Working together to achieve a new standard of cyber-resilience

Working together to achieve a new standard of cyber-resilience

As highlighted earlier, legal organisations are entrusted with their client’s most sensitive and confidential data. As a result, they have a legal and moral responsibility to adequately invest in keeping that data safe and ensure malicious actors cannot use it to hold the firm or client to ransom. This means a new breed of cyber-resilience is required.

In our experience working with businesses in the legal sector (and numerous others), there are proven tactical measures and strategies that enhance business resiliency, minimise time to recovery, and provide clients with complete confidence that their data is secure.

The question then, is which measures will prove most effective for legal firms and their customers in terms of minimising the overall time to recovery in the event of a successful attack. For this reason, when we engage with firms to help develop cyber-resilience, regardless of their current level of cyber-maturity, our first questions are always intended to evaluate how long the firm can survive a ransomware attack by establishing the true financial cost of downtime. To this end, we encourage both self-assessment and expert assessment, as this will help develop a wider view of the current level of maturity across systems, process, and data, and can be repeated iteratively throughout the process to measure progress.

Secondly, a process of discovery and classification should take place to establish what should be protected, how it should be protected, and how much to invest in protection, based upon asset value. There are three steps to this:

Discover - identify all corporate assets, and where they are located

Classify - understand the value and importance of said assets

Protect - align a protection and recovery strategy, based upon these classifications

We then develop a sequence of activities and solution options that firms can adopt through a service provider model or deliver in house, including:

Cloud maturity & governance assessments

The classification of data for recovery may be central, but ensuring Cloud services are governed and managed effectively to reduce introduction of risk through human error is also critical. These assessments also delve into current DevOps and DevSecOps maturity to identify and act upon opportunities to more effectively leverage automation to offer an additional level of resilience.

User awareness & ongoing training

The weakest link in the security chain continues to be users, and as such continual focus should be maintained regarding user diligence and awareness. We support customer organisations with cyber security training, ensuring users consider all communications for phishing, spear attacks, smishing etc. to drive a culture of individual responsibility regarding cyber security.

Supplier management

As discussed earlier, legal firms are longstanding proponents of outsourcing and heavy SaaS consumers. This means that critical data, in many cases, has been migrated out of the traditional data centre storage platforms into third-party data repositories. Firms must therefore be ready to ask themselves, “Do your suppliers care as much about your data as you do?”.

We urge our customers to examine our own IT security and data management processes to ensure we have met their expectations. Equally, firms should insist on their SaaS vendors providing detail on how they protect client data, and what ransomware recovery strategy they have in place. Is it continually tested? Has it been certified or audited by an accredited entity? No assumptions should be made that a supplier will treat critical assets with the appropriate degree of diligence, as recently documented in the ransomware attack on NHS data held by MSP Advanced².