How to Work Effectively and Safely in the Cloud Part One: The Basics

In my last post I talked about some of the technologies that benefit a small practice. I also touched on the concerns about using technology that often hold a practice back. I will address how to be more secure while working in the cloud in a two part article. Part One will address some of the basics; simple things you can do to be more secure while working on line. Part Two will be a deep dive into some of the more common issues.

In order to provide you with the best information and practices possible, I consulted a career cybersecurity professional, Dr. Richard Forno, the Assistant Director of UMBC’s Center for Cybersecurity. A former advisor to various corporations, the military, and government agencies, Dr. Forno’s twenty-year career in cybersecurity includes helping build a formal cybersecurity program for the US House of Representatives, serving as the first Chief Security Officer for Network Solutions (then, the global center of the internet DNS system), and co-founding the CyberMaryland conference.

Functioning in the cloud is not complicated.

The more technologically advanced lawyers out there will likely already be familiar with some of the concepts in Part One, but I encourage you to take a close look anyway as there’s likely to be a few things you haven’t considered. I’ve been keenly aware of this arena for a long time and I repeatedly found myself astonished with both the availability and low cost associated with some of the simple techniques Dr. Forno introduced. Some of the things we’ll cover in our deep dive in Part Two changed some of my computing habits.

What IS the Cloud?

You all know what the internet is, but this cloud thing, that’s new right? Not really. Basically, the cloud is all the network computing system resources, including data, storage, and applications, available on demand but not managed by the user. In lay terms this means I get all my software without having to store and maintain everything on my hard drive.

Remember the day when a full license of Adobe was $1600? You got a box, loaded it on your computer, stuck the disks and box in your file cabinet, and had to pay for upgrades year after year. Remember when you stored all of your data on a really big computer you kept in an (ideally) very cold closet that you connected to with a cable, required a technician to monitor, and sometimes it went offline at inconvenient times? Not anymore.

You can get all these services from providers who house, maintain and update it for you on servers spread all around the world. They provide with an application you launch on your computer with a login and password and store your data for a small monthly or annual fee. What used to be housed in that closet and those disks you installed onto your computer is now all out there ‘in the cloud’. That Adobe now costs a whopping $17/mo, paid annually.

Functioning Securely in the Cloud is Super Complicated Right?

You might think so given all security breaches and threats to your identity that you hear about working online. In truth, no, it’s not complicated — and it’s not necessarily dangerous. As a good first step, working securely online comes down to three things: secure passwords, secure devices, and secure networks.

Secure passwords — Passwords are the gateway to working online safely. They are the first and simplest line of defense and there are a few considerations when it comes to good passwords:

• A secure password does not have to be complicated. We are all familiar with the old rules: 8–12 characters in a mix of uppercase and lowercase letters, numbers, and special characters, preferably random, that you change every 3 months or so and which don’t repeat. But Bill Burr, the government cybersecurity engineer who invented this practice in 2003, has since reconsidered things. He now says it’s really much better to have a password in the form of a phrase with some characters replaced with numbers or symbols, something you can remember. “Appl3314f1ll1ng” is better than “Applepiefilling”.
• Don’t use the same password across applications or platforms as this is a sure way to risk a breach. It’s tempting to use a form of the same password or phrase for everything so you can remember it, but if one is compromised you risk all of them. If you can’t remember them, use a password manager. But maybe you use a theme to help you: “@ppl3314f1ll1ng” for iTunes, and “G1ng3rbr3@d” for Google, and “F1gn3wt0ns” for Facebook.
• No password helps if you succumb to ‘phishing’ scams. In their simplest form, phishing emails appear to come from a company (e.g., banks, vendors) telling you that your account was compromised and urgently asking you to click a link to change your password. If you get such a note, do NOT click on the link in the email since attacks like this are designed to make you think they are legitimate when they’re really trying to trick you into disclosing your password. Some are extremely sophisticated and can fool even the most expert of users. However, if you suspect you’re being scammed, the best thing to do is open a new browser window to log into that site/service or contact the company directly yourself to verify the message. If you are worried, feel free to update your security settings and change your password and then report the email as a phishing scam.
• Protect the access to security questions. You can reset a password if you forget it easily. You can replace credit cards if they’re compromised — even bank accounts can be fixed with proper documentation. But it’s much much harder to prove who you are over the internet if your account security questions are compromised and you’re trying to prove your identity, reset your password, or conduct business. Answers to many security questions can be found through public records searches (e.g., “mother’s maiden name”, “first street you lived on”), but there’s no rule saying you must be truthful with them. Perhaps your “mother’s maiden name” can be listed on your bank’s website as ‘Leia’ or ‘Hermione’ or ‘Chewbacca’ … good luck to attackers finding that information in a public database!

