A law firm’s cybersecurity strategy depends upon fully monitoring and responding to a diverse threat landscape — but this is no easy feat, with daily projects and additional demands that tend to stretch IT resources. While day-to-day maintenance tasks and insider risk protocols are important for long-term protection from different types of cybersecurity threats, it’s important to acknowledge that no solution is 100% effective. No matter how much money a firm is currently investing in cybersecurity, the reality is that it only takes one wrong click for a breach to occur.
Even the largest and most prestigious firms with the best-of cybersecurity solutions are no longer immune to intrusions. For example, DLA Piper was recently struck with ransomware, which affected computers and phones across the firm. Cybercriminals are recognizing the pivotal role law firms play in housing sensitive client information for legal proceedings, and because of this they have begun to target the legal industry with unprecedented force.
For this reason, it’s important to have a restorative plan in addition to a preventative plan for your IT systems. Here are a few steps a law firm can take to ensure critical case data remains intact and accessible after a cybersecurity breach.
1. Leverage Your Backups and Replication
Once you’ve identified an intrusion, it’s critical to pause your replication and backup solutions immediately. For a ransomware situation in particular, having offsite backups of archived data and real-time copies of replicated data in the cloud gives your firm options to retrieve an uninfected copy for quick restoration with the least amount of data loss. Using a cloud-based Disaster Recovery-as-a-Service (DRaaS) enables you to bring you systems online in a separate environment. This allows you to continue working while you proceed with the other steps. No need to pay the ransom.
You’ll want to test the new environment to make sure everything is working correctly before sending all operations back to normal use. This way you can ensure continued service to clients and litigation proceedings as quickly as possible, without the need to take things back offline again — as this will only add frustration.
2. Contact Your Insurance, Law Enforcement and DRaaS Provider Immediately
Notifying insurance will give them a heads up for compiling a claim. Law enforcement can officially document the incident. For the DRaaS provider, this means, as stated in #1, asking them to pause any backups or IT disaster recovery (DR) activities so that you can contain the intrusion from spreading pervasively across all departments and systems. If the attacker is able to enter into your offsite datacenter, this could take a small incident to a gigantic one in minutes.
3. Hire Experts to Assess the Damage
You can’t recover from what you don’t know has happened, or what has been infected or stolen.
State breach notification laws dictate that a law firm must understand and communicate damages to affected parties. Due process in this area means contacting a third-party team of security professionals to be sure the incident doesn’t spread into a larger problem. These experts can review the extent of the infection and damage to your IT systems, do a forensic investigation to determine the cause, and offer recommendations for mitigation. This can also limit client frustrations and legal liabilities, as external parties will know that your firm is performing due diligence in its response. When a breach happens, clients and auditors are concerned how the situation will directly affect them, so if you’re unable to deliver these immediate answers you can, at a minimum, let them know that you are working with recognized experts for a fast resolution.
4. Involve Your Firm’s Leadership
Engage with your partners and other stakeholders in your law firm so that they are notified and on-hand to identify post-attack damage from differing perspectives. This involvement of key individuals will also go a long way in gaining the investment needed for the extensive recovery process, as well as implementing post-attack precautions for the future.
5. Use Your Segmented Networks for Clean-Up
Segmenting your networks puts up some additional walls to protect data sets. Once you’ve identified a breach, the goal is to take everything offline to assess the full extent of the intrusion. Better to halt the firm’s operations right away than extend the downtime by days or weeks with fully-infected IT environments. Having networks segregated from each other allows you to bring each segment online separately to ensure everything is accurate without the risk of a bad application spreading further across the aisle.
6. Address Insider Risk and Identify Additional Attack Vectors
There’s nothing worse than trying to recover from a breach and being hit with another one simultaneously. For this reason, it’s important to understand each of the attack vectors intruders might use to infiltrate your systems and networks. Your policy of “least privilege” should ensure no one has access to information that isn’t necessary for their job roles, which narrows your search for origination in an event.
Email is the most common attack vector for security breaches — which means that the culprit is usually someone within the law firm who has inadvertently clicked a link to a malicious webpage, opened an attachment to invite a ransomware attacker, etc. Blocking file extensions for emails, for example, is a great way to plug weak spots in your overall security strategy.
7. Learn from the Situation and Adapt for the Future
The American Bar Association’s ethical rules place ownership on law firms to ensure client information isn’t compromised again. With this in mind, integrate what your team has learned from this breach to take precautions for the future. Given the growing cyber threats the legal industry is facing, this won’t be your last encounter with a breach, so due diligence may include increasing the specificity of your DR testing, security incident response procedures, playbook documentation or employee education. Be sure that all data not in use — whether in transit or at rest — is encrypted and your DRaaS environments have robust firewalls, with up-to-date patching and licensing too. Should a breach strike your firm again, all of these tips will help to mitigate any potential fallout — such as impacted reputation, loss of client case information, regulatory fines, etc.
Jeff Ton is executive vice president of product and service development for Bluelock where he is responsible for driving the company’s product strategy and service vision and strategy. Ton has over 30 years of experience in business and information technology and previously served as CIO for Goodwill Industries of Central Indiana and Lauth Property Group.