This article is the third in the series on Business Succession Planning. It will discuss steps to protect your IT systems and how to establish a disaster recovery/business continuity plan for your office.
As more lawyers rely on technology to practice, cyber-attacks and scams have increased, and COVID-19 raised the bar for law firm cyber security. Start with a technology audit of ALL devices used by all lawyers and staff. The first step is to list every device; a spreadsheet works well for recording the device, who uses it, and what cyber security measures protect it.
Make certain that all listed devices have up-to-date passwords and current malware, antivirus, and spam filters. It is a good idea to record the password for each device, along with the date it was set, and keep that information in a protected format. (Do NOT keep passwords in an Excel or Word document labeled “Passwords”.) If you have already completed a technology audit, schedule regular reviews to update and revise it as devices and passwords change.
You can take these additional steps to protect your IT systems:
- Adopt two-factor authentication: This is the easiest step to add protection on password-protected accounts.
- Utilize secure passwords.
- Don’t use the same password across accounts and applications.
- Consider using a pass phrase – a short, secure phrase that you will remember, but others will not guess.
- Access your system remotely using a secure VPN.
- Don’t use public or unsecure Wi-Fi.
- Encrypt emails containing confidential or proprietary information.
- Consider offline backups: Offsite backups in addition to onsite can help protect against ransomware.
- Train lawyers and staff to avoid phishing emails and other scams.
- Adopt and test an Incident Response Plan (IRP).
- Have adequate cyber insurance: What Coverage Do I Have for a Cyber Breach If I am Working Remotely?
It cannot be stressed enough how important it is to remind lawyers and staff of the ongoing cyber threats from phishing scams, wire fraud schemes, ransomware, and email fraud. Please visit the OBLIC Cyber Toolbox for training materials on how to avoid phishing attacks and common social engineering attacks. The training will give you tools and resources to protect your devices and information.
Another task is to implement or update your Incident Response Plan (IRP). The OBLIC Cyber Toolbox has a sample Incident Response Plan. If you already have an IRP in place, you can use the information on the Cyber Toolbox to test your plan using the breach scenarios for your own tabletop exercises.
The other lesson learned from COVID is the need for a Disaster Recovery/Business Continuity Plan. Many law offices did not have a contingency plan for operating away from the physical office. This situation can also arise from a fire, flood, natural disaster, or other emergency. Although lawyers generally still had access to their offices during the pandemic, circumstances may have curtailed that access. Act now to put your own Business Contingency Plan in place. The OBLIC Cyber Toolbox has a helpful section with steps to create your business continuity plan. The Business Continuity Development Guide lists four steps to establish the plan:
- Conduct a business impact analysis.
- Identify, document, and implement recovery strategies for critical business functions.
- Organize a business continuity team and compile a business continuity plan.
- Conduct training for the team and testing and exercises to evaluate recovery strategies.
You can follow the steps in the Guide to write your Business Continuity Plan. Then you can use the Training and Testing modules to conduct exercises with your lawyers and staff.
With these excellent resources, there is no excuse not to have plans in place to protect your IT and the most important asset – your law firm business continuity. As always, if you have questions, I’m happy to discuss these or any other loss prevention topics. OBLIC is here to help!
Gretchen Mote, Esq.
Director of Loss Prevention