Secure devices — All the passwords in the world won’t help if you don’t secure the devices, including anything that plugs into your devices. Current best practices include encryption, data wipes, and biometrics, which are all very simple to implement.

• Activate your encryption. Most operating systems now come with encryption, all you need to do is activate it if it’s not already enabled by default. That makes it simple to encrypt all your devices whether it’s a laptop, our phone, a tablet or your desktop. At the very least, if you lose your device, your data is much better protected than it would be otherwise!
• Keep your operating system and your antivirus program up to date. It’s very tempting to work on your computer and never turn it off. While it is true that your computer is designed to run this way, and some operating systems, like Windows 10, will download updates while the system is sleeping, which means you still need to reboot regularly to complete installation of the patches and updates. Reboot at least twice a month, just to freshen things up.
• Consider where you need to be the most risk averse and cater your devices accordingly. You can lose your phone — drop it in a sewer, lose it on the plane, leave it in a cab. For anything easily lost, like a phone or tablet, consider either limiting what’s installed on it, enabling remote data deletion, and/or turning on encryption. If you travel frequently you might want to keep a fairly ‘clean’ set of devices that if lost or confiscated, do not contain too much sensitive or personal information that could affect your personal privacy or commercial interests. And despite the convenience of syncing web browsers across your devices, it can create security risks; the possibility of losing one device might make it easier to compromise your data or other devices.

Secure networks — All the passwords and device security doesn’t matter a whit if your internet access is compromised, or the people accessing your networks are a sieve.

• Make sure your network link for accessing the internet is also secure. The data you send and receive should be encrypted during transit. Password protect your wifi router access and be cautious about working on public wifi. We’ll talk more about this in our upcoming deep dive. Most phones include hotspots now and are generally safer than public wifi.
• Use a secure website. Look for “https” in the website address and/or those little yellow or green locks, which is becoming the standard for internet sites these days. Consider using different browsers for work and personal needs, instead of one browser for everything — and, of course, consider using script and adblockers.
• Your home and work networks need to have the same degree of security — particularly if you access work from home. Consider using internet routers that have built-in security and/or antivirus features that can alert you to suspicious traffic on your network or unauthorized attempts to connect to your network.

That Has GOT to be Expensive!

Again, not so much. While there are plenty of free options out there, they are not always the best option for working in the cloud. You need to consider the regulations associated with your practice regarding data storage and transfer. Providers may store or backup data on servers in Canada, or in Europe. If so, you may be subject to the more stronger European data privacy regulations and you may need to move to a US-based hosting system if your client’s industry regulators require it. You’ll want to understand what kind of security they use for your data and how much control over it you have. A good provider will not only answer these questions, they’ll discuss your needs.

For a fairly modest price for small or home businesses, some office suites such as Microsoft Office or Google’s G-Suite include cloud storage and office-sharing functions as part of their cost along with proactive security monitoring. While no cloud service provider can ensure absolute security, these are some of the most commonly used cloud services for commercial, government, and academic organizations of all sizes. It also means that there shouldn’t be a large learning curve if you move to such services. Other services such as Box.Com, DropBox, or Sync.Com provide secure cloud-based file-sharing services designed specifically for business users.

It doesn’t have to be expensive

Many security-friendly network routers aren’t expensive which means securing networks doesn’t have to be expensive, either. Another option to make sure your network access is relatively secure the simple solution is a VPN, a virtual private network. These provide a secure tunnel between your computer and your cloud hosting environment, and can offer other security and privacy features as well, which may be helpful when travelling. Many reputable VPN services can be purchased for a few dollars a month for a single user with costs increasing based on how many people are using it in your office. We’ll go into a more robust VPN discussion in our next piece.

Your Best Practices Will Protect You

Ultimately the best defense when it comes to security are your personal habits. While working safely comes down to secure passwords, secure devices, secure networks, and more it all breaks down if you fail to have good habits and use a bit of plain old common sense.

Create habits that protect your systems

Create habits that protect your systems, such as encryption, more robust passwords that are easier for you to remember, keeping your operating system and antivirus updated, and the use of VPNs, and add these best practices to your policies and procedures manuals.

In my next installment with Dr. Forno, I’ll be going deeper into some of the complexities associated with these three areas, their associated costs and risks, and how they constitute good computing habits.

__________________________________________________________________

Alison Pacuska is the president of Pacuska Professional Services, a boutique consulting firm focused on top-tier legal assistant services with a focus in Intellectual Property and Solo Practitioners.