Disaster Recovery and Business Continuity Plans
It is too late to build a disaster recovery plan after a successful cyber attack. Failure to build and maintain an effective business disaster recovery capability can be catastrophic. A law firm must establish a proactive system, data, and business recovery plan that covers system and data backups; off-site (and preferably offline or otherwise write-protected) copies that a ransomware infection on the live network cannot reach; and regular trial restores, because a backup that has never been restored is only an assumption that recovery will work.
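As an added example (not code from the original page), the following Python routine shows what a "trial restore" means in practice: it writes a directory into a gzip'd tar archive together with a SHA-256 manifest, restores the archive into a throwaway directory, and checks every restored file against the manifest. It then truncates the archive to show that a damaged backup fails the check instead of being silently trusted. The sample files, directory names and archive name are constructed for the demonstration.

```python
"""Backup with a SHA-256 manifest, plus a trial restore that proves the
backup is actually recoverable. Added illustrative example; all paths and
sample data below are constructed, not taken from any real system."""
import hashlib
import io
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hash  path' lines (sha256sum format) back into a dict."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            result[rel] = digest
    return result


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write source into a .tar.gz with the manifest embedded; return the manifest.
    Keep a copy of the manifest outside the backup as well: whoever can rewrite
    the archive can rewrite an embedded manifest to match."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        data = "".join(f"{h}  {rel}\n" for rel, h in manifest.items()).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def trial_restore(archive: Path, expected: Optional[Dict[str, str]] = None) -> List[str]:
    """Restore into a scratch directory and verify every file.

    expected: manifest kept outside the archive (preferred). If None, the
    manifest embedded in the archive is used, which detects corruption only.
    Returns a list of problems; an empty list means the restore is trustworthy.
    """
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
                    tar.extractall(scratch_path, filter="data")
                else:
                    tar.extractall(scratch_path)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc!r}"]
        restored = build_manifest(scratch_path)
        embedded = (scratch_path / MANIFEST_NAME).read_text() if MANIFEST_NAME in restored else ""
        restored.pop(MANIFEST_NAME, None)
        if expected is None:
            if not embedded:
                return ["no manifest available to verify against"]
            expected = parse_manifest(embedded)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> Tuple[List[str], List[str]]:
    """Back up constructed sample data, trial-restore it (expect no problems),
    then truncate the archive to simulate a damaged backup medium."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        source = work_path / "matters"
        (source / "client-a").mkdir(parents=True)
        (source / "client-a" / "engagement.txt").write_text("constructed sample file\n")
        (source / "billing.csv").write_text("matter,hours\n1001,3.5\n")
        archive = work_path / "matters-backup.tar.gz"
        manifest = create_backup(source, archive)
        healthy = trial_restore(archive, manifest)
        raw = archive.read_bytes()
        archive.write_bytes(raw[: len(raw) // 2])  # chop off the second half
        damaged = trial_restore(archive, manifest)
    return healthy, damaged


if __name__ == "__main__":
    ok, bad = run_demo()
    print("healthy backup problems:", ok)
    print("damaged backup problems:", bad)
```

Two design points worth carrying into a real plan: keep the manifest (or at least its hash) somewhere the backup job cannot write to, so that a compromised backup host cannot rewrite archive and manifest together; and schedule trial restores on a machine other than the one that produced the backup, since a restore that only works on the original server tells you little about recovering from its loss.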
Policies and Procedures
Establishing good IT governance procedures within a law firm is critical. Policies should include guidelines that ensure systems are not misused, with practices to ensure that the policies themselves are regularly reviewed and updated to reflect current risks. Ongoing education for all employees of the practice on technology risks should be part of the practice's risk management framework.
Adequate insurance for the law practice must be maintained and should cover the cost of replacing infrastructure, the labor cost of rebuilding systems and restoring data, and the cost of responding to a cyber incident. Cyber insurance, which covers the costs associated with cyber incidents and can also include business interruption, loss of profits, regulatory fines or penalties, ransom payments, and 24/7 incident helplines, is becoming a must-have policy. Read the policy conditions carefully: insurers commonly make cover conditional on controls such as multi-factor authentication and tested backups being in place at the time of the incident.
Establish a Technology Risk Management Framework
The first step a law practice should take is to establish and maintain a technology risk management framework. This includes policies and procedures on how a practice assesses and identifies all risks associated with the use, operation, data security, network security, compliance, ongoing maintenance and enhancements of the firm’s IT infrastructure.
Commence a cloud services migration strategy. Cloud services can be significantly more cost-effective and secure than maintaining in-house servers, provided that due care is taken in understanding the architecture and the cloud provider's service contract. Know who your providers are, where they store your data, and where the provider's responsibility ends and the firm's begins: the provider secures the platform, but the firm remains responsible for its own accounts, access controls, and data. Security controls such as a Cloud Access Security Broker (CASB) and multi-factor authentication should be standard for all practice systems.
It is important to have security controls that protect the practice from malicious attacks. No single product is sufficient; the practice needs layered cyber defenses that proactively combat attacks, including firewalls, endpoint anti-malware (virus, malware and spyware protection), and anti-spam and anti-phishing filtering on email.
Maintain an asset inventory of hardware (including laptops and phones), so that a lost or stolen device can be identified and its access revoked. Maintenance contracts should be sustained with hardware suppliers so that hardware failures can be quickly rectified. Ban staff from using free public Wi-Fi, on company or personal hardware, to access sensitive data.
Keep an up-to-date inventory of current, past, and planned software subscriptions; software the firm has forgotten it runs is software nobody is patching. Keep all systems, devices, and software on supported versions, and apply security patches promptly rather than on an occasional upgrade cycle.
Even if you have addressed all of the above, the best systems will still fail if you do not have appropriate induction and ongoing education programs for staff on emerging risks, supported by documented organizational policies. Some of the largest claims result from simple errors: misuse of a USB stick, clicking a link in a phishing email, or acting on emailed instructions without first verifying the client's identity or a change to client bank account details through an independent channel, such as a phone call to a number already on file.