Law firms hold a wealth of valuable client data and funds, all of which make them a very attractive target for criminals. As the number of cyber-attacks increases, firms are increasingly at risk of a breach. And it isn't just cyber-crime that can result in data being lost or compromised. There's the risk of physical damage to servers, lost equipment that's not adequately protected and even human error which could cause system disruption and failure.
The reality is, at some point, your firm is likely to experience a data breach – if it hasn't already. Beyond the initial loss of data and funds, there is the risk of fines and the reputational damage which can be significant. Therefore, the plans and policies you have in place to protect your data are essential to your chances of recovery.
But many firms erroneously believe that simply backing up documents, emails and case files is a job well done, a disaster averted, the compliance box ticked.
A well thought through disaster recovery plan that considers every possible scenario is essential and your plan needs to be robustly tested. You need to understand and be confident in how well the system stands up to threats, how people within the business respond, how you will communicate with clients and the general public, and most importantly, to check exactly what data and applications can be retrieved along with the time taken to recover.
But where do you start when it comes to testing systems to destruction? Here are our recommendations.
Test for 'worst case scenario'
An annual, all server shut down, should be the minimum test you undertake. A half-hearted test will not satisfy your clients or quality standards and it should not satisfy the business.
Include a representative test group
Junior and senior staff should be included in testing the firm's resilience to disruption and how quickly they can return to fee earning work. Run the test when it is least disruptive, but ensure the test is realistic to build confidence in your business and in your staff. Gain feedback from staff about the success and weaknesses of the test.
Measure how quickly law firms return to 'business as usual' – and adapt if necessary
Test how well you meet your Recovery Time Objective (RTO) – the amount of time lost that your business can potentially sustain. If you fail to meet your RTO, look at ways to reduce it and test again. When disaster strikes, being able to easily open and find crucial documents can make the difference between a few hours in lost fees or days, as well as keeping reputations intact.
More and more law firms are moving to a cloud environment where disaster recovery and business continuity are built in, avoiding the need to invest in, or maintain, your own off site IT disaster recovery solution. After all, having strong policies and plans in place isn't just about protecting you from the 'what if'. Increasingly, panels and clients are asking for evidence of the plans you have in place and your ability to prevent and recover from data breaches. Good disaster recovery provision is seen as a real differentiator for firms and our customers have testified to the competitive advantage this has given them.