Incident Response: What Every Law Firm Should Know
Katherine Riley, CISA, CISM

In 2017, 1 in 5 law firms were hacked. By early 2019, 25% of all law firms have experienced a data breach. Nevertheless, fewer than half of all law firms in the US have an adequate incident response plan in place, and less than a third of those firms with plans have undertaken any testing to ensure their preparedness in case of an attack.

The lack of planning and testing only increases the dangers law firms face.  The recent experience of one small firm, located on the east coast, illustrates just how quickly inadequate planning can lead to a dramatic escalation in the ultimate cost of a cyber-attack. In this case, after a ransomware demand surfaced on a lawyer’s laptop, the firm’s IT Director quickly discovered the firm’s server had also been ransomed as well as their online backup.  The online backup had been the basis for the firm’s recovery plan, because the IT Director had overlooked the possibility that a security breach could potentially crawl the network and encrypt the online backup.  In any event, since the ransom was not too expensive, and there was no way to recover the data, the IT Director advised the firm partners to pay and systems were restored.

In the aftermath, the IT Director began to review the security of the system but quickly got distracted by other pressing matters.  Three weeks later, before he had a chance to fix the security patches, that led to the ransomware, the IT Director walked into work only to be confronted by three attorneys who were boiling mad.  Ransomware again, they said!  Except for this time the demand was triple the cost of the first attack.  The partners insisted they were not going to pay again!  However, the IT Director instantly realized that recovery was impossible because he never got around to storing backups offline or segmenting the network.  And therein lies the risk of inadequate planning and testing.

Steps to Take

Law firms should begin with the end in mind when it comes to creating an Incident Response (IR) plan.  What impacts to the firm, clients, employees, and partners can occur as a result of a security breach?  Since a breach can result in such dramatic disruption of the firm’s entire operation, it’s important that the IR plan is developed with proper input from key stakeholders, such as HR and Legal, instead of leaving everything in the hands of the IT staff.  Of course, the IT staff will be primarily responsible for executing on the IR plan that’s put in place, but you need to anticipate the full ramifications on the firm’s business in order to be properly prepared.

Consider having key stakeholders support the formulation and implementation of the plan by following these five steps.

  1. Identify key processes for firm operations ranging from client services to HR management. What key risks, dependencies, and knowledge are needed to keep the firm in business?
  2. Place values on each process in order to prioritize what data should be recovered first and identify the consequences and impacts that will result from resources becoming unavailable. Know the risks.
  3. Build the IR plan to manage the risks. Reverse engineering to map to a database, application, or knowledge resource.  When you can define the what, who, how, and why, then you can define how systems and controls should be designed to minimize impact, ensure lines of communication and decision makers are identified with specific actions that need to be taken.
  4. Create the team responsible for IR plan execution. This should not be limited to IT engineers but should include appropriate HR and marketing staff responsible for employee communication and press notifications; Legal personnel should also be identified to manage communications with clients and partners as well as determining what evidence needs to be preserved and when to notify the FBI.
  5. Train the IR team and employees. The more teams become familiar with the implementation of the IR plan, the more effective your IR plan will be in reducing overall impact.

Development of the IR plan presents an opportunity to engage the whole firm in the process and create an awareness of what constitutes a security breach in the first place and as well as what the likely impacts will be on the firm’s business.  As you build your plan, ensure consistent management involvement throughout the process, including each of the six key stages:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

All too often, testing the IR plan gets completely overlooked.  As in the case of the IT Director who was caught without completing remediation activities, the ultimate cost of a breach will be amplified in the absence of adequate testing of a firm’s IR plan.

The Role of Third-Party Consultants

For firms that have struggled to engage all stakeholders in the planning process, or otherwise failed to invest in the tools and resources necessary to build out and test their IR plans, engaging a third-party consultant can be the answer.  External consulting services play a pivotal role in facilitating the conversation, asking the tough questions on cyber insurance, identifying single points of failure, dependencies, and budgeting needs.

This has been a key service offering Braintrace provides to our law firm clients. In addition to helping firms build an IR plan, we also support training teams on plan activities and assist with plan testing. Additionally, Braintrace can assist with vCISO services to support your IT department or firm’s objectives for continuity of services.

In conjunction with the IR plan process, Braintrace can also assist by performing a security risk assessment that identifies the strength of controls in place across all systems, infrastructure, and applications.  Having good information available about your risk profile supports management’s ability to make informed decisions in formulating the IR plan. You don’t want to be struggling to play catch up after a breach has occurred, which will only put your firm at risk of facing escalating ransom demands in the wake of the second incursion.

Take adequate steps now to ensure your firm is prepared.  Create an IR plan, test the plan, and train your employees on how to respond to a security breach in order to reduce the likely cost and severity of business interruption if and when a breach occurs.