
Is Microsoft OneDrive Secure for Lawyers? (6 Reasons Why)

By Adam on December 27, 2023

As a lawyer, there is a lot to consider when it comes to keeping your clients' data secure, especially when you're running your law firm online. Upholding attorney-client privilege, meeting data security regulations (like GDPR and HIPAA), and simply keeping your clients' data private is no easy task!

But, if you're using Microsoft OneDrive to store client files, you don't have to worry about any of that yourself, because OneDrive is safe and secure for lawyers.

The files you store on OneDrive are secure, because they are encrypted end-to-end and, due to all the security features Microsoft offers, are protected from cyberthreats and even malicious insiders.

Curious to learn the reasons why OneDrive is safe for law firms? Keep reading!

Let's get into the 6 reasons why OneDrive is secure for lawyers.

Reason 1: OneDrive Uses End-to-End Encryption

OneDrive encrypts all your files both in-transit and at-rest. This means only you and Microsoft have access to your files, and eavesdroppers won't be able to "listen in" when you're accessing your OneDrive files. This is perfect for law firms, where your clients' files have to be completely confidential.

If you're not familiar with encryption, it is a way to protect information by ensuring only authorized parties can read certain data. It is more than just keeping your data in a secret spot; it is more like putting a lock on your data.

For example, it's not like hiding a flash drive in a drawer, but more like putting a flash drive into a locked industrial-grade vault where you're the only one with the key.

That explains encryption, but you may be wondering: what does it mean to encrypt in-transit and at-rest?

What is End-to-End Encryption?

There are two common moments when encryption is applied: in-transit and at-rest.

In-transit encryption means encryption is applied when you are uploading or downloading files from OneDrive. This is what keeps eavesdroppers (or a "man-in-the-middle") from accessing your data as it is being transferred between you and OneDrive's servers.

At-rest encryption means your files are protected with encryption while they are "sitting" on OneDrive's storage servers. This means that if someone obtained the stored data, whether through direct access to a Microsoft data center or through unauthorized software access, they would not be able to read any of your files.

Because OneDrive has both in-transit and at-rest encryption, you can be confident that your files are stored and transferred securely. However, there are still ways that cyber criminals can access your files.

Is End-to-End Encryption All You Need to be Secure?

No! All services need more than just end-to-end encryption to be secure.

The most common threats are phishing attacks (a form of "social engineering") and account security weaknesses (e.g. not using an adequate password, or not setting up multi-factor authentication).

According to Cloudflare, around 90% of successful cyber attacks start with an email phishing attack.

Having end-to-end encryption is essential to being secure, but it is not the only aspect to consider.

A truly secure service should also have additional security features like multi-factor authentication (MFA/2FA), audit logging, and breach detection and remediation.

Reason 2: OneDrive Is Compliant With International Data Security Regulations

OneDrive is GDPR compliant, SOC 2 compliant, and HIPAA compliant. It is even compliant with many different international regulations.

GDPR compliance is important if you do business with anyone from the European Union (EU), as the EU has strict rules on cyber security and user privacy.

SOC 2 compliance is a testament to OneDrive's overall security posture, proving that it has processes that ensure user privacy, data integrity, and availability. Microsoft has third parties audit OneDrive to ensure that it meets the rigid requirements of SOC 2 compliance.

HIPAA compliance is critical if your law firm will be storing any protected health information (PHI) on behalf of your clients. To meet HIPAA compliance, you will have to sign a business associate agreement (BAA) with Microsoft. This is standard practice, and is a common workflow for businesses that use OneDrive's business services. In fact, you may have already signed your BAA.

To learn more about HIPAA, check out the summary from the U.S. Department of Health and Human Services found here.

In the remaining sections, we will discuss all of the security features Microsoft adds to OneDrive to prevent unauthorized access to your account, and to alert you when an attacker may be trying to compromise your OneDrive account.

Reason 3: OneDrive's Advanced Threat Protection (ATP) Support

In 2015, Microsoft launched Advanced Threat Protection (ATP), which provides an extra layer of protection and defense against cyberattacks. ATP helps reduce your exposure to cyber threats by:

  • Automatically scanning links that are clicked to detect malicious phishing websites
  • Reporting on any attacks or data breaches that may have occurred
  • Scanning for and remediating threats from viruses and malware

OneDrive's Advanced Threat Protection (ATP) is a proactive defense layer that makes me confident in saying OneDrive is secure for lawyers. It is a layer of defense that few other services have, and is by no means "required" to be secure, but it is great to have included in OneDrive.

Reason 4: OneDrive's Data Loss Prevention (DLP) Support

(Image: a DLP policy being triggered in OneDrive. Image Source)

Data Loss Prevention (DLP) is another additional defense mechanism where you can configure policies which restrict the sharing of certain types of data. OneDrive comes with DLP support out-of-the-box, which (like ATP) is a great bonus security feature to have.

At your firm you might want to configure a DLP policy (see here on how to configure a DLP policy) that is triggered by personally identifiable information (like credit card numbers, social security numbers, or personal health information). DLP policies can be set up to take several different actions after sensitive data is discovered; these actions are called remediations.

The most common remediation to execute is to simply report and delete the sensitive data. This is likely all you'll need, if you're looking just to avoid oversharing private information.

DLP can protect your firm's OneDrive against external cyber threats, but it also defends against insider threats. An insider threat is an associate or employee who tries to leak information about one of your clients. Without DLP, anyone who has access to client data could leak it. With DLP, most attempts at leaking information would be deleted and reported on, so you'll be aware of who the insider is.
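As an added example (not Microsoft's DLP code, and not from this post), here is a small Python model of what such a policy does: it classifies files for credit card numbers and U.S. Social Security Numbers, using a Luhn checksum so that arbitrary 16-digit numbers are not flagged as cards, then applies the "report and delete" remediation by redacting matches and writing an audit entry. The sample files and detector patterns are constructed for illustration.

```python
import re

# Constructed sample files standing in for documents in a firm's OneDrive.
# "invoice.txt" holds a 16-digit number that fails the Luhn check, so a
# detector that matched digits alone would wrongly flag it as a card number.
SAMPLE_FILES = {
    "intake_form.txt": "Retainer paid with card 4111 1111 1111 1111 on Monday.",
    "memo.txt": "Client SSN on file: 123-45-6789. Internal use only.",
    "invoice.txt": "Matter reference 4111111111111112 is not a card number.",
    "notes.txt": "Meeting notes, nothing sensitive here.",
}

# 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which weeds out digit strings that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> list[tuple[str, str]]:
    """Return (sensitive-info type, matched value) pairs found in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(("Credit Card Number", m.group()))
    hits += [("U.S. Social Security Number", m.group()) for m in SSN_RE.finditer(text)]
    return hits

def apply_dlp_policy(files: dict[str, str]) -> tuple[list[dict], dict[str, str]]:
    """'Report and delete' remediation: redact each match, log one audit entry per file."""
    report, remediated = [], {}
    for name, text in files.items():
        hits = classify(text)
        for label, value in hits:
            text = text.replace(value, f"[REDACTED {label}]")
        remediated[name] = text
        if hits:
            report.append({"file": name, "types": sorted({label for label, _ in hits}),
                           "count": len(hits), "action": "deleted-and-reported"})
    return report, remediated
```

Running `apply_dlp_policy(SAMPLE_FILES)` reports only `intake_form.txt` and `memo.txt`; the invoice's look-alike number passes through untouched.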

DLP is a fantastic security feature to have for law firms, and makes me confident that OneDrive is a secure service.

Reason 5: OneDrive Has Multi-Factor Authentication (MFA/2FA) Policies

According to a study by Microsoft, enabling multi-factor authentication (MFA/2FA) reduces the risk of your account being compromised by over 99% (see full study here). You'll be glad to know that all Microsoft accounts support MFA, which means the odds of anyone at your firm having their account compromised are very low.

If you're not familiar with MFA, it is simply an additional step where you verify a code from your email, a text message, or an authenticator app as you log in. Typically, MFA proves that you possess some physical device, which is why it is secure: an attacker would also need to gain access to your physical property.

On top of having MFA, Microsoft also allows you to require MFA for all logins, so you can be sure that everyone's account has the protections afforded by MFA.

I strongly suggest you enable an MFA policy at your law firm, as requiring MFA is the easiest way to keep your firm secure.

Reason 6: OneDrive's Personal Vault

(Image: OneDrive Personal Vault on desktop. Image Source)

If you're using a personal or home plan of OneDrive (and not the business plan), OneDrive offers an additional level of security called OneDrive Personal Vault. Personal Vault is an additional authentication and encryption measure that is applied to a special folder in your account.

With Personal Vault, you can add an additional security check when accessing certain files, such as text or email verification. This ensures that even if your Microsoft account were compromised (unlikely if you're using MFA), the attacker would still need to gain access to some physical device of yours (such as your phone).

In addition, Personal Vault has great features like automatically "locking" (requiring verification again) after the folder goes unused for a period of time. This makes it easy to stay secure even if you forget to lock your files. Personal Vault's "locking" mechanism works in both the desktop and web versions of OneDrive.

Need to Share Files with Clients Securely? Consider a Secure Client Portal

(Image: a secure file sharing portal)

While OneDrive is certainly secure, it wasn't designed for sharing files with clients. This is because it is mainly a cloud storage service, and not a client portal. Many law firms choose to use a secure client portal instead, because it is a more seamless experience for their clients and comes with essential productivity features.

Some features you'll find in a client portal for law firms are:

  • Secure file sharing with clients
  • A secure messenger to send clients encrypted messages
  • Email and desktop notifications for all portal activity
  • Audit trails for every action (login, file download, file upload, etc.)
  • Client multi-factor authentication (MFA/2FA) support
  • E-signatures
  • Custom forms to collect specific client information
  • Secure email via Microsoft Outlook
  • An internal knowledge base builder to share internal business documents and trainings
  • Desktop and mobile support

Additionally, with a client portal, each client has their own account, which allows clients easy access to their files and an open channel of communication with their lawyers.

If you're looking for a secure client portal for your law firm, you can't go wrong with Foyer. Foyer is a secure client portal built for law firms that provides every feature your law firm would need, all at a great price ($10 per month per internal user).

You can get started today for free (no commitment) by visiting our onboarding page. Onboarding is automatic and takes 1 minute. If you have any existing data, Foyer's support team is around to assist with any migration needs you have.

Thanks for reading! If you have any comments or feedback please send a comment below. Whether you're sticking to OneDrive or using Foyer, I wish all the best for your firm!

© 2024 Foyer LLC