Business continuity and disaster recovery (BC/DR) plans went through a universal stress test last year the likes of which have never been seen before. As we start to emerge from the pandemic, it’s tempting to immediately focus on delayed initiatives and newly identified projects coming out of it. Before moving on, pause and evaluate how your BC/DR plan performed and plan for the next disaster while this memory is still fresh.
Law firms should take the time now to seriously evaluate how their practice adapted over the past year, and most importantly, what they need to do to improve their response to the next crisis. While the global pandemic is hopefully a once-in-a-generation event, there is no shortage of other threats that require the activation of a firm’s BC/DR plans—from regional natural disasters like wildfires or hurricanes to targeted cybersecurity attacks such as ransomware.
Risk Analysis and Tolerance Drive BC/DR Strategy
For law firms, mitigating legal risk for their clients is second nature. Mitigating business risk for themselves does not come as naturally. Actively planning for and managing non-legal business risk in small to mid-sized firms often takes a back-seat to productivity and firm growth initiatives. Many business continuity and disaster recovery plans are often determined by one or two influential vectors (e.g. cost and IT partner recommendation) without proper and careful consideration for business impact.
Ultimately, your BC/DR strategy depends on fundamentally understanding business impact. Your strategy will grow and evolve over time — this isn’t a one-time exercise. By sitting down periodically with key stakeholders, we recommend at least annually, you can identify new risks and prepare a plan based on current business activities. Simply having the discussion will help you weather the storm — whether that’s a literal storm, a figurative one such as the COVID-19 pandemic, or more commonly, malicious hackers seeking profit.
Every BC/DR strategy should be informed by a Business Impact Analysis. This analysis can be formally conducted by professionals or informally done in-house, and involves asking a series of questions to help you more deliberately understand your business requirements. These requirements are operations your firm really needs to have functional during a crisis, and ultimately will inform the decisions you make with regard to budget, technology, and priorities.
Getting Started with a Business Impact Analysis
The following nine questions will get you started so you can more pragmatically determine how to build the right level of resilience throughout your organization, regardless of how big or small your firm is. Your answers will be influenced by your clientele, the size of your firm, your risk tolerance, and how you handle business risks and objectives.
The more you ask uncomfortable questions when there isn’t a crisis, the more likely you’ll be able to avoid business-shattering consequences.
1) How much risk are you willing to take on and in which areas?
Step one is evaluate your risk tolerance. How much can your business withstand and still come out the other side? In a crisis, what percentage of your clients would continue to need immediate attention? How long can your clients get by if you can’t access your systems? Are there times of the year, quarter-end for example, where a disruption or security incident has an outsized impact? What are clients’ expectations of you, and how tolerant will they be if you can’t meet them?
By answering the above, you’ll be able to more accurately map your business priorities and objectives to information security and disaster recovery efforts. If you don’t understand your risk tolerance and how that relates to your business priorities and objectives, you can’t make a BC/DR strategy and plan that ensures you meet them.
2) What types of data do you have and where is it kept?
Closely related to the first step is understanding exactly what kind of data you hold and where it’s being held. If you haven’t already conducted one, you’ll want to go through a data classification exercise. Part of minimizing your security risk is reducing the threat surface and centralizing what you can so that sensitive data isn’t scattered in multiple places.
For law firms, nearly all the data you hold is sensitive, but it might not all be stored in the same place. Your billing system, for instance, holds different information than your document management system. How much data is being shared via email or tools like Sharepoint or Dropbox? Do you have data subject to regulatory constraints, and if so, where is it held?
By clearly mapping out what data you hold, how sensitive it is, and where you hold it, you’ll be able to make decisions on a system-by-system basis of how much you can afford to invest to secure the data held within a particular application.
3) Is your technology infrastructure secure?
Operating a firm requires a blend of technologies, and unfortunately, these technologies are vulnerable to different types of malicious attacks. With few exceptions, you rely on information technology systems to communicate within your organization, deliver your services, protect client identities and data, and meet deadlines. That means that you need to think about how to secure those systems to keep your business running smoothly.
Your decisions will drive IT investments, architecture decisions, and management of IT assets. It will also help you create a security policy, including how to access your network remotely, a password policy, and a social media policy. Your tech stack enables you to run your business and securing it with the appropriate security solutions and policies keeps it running smoothly.
4) Do you have a disaster recovery plan?
