by Zach Olsen
In the wake of the recent Petya cyberattack — which spread ransomware around the globe from Ukraine to the United States — many of our professional services and legal clients have been asking us how they can at least prepare for, if not prevent, the eventuality of a breach or cyberattack.
This time around, the attack indiscriminately hit an array of industries from shipping and financial services to legal and utilities. Unfortunately, DLA Piper suffered a system breach that encrypted files and shut down its phone and email access.
The legal industry has been preparing for attacks like this for some time, purchasing cyber insurance policies and educating staff and vendors on the risks associated with poor data security practices. But more can and should be done, including performing pre-breach tabletop exercises and formulating incident response plans (IRPs) that force the firm to ask tough questions about how it will respond in the event of an attack.
Below are 10 key takeaways from the Petya attack, with thoughts on what law firms can do to avoid a situation like the one that crippled DLA.
- Have a formal INCIDENT RESPONSE PLAN. It will dramatically reduce response time.
- PLAN FOR THE WORST. Phones will be out, email will be down and your website will have crashed.
- BE READY to deal with an attack or breach. The longer you wait to respond, the worse the problem gets.
- Implement systems that will allow you to COMMUNICATE with employees and clients quickly, decreasing the likelihood any breach will spread and increasing confidence that the firm has the incident under control.
- Have one DESIGNATED SPOKESPERSON who can curtail speculation about what is happening at the firm among traditional and social media channels by communicating using the “Three Cs” — clear, consistent and concise.
- Ensure staff members KNOW THEIR ROLES, from admins and associates to CISOs and managing partners. Everyone’s actions directly impact the success or failure of a breach response.
- Build an INCIDENT RESPONSE TEAM of people you trust who understand how your firm is structured, how you communicate with clients and the media, and what risks are associated with the types of law being practiced.
- Learn from the mistakes of others and TWEAK YOUR IRP to reflect lessons learned from breaches in other sectors.
- Regularly UPDATE AND TEST your plan to account for changes to the Incident Response Team, new risks to the firm and employee training practices.
- If a breach occurs, FOLLOW THE PLAN and don’t panic. People are human and make mistakes under pressure. Trust the plan, listen to your Incident Response Team, and be honest and transparent with your employees, clients and the media.
Zach Olsen is the President of communications firm Infinite Global where he leads its crisis response and reputation management group, helping organizations and individuals prepare for and respond to crises that threaten their reputations, brands and bottom lines.