Business continuity has long been a central concern for law firms, but our absolute dependence on information technology today makes an IT-related disaster the most likely cause for a major business disruption. An IT disaster can be triggered by a major breach that forces a systems shutdown, a natural disaster that takes down a data center or a ransomware incident that paralyzes the firm’s IT ecosystem.
Law firm management teams must be clear that their business operations are at high risk from IT threats, because of the highly sensitive and confidential nature of the documents that law firms retain. In fact, law firms ranked among the 10 business sectors most vulnerable to IT threats, according to the 2015 Cisco Annual Security Report.
Still, we find that a surprising number of U.S. law firms do not bother to create an IT disaster recovery plan — or if they have one, they toss it on the proverbial shelf and fail to simulate, test and modify it as circumstances warrant. Here is a simple five-step checklist for IT disaster recovery planning that may help you get started with your own or revisit the one on your shelf:
* What do we need to perform the recovery?
Your plan should itemize every component necessary to perform a recovery. This should include hardware and operating systems, communications, applications, facilities and any other critical function that keeps the IT infrastructure running. For each component, quantify your processing requirements, what would be needed to replace it in the event of a disaster, alternative methods of processing information and contact information for all relevant vendors.
* What are the industry standards?
Make sure you assess your firm’s operational requirements against best practices in the industry. What do your peers view as critical and what plans might they have in place for recovery from an IT disaster? Adjust and improve your strategy based on this reality check.
* What are the components of our recovery plan?
Your IT disaster recovery plan should focus on restoring the firm’s IT infrastructure, systems and data networks within the clear strategic goals you established at the outset. This includes the specific procedures involved, the assignment of responsible employees, notification requirements (internal and external), the timeline for recovery and the operational processes the firm follows while it works in contingency mode. Clearly isolate and define: (1) the resources; (2) the actions; (3) the tasks; and (4) the data required to manage recovery from an IT disaster.
* How does the plan perform in simulation?
Testing your IT disaster recovery plan not only allows you to identify possible weaknesses and get accustomed to disaster recovery scenarios, but it also enables everyone to gain reasonable assurance that the plan will operate effectively in the event of an actual incident. Document testing data, evaluate the results and train your staff on how to improve based on those tests.
* What changes do we need to make to keep the plan current?
Because technology changes so quickly, an IT disaster recovery plan has a shelf life of at most one year, and perhaps less depending on changes in the firm’s applications, systems and personnel. Revisit your plan on a regular basis, review changes in the firm and in your IT infrastructure, and update your procedures accordingly. Maintaining the plan will help ensure that everyone in your firm is ready in the event of a disaster.
One note of caution applies to firms creating an IT disaster recovery plan for the first time as well as those dusting off a plan that has been underutilized. Do not expect perfection with every component of your plan, including the results of your simulations and tests. That is an unrealistic bar to pass and typically encourages your team members to take shortcuts or even mask certain results to create a false perception of readiness. You want the unvarnished truth so you can identify your vulnerabilities and tighten up your plan before a disaster strikes.
Jeff Norris serves as the security officer and head of information security for Managed Technology Services (MTS) LLC, managing the firm’s security, compliance and assurance programs. Greg Inge is chief executive officer of information security consulting firm CQR, which provides cyber and resiliency advisory services to MTS and its clients. For more information: www.hbrmts.com.