Why cyber security incidents matter
To improve your firm’s resilience to cyberattack, you should start with a thorough risk assessment, including a full accounting of any vulnerabilities present in your technology infrastructure, your operating policies and procedures, and the people who use your system. Your risk assessment should anticipate the full range of cybercrime, including:
- Computer viruses designed to breach or damage your systems and networks
- Phishing attacks that grant access to cybercriminals using your employees’ actual credentials
- Weaknesses in your VPN and other remote-connection protocols
- Overt wrongdoing by employees
- Denial of service attacks that prevent critical digital assets and services from reaching their intended audiences
A risk assessment is just the start. Your firm must address each weakness revealed by your risk assessment, and it must have a detailed plan of response to both successful and unsuccessful cyberattacks. Let’s look at what an incident-preparation plan might look like.
Prepare for the worst
The right time to prepare for a cyber incident is now, before you come under attack. A complete set of security measures, policies, and procedures, including a comprehensive incident response protocol, will not prevent criminals from attacking your network. But they will minimise the damage wrought by an attack, and help your firm regain its footing as quickly and cost-effectively as possible.
Start by mapping your entire digital infrastructure, including remote data-storage facilities and any third parties on whom your firm relies. Then consider what would happen if each of these were unavailable for an appreciable length of time.
- How would the rest of your digital infrastructure be affected?
- How would your firm continue to function in the short run?
- What adjustments would your firm need to make?
- How would you communicate news of the attack and its effects to key stakeholders? Who, for that matter, would need to know of such an incident?
The answers to these questions will help you name an incident response team of appropriate scope. Small firms may find that a single person is enough to manage the response; many firms will need to assemble a proper team. However small or large your incident response team, it must be prepared to coordinate both the investigation of any cyberattack and your firm’s efforts to mitigate the damage wrought when criminals succeed at least partly in breaching your systems.
At minimum, the team should be responsible for the following:
- Assign roles and responsibilities to each team member, ensuring that every core function of the incident response team is assigned to at least one member.
- Create and maintain detailed response plans for each type of incident, including:
  - Viruses
  - Hacker intrusion
  - Ransomware attacks
  - Phishing campaigns
  - Denial of service attacks
- Create and maintain backup and recovery policies and procedures.
- Train all employees and appropriate third parties on your firm’s incident-reporting and incident-response procedures.
- Create, test, and maintain an emergency contact policy.
- Identify the cyber incident response specialist with whom your firm will work after an incident occurs.
Preserve what’s yours
Backing up your firm’s data can help you recover quickly from a cyberattack, and can diminish the threat of ransomware. Your backup policy should include these elements at a bare minimum:
- Backups should be comprehensive, embracing data, software, and all information needed to restore your system’s configuration. You must position your firm to completely restore its digital infrastructure, not just its files.
- Consult the industry’s current best practices for guidance on the schedule on which you back up your data, the nature of each backup (e.g. incremental or differential), the extent of the backup history you maintain, and the infrastructure needed to maintain an adequate store of backup data.
- A complete store of backup data should be stored in a remote location, even if you also store backups at your firm’s facilities.
- Train staff on which information will be backed up, and how they can ensure that data they use on their computers is included in your firm’s backup protocol.
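The guidance above leaves the choice between incremental and differential backups to "industry best practice". The difference matters most at restore time, so the following added example (not part of the original guidance; the file set, schedule and paths are constructed) models both strategies over a four-day schedule, shows which backup sets a restore depends on under each, and fingerprints the restored data so a restore test can be verified rather than assumed. Deletions are not modelled, to keep the chain logic readable.

```python
"""Constructed model of full / differential / incremental backup chains.

Added example, not from the original guidance. It snapshots a small file
set on a constructed daily schedule, restores to a chosen day, reports
which backup sets the restore needed, and verifies the result by hash.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Backup:
    day: int
    kind: str                                   # "full", "differential" or "incremental"
    files: dict = field(default_factory=dict)   # path -> content captured in this set


def snapshot_changes(state, baseline):
    """Files whose content differs from, or is absent in, the baseline."""
    return {p: c for p, c in state.items() if baseline.get(p) != c}


def run_schedule(kind, daily_states):
    """Take a full backup on day 0, then one backup of `kind` on each later day.

    daily_states: list of dicts (path -> content), one entry per day.
    Returns the Backup sets in chronological order.
    """
    backups = [Backup(0, "full", dict(daily_states[0]))]
    last_full = backups[0].files
    last_seen = dict(daily_states[0])
    for day in range(1, len(daily_states)):
        state = daily_states[day]
        if kind == "differential":
            changed = snapshot_changes(state, last_full)   # everything since the last FULL
        elif kind == "incremental":
            changed = snapshot_changes(state, last_seen)   # only since the PREVIOUS set
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        backups.append(Backup(day, kind, changed))
        last_seen = dict(state)
    return backups


def restore(backups, target_day):
    """Rebuild the file set as of target_day. Returns (files, days_of_sets_used)."""
    full_idx = max(i for i, b in enumerate(backups)
                   if b.kind == "full" and b.day <= target_day)
    files = dict(backups[full_idx].files)
    used = [backups[full_idx].day]
    later = [b for b in backups[full_idx + 1:] if b.day <= target_day]
    if not later:
        return files, used
    if later[-1].kind == "differential":
        # A single differential set carries every change since the full backup.
        files.update(later[-1].files)
        used.append(later[-1].day)
    else:
        # Incrementals must be replayed in order; losing any one breaks the chain,
        # which is why the retention history and its offsite copy both matter.
        for b in later:
            files.update(b.files)
            used.append(b.day)
    return files, used


def fingerprint(files):
    """Stable SHA-256 over a file set, used to confirm a restore is exact."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path].encode() + b"\0")
    return h.hexdigest()


# Constructed sample data: one matter file edited on days 1 and 3, a new matter on day 2.
DAILY_STATES = [
    {"matters/smith.txt": "v1", "policies/ir-plan.txt": "v1"},
    {"matters/smith.txt": "v2", "policies/ir-plan.txt": "v1"},
    {"matters/smith.txt": "v2", "policies/ir-plan.txt": "v1", "matters/jones.txt": "v1"},
    {"matters/smith.txt": "v3", "policies/ir-plan.txt": "v1", "matters/jones.txt": "v1"},
]

if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        sets = run_schedule(kind, DAILY_STATES)
        files, used = restore(sets, 3)
        ok = fingerprint(files) == fingerprint(DAILY_STATES[3])
        print(f"{kind:>12}: restore of day 3 needs sets from days {used}; exact={ok}")
```

Running the block shows the trade-off in one line each: the differential restore needs only the day-0 full set and the day-3 differential, while the incremental restore needs every set from day 0 to day 3 but each daily set is smaller. The fingerprint comparison is the kind of check a restore test should end with, since a backup that cannot be proven to restore exactly does not satisfy the "completely restore its digital infrastructure" requirement above.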
Toward a comprehensive incident-response plan
You should arrange for a cybersecurity specialist to review your incident-response protocol. With that said, here are some elements that should be addressed in any such plan.
Diagnosis. Some anomalous events are simply that. Others are signs that your infrastructure is under attack. Your response plan should include a robust set of measures to quickly diagnose potential threats, and to escalate those found to be valid.
Isolation. Once the threat is identified, it must be contained. Compromised elements of your firm’s digital infrastructure should be isolated from those that have not been affected. Depending on the nature of the attack, the damage may have spread far beyond the specific machine or application that first drew the response team’s attention.
Mitigation. Identifying the specific cause of a cybersecurity incident and removing it are typically well beyond the remit of a law firm’s staff. The incident-response plan should, however, contain timely information on the security specialist to whom your firm will turn for this work. Always call a specialist as soon as you suspect a ransomware attack. Criminals may retain access to your system, and any data they have copied and stolen may not be correctly identified.
Documentation and Communication. Draw up a complete description of the attack, and catalogue every digital asset that has been stolen or accessed. Determine the organisations and individuals with whom you will share news of the attack, from the police to the ICO and the Law Society, and any banks, insurers, employees, or clients who might have a stake in the matter. Continue to inform appropriate parties as the investigation proceeds.
Recovery. After the threat has been removed, bring your quarantined systems back into operation and restore your backed-up data where appropriate.
Review. Learn all you can from each cyberattack, even those that did not succeed. Identify opportunities to improve your infrastructure’s security and your firm’s response to cyberthreats.