Page 13 - NC Triangle Vol 6 No 5

CRAIG PETRONELLA | Cybersecurity
Cybersecurity in the Cloud
When a law firm is moving from in-house data storage to the cloud, it should start with a security risk assessment. It’s similar to what you did when you set up your current system.
In the cloud, your security needs to be configured from the ground up inside the provider’s dashboards. While you can re-purpose your existing security software, different types of security, policies, and procedures may be needed depending on the cloud platform. Based on the cloud provider you select, different risk assessments should be done to verify the security protocols, policies and procedures of whoever your firm works with.
Smaller law firms using cloud solutions like Office 365, for example, need more than a platform: they need to have their cloud settings configured properly so there are no gaps creating vulnerabilities. They need to do penetration assessments. Firms that allow mobile devices access to their systems need those devices configured properly and set up for encryption.
There is a common misconception that if you are hosting with Microsoft or Amazon or one of the other big providers, all your troubles will go away, and that’s not exactly true. That’s what happened recently with the two law firms whose trust accounts were hijacked using wire fraud that I discussed in my last column. The hackers tricked the user with a phishing e-mail, and then there were misconfigured settings that could have been hardened to make it tougher for the hackers to get in.
Using the cybersecurity that comes with the cloud storage software without any upgrades puts your system at very high risk of exposure. See the most recent news postings on default router and IoT device settings. The defaults don’t cut it.
WHY YOU NEED AN EXPERT
Cybersecurity is not “one size fits all,” but you can do some things to heighten the security of your platforms that are public. If you read the terms and conditions of Microsoft and Amazon, they are not responsible for how you configure your controls. They give you the platform, but you still need to know what you are doing. You need to have an expert configure it all and review the security assessment on those platforms, and there need to be checks and balances.
A freelancer who handles your IT may be an excellent resource for support or general helpdesk support, but not cybersecurity.
AttorneyAtLawMagazine.com
A cybersecurity expert can help you through the maze of what your law firm specifically needs to do, and analyze what technology you are using, what software packages you are using, and what vendors you are using. It’s like the doctor analogy: if you have cancer, you would not treat yourself for it.
The cost for analysis can range widely depending on the amount of analysis that needs to be done and the remediation. For instance, our company would do a basic gap analysis for $3-5,000 that would identify problems that need to be fixed. Then we would give you options on the issues that need to be fixed and on what other types of assessments might apply. It’s like going to your GP to get initial tests done and the first diagnosis. Then the GP sends you to a specialist, and they give you options.
TRAINING IS ESSENTIAL
As I’ve discussed in prior columns, many cybersecurity breaches are the result of human error when established procedures are not followed. It’s why, when our company sets up cybersecurity systems, we make training a high priority. Training your staff should always be an essential element of your cybersecurity system. When you move to the cloud you will need to train your team on any new protocols; it’s also an opportunity to reinforce security procedures you already have in place.
Craig A. Petronella is the CEO of Petronella Technology Group, Inc. (PTG), a trusted cybersecurity group that specializes in helping law firms with security and compliance. PTG assists business owners in reducing the improper handling of personally identifiable information and protected health information by employees, fines for breached regulations such as GDPR, HIPAA, PCI-DSS and cyber-fraud. PTG also provides a range of business continuity and disaster recovery solutions. Craig has 30 years of experience. He authored multiple books, including “How Hackers Can Crush Your Law Firm” and “Peace of Mind Computer Support.” For more information, call 1 (877) 468-2721.