Your Voice

Rethink your law firm's IT disaster recovery strategy




Information technology-related disasters are among the biggest contributors to long-term business disruption for law firms. Major data breaches that shut down entire systems, natural disasters that physically destroy data centers and purposeful cyberattacks threaten a law firm’s business continuity.

Innovative law firm leadership teams already recognize the risk IT threats pose, given the high volume of sensitive and confidential information they are responsible for. But with the recent implementation of the European Union's General Data Protection Regulation and near-constant news of data breaches, even the savviest and best-prepared law firms need to regularly re-examine their disaster recovery plans. Neglecting your disaster recovery plan can be costly: IBM estimates the global average cost of a data breach at $3.9 million. It is also a risk to client relationships. According to Logicforce, 48 percent of firms report being audited by at least one corporate client in the past year.


For any law firm, developing a disaster recovery plan is one thing—it is another to maintain it. Often law firms create a strategy that sits on the proverbial shelf, where it is never simulated, tested or modified as time passes and threats evolve.

It is critical for a law firm’s IT team to work closely with leadership to maintain best practices when it comes to disaster recovery. Failing to do so can leave a law firm completely exposed when a failure or attack occurs, resulting in potential fines, loss of business or prolonged downtime.

Whether prompted by new regulations or by a recently publicized cybersecurity breach, every firm should review its recovery strategy regularly. IT departments at law firms should ask themselves several questions to determine whether they remain prepared:

    1. What is needed to perform the recovery process? Start by taking a fresh look at the components needed to execute the existing plan. To do this, itemize everything related to the plan, including hardware and operating systems, communications, facilities, applications, personnel and anything else critical for keeping IT up and running. Once you have those items properly inventoried, it is time to examine the tactical process. Keep a current document outlining processing requirements, a list of what would need to be replaced in the event of a natural disaster and an easily accessible database of contact information for all vendors; "accessible" means reachable even when the firm's own systems and network are the thing that has failed.
    2. What standards are current in the industry? Next, it is important to measure and assess the firm’s operational standards against industry best practices. This is especially important in the face of massive regulatory changes like GDPR. Law firms should also pay attention to the plans their peers—and competitors—have in place in the event of a disaster. The ABA’s federal government resources page is a good place to start when assessing best practices and information on cybersecurity for law firms.
    3. What components are covered in the plan? A comprehensive disaster recovery plan should focus on restoring the firm’s physical IT infrastructure, systems and data networks. It should also include clear, strategic goals and processes related to the recovery—elements that should be established at the outset. This includes specific procedures involved, assigning roles to employees, a plan for internal and external emergency communications, a timeline for recovery and a contingency plan for the organization to continue operations should a disaster strike. This can more simply be broken down into defining the resources, actions, tasks and data that will be required to manage the recovery from start to finish.
    4. Does the plan perform in practice? Simulating a disaster and executing the plan as if it were actually happening will stress test the strategy and reveal any weaknesses or changes that need to be made. It also lets the staff members essential to the plan get accustomed to a disaster scenario. This testing should be done on a regular basis, about every six months, to keep the team's skills sharp, and the results should be documented, evaluated and used to train staff for continual improvement. Treat a drill that fails as the most useful outcome: it shows exactly what to fix.
    5. What changes should be made to ensure the strategy is current? The pace at which technology is advancing means that a disaster recovery plan is likely outdated in less than a year, and that span keeps shrinking. Revisit the plan about every six months, and sooner whenever there are major changes at the firm or alterations to the IT infrastructure, so that the inventory, contacts and procedures still match what is actually deployed.
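The five questions above amount to a procedure: inventory the components, record the recovery requirements for each, drill the plan and check the plan and its drills against the six-month cadence the article recommends. As an added illustration (not code from the article or its authors), the script below codifies that procedure. It flags a plan review or a component drill older than six months, components that have never been drilled, missing vendor contacts and restores that missed their recovery targets. The targets are expressed as recovery time and recovery point objectives (RTO and RPO), standard terms that the article does not itself use, and every firm, vendor, date and drill result in the sample data is constructed for the example.

```python
"""Evaluate a disaster recovery plan against its own inventory and drill results.

Constructed example: all components, vendors, dates and drill results below
are made up for illustration and do not describe any real firm.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# "About every six months", per the article; 183 days is an assumed cut-off.
REVIEW_INTERVAL = timedelta(days=183)


@dataclass
class Component:
    name: str
    category: str           # hardware, application, communications, facility, personnel
    vendor: str
    vendor_contact: str     # empty string means no contact on file
    rto_hours: float        # recovery time objective: assumed target, not named in the article
    rpo_hours: float        # recovery point objective: assumed target, not named in the article


@dataclass
class DrillResult:
    component: str
    drill_date: date
    restore_hours: Optional[float]    # None means the restore failed or was not attempted
    data_loss_hours: Optional[float]  # how much data the restored copy was missing


@dataclass
class Finding:
    component: str
    issue: str


def evaluate_plan(components: List[Component], drills: List[DrillResult],
                  plan_last_reviewed: date, today: date) -> List[Finding]:
    """Return every gap between the plan's targets and what the drills showed."""
    findings: List[Finding] = []

    # Keep only the most recent drill per component.
    latest: Dict[str, DrillResult] = {}
    for d in drills:
        if d.component not in latest or d.drill_date > latest[d.component].drill_date:
            latest[d.component] = d

    age = today - plan_last_reviewed
    if age > REVIEW_INTERVAL:
        findings.append(Finding("plan", f"plan not reviewed in {age.days} days"))

    for c in components:
        if not c.vendor_contact:
            findings.append(Finding(c.name, "no vendor contact on file"))
        d = latest.get(c.name)
        if d is None:
            findings.append(Finding(c.name, "never exercised in a drill"))
            continue
        drill_age = today - d.drill_date
        if drill_age > REVIEW_INTERVAL:
            findings.append(Finding(c.name, f"last drill {drill_age.days} days ago"))
        if d.restore_hours is None:
            findings.append(Finding(c.name, "restore failed or not attempted in last drill"))
            continue
        if d.restore_hours > c.rto_hours:
            findings.append(Finding(c.name, f"restore took {d.restore_hours}h, RTO is {c.rto_hours}h"))
        if d.data_loss_hours is not None and d.data_loss_hours > c.rpo_hours:
            findings.append(Finding(c.name, f"lost {d.data_loss_hours}h of data, RPO is {c.rpo_hours}h"))
    return findings


# Constructed sample inventory and drill log (hypothetical vendors and contacts).
SAMPLE_COMPONENTS = [
    Component("document management", "application", "DMS Vendor", "support@dms.example", 8, 1),
    Component("email", "communications", "Mail Host", "", 4, 1),
    Component("billing", "application", "Billing Vendor", "help@billing.example", 24, 24),
    Component("time entry", "application", "Time Vendor", "ops@time.example", 24, 4),
]
SAMPLE_DRILLS = [
    DrillResult("document management", date(2018, 9, 1), 6.0, 0.5),   # within RTO and RPO
    DrillResult("email", date(2018, 9, 1), 10.0, 4.0),                 # misses both
    DrillResult("billing", date(2017, 11, 1), None, None),             # stale, and the restore failed
]


def run_sample() -> List[Finding]:
    """Evaluate the constructed plan as of an assumed review date."""
    return evaluate_plan(SAMPLE_COMPONENTS, SAMPLE_DRILLS,
                         plan_last_reviewed=date(2018, 1, 15), today=date(2018, 10, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.component}: {f.issue}")
```

The point of the script is not the arithmetic but the discipline: once the inventory, targets and drill log are written down in a form a machine can compare, "does the plan perform in practice?" has an answer that cannot be softened in a status meeting, and a component that has never been drilled shows up by name rather than being assumed to work.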


These questions should help guide law firms as they revisit an existing plan, or even create a new one. It should be noted that no plan is perfect or foolproof, so law firms should be realistic. Expecting perfection only tempts employees to mask less-than-optimal results during planning or testing to create a false sense of readiness. Instead, seek the unvarnished truth and alleviate the biggest vulnerabilities before disaster strikes.

Jeff Norris is senior director of information security at HBR Consulting's managed technology services division. Greg Inge is founder and executive director of CQR Consulting, a provider of cybersecurity services.
