7 Tips to Make a Cyber Attack Comeback

By Jeff Ton
August 01, 2017

A law firm's cybersecurity strategy depends upon fully monitoring and responding to a diverse threat landscape — but this is no easy feat, with daily projects and additional demands that tend to stretch IT resources. While day-to-day maintenance tasks and insider risk protocols are important for long-term protection from different types of cybersecurity threats, it's important to acknowledge that no solution is 100% effective. No matter how much money a firm is currently investing in cybersecurity, the reality is that it only takes one wrong click for a breach to occur.

Even the largest and most prestigious firms with the best-of cybersecurity solutions are no longer immune to intrusions. For example, DLA Piper was recently struck with ransomware, which affected computers and phones across the firm. Cybercriminals are recognizing the pivotal role law firms play in housing sensitive client information for legal proceedings, and because of this they have begun to target the legal industry with unprecedented force.

For this reason, it's important to have a restorative plan in addition to a preventative plan for your IT systems. Here are a few steps a law firm can take to ensure critical case data remains intact and accessible after a cybersecurity breach.

1. Leverage Your Backups and Replication

Once you've identified an intrusion, it's critical to pause your replication and backup solutions immediately. For a ransomware situation in particular, having offsite backups of archived data and real-time copies of replicated data in the cloud gives your firm options to retrieve an uninfected copy for quick restoration with the least amount of data loss. Using a cloud-based Disaster Recovery-as-a-Service (DRaaS) enables you to bring your systems online in a separate environment. This allows you to continue working while you proceed with the other steps. No need to pay the ransom.

You'll want to test the new environment to make sure everything is working correctly before sending all operations back to normal use. This way you can ensure continued service to clients and litigation proceedings as quickly as possible, without the need to take things back offline again — as this will only add frustration.

2. Contact Your Insurance, Law Enforcement and DRaaS Provider Immediately

Notifying insurance will give them a heads up for compiling a claim. Law enforcement can officially document the incident. For the DRaaS provider, this means, as stated in #1, asking them to pause any backups or IT disaster recovery (DR) activities so that you can contain the intrusion from spreading pervasively across all departments and systems. If the attacker is able to enter into your offsite datacenter, this could take a small incident to a gigantic one in minutes.

3. Hire Experts to Assess the Damage

You can't recover from what you don't know has happened, or what has been infected or stolen.

State breach notification laws dictate that a law firm must understand and communicate damages to affected parties. Due process in this area means contacting a third-party team of security professionals to be sure the incident doesn't spread into a larger problem. These experts can review the extent of the infection and damage to your IT systems, do a forensic investigation to determine the cause, and offer recommendations for mitigation. This can also limit client frustrations and legal liabilities, as external parties will know that your firm is performing due diligence in its response. When a breach happens, clients and auditors are concerned about how the situation will directly affect them, so if you're unable to deliver these immediate answers you can, at a minimum, let them know that you are working with recognized experts for a fast resolution.

4. Involve Your Firm's Leadership

Engage with your partners and other stakeholders in your law firm so that they are notified and on-hand to identify post-attack damage from differing perspectives. This involvement of key individuals will also go a long way in gaining the investment needed for the extensive recovery process, as well as implementing post-attack precautions for the future.

5. Use Your Segmented Networks for Clean-Up

Segmenting your networks puts up some additional walls to protect data sets. Once you've identified a breach, the goal is to take everything offline to assess the full extent of the intrusion. Better to halt the firm's operations right away than extend the downtime by days or weeks with fully-infected IT environments. Having networks segregated from each other allows you to bring each segment online separately to ensure everything is accurate without the risk of a bad application spreading further across the aisle.

6. Address Insider Risk and Identify Additional Attack Vectors

There's nothing worse than trying to recover from a breach and being hit with another one simultaneously. For this reason, it's important to understand each of the attack vectors intruders might use to infiltrate your systems and networks. Your policy of “least privilege” should ensure no one has access to information that isn't necessary for their job roles, which narrows your search for origination in an event.

Email is the most common attack vector for security breaches — which means that the culprit is usually someone within the law firm who has inadvertently clicked a link to a malicious webpage, opened an attachment to invite a ransomware attacker, etc. Blocking file extensions for emails, for example, is a great way to plug weak spots in your overall security strategy.

7. Learn from the Situation and Adapt for the Future

The American Bar Association's ethical rules place ownership on law firms to ensure client information isn't compromised again. With this in mind, integrate what your team has learned from this breach to take precautions for the future. Given the growing cyber threats the legal industry is facing, this won't be your last encounter with a breach, so due diligence may include increasing the specificity of your DR testing, security incident response procedures, playbook documentation or employee education. Be sure that all data not in use — whether in transit or at rest — is encrypted and your DRaaS environments have robust firewalls, with up-to-date patching and licensing too. Should a breach strike your firm again, all of these tips will help to mitigate any potential fallout — such as impacted reputation, loss of client case information, regulatory fines, etc.

*****

Jeff Ton is executive vice president of product and service development for Bluelock where he is responsible for driving the company's product strategy and service vision and strategy. Ton has over 30 years of experience in business and information technology and previously served as CIO for Goodwill Industries of Central Indiana and Lauth Property Group.
