Law firms have an obligation to keep client data secure. As hacking becomes an ever-increasing threat to businesses of all sizes—especially those that store and transmit sensitive data—two options, Two-factor Authentication and Email Encryption, can help put up barriers.
Two-factor Authentication (2FA): What is it?
2FA simply verifies a user’s identity a second time to make sure that the person making the request to enter a system is the actual user.
Often, it works in such a way that you enter your log-in credentials as usual, then the system sends a code to your cell phone that you enter to verify your identity a second time before you can access the system.
2FA is quickly becoming more prevalent in the business world. Some companies that currently use it include Google, Apple, Facebook, Twitter, Dropbox, PayPal, and Citibank. Many colleges and universities, including Penn State and the University of Chicago, are also adapting their systems to incorporate 2FA. Because these organizations understand that the data they house is precious to their users, they know that extra security is necessary to protect that data. It’s only a matter of time before 2FA becomes the standard.
What advantages does 2FA offer?
It can be frustrating to come up with a unique password for every single account—and that means that many people duplicate passwords across accounts or use simple and easy-to-remember passwords and passphrases. That may make it more convenient for the user—but it makes hacking more convenient, as well.
Even a strong password might not be enough because hackers sometimes use tools that repeatedly guess passwords. Such a tool was used to hack Apple’s iCloud in 2015 (http://www.businessinsider.com/icloud-hack-idict-patched-by-apple-2015-1); many high-profile users were affected. One way Apple responded was by improving 2FA.
Whether users employ weak log-in credentials, their information gets stolen, or they repeat passwords across accounts, 2FA adds an extra layer of protection that protects law firms’ data.
How does 2FA work?
Legal Workspace offers 2FA as one of its many security options so its clients can experience greater peace of mind around data security. When a Legal Workspace user logs in, he or she can automatically receive a one-time code on his or her smartphone app. Then the user enters the code in the Legal Workspace environment and gains access to his or her workspace. The whole process takes five seconds or less.
Most users find the process painless, but if any issues arise, Legal Workspace offers complimentary technical support for assistance.
Email Encryption: What is it?
Email encryption protects content from being accessed and read by unauthorized parties. When an attorney sends a sensitive document to a client, he or she probably assumes that no one but the client will be able to see it. However, most email can easily be accessed by hackers determined to get the information, and the device where email is retrieved and stored—whether that’s a laptop or a smartphone—is also at risk.
What advantages does Email Encryption offer?
Attorneys know it’s their duty to perform due diligence to protect client privilege. Sending unencrypted documents puts client data at risk—especially since email is one of the most vulnerable and targeted areas for anyone.
When a user opts to send encrypted email, the sent document is never stored on that user’s email server or computer. That means that the information is safe in the event of a computer or email server hack. It also protects information in case laptops or other devices are stolen or lost.
How does Email Encryption work?
Legal Workspace uses a system that works as follows: An attorney who is sending something to a client types the word “encrypt” in the subject line. Instead of the email server sending the email to the other party directly, it instead sends a link that informs the client that he or she has been sent an encrypted email. The client clicks the link, goes to the website, and can access or download the sensitive document from the website, bypassing the email system completely so the files are never stored on the recipient’s email server.
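The subject-line trigger and link-based delivery described above, sketched as an added example (not Legal Workspace's implementation). The portal address, the seven-day link lifetime, the notice wording and the in-memory store are assumptions, and the messages are constructed.

```python
import hashlib
import re
import secrets
import time

PORTAL_URL = "https://portal.example.test/m/"  # assumed placeholder address
LINK_TTL = 7 * 24 * 3600                       # assumed link lifetime, seconds
# Whole word only: "Encrypt: draft" triggers, "Encryption policy" does not.
TRIGGER = re.compile(r"\bencrypt\b", re.IGNORECASE)


class Portal:
    """In-memory stand-in for the web portal that holds protected messages."""

    def __init__(self):
        self._held = {}  # sha256(token) -> (recipient, expires_at, message)

    @staticmethod
    def _key(token):
        # Only a hash of the link token is kept, so a leaked index
        # cannot be turned back into working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def hold(self, message, now):
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._held[self._key(token)] = (message["to"].lower(), now + LINK_TTL, message)
        return token

    def fetch(self, token, recipient, now):
        """Return the held message, or None if the link is unknown, expired or not theirs."""
        entry = self._held.get(self._key(token))
        if entry is None:
            return None
        owner, expires_at, message = entry
        if now > expires_at:
            del self._held[self._key(token)]
            return None
        return message if recipient.lower() == owner else None


def route_outbound(message, portal, now=None):
    """Return what is actually handed to SMTP for this message."""
    now = time.time() if now is None else now
    if not TRIGGER.search(message["subject"]):
        return message  # no trigger word: normal delivery
    token = portal.hold(message, now)
    # The notice carries no subject, body or attachment from the original.
    return {
        "from": message["from"],
        "to": message["to"],
        "subject": "You have received an encrypted message",
        "body": "Sign in to read it: " + PORTAL_URL + token,
        "attachments": [],
    }
```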
2FA and Email Encryption considerably help law firms battle ever-increasing threats to security. It’s no longer enough to cross your fingers and hope that hackers won’t attack your firm. If you store and transmit sensitive information, you are at risk. These two offerings mitigate that risk by giving you extra layers of protection.
In-House or in the Cloud: Choosing the Right IT for Your Law Firm
This article was written by Joe Kelly, CEO of Legal Workspace, and published in Colorado Lawyer.
Whether attorneys are hanging their shingles or working at large firms, information technology (IT) is probably not their highest priority. Most lawyers would rather focus on practicing law than worrying about technology. Nevertheless, IT plays a vital role in the business of law today.
Complicating matters is the growing necessity for practices to support mobile devices and a virtual workforce. At the same time, firms must also ensure security and compliance with professional obligations and regulations, such as the Colorado Rules of Professional Conduct and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). When transitioning to new IT systems, attorneys and staff often want to continue using their favorite software programs, which may come from different providers and may not be legal-specific.
Those at larger law firms can usually let the IT department worry about such logistics. However, attorneys at small or mid-sized firms do not have the luxury of a large IT staff—if they have any IT staff at all. Consequently, lawyers are left to figure these things out, even if the sheer number of issues to consider when setting up or reimagining IT seems overwhelming.
It is helpful for small to mid-sized firms to think in terms of three main options when it comes to IT:
1) keeping IT onsite;
2) adopting a hybrid mix that involves some cloud-based solutions with some onsite hardware and software; or
3) being fully cloud-based.
When considering which approach to take, lawyers should evaluate its cost, security, and convenience, as well as the amount of time it will take away from their practice to manage each option. Although three options are listed in this article, not all options are an exact fit for every law firm.
The Onsite Approach
The onsite approach is the most traditional IT route, simply because technology has not allowed for many other options until the past decade or so. With this approach, firms set up and maintain all of their IT infrastructure at the law firm.
Cost of Onsite IT
Conventional wisdom holds that medium and large law firms will benefit the most from onsite IT. Solo attorneys and small law firms can often function in a peer-to-peer based environment without a server. However, many of today’s leading legal applications use SQL Server as their backend database. An attorney who selects one of these legal applications will need to purchase and install a server for the application to function.
Setting up onsite IT is an involved process that can easily cost thousands of dollars a year for each staff member. The firm will need to (1) purchase and configure servers for data applications, backup, and security; (2) purchase and configure software programs (e.g., a Windows server, the email server, practice management applications, and time and billing systems); and (3) purchase and set up hardware, including computers, laptops, mobile devices, and Bluetooth devices.
Unless lawyers are intimately acquainted with IT and have the time to devote to it, law firms will find the need to hire IT consultants to help with initial setup and configuration. The initial labor costs can easily reach $1,000 per staff member. Additional consultant costs may arise for ongoing maintenance, unless someone at the firm can dedicate significant time to maintaining and troubleshooting hardware and software issues. As the firm grows and adds more personnel, someone at the firm will need to oversee licensing additional software, buying more hardware, setting up additional email accounts, and ensuring compliance standards are met.
Security of Onsite IT
Many lawyers assume that high security is inherently linked to the onsite approach because the law firm maintains complete control over the files and systems, including how they are stored and shared. However, when software is housed within the firm, it must be updated continuously to make sure that systems are as secure as possible. This means that someone must be available to run patches, checkups, antivirus software, and other tools to ensure that systems are not vulnerable to malware and hacking.
With an onsite approach, the firm must also consider backup plans and disaster recovery solutions. Backup plans should take into account how to host the backup at another site in the event of a natural disaster, fire, gas leak, or other circumstance that makes the firm’s office inaccessible.
Firms also need to consider where they are most vulnerable. According to the IT security firm Trend Micro, hacking and malware account for 25% of all data breaches, while lost devices account for 41% of data breaches. That means that firms need to consider how they can remotely wipe any devices that lawyers and staff have lost or misplaced.
Trend Micro further warns that data breaches caused by hacking and malware tend to be highly sophisticated and deliberate: “Highly customized defense solutions and strategies are required in these cases.” Firms need to decide whether to install consumer firewalls or enterprise firewalls. Enterprise firewalls may be more thorough than consumer firewalls, but they can also be more expensive and complicated to operate. And unless the firm is large enough to warrant a dedicated IT staff member, the firm will need to pay for special training on a regular basis.
Finally, if any of the firm’s clients and their information calls for HIPAA compliance, the firm will need to add additional layers of security. Complying with HIPAA comes with very specific and often costly requirements around physical, technical, and administrative safeguards. Failing to comply with these safeguards can lead to penalties in excess of $1 million per year.
Convenience of Onsite IT
An onsite server is highly convenient because all hardware and software is located just down the hall. As a result, it’s easy for staff and attorneys to check on anything that goes wrong.
However, unless someone at the firm is an IT expert, it will be difficult to fix most problems that arise. That means that the firm will have to bring in an IT consultant to handle serious issues. Along with the added expense, someone at the firm will need to take time away from legal projects to work with the IT consultant. The firm will also lose billable time and productivity while hardware and software problems are being addressed.
A Hybrid Approach
A hybrid approach encompasses onsite IT functionalities and the advantages of specific cloud-based software to support practice management, billing, and other areas.
Cost of Hybrid IT
This approach can be more cost-effective than an onsite system, since cloud-based software and applications normally run on a subscription model based on the number of users (e.g., software licenses for each user) or the amount of storage needed. The manufacturer normally handles all upgrades and patches automatically. This option and the subscription model are often more affordable than buying software licenses.
When considering which programs to host onsite and which to base in the cloud, the firm should consider its current software and processes. The ratio of cloud to onsite applications will affect costs. Firms will also need to spend more time and money managing multiple vendors when some programs are cloud-based and others are managed within the firm.
Because the main goal of leveraging technology at a law firm is to increase efficiency, progress usually involves connecting and automating different parts of a firm’s workflow. This becomes very difficult in a hybrid model. For example, a firm may use a cloud version of a non-legal-specific bookkeeping system and want to link it with the accounts receivable from a time and billing system. Some systems on the market cannot support this approach.
Security of Hybrid IT
The security of hybrid systems depends on the types of cloud-based applications and software that the firm is using. Many cloud-based apps and software offer built-in security contingencies, such as automatically installing the latest updates to address vulnerabilities and potential viruses.
However, attorneys need to be aware that common cloud-based apps or software, such as Google Drive or Dropbox, often have data storage facilities around the world, which might prompt data ownership questions. If the firm’s data resides overseas, it raises the question of who actually owns it. Therefore, when considering cloud providers for any type of information storage, attorneys have a responsibility to find out where their data will be stored. They need to feel confident that their data cannot be lost or stolen and understand who physically owns it.
Reliability and security are also major concerns with mainstream cloud-based services. Amazon Web Services (AWS), one of the world’s largest cloud providers, has been known to stop working on occasion. In September of 2015, roughly one-third of AWS services were down for more than five hours. Since the services can support a variety of items such as backup and recovery, websites, and business applications, an interruption can impact a law firm’s ability to access critical client files or billing information.
Convenience of Hybrid IT
Most cloud-based software and applications enable mobility, allowing staff and attorneys to access information from anywhere at any time. A hybrid approach is also easier to scale up with solutions that grow as the firm grows and adds more staff.
The Cloud-Based Approach
With this method, all IT needs are handed off to a cloud-based third party. This third party sets up, configures, launches, and maintains hardware and software, allowing the firm to forgo servers and backup devices.
Cloud-based solutions normally use one of three ways to configure a law firm’s IT:
1) managed cloud computing platform;
2) desktop as a service; or
3) private cloud computing.
The first approach, managed cloud computing, enables firms and other organizations to share databases, hardware, and software remotely through the provider. With managed cloud computing, law firms can purchase entire virtual servers or parts of cloud servers.
With the desktop as a service model, law firms can utilize virtual desktops that are highly customizable and run from the cloud. Users’ data is downloaded and uploaded to and from the cloud when users log on and off.
The private cloud computing option is similar to the managed cloud computing with one major exception: In private cloud computing, law firms do not share hardware with other companies or industries. A private cloud IT system allows law firms to maintain confidentiality and privilege when handling sensitive data on behalf of clients.
Costs of Cloud IT
When outsourcing entirely to the cloud, regardless of the configuration, law firms usually pay for a subscription-priced service that often offers a lower entry price point compared to paying for onsite IT. Subscription-based services are priced per person and normally include the programs the firm needs to operate its practice, along with IT support.
Typically, cloud providers offer a place for the firm to install an operating system and then build up its IT based on that foundation. Semi-customized programs typically include a desktop built on a Windows-based platform, MS Office, file storage, and antivirus protections. From there, firms can add their legal-specific programs of choice, such as practice management, document management, and document automation systems. This model tends to provide greater stability for the IT budget because the firm will not accumulate unexpected IT costs.
Security of Cloud IT
While all cloud providers tout their security protocols, not all of them understand the unique requirements of those in the legal industry. That is why law firms should consider a cloud-based provider that focuses on the legal industry and offers private servers with enhanced security measures, such as enterprise-grade firewalls, intrusion detection/prevention systems, and dual-factor authentication.
Firms should also look for the physical security of the data center that hosts the firm’s information (e.g., keycard access and biometric identification) and immediate disaster recovery that is enabled by a secondary site. That means that even if the firm’s office is destroyed, or one database supported by the cloud provider is compromised, attorneys and staff will only be one login away from accessing their information.
Convenience of Cloud IT
Cloud IT can be the most convenient approach, as the law firm has to spend little to no time managing IT. With this model, attorneys spend more time practicing law and the staff is able to focus on supporting the firm’s needs.
For small and mid-sized firms, there have never been more options for IT, ranging from systems that are completely hosted onsite to those that reside solely in the cloud. Attorneys should consider factors such as cost, security, and convenience, with the ultimate goal of selecting an approach that enables them to spend less time on IT and more time on their clients and law practices.