A cyberattack can easily cripple a law firm, so even a basic incident response plan can save the firm in the long run. Learn how to build a plan that limits the damage an incident can do.
3. The Importance
• 1 in 4 law firms have reported being breached, according to an ABA survey
• Regulatory, insurance, and client confidentiality concerns
• Remove the paralysis and get back to business faster and safer
• Demonstrate that the firm is serious about cybersecurity
www.accellis.com
4. The Three A's of Incident Response
1. Ammunition: Incident response tools are the first line of defense. Checklists, trained teams, IT support, and more are the ammunition of an effective response.
2. Attribution: Understanding where an attack is coming from can help you understand an attacker's intention as well as their technique, especially if you use real-time threat intelligence.
3. Awareness: The most fundamental security control is an educated and aware user. Effective incident identification AND recovery often starts and ends with a well-informed end-user.
6. The Members
• Security Manager/Security Committee: Point of contact for coordinating the incident response
• IT Director/Staff: Provides technical support and the response to contain the threat while preserving forensic data
• Marketing/Public Relations: Coordinates efforts related to client communication
• Managing Partner/Exec. Committee: Makes business decisions regarding the firm's response
9. Response Planning

Response Stage: Identification/Investigation
Response Team:
• End-users
• IT Staff
• Security Manager/Committee
Key Questions & Tasks:
• Is this an incident that requires attention now?
• Which assets are impacted?
• When did the event occur?

Response Stage: Containment
Response Team:
• IT Staff
• Security Manager/Committee
Key Questions & Tasks:
• Is the threat isolated?
• What are the containment options?
• Initiate the containment plan
• First stop the spread or close the network gap

Response Stage: Eradication/Recovery
Response Team:
• Forensics Group/IT Staff
• IT Staff
• Security Manager/Committee
Key Questions & Tasks:
• Will the fix destroy forensic evidence that is still needed? If so, preserve it first
• Will new equipment be required?

Response Stage: Communications/Reporting
Response Team:
• Security Manager/Committee
• Firm Leadership
• Authorities, Insurance
Key Questions & Tasks:
• Is the Response Team required?
• Notify firm stakeholders
• Will outside counsel be needed?
• Do authorities need to be contacted?

Response Stage: Document/Update
Response Team:
• Security Manager/Committee
• IT Staff
Key Questions & Tasks:
• What systems and data were affected?
• How did it happen?
• What can be done to mitigate the risk in the future?
10. What's Unique To Law Firms
• Law firms are data driven
• Practice areas dictate the specific approach to incident response
• Health Law: HIPAA obligations
• Tax Law: IRS regulations
• Specific client requirements: large banks, IP, etc.
11. Malware Infection

Response Stage: Identification/Investigation
Response Team:
• End-users
• IT Staff
• Security Manager/Committee
Malware Infection:
• Immediate action required to review affected assets
• Knowing the date helps in finding how long the infection has been going on

Response Stage: Containment
Response Team:
• IT Staff
• Security Manager/Committee
Malware Infection:
• Isolate the infected PC/server from the network. This prevents the infection from spreading or causing more issues

Response Stage: Eradication/Recovery
Response Team:
• Forensics Group/IT Staff
• IT Staff
• Security Manager/Committee
Malware Infection:
• Perform virus scans or a complete wipe and re-install
• If required, forensic imaging must occur before the desktop is re-imaged

Response Stage: Communications/Reporting
Response Team:
• Security Manager/Committee
• Firm Leadership
• Authorities and Insurance
Malware Infection:
• The Response Team is notified
• Depending on the type of virus and whether information was accessed, stakeholders should be notified

Response Stage: Document/Update
Response Team:
• Security Manager/Committee
• IT Staff
Malware Infection:
• Update virus signatures
• Document the unique identifiers of the infection to create new rules/alerts
12. Unauthorized Access

Response Stage: Identification/Investigation
Response Team:
• End-users
• IT Staff
• Security Manager/Committee
Unauthorized Access:
• Immediate action required to find the point of entry and what systems were accessed
• Discovery of the affected systems will also aid with corrective and preventative controls in the future

Response Stage: Containment
Response Team:
• IT Staff
• Security Manager/Committee
Unauthorized Access:
• Disable the user account and notify the affected user
• Review file audit logs to determine what information was accessed

Response Stage: Eradication/Recovery
Response Team:
• Forensics Group/IT Staff
• IT Staff
• Security Manager/Committee
Unauthorized Access:
• Change all passwords associated with the affected user's account
• Incorporate account lockout policies
• Gather and preserve all access log information

Response Stage: Communications/Reporting
Response Team:
• Security Manager/Committee
• Firm Leadership
• Authorities and Insurance
• Marketing
Unauthorized Access:
• The Response Team is notified
• Stakeholders and clients are to be notified depending on the information that was accessed

Response Stage: Document/Update
Response Team:
• Security Manager/Committee
• IT Staff
Unauthorized Access:
• Document the incident
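The Malware Infection and Unauthorized Access playbooks above both come down to the same log work: find when it started, which hosts and files were involved, turn the documented indicators into an alert rule, and preserve the raw evidence. The script below is an added example written for this page, not part of the Accellis deck. Everything in it is assumed for illustration: the CSV export format and the sample events are constructed, the indicator list is made up, and the 07:00-19:00 business-hours window is a placeholder the firm would tune.

```python
"""Triage helpers for the Unauthorized Access and Malware Infection playbooks.

Added example, not part of the Accellis deck. The CSV layout, the sample
events, the indicators and the business-hours window are all assumptions
made for illustration.
"""
import csv
import hashlib
import io
from datetime import datetime

# Constructed file-audit / endpoint export. A real export (Windows Security
# log 4663 events, an EDR CSV) has more columns; this keeps only what the
# playbook questions need: who, where, what action, on which object.
SAMPLE_LOG = r"""time,user,host,action,object
2024-03-11T08:02:10,jsmith,WS-14,exec,C:\Users\jsmith\Downloads\invoice_0311.pdf.exe
2024-03-11T08:02:31,jsmith,WS-14,dns,update-check.example
2024-03-11T23:47:05,jsmith,FS-01,read,\\FS-01\Clients\Acme\merger_memo.docx
2024-03-11T23:48:19,jsmith,FS-01,read,\\FS-01\Clients\Acme\term_sheet.xlsx
2024-03-12T00:03:44,jsmith,FS-01,write,\\FS-01\Clients\Acme\term_sheet.xlsx
2024-03-12T09:15:00,mlee,FS-01,read,\\FS-01\Clients\Beta\engagement.pdf
2024-03-12T14:20:00,rgarcia,WS-22,dns,update-check.example
"""

# "Unique identifiers of the infection" recorded during the malware playbook
# (constructed): a dropper filename and the domain it contacted. Kept in
# lower case so matching is case-insensitive.
IOCS = {"invoice_0311.pdf.exe", "update-check.example"}

BUSINESS_HOURS = range(7, 19)  # assumed; adjust to the firm's working day


def parse_events(text):
    """Parse the CSV export into dicts with a real datetime in 'time'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def review_user_access(events, user):
    """Unauthorized Access: what did the account touch, where, and when?

    Answers the Identification questions (which assets, when did it start)
    and the Containment task (review file audit logs for accessed data).
    Returns None when the account appears nowhere in the export.
    """
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return None
    files = {e["object"] for e in mine if e["action"] in ("read", "write")}
    return {
        "first_seen": min(e["time"] for e in mine).isoformat(),
        "last_seen": max(e["time"] for e in mine).isoformat(),
        "hosts": sorted({e["host"] for e in mine}),
        "files_touched": sorted(files),
        # Activity outside working hours is a common sign that the account,
        # not the employee, was active; it justifies escalating now.
        "after_hours": sum(1 for e in mine if e["time"].hour not in BUSINESS_HOURS),
    }


def match_iocs(events, iocs):
    """Malware Infection: turn the documented indicators into an alert rule.

    Re-running this over the firm's logs finds other hosts that touched the
    same dropper or domain, and the earliest hit dates the infection.
    """
    alerts = []
    for e in events:
        obj = e["object"].lower()
        hit = next((i for i in iocs if i in obj), None)
        if hit:
            alerts.append({"time": e["time"].isoformat(), "host": e["host"],
                           "user": e["user"], "indicator": hit})
    if not alerts:
        return {"alerts": [], "hosts": [], "first_seen": None}
    return {
        "alerts": alerts,
        "hosts": sorted({a["host"] for a in alerts}),
        "first_seen": min(a["time"] for a in alerts),
    }


def evidence_hash(text):
    """Gather and preserve: hash the raw export before anyone filters or edits
    it, so a later reviewer (or counsel) can show it was not altered."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("evidence sha256:", evidence_hash(SAMPLE_LOG))
    print("jsmith access review:", review_user_access(events, "jsmith"))
    print("IOC alerts:", match_iocs(events, IOCS))
```

On the constructed data the access review shows jsmith's account reading client files on FS-01 around midnight, and the indicator rule finds a second workstation (WS-22) that resolved the same domain, which is exactly the case where containment on one PC is not enough. Record the evidence hash in the incident document before the re-image step destroys the original.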
13. Mobile Device Loss

Response Stage: Identification/Investigation
Response Team:
• End-users
• IT Staff
• Security Manager/Committee
Mobile Device Loss:
• Immediate attention is required
• Determine the end user and what kind of device was lost

Response Stage: Containment
Response Team:
• IT Staff
• Security Manager/Committee
Mobile Device Loss:
• Reset the end user's account access
• Remote wipe the lost device (laptop, tablet, smartphone)

Response Stage: Eradication/Recovery
Response Team:
• Forensics Group/IT Staff
• IT Staff
• Security Manager/Committee
Mobile Device Loss:
• Replace the device

Response Stage: Communications/Reporting
Response Team:
• Security Manager/Committee
• Firm Leadership
• Authorities and Insurance
Mobile Device Loss:
• Notifying the Response Team is optional
• Stakeholders should be notified if sensitive information was on the device

Response Stage: Document/Update
Response Team:
• Security Manager/Committee
• IT Staff
Mobile Device Loss:
• Update the asset inventory
• Update the insurance policy if necessary
15. Key Tips
• Get executive and partner buy-in
• Document everything you can BEFORE an incident
• Fully understand your cybersecurity insurance policy
• Know the breach notification laws where you practice
• Write it out, then try it through table-top exercises, make adjustments, and practice it again
• Keep your response fully documented
16. Key Tips
• An incident response plan isn't just an IT matter; it requires people at many levels communicating with one another
• Reduce downtime through quick responses
• Clients and other stakeholders are reassured that the firm takes cybersecurity seriously
17. About Accellis Technology Group
A specialized IT services company providing:
• Managed IT Services
• Cybersecurity & Risk Management
• Software Consulting
• Application Development & Integration
Target market: small to mid-sized firms (5-250 users)
Target verticals: legal, financial and non-profits
20 employees in the Ohio office