ABA TECHSHOW 2020 will be held this year in Chicago on February 26–29, but the show’s blog is already up and running. This month it features a link to an interview with cloud expert Andy Wilson, available in podcast and transcript formats. The topic is “The Cloud is the New Electricity–and What it Means to Lawyers.”
Here’s Wilson’s take on the security issue:
Well, ironically, I guess that most of the cloud providers that are coming to their door are orders of magnitude more secure than the way that they are handling data. There’s been a couple of studies that have been put out around law firm cybersecurity risk and 80% of Am Law 100 law firms have already been hacked; you probably heard of some of the biggest ones, DLA Piper was shut down for an entire week.
And one in four law firms, which 80% of law firms are fewer than 10 attorneys, have been breached, but they probably don’t know it because they don’t have the technology to even detect an intrusion.
Whereas a cloud service, what a cloud is offering is trust, like hey, listen, trust us to host your data because we have a team of engineers that are monitoring for detection, we have a software enabled that’s monitoring for intrusion detection, we have encryption at rest, we have SOC 2 Type 2 certifications, we have all these things. But fundamentally what they are selling is trust, and there’s ways to verify that trust if you are a law firm.
Most of these companies are going to have a security page where they list all their certifications, you can ask for copies of their SOC 2 Type 2, which is a big difference than a Type 1 certification, not just what Amazon provides. You can’t get by with that. I wouldn’t trust that, because obviously Amazon’s data center is SOC 2 Type 2 certified, amongst other things, but maybe the vendor selling the services hasn’t actually achieved a level of SOC 2 certification on their own, which is a red flag. So you can test that.
If you want to — if you are spending a lot of money in these cloud services, you can hire 10 testers, almost like white hat hackers, where they will try and penetrate the production environment of this cloud service. I wouldn’t recommend that for anything. If you are not going to spend $100,000 or more a year in these services, you probably can’t afford that.