Manage Cyber-Attacks: Is It Really Not If You Will Be Attacked, But When?

Manage Cyber-Attacks: Is It Really Not If You Will Be Attacked, But When? is my new column in the Oklahoma Bar Journal.

This is a sobering subject, but it is critical for all law firms to appreciate this idea in their risk management practices. It is a bit hard to accept that it may be impossible to have such bulletproof cyber security that you can be absolutely confident you will never be breached. After all, I’m fairly certain our country’s intelligence services had some high-level experts working on their security and they have suffered spectacular breaches. In hindsight, this article’s title perhaps should have been “Manage Cyber-Attacks: Is It Really Not If You Will Be Compromised, But When?”

We have fallible, and sometimes corruptible, human beings working with our technology systems. Computer code is vastly more complex. There are more openings. Think of the difference between fighting crime in a small town with one stop light and a large urban metropolis with high rise buildings, subway systems, subterranean sewers and other complex infrastructure. Coders are going to write new code. Some of it will have unintended consequences and open up new security risks. And that new employee may not appreciate all of the dangers lurking in her inbox.

So does that mean give up? Game over?

Of course not. We cannot give up on security measures. We need to have good cyber-security infrastructure, practices and training. But there will be dangers appearing online that haven’t been invented yet.

Today, a large part of good security practices includes creating Incident Response Plans and other recovery techniques. If you do not have an IRP, it is time to create one. This is unpleasant to consider and easy to procrastinate on for the same reason so many people put off creating an estate plan. But this is just as important.

In the column, I take the reader through a couple of scenarios to give some examples of planning. Firms can get help with IRPs from professionals, but each plan should be unique because the assets you have to respond with are unique. I tried not to make this too threatening, but I have been on the phone with lawyers who had no plan and now have a network frozen by some malware. Planning is better!
