Risks of outsourcing and cloud computing

Cloud computing (broadly the same concept as hosted systems and outsourcing) is a new way of expressing what is now a fairly well-established way of delivering applications to the desktop. Charles Christian in the February edition of his Orange Rag comments, “We have moved very quickly from a situation of ‘if cloud computing ever takes off for law firms’ to one of, ‘when firms switch to the cloud’. As a consequence, we are starting to see far more interest being taken in the quality, security and reliability of cloud operators’ services. And about time too, as we are also hearing reports of some law firms having 24 and 36 hour service outages because their cloud providers’ servers cannot cope with the demands placed on them.”

The simple fact is that while the basic cloud proposition is the same, not all cloud providers are created equal. And given that IT is mission-critical to most law firms, it is essential that firms undertake comprehensive due diligence on potential cloud partners to establish their credentials.

There are an increasing number of providers offering “cloud” solutions. The trick is to find a partner that suits (in terms of quality, ability, size, resources, pricing and chemistry) and to avoid the providers who might not have the stability, security or capacity that your legal business needs.

Solutions range from dedicated managed service providers such as e-know.net, who have partnered with a number of suppliers to provide a fully managed desktop to law firms, to suppliers who host their own systems and other desktop applications. A good selection of such offerings in the legal market can be found on Delia’s web page for outsourcing, hosted systems and cloud systems.

The following are the key risk areas you ought to examine when you consider outsourcing.

Is the company sound?

Check the accounts closely and make sure that hosting is a core part of what they do. How long have they been in business? What references can you take up? Are they simply a marketing front or do they own the infrastructure and have control over the service delivery? Visit and talk to other users. Find out what their performance has been over the last three years, and check with users what outages of service they have experienced and for what length of time for each outage. What quality accreditations do they have or are they working towards (and if the latter, how long have they been working at it)? They really should be striving to achieve the ISO 27001 standard. What does the chemistry feel like? Particularly in the early days of switching to the cloud there are going to be problems that will need a lot of patience on both sides to overcome. Will they work with you and your people to solve the issues sympathetically and pragmatically?

Data security

How frequently is your data going to be backed up and for how long will it be kept? What anti-virus and anti-spam protection are they offering? If data is to be transported off-site what encryption and security methods are to be used? When you visit their data centre examine their security arrangements for your visit. Did those arrangements fill you with confidence that they will look after your data? Do they offer dedicated servers holding your data or are they shared with other users? Is there any risk of the data being held on servers outside of this country as part of their backup routines?


This is a very complex and technical area but you need to be looking at Tier 2 or Tier 3 data centres, and a specification that is geared to ensuring your managed service is delivered quickly, reliably, securely and with 99 per cent uptime. Visit and compare the competing data centre environments, see for yourself the level of redundant power and communications provision, the security, the monitoring, the failover options and so on. While you’ll probably want a techie along to make an informed operational assessment, you should also be able to get a feel for the quality of the facility and the attitudes of those running it. Questions to ask your potential partner might include: what would happen if you grew by 50 per cent in the next year? Do you have the infrastructure and resources to cope and what effect would that have on the service to your existing customers? Who owns, maintains and supports your server farm and are all those resources under your control?

Customer support

Is the support 24 x 7 x 365? Can calls be logged by telephone, email and web? Is there a ticketing system? What is the experience of other users? Examine the history of some of their calls and track how long it took to solve different complexities of problem. Talk to the support head and gauge attitudes, competencies etc, understand escalation procedures, ask about individual staff qualifications, experience and accreditations – these are the people who you’ll be dealing with fairly regularly. Plus, do they offer hardware support solutions or are you going to have to find a third party to keep your desktop PCs and printers working?

Solution functionality

Does a switch to the cloud still give you what you need? Multi-level functionality for different users, desktop configuration tools, support for POP/IMAP clients, disk space controls, email aliases and public folders? Can the provider take over and successfully host all your legacy applications? Speculate with the provider and ask them to take you through their process for introducing a new product to your application set; for example, suggest that you want to trial a new digital dictation product that provides voice recognition capability. Are they able to cope with this using internal resources or do they have to outsource? And what would be the cost to you of running the trial? How long would it take? Check whether they only offer a fixed price, fixed service solution, or whether they offer a fully managed solution supporting multiple applications. There is no right answer here: it will depend on your business needs, existing IT setup and knowledge, and your budget.

Mobile access

Is OWA included? Are all current mobile devices (Android, Windows Mobile, Symbian, iPhones, BlackBerries) supported? Can emails be pushed to the users? Topically, ask them how many of their users have called support to set up their new iPads and how they coped with this.

These are six areas you should consider if you’re contemplating taking your business into the cloud. It’s not an exhaustive list and you would be well advised to seek counsel from others who have already taken the journey before you – and have the bullet wounds to prove it.

Chris Cann is a solicitor (non-practising) and consultant with Cann Consultancy Limited, advising law firms on Systems and IT, Risk and Compliance and Management and Strategy. As head of finance and systems for Martin-Kaye, he oversaw the firm’s switch to the cloud in 2000 and has been a user of fully hosted systems for more than a decade.

Email chris@cannconsultancy.co.uk.