Cybersecurity is not just about keeping bad guys out and keeping your data safe. It’s also about keeping your business running in the face of unexpected network or system outages.
You carry out threat modelling to determine what cybersecurity measures are necessary and proportionate for your firm.
The same approach applies to resilience and business continuity planning: work out what risks you and your firm face, work out what you can do to mitigate those risks and which solutions are proportionate to the risks you face, and prioritise your response.
Prepare a document listing your key devices and systems, and, against each, set out what you would do if the system failed or the device got lost, from a business continuity perspective.
For example, if you use Dropbox, and Dropbox just decided to stop operating one day, or kicked you off the platform. What would you do? Or if your email hosting provider shut up shop?
What would happen if your computer died, or your phone got stolen?
Your aim in doing so is to plan for these eventualities before they happen, so that, if they do happen, you know what to do. Planning in advance means less panic and stress when the bad thing happens, since you know just what to do, and increases the chance of you making rational decisions, since you did your planning in a less pressured environment.
There is no point having a plan if you do not test it. It might look great on paper but, if it does not work in reality, it is worthless. Worse, it offers you a false sense of security.
If your plan relies on you being able to restore a backup, test that you can do it. Learn what it means to restore your backup in practice, and how long it takes.
If you do not work remotely on a regular basis, schedule in time to do it, so you know what to do if your normal work place becomes suddenly inaccessible. Even if your plan is just to head to the nearest coffee shop, give it a trial run — you might find that you've overlooked having a spare power supply in the bag with your laptop, so your battery runs out mid-way through the day, or that the coffee shop you had in mind is fine for a chat but no good for trying to get any work done.
Regular, automated, backups are essential.
If your budget permits it, and if your needs require it, consider having a spare computer, always synced with your documents and files and your settings, ready to go.
The idea being that, if your main computer dies, or gets stolen, you are not rushing out to a store to buy another device: you break out the backup computer, and carry on working seamlessly (or very nearly seamlessly).
If you work from home using a second computer, you may already have this in hand. Similarly, if you also have a tablet or phone and you can get by using just that for a while, while you source and configure a new computer, that might suffice.
There are, of course, downsides to this. It is another machine to keep patched with security updates and, clearly, you end up buying two machines rather than one. You may also have to buy additional software licences, if you rely on software which is licensed on a per-machine, rather than per-user, basis.
But consider how much downtime (and thus lost revenue) you would incur if you only have one computer and it stopped working one day. What would happen if you were in the middle of something time-critical?
Whether you go for a spare computer, or you plan to rely on a secondary device while you get your main computer sorted, regularly test out your plan. Check that you can actually do your job for a day from your iPad or phone, if that is your backup plan. Make sure your spare computer is kept in sync, and that you haven't made a pertinent change on your main computer which is not replicated on your spare, such as a new piece of software.
Access to the Internet is essential for most law firms, and all the more so if you rely on "cloud-based" platforms to run your firm.
Work out what you would do if your office's Internet connection became unavailable.
Nearly every device in a law firm other than a notebook and pen relies on power.
Having a plan to deal with power outages is likely to be very sensible. What is proportionate to protect yourself will depend on how often you have power outages, and how long they typically last.
Laptops have their own batteries, so you shouldn’t lose any work in the event of a power outage.
It would be sensible to find out just how long your laptop will keep going, under realistic test conditions, so you know how long you've got if that is your main plan.
If your plan involves tethering your phone to your computer, to connect to the Internet (as a power outage is likely to bring your modem and router, and thus Internet connection, down, unless you have a plan in place for those), do this as part of your battery life test. You might find you get much less time out of your laptop's battery when doing this.
If you suffer from frequent power outages, and or even just occasional power outages, consider buying an uninterruptible power supply or “UPS”.
This is a big battery, which connects to the mains electricity at one end, and which has sockets at the other end, into which you plug your devices. Ideally, you'd plug in your networking kit, so you stay connected to the Internet, along with any servers. Consider also UPSs for desktop computers, which don't have the benefit of integrated batteries.
When the power is working correctly, your equipment is powered by the mains electricity. When the power fails, the battery kicks in very quickly, so that your equipment keeps running unless the battery is depleted or the power is restored (or else it does whatever you've told it to do when running on battery power, such as shutting down gracefully).
Not only does this mean that you can keep on working through relatively short outages, as the battery-powered kit will continue to operate, it should also save your machines from unexpected shutdowns, and potentially lost data or corrupted file systems.
The batteries inside a UPS are consumable items, and degrade over time. Replace them in line with the manufacturer's recommended schedule, or once they stop offering adequate performance.
Test your UPS regularly. If you've set it up properly, you should have absolutely no qualms in pulling out the plug to the mains.
Warning: although they help from a resilience point of view, a UPS can make a computer more vulnerable in a break-in / theft situation, as an attacker can steal the machine connected to the UPS along with the UPS, and so remove it from your premises without shutting it down or crashing it, giving them time to connect it back to the power. If the machine is vulnerable to an attack while turned on (e.g. because the disk is only encrypted when it is turned off), keeping it attached to a portable UPS increases the risk of compromise / data exfiltration in a theft situation.
Smaller batteries, in the form of power banks, are cheap and convenient, if you need to prolong the battery life of a mobile device.
As well as battery packs for phones and tablets, some manufacturers offer batteries capable of powering, even recharging, computers.
The key issue, from a business continuity perspective, is making sure that they are charged ready for when you need them.
A UPS or battery bank might bridge you for relatively short power cuts, depending on how quickly your devices drain them.
If you have occasional longer outages, a 12v to AC inverter may be useful. This is a small device which plugs into the “cigarette charger” port in a car, ending with a main plug socket, into which you can plug devices. You power it by running your vehicle's engine.
If you need more protection than all of these, then you probably also need a generator.
Make sure you have someone to keep it securely, and that you refresh the fuel in line with the manufacturer's recommendations.
You walk into your office one day, and find that it's flooded. Or on fire. Or occupied by trespassers. But you absolutely must get some work done before tending to that (or else can rely on someone else to take care of it). Do you know where you would go, and what you would do?
If you work from a remote location as a matter of course (e.g. from home, or from court), then you might already have a tested plan. If not, now would be a great time to work out where you would go, and then actually get on and do it. Spend a day working from your chosen place, and decide if it meets your needs. If not, find somewhere else, and give it a try.
Basically, do not wait until you absolutely have to work from somewhere else before doing so.
If you have colleagues and are used to collaborating around a table in the office, work out how you will continue to work together remotely. If nothing else, work out how to do multi-party calling on your phone, and practice it. Try running a meeting over the phone, or via video chat, and see how you get on.