Risk Management in Law Firms: Disaster Recovery Planning

n my previous blog, GCHQ Warns of Cyber Threat to the UK Legal Sector, I highlighted the 4 most significant cyber threats that law firms should be aware of.  One of these is ransomware, and whilst any law firm’s focus should be on implementing policies and technologies (such as Epoq IT’s MySecurity) that try to avoid being infected with ransomware in the first place, it is also essential that firms have in place an effective disaster recovery strategy that can be used should the worst happen.

Ransomware is a rapidly growing problem, with a recent report by Barkly revealing that a company is hit with ransomware every 40 seconds and, alarmingly, 71% of companies targeted by ransomware attacks were successfully infected. The same report revealed that 72% of infected businesses lost access to data for two days or more while 32% of firms were locked out of their data for up to 5 days.

From an SRA compliance perspective, ransomware poses a number of risks including:-

• The potential for a negative impact on the structural or financial stability of a law firm (Principle 8)
• A breach of client confidentiality (Outcome 4.1)
• A risk to clients and their assets including information and money (Principle 10)

Therefore it is imperative that firms manage the risks around ransomware, and indeed other issues such as hardware, software or power failures which could also impact on the structural or financial stability of the firm.

So how does this translate into practicalities?

Well some of the things I would recommend considering would be:-

1. Implementing a multi-layered backup strategy

It is not enough to rely on a single backup solution these days, as recovery from different types of disasters may require a different backup strategy. For example, real-time replication of data to a backup server is a very useful way of providing almost instantaneous recovery from a hardware failure of the live server. However, if we take a disaster like a ransomware attack (where your files are encrypted) or a software corruption, then the problem with real-time replication is that the corruption or malware is immediately replicated to the backup server too, rendering it useless.  In these types of cases, an offline backup or periodic “snapshot” of your systems and data is much more effective as it allows you to restore your data and systems to a point in time before the incident occurred.

2. Considering your Required RTO and RPO

The RTO, or Recovery Time Objective, is the amount of time your firm could cope without access to some or all of your data and systems. This is likely to vary depending on the nature of the data/system – for example, current case records or email may require an RTO of only a few minutes, whilst an archived cases folder may have an RTO of several days.

The RPO, or Recovery Point Objective, is the amount of data loss that your firm could tolerate. This will dictate the frequency of your backups. For example, if you only backup overnight, then in a disaster that necessitated restoring the previous night’s backup you could lose up to a full day’s data updates and emails. Is that acceptable to your firm? How would you know what data has been lost and how would you re-create it? What about emails?

3. Carrying out Regular Testing

Testing is paramount to expose any flaws or omissions in the disaster recovery plan. Our use of technology is moving on at speed the whole time, and there is no guarantee that a D/R plan that was created a year ago will work today. Equally, the RPO and RTO which were deemed acceptable by the firm a year ago, may be anything but acceptable now. Increasing pressure from customers and regulators may also mean that your D/R plans need much more frequent review, testing and updating in order to be in-line with your customers’ expectations and compliance requirements.

4. Running a Business Continuity and Disaster Recovery Assessment

It is a good idea to get an independent disaster recovery audit of your firm’s network, including all servers and workstations, which will provide a benchmark of your current D/R position and a customized, data-driven list of recommendations for improving the backup and disaster recovery of the network.

I hope this article has given you some useful insight into the type of issues to be considering around risk management in relation to disaster recovery. If you have any questions, or you would like information on Epoq IT’s range of data backup, disaster recovery and independent D/R assessment services for law firms, then please do not hesitate to contact me on 01494 444065 or email david.wills@epoq-it.co.uk when I will be happy to arrange a no obligation conference call.

Epoq IT work with small and medium size law firms, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information please visit our website http://epoq-it.co.uk/law-firms-solicitors-and-legal-services-businesses/