Beyond security, think about what you’ll need in the event of a disaster. This could be isolated, e.g. a single critical system going down, or it could be more impactful like a crisis that affects the entire region.
Considerations here include whether your systems are cloud-based and redundant and whether your employees can work remotely. Have you determined your minimum level of access and service? Which systems/data/business functions are mission-critical? Do you have the processes, policies, and technology to deliver the absolute necessities?
A policy for remote working helps with natural disasters, pandemics, and personal emergencies. You’ll also want to consider the criticality of the services you provide and how much of it can be conducted remotely. A law firm may be able to conduct the majority of its business and client interaction remotely, but you may still have some business that you typically do in person, such as court-related activities. Investigate alternatives – are there new ways to conduct in-person activities remotely if absolutely necessary?
Disaster recovery plans describe how you and your team can get back to work quickly after an unplanned incident to help you minimize the impact on your business and decide which investments make the most sense to keep your business running when the unexpected happens.
5) How long can your firm survive without access to its systems?
To help you make your disaster recovery plans, you need to consider downtime. Based on your analysis, you may determine the need to invest in a secondary set of infrastructure that you can fail over to in case of a disaster. You may also decide that it’s worth risking a few hours or days of downtime to save on the high ongoing costs of a secondary site.
Consider:
- What does it cost your business to be down for 15 minutes?
- What about being down for a day?
- What’s the cost of keeping a site recovery option, with full failover (meaning your systems go down and switch immediately to a backup — with no downtime)?
- Do you need full environmental failover, or does application failover provide enough functionality for your business?
In the abstract, more security and immediate failover always sounds like a great idea, but in reality, the costs for immediate failover are likely to be more than double what you’re currently spending. You need to really weigh the likelihood of risk and the cost of downtime against the cost of immediate recovery.
In BC/DR terms, there are two critical factors to determine:
- Recovery Time Objective – this is the amount of time it takes to get systems back online and operational. Put another way, how long your firm is non-functional.
- Recovery Point Objective – this is how much data loss can you withstand. For example, if you restored your systems as of 11:59 PM last night, you will have lost all of the work your team has done today. Is that acceptable or do you want a system that would lose at most an hour or two of work?
Making clear-eyed decisions about this when you’re not under extreme stress will help you make choices that work to keep your business functional long into the future. And the reality is that by NOT making a decision about this, you’re still making a decision. If you haven’t prioritized your critical systems now, then when a disaster hits, it will be too late to take action.
6) Do you work with clients in regulated industries? If so, what kind of security controls do you need to impose given your access to client data?
Different industries have different regulations that impact your business operations and requirements. If you work with clients in highly regulated industry, your work and data may be subject to the same regulations that theirs is.
Even without that consideration, for the legal industry, downtime results in clear practical risks; if you can’t access documents, you can’t meet client requirements. The biggest risk in the legal industry, however, is data exposure. Clients hold legal counsel to a high standard, and expect that any information about them remains protected, regardless of cyberattacks or data breaches.
7) What risks can you solve with technology?
While headlines about data breaches and cyberattacks might lead you to think that technology only causes risks, it can actually solve them as well. Managed service providers can take a lot of the technology questions off your plate, but you still have some responsibilities that technology can help with. This blog series will help you understand more about how to protect your mission-critical assets through policy management, monitoring and response, data security, application security, endpoint security, network security, and perimeter security.
8) Have you reviewed your technology partner’s security posture?
If you’re outsourcing, make sure you ask your third-party providers about how they protect you and your business. Does your partner have controls and plans in place that meet your business requirements?
Simply asking these questions will help you understand what to expect from managed services and what you need to handle internally. If you don’t know who’s responsible for handling a risk, chances are that no one is.
9) What risks do you solve with internal training?
Training seems like a minor issue, but it can solve big problems. Employees make innocent mistakes, and your training and policies can significantly reduce those risks. You’ll benefit by training employees in basic security principles, such as requiring strong passwords, discussing appropriate internet use, establishing rules for handling and protecting customer information, and how to avoid phishing and other social engineering attacks. Internal training can prevent a lot of confusion, and even cyberattacks, which will save you time, money, and stress.
Build a framework that makes your business more secure and resilient
Upfront planning and thoughtfulness around what is critical to you and your firm (rather than generic recommendations) will help you build a cybersecurity strategy and information security framework for what to do in case of emergency, regardless of what that emergency is. And you can keep it up to date by just having a regular check in to see how your answers to these questions might have changed.