This is an old revision of the document!


Resiliency and business continuity planning

Cybersecurity is not just about keeping bad guys out and keeping your data safe. It’s also about keeping your business running in the face of unexpected network or system outages.

Key points

  • Start with a plan

Start with a plan

You carry out threat modelling to determine what cybersecurity measures are necessary and proportionate for your firm.

The same approach applies to resilience and business continuity planning: work out what risks you and your firm face, work out what you can do to mitigate those risks and which solutions are proportionate to the risks you face, and prioritise your response.

Document your key devices and systems and say what you would do if they failed or got lost

Prepare a document listing your key devices and systems, and, against each, set out what you would do if the system failed or the device got lost, from a business continuity perspective.

For example, if you use Dropbox, and Dropbox just decided to stop operating one day, or kicked you off the platform, what would you do? Or if your email hosting provider shut up shop?

What would happen if your computer died, or your phone got stolen?

Your aim in doing so is to plan for these eventualities before they happen, so that, if they do happen, you know what to do. Planning in advance means less panic and stress when the bad thing happens, since you know just what to do, and increases the chance of you making rational decisions, since you did your planning in a less pressured environment.

Test your plan regularly

There is no point having a plan if you do not test it. It might look great on paper but, if it does not work in reality, it is worthless. Worse, it offers you a false sense of security.

If your plan relies on you being able to restore a backup, test that you can do it. Learn what it means to restore your backup in practice, and how long it takes.

If you do not work remotely on a regular basis, schedule in time to do it, so you know what to do if your normal workplace suddenly becomes inaccessible. Even if your plan is just to head to the nearest coffee shop, give it a trial run: you might find that you've overlooked having a spare power supply in the bag with your laptop, so your battery runs out mid-way through the day, or that the coffee shop you had in mind is fine for a chat but no good for trying to get any work done.

Backups are essential

Consider a spare, synced, computer

If your budget permits it, and if your needs require it, consider having a spare computer, always synced with your documents and files and your settings, ready to go.

The idea is that, if your main computer dies, or gets stolen, you are not rushing out to a store to buy another device: you break out the backup computer, and carry on working seamlessly (or very nearly seamlessly).

If you work from home using a second computer, you may already have this in hand. Similarly, if you also have a tablet or phone and you can get by using just that for a while, while you source and configure a new computer, that might suffice.

There are, of course, downsides to this. It is another machine to keep patched with security updates and, clearly, you end up buying two machines rather than one. You may also have to buy additional software licences, if you rely on software which is licensed on a per-machine, rather than per-user, basis.

But consider how much downtime (and thus lost revenue) you would incur if you only had one computer and it stopped working one day. What would happen if you were in the middle of something time-critical?

Whether you go for a spare computer, or you plan to rely on a secondary device while you get your main computer sorted, regularly test out your plan. Check that you can actually do your job for a day from your iPad or phone, if that is your backup plan. Make sure your spare computer is kept in sync, and that you haven't made a pertinent change on your main computer which is not replicated on your spare, such as a new piece of software.

Protect yourself against power outages

Nearly every device in a law firm other than a notebook and pen relies on power.

Having a plan to deal with power outages is likely to be very sensible. What is proportionate to protect yourself will depend on how often you have power outages, and how long they typically last.

Laptops are inherently protected

Laptops have their own batteries, so you shouldn’t lose any work in the event of a power outage.

It would be sensible to find out just how long your laptop will keep going, under realistic test conditions, so you know how long you've got if that is your main plan.

If your plan involves tethering your phone to your computer, to connect to the Internet (as a power outage is likely to bring your modem and router, and thus Internet connection, down, unless you have a plan in place for those), do this as part of your battery life test. You might find you get much less time out of your laptop's battery when doing this.

  • Have a plan and test it
  • Kill the power and test your UPS
  • Restore your backups, so you know they are good, and you know how to do so
  • Practice working from a remote location (if you don’t do it as a matter of course)
  • UPSs
  • Power banks
  • Car adapter
  • Cellular backup

business_continuity_planning.1566022941.txt.gz · Last modified: 2021/07/06 09:26 (external edit)