Imagine this (not-so-outlandish) scenario: Your law practice has suffered a data breach. Your email accounts, computers or networks have been compromised and your confidential data is no longer confidential. It doesn’t matter how it happened—whether it was a cyberattack, a phishing scam or simply human error. If you are the victim, then you have to respond and protect yourself, your firm and your clients from further harm. If your client was victimized, you might get a frantic call seeking advice.
The best and most effective way to avoid a worst-case scenario is to have a structure already in place to deal with and respond to cyberincidents. Failure to prepare is preparation for failure, and lawyers must invest time toward incident response planning before a breach occurs. Planning for a data breach may seem less fun than preparing for a serious traffic collision, but it comes with benefits that include knowledge, prevention and better response. Contemplating the consequences of a serious cybercrime allows us to properly allocate time and money toward avoiding it.
Good incident response planning and good cybersecurity go together and are continual processes. Planning starts before the breach—just like driver’s education starts before the imminent traffic accident. When it is time to take emergency evasive action, you already should know how to use the steering wheel and brake. After the collision, you should know what to do, including whether you are allowed to leave the scene or must notify the police.
The threats and risks are clear: Our profession makes us targets, and we have special duties of confidentiality and competence. Attorneys are subject to frequent cybercrime attacks, email accounts are breached, and we are solicited to move money for cybercriminals. Law firms have been breached, their secrets exposed to the world or used for insider trading—the Panama Papers, the Paradise Papers and other events speak to that. Knowledgeable lawyers can protect themselves and their clients.
BREACH RESPONSE OVERVIEW
For background, consider the computer security incident-handling steps from the National Institute of Standards and Technology, outlining four cyclical phases of incident response beginning before the commission of a cybercrime: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
The NIST cybersecurity framework also envisions a continual process through identifying operations, assets and data; protecting on a risk-prioritized basis; detecting cybersecurity events; responding to them; and recovering from them.
These are helpful frameworks for information security professionals, and this article adapts them for your incident response planning.
PREPARE FOR THE CYBERCRIME
Before disaster strikes, develop foundational knowledge and improve your cybersecurity posture in your personal and work lives. To get started, read my article in the ABA’s September/October 2017 GPSolo magazine, “Cybercrime and Fraud Protection for Your Home, Office, and Clients.”
Develop an incident response plan. Perform risk analysis, evaluate threats, consider probabilities and potential harms, and think about how you would respond. Ask three questions to address the critical information security concepts of confidentiality, integrity and availability.
- What confidential information do I store, where is it, and what would happen if it were stolen? Think data breach.
- What harm could a hacker do by tampering with my systems, including by hacking my email account and sending emails as if he were me?
- What information and systems are essential? What if I could no longer access them? Consider a ransomware attack.
Think about your incident response procedure and whether it is periodically reviewed, practiced and updated. If nothing is written down, consider getting started with a list, plan or call tree.
Which people are required to respond to an incident, inside and outside your organization? Identify them and their roles and responsibilities ahead of time, and ensure the team can contact one another in a crisis. They should include: designated incident handler; legal counsel; public relations; information technology; digital forensics investigation and recovery; insurance; and law enforcement and other government agencies.
DETECTING A BREACH OR FRAUD
When anomalies occur, we have to know about them and determine whether they are merely an event or a serious incident. We are all important sensors, whether or not we work in a large organization that has tools and personnel dedicated to detecting and preventing a data breach—and especially in smaller organizations.
Attorneys and our clients may need to rely upon our wits, knowledge, communication skills and the ability to review and configure our applications. Again, this starts before the breach. Checking the settings for our applications is as important as turning the lock on our door or setting the burglar alarm. If we fail to do this properly, our tools are ineffective.
We should periodically review the security and privacy settings for our email and cloud accounts and configure them to alert us when there is suspicious activity. We have to discern genuine alerts from fraudulent phishing attempts and be aware of suspicious behavior from our devices and the people we communicate with. Yes, people, too. After all, people can be easily impersonated, and their email accounts can be easily hacked.
Pick up the phone and have a verbal conversation when in doubt. This improves security, combats social engineering, and builds personal relationships. We should warn our clients of fraud risks, including business email compromise and bank wiring scams.
John Bandler is the founder of the Bandler Law Firm in New York City, which helps firms, businesses and individuals with cybersecurity, cybercrime investigations, litigation support and other areas. He is the author of the ABA-published book Cybersecurity for the Home and Office: The Lawyer’s Guide to Taking Charge of Your Own Information Security, which includes sections on incident response planning and procedures.
This article was published in the July 2018 ABA Journal magazine with the title: “Preparing Today for Tomorrow’s Attack: A cybersecurity expert details how to prepare for and plan against a cyberattack.”