Over the past decade, the cloud has become incredibly popular among law firms, with good reason. Attorneys who gladly transported confidential files on jump drives the size of lighters (and just as easily misplaced) once thought of it as a risky concept, but the tide started to turn when providers like Dropbox and Google Docs offered an introduction to the security of cloud storage with their consumer and enterprise-facing storage systems.
While these were reasonably secure and offered an introduction to the cloud, they weren’t foolproof. You likely heard stories of attorneys in trouble because privileged information got into the wrong hands through an accidentally shared Dropbox public link, a successful phishing attempt or fake login page, or poor password management.
However, as the standards have evolved, so have the solutions. While some firms can use document storage applications in the cloud, many have opted to work with cloud service providers who can focus on the entire business of law—not just one element.
Hosting Your Entire Firm in the Cloud: The Security Advantage
Today’s law firms no longer rely just on consumer services to host a few documents that an attorney needs to take home. Rather, they have moved their entire business into the cloud. Hosting their entire stack of applications in secure data centers offers a wide range of benefits, and increased security over both point cloud applications and on-premises solutions is among the leading reasons.
Prior to cloud computing, your data and applications were stored on a single machine. If that device was lost or stolen, your data was vulnerable to third-party intrusion. Cloud computing eliminates this threat completely.
You often need to access your systems from public Wi-Fi, creating an inherent security flaw. Often, hackers will spoof a Wi-Fi hotspot to create the impression that you are accessing the legitimate hotspot, only to monitor your activity and breach your system.
Cloud hosting companies take steps to address this, utilizing high-grade Secure Sockets Layer (SSL) encryption to make sure no one is able to intercept your data in transmission from public networks like coffee shops or airports.
You need to make sure that no one gets in if they are not authorized to do so. Knowing this, a cloud hosting provider deploys multiple state-of-the-art firewalls to protect your data. In addition, it vigilantly monitors servers 24/7 with intrusion detection software that senses, prevents, and disrupts hacking attempts.
If you still host applications on-premises, take a walk down to your IT department. How many secured doors do you have to walk through to get to the server room? Zero? How many armed guards? Did you have to pass an iris scanner or fingerprint scan, scan a badge, or enter a code? Probably not. If you’re lucky, you have video surveillance of your server room and server cabinet locks installed.
While not as prevalent as a hack, physical compromises of security are just as dangerous, resulting in a criminal either destroying data, stealing data, or shutting down your operations. Your hosting provider’s reputation is even more reliant on data protection than yours, meaning even physical security is taken into account.
Multiple layers of physical security ensure that only authorized personnel have access to systems. Hosting providers often employ video surveillance, RFID security badges, PIN codes, biometric fingerprint scans, and server cabinet locks to maintain the physical security you need and deserve.
The Proof is in the Audits
When considering a cloud company to host your applications, the company you select should face immense scrutiny from unbiased auditors and comply with the most stringent standards. Among the necessary audits:
- SSAE 18/ISAE SOC 1 Type 2: Evaluates the controls that a company has in place.
- ISO 27001: ISO 27001:2013 is an auditable international standard that formally outlines requirements for an Information Security Management System (ISMS) to help protect and secure an organization’s data.
- SOC 2 Type 2: The SOC 2 report is an attestation report that provides an evaluation of controls specific to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles.
- SOC 3 Type 2: Another Trust Services Report, SOC 3 Type 2 is designed for service organizations who do not need the levels of detail provided in an SOC 2 report, but still need proof of security and reliability.
- PCI DSS Compliance: If you are handling payments (which you are), you need a cloud provider who is PCI DSS compliant.
- HIPAA / HITECH Security Rule Compliance Report (AT 101): While healthcare focused, HIPAA standards are among the most stringent and hardest to attain, requiring advanced levels of physical, technical, and administrative safeguards to ensure that confidential electronic protected health information (ePHI) is secure.
- EU–US Privacy Shield Framework: Another important privacy measure, the Privacy Shield framework is an international set of standards designed to ensure data privacy rules are followed.
How the Cloud Makes It Possible
The consequences of a data breach are devastating to firms. Not only do you face ethical, compliance and legal challenges, you may ultimately end up dead in the water—what client wants to work with a firm that can’t protect them? More often than not, firms—especially small ones—suffering data breaches collapse.
Your data is stored off site in our data center. We provide and maintain protection against third party intrusion. Think of the data center like a bank vault for your data. Only authorized users have access to it.
At Flywire, we take the steps you need to protect sensitive and confidential client and case data, and store it in our redundant Tier 3 data centers to ensure that only the right people have access to applications, when and where they need to access them. Get to know more about the security and compliance guaranteed in our SLA, learn more about the benefits of working with us, and get in contact with us for more information.