I live on a street where we “enjoyed” seven power outages during the summer of 2016. The first few periods of extended downtime, since I had no power and nothing better to do, I just complained to my friends about them. During the third brownout, I decided to get my generator fixed, then had an electrician install some bypass switches, changed from a cable to fiber internet provider and eventually started tweeting the power company. By winter, I was able to better ride out outages, and any corrective actions were completed by the utility company.
In some ways, world events like the WannaCry and Petya ransomware attacks this summer and other data breaches can serve a similar purpose. Sure, we can worry and bellyache about them. But that’s fairly unproductive. It’s better to take the time to understand the threats – working to improve your operation is time far better spent.
At Tanenbaum Keale (TK), we are heavily dependent on technology to service our clients. Electronic calendars supporting mass tort deadlines, database systems to execute settlement analysis and support case resolutions, and the ability to efficiently access millions of pages of historical product-related documents in scores of repositories are all key aspects of our value proposition to clients. Not to mention the obvious tools like email, document management, HR, marketing and accounting systems. We’re technologically advanced, but I know many other law firms are as well. I’m not suggesting we’re unique in this area. For all of us, resources like these are absolutely critical.
Reacting to these threats in totality is quite daunting. Even overwhelming. TK, having swung open our doors in February 2017, is in a comparatively good place (new equipment, up-to-date operating systems and firmware, fully patched). In other words, nothing old, which is a weakness the hacking community looks to exploit. But even a new firm with new equipment must be incredibly vigilant. We found that, perhaps just like constructing a patio, addressing the needs one paver at a time is a bit more manageable approach. So here are some simple examples of things we did to fortify our sitting area.
Whether it be Hurricane Sandy, a ransomware attack, or an emergency of a similar vein, we all understand very clearly that one’s physical office can become inaccessible. Which means not only computers, but phones, fax machines, physical files, etc. may become out-of-reach. We designed Tanenbaum Keale as a heavily cloud-based firm, meaning tools like Office 365, IMANAGE and Orion are operating outside our four walls, which is a great start. Taking time to formally implement automated rollover of VOIP office lines to cell phones, accelerating projects to create cloud-based Active Directory backups, confirming inbound Internet-based fax services were up to snuff, and refocusing on emergency communication technologies and processes were all part of this exercise as well.
Hopefully if you are reading this, you already work for a law firm or company which has a “Security Roadmap” that defines all the tasks which should be completed in this area and where your organization is in the process (if you don’t, consider putting one together ASAP!). Here at TK, being a recently launched litigation boutique, we have a roadmap which is comprised of both completed tasks and works-in-progress. For us, recent events served as a catalyst to formally execute a penetration test, be sure our documentation on all applications and vendors is top notch, and refine and expand our training and awareness materials. We also took the time to finalize an agreement with a data breach vendor (whose services we will hopefully never need).
Continuing the topic of training, we conveyed our thoughts to employees internally on the Petya scenario as we followed public articles on the crisis. This was certainly not done as a scare tactic, but rather as an effort to better educate our workforce about the world in which we operate and common threats we face. We all know the core issues – deciding who to trust in email, avoiding potentially dangerous attachments, maintaining diverse and complex passwords, etc. – but the messages sometimes are absorbed a touch more completely when accompanied by supporting world events.
We used breaches, WannaCry and the like as case studies and teaching tools, both for office operations as well as for providing common sense tips to employees on handling personal data and managing personal devices outside of the office.
Data & Backup Review
Last, but far from least, was a review of our internal data and backup policies. To state the obvious, if vital data is backed up, an organization’s exposure to a ransomware attack is vastly diminished, if not eliminated. And it is equally obvious, at least to me, that virtually no amount of diligence and thought can be considered excessive as one reviews the adequacy of the different backup methodologies and data destinations. Data which is stored in the cloud, while not impervious to attack, is reasonably considered much safer than individual files at rest on an employee’s computer or an on-site server. Taking the time to painstakingly review all critical data sources and thinking about where off-site or off-line copies should be placed is a tremendously important exercise. Cloud-based backup services like EVault which move data beyond the boundaries of your offices also help a great deal. One cannot encrypt what one cannot touch. I think you’ll find that any exercise that includes systematic reviews of all sources of data for the purpose of ensuring they are available for restoration in extenuating circumstances is a useful exercise.
To sum up, power outages, malicious attacks and emergencies are always going to present challenges. But preparation, forethought and risk-mitigation actions executed in the calm before the storm can potentially pay off tenfold. Be sure to learn from events of this nature and prepare as much as possible to minimize the impact of future problematic events.