Recent news reports highlight an oft overlooked cybersecurity threat impacting law firms: data unavailability / business interruption. While lawyers are beginning to appreciate that information security vulnerabilities can impact client confidentiality through exposure or loss of confidential information, far less attention is often paid to data availability threats.
The recent news headlines demonstrate how an attack impairing data availability can quickly become highly problematic. In late December 2022 Joe Patrice reported a large ediscovery vendor was forced to shut down “external access” while investigating a possible cyber breach. Reports indicate that this vendor was not back online until January 4, 2023. As a former complex commercial case trial attorney, I can imagine the stress that this type of disruption could cause to busy trial teams.
For most lawyers, most of the time, information availability and information confidentiality are equally important concerns. As the pace of law practice has quickened, being deprived of ready information access, whether it be ediscovery files, data rooms, or draft pleadings and documents, can quickly and sharply degrade the quality of client service. Even if information confidentiality is preserved, deprivation of information access can quickly cause mounting damage.
Unfortunately, the prevalence of these availability attacks is growing. It’s not hard to understand why. Stealing somebody’s data with the hope of re-selling it on whatever dark market has become, in many cases, more time consuming and less lucrative; the fifth dataset containing my social security number, for example, is not worth nearly as much to thieves as the first dataset was.
Economically smart attackers realized, however, that the value to an organization of having access to its data may well be significantly higher than the actual resale value of the data. Examples abound: the widget factory being able to run its computerized manufacturing equipment; the law firm having access to case materials; the accounting firm having access to its tax prep software (particularly during tax season). As a bonus, the attacker cuts out the need for a third-party buyer, instead going directly to the victim for the cash.
Thus, ransomware and other availability-centered attack vectors continue to grow in popularity. What steps can lawyers and firms take in response?
First, lawyers must acknowledge and understand the problem. It’s no longer appropriate to only focus on cybersecurity = preserving confidentiality. Lawyers must accept that they face a grave cyber availability threat. Only after this is acknowledged can firms make smart decisions regarding what’s next.
Second, lawyers must ask: “given my firm’s information profile, what measures can cost-effectively enhance protection of information availability?” The possible answers to this question will vary according to both the types of information the firm needs to protect, and the firm’s “technology stack” (e.g. cloud, on premise, hybrid).
Third, lawyers must take a hard look at vendor relationships. Make an inventory of the firm’s service providers. Then, for each vendor, ask the question: “What would be the impact on our operations and client service if this vendor went down for a week?” Once the firm has prioritized vendor relationships in this way, having meaningful conversations with important vendors regarding their security is critical.
Finally, remember that resiliency is a core cybersecurity domain. Bad things will happen no matter how many barriers are erected. Detailed, scenario-based planning can turn a weeks-long disaster into an hours-long problem.