protection Act’s Eighth Data Protection Principle: that personal data will not be sent out of the European Economic Area unless the country offers a sufficient level of protection.
Cloud solutions and cybercrime
In 2013 a Legal Week Benchmarker survey indicated that 80% of partners and IT directors in legal firms believe that they are likely to be the subject of a cyber-attack, but only a third believe that their systems could withstand such an attack.
Cyber-risks from mobile devices and cloud solutions can arise in a number of ways, including devices being lost or stolen, devices connecting to other devices, the apps running on them, and unauthorised access through services running on them.
The Solicitors Regulation Authority’s (SRA) risk resource Silver Linings: Cloud computing, law firms and risk outlines a number of key risks and steps that law firms can take to guard against cybercrime, which include:
- ensuring that any cloud service can provide audited information security that complies with ISO 27001:2005 as a minimum
- ensuring that staff working on the move have properly secured communication channels to protect security
- using a private cloud, or private area of a hybrid cloud, for client confidential material
- use of software that automatically encrypts documents at the law firm’s end, and using security keys that are not known to the cloud provider
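The last point above, encrypting documents at the firm’s end under a key the cloud provider never sees, is the one control on this list that the firm itself implements rather than buys. The following Go program is an added illustration of that control and is not code from the article, the SRA resource or any provider: a document is sealed with AES-256-GCM under a key generated and held on the firm’s side (here simply kept in memory), and only the resulting blob, which carries no key material, is what would be uploaded. The document identifier is bound in as associated data so a stored blob cannot be quietly moved between matters, and any tampering with the blob is rejected on retrieval. The function names (NewFirmKey, Seal, Open) and the sample document are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative firm-side encryption (not any provider's code): the document is
// sealed with AES-256-GCM under a key that exists only on the firm's systems.
// The provider stores the sealed blob and nothing else.

const keySize = 32 // AES-256 key length in bytes

// NewFirmKey generates a fresh 256-bit key at the firm's end. In a real
// deployment this key would live in a firm-controlled key store; it is never
// uploaded alongside the documents.
func NewFirmKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates a document under the firm key. The returned
// blob is nonce || ciphertext || tag, which is all the provider ever sees.
// docID is bound as associated data so a blob cannot be swapped between
// matter files without the swap being detected on Open.
func Seal(key, plaintext []byte, docID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// Open decrypts a blob retrieved from the provider. A modified blob, a wrong
// key or a mismatched docID fails authentication and returns an error rather
// than silently yielding corrupted text.
func Open(key, blob []byte, docID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed document")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(docID))
}

// newAEAD builds the AES-GCM primitive, rejecting keys of the wrong length.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("firm key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewFirmKey()
	// Constructed sample document; not real client material.
	doc := []byte("Constructed sample: privileged advice to client, matter 0001")
	id := "matter-0001/advice.docx"

	blob, _ := Seal(key, doc, id)
	fmt.Printf("blob to upload is %d bytes and contains no key material\n", len(blob))

	back, err := Open(key, blob, id)
	fmt.Printf("retrieved: %q (err=%v)\n", back, err)

	// A single flipped byte in storage is detected rather than decrypted.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob, id)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the design is that the provider holds only the blob: without the firm key it can neither read the document nor produce a forged one that Open will accept, which is exactly the separation the SRA guidance asks for.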
Out-of-the-box cloud services will often meet many of these minimum standards. For example, Office 365 adheres to world-class industry standards such as ISO 27001, EU Model clauses, HIPAA BAA, and FISMA, and includes essential features such as permissions, versioning control, eDiscovery, and records management.
However, a cloud service provider should be able to offer additional security. For example, cloud services do not usually include email encryption as standard, or remote wiping of work-related data from phones, laptops or tablets that are lost. A service provider should be able to provide this and more, such as proactively monitoring malware, firewall breaches and ISP addresses – and, most importantly, providing emergency onsite support in the event of a breach.
Human error and DIY BYOD
In a profession renowned for its cautious approach, ICO data from 2015 showed that the majority of security breaches in law firms were down to human error rather than cybercrime. The most common cause was private data being sent to the wrong recipient by post, fax or email, followed closely by loss of confidential documents in hard copy and failure to secure data stored on mobile devices. Out of the 72 breaches, 11 involved unencrypted information being stored on devices not controlled by the firm.
An IT service provider should be able to work with your firm to put extra safeguards against human error in place, such as a confidential document area accessible only to pre-authorised individuals. You should also check whether they provide additional training, with power sessions on internet security that go far beyond the basics you would find online.
As the data shows, it is far better to implement a BYOD and remote working policy than to have employees engage in what is known as ‘shadow IT’: using their own devices without appropriate security measures in place. Implemented correctly, mobile and remote working should enhance your competitive capabilities with a minimum of risk.