• March 19, 2024
 Responding to a Cyber Security Breach

Responding to a Cyber Security Breach

Continuing with our compliance theme, Matthew Locker, a Cyber Security Consultant at Apstorm has shared his ideas on how law firms can remain compliant in the modern world.

The legal sector is rich in sensitive data and financial transactions, unfortunately, this makes it an attractive target for many cyber actors including, criminals, activists and possibly disgruntled claimants.

Depending on the size of the firm, it may come down to the Practice Manager to repair the damage if the systems are breached. This post gives an overview of what steps a law firm can take in advance and what it could do if a breach happens.

Creating  an Incident Response (IR) Action Plan

In times of crisis, a well crafted and communicated plan helps everyone understand the path forward and their role.  Creating an IR plan is not going to take away the anxiety, but it will make co-ordination much clearer and convey to staff and clients the organisation is in control.

The plan could include:

  1. Who is responsible?
  2. The initial steps the organisation takes to secure the situation?
  3. Commissioning an IR specialist that does the technical part of the remediation
  4. Making a documented report of the situation
  5. A communication plan to the relevant stakeholders in the firm and 3rd parties
  6. Lessons learned and protecting the business for the future

 

  1. Who is responsible?

Identify in advance, the people that are responsible and what their roles are should an incident happen. This may be one person or different people depending on the size of the firm.

Employees need to know how to report an incident if they feel they may have accidentally done something, e.g. clicking a link on a Phishing email, accidentally sending confidential information to the wrong party or downloading something from an untrusted website.

  1. What are the initial steps the business should take?

Time is of the essence in a security breach, the below are some factors that need to be considered:

  1. The initial response may vary depending on the type of incident and who has skills internally, or what the IR Consultancy have advised if they are engaged in advance of any incidents. But for instance, a first step may be securing the IT systems from the outside world, this may mean disconnecting the internet cable but keeping the systems running as not to wipe the system logs and audit trail, important to forensically analyse what has been tampered with and what has been taken.
  2. Communicating with staff that there is a problem, how the firm is dealing with it and what they should and should not do.
  3. Contacting an IR consultancy that can help remediate the situation.

 

  1. Commissioning a Specialist IR Consultancy to help

Most organisations will need a specialist IR Consultancy to help resolve the situation. Prices can vary and it is worth getting upfront fixed costs along with experience, case studies and any accreditations. The consultancy may be happy to honour the pricing for 12 months if they are needed, or offer some kind of subscription service like insurance, should an incident happen.

If an IR Consultancy can be commissioned before the event, it usually makes the response quicker. They may have procedures that need to be followed if a breach happens and they may install technology to enable a swifter response to the incident.

  1. Creating a report of the situation

The IR Consultancy should document what happened. But it may also be useful for the firm to produce a report, this could include:

  1. When the breach was found and when it happened, these could be different times and dates.
  2. Which systems have been infected and compromised and details of the breach?
  3. What is the collateral damage, e.g. missing information, downtime of service or systems, malware infection, etc?
  4. Who has been affected, including, staff, clients, other businesses?
  5. What has been done to resolve the situation?
  6. What has been put in place to prevent it from happening again?
  7. Who has the incident been communicated with?

 

  1. Communicating the breach

This is where reputational damage can be mitigated with a clear, solid response. The IR Consultancy may be able to help here too.

What needs to be communicated:

  • The incident has to be reported to the Information Commissioner’s Office (ICO) for GDPR, this must be done within 72 hours of discovering the incident and is a legal requirement.
  • Staff should be informed on how to deal with any inquiries from clients, press or third parties and who to escalate questions too.
  • Putting out a formal response to third parties, customers, trade bodies, business partners, the press, etc. This should include what has happened, what was involved (E.g. Systems, people, information, third parties, etc), what has been done (Remediation work, a specialist involved in the cleanup, etc) and how the situation has been secured going forward.
  1. Lessons learned and protecting the business for the future

After the breach, the organisation should reflect on the incident and take steps to ensure that it can not happen again. It may also want to look at cybersecurity “In the round” examining where else it may be vulnerable to attack. The IR consultancy may be able to help with this.

There are government certifications that can also help, like Cyber Essentials Plus. It is an accreditation the firm can display to show it takes cybersecurity seriously.

The National Cyber Security Centre (NCSC) has free staff training that takes 30 minutes and covers threats, like Phishing, Malware and using Passwords. It can be found here: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available .

Conclusion

Cyber threats are unfortunately another hazard that the legal sector needs to live with. However, with some preplanning, training and technology in place, law firms can reduce their risk and be confident that if a breach happens, they know how to respond to it.

Get 6 Months of Incident Response Cover for Free from Apstorm

Attend Apstorms Webinar and Get 6 Months of Incident Response for Free, click here for details https://apstorm.co.uk/home-2/webinar_xdr_pentesting/

Jennifer van Deursen