During the first year since Australia’s Notifiable Data Breaches (NDB) scheme was rolled out in early 2018, there have been 964 data breaches reported. Of those, 60% were reported as malicious or criminal in nature, and another 30% related to human error. Understandably, cybersecurity is a hot topic across the legal industry, both in-house and in private practice. Are you, your team, your clients and your third-party vendors prepared to prevent, detect and respond to these cybersecurity threats? Combating the constant and innovative barrage of attacks is challenging, but there are some simple things you can do to ensure you have the basics covered. Below are some tips to get you started.
Identify What Is Important
There are two key organisational assets that can help as you establish or refine your cybersecurity programme. The first asset is a data map that identifies and classifies the organisation’s data. What and where are the crown jewels, the most important data? What data do you have that, if compromised, will require a breach notification to satisfy regulatory or contractual obligations? What is your data attack surface? All these questions are more readily answered with the use of a data map.
The second asset is a business impact analysis. This identifies key business processes, their related systems and the impact if they are degraded or unavailable. If your website or email server goes down, what is the impact? What about a file server? How long can you survive without your most vital systems before the impact becomes intolerable? Is there a third party on whom you depend for an important process?
Assess Your Current State
Based on your key data assets and critical business functions, you can now perform a risk assessment and evaluate your security programme to find the gaps and weaknesses in your current controls. The actions you take will depend on your organisation’s unique situation but should include an ongoing programme of risk assessment and refinement that aims to consistently improve your security over time. Resources like the CIS Top 20 and the OWASP Top 10 can help focus your efforts.
Your assessment should also examine the risk introduced by your vendors and subcontractors, as well as the adequacy of any cybersecurity insurance you may decide to carry.
Make a Plan
Every organisation should have an incident response plan to guide critical actions in case a security incident or breach occurs. However, a recent survey shows one in four Australian businesses don’t have a plan in place, even though having an incident response team and resolving incidents quickly can significantly reduce the cost and damage from a breach. Develop a detailed plan with clearly defined roles and expectations, thresholds and timelines. Establish your incident response partners in advance, engaging the talent you need to make sure you have a comprehensive plan with all roles filled. At minimum, your incident response team should include senior management, IT, cybersecurity personnel, legal counsel and trained internal resources or vendors to handle breach containment, forensics, breach data analysis and required notifications.
Training and Practice
Cybersecurity is a business problem, not an IT problem. The entire team needs to be involved in protecting the organisation from cyber threats. Stakeholders should know about the procedures you have in place and the steps they need to take when an incident occurs. Cybersecurity training not only shores up your defences on the front line, but also means a quicker response and less exposure if an incident does occur. Currently one-third of Australian law firms don’t invest in cybersecurity training, even though it is one of the top five ways to reduce the cost of a data breach.
Third-party testing and a company-wide dry run – simulating an actual incident – are best practices to ensure your security and incident response procedures are well designed and up to date. These exercises can be applied to incident response plans, disaster recovery plans and data privacy scenarios, validating your processes and verifying compliance with regulations and industry standards.
Follow Your Plan
You can’t control when an attack will happen, no matter the size of your organisation (43% of attacks are on small businesses). What you can control, however, is how you respond to such attacks when they occur. Whilst each incident is different, your incident response plan, counsel and insurance carrier provide a framework within which to act swiftly and surely.
Activities under your incident response plan should serve to stop the attack and mitigate the damage. The extent of the incident and the data and systems impacted must be determined. If necessary, the appropriate regulatory bodies, individuals and business partners should be notified.
The steps outlined above can help you prevent and prepare for a cybersecurity incident. Proper security and preparedness are a process, not a one-off project, so these steps should be revisited regularly and adapted to changes in the organisation.
TransPerfect’s Information Governance practice group supports law firms and corporate legal departments with pre- and post-breach technical and governance services, including incident response planning and virtual CISO programmes. To learn more, visit our Information Governance page.