Cyberattack Recovery: Easier Than You Think

It’s finally happened. Your firm has been the victim of a cyber attack. Whether it was phishing, malware, or another type of attack, you couldn’t prevent the malicious acts by hackers. What happens next? From movies, articles, and informal discussions with colleagues, you may believe that you can do little or nothing to recover.

Fortunately, that’s almost certainly not the reality. You can take steps before, during and after an attack that will speed recovery and allow your firm to get back to work faster than you may have thought possible.

Planning is the key. With some research and preparation, you and your firm can anticipate an attack. By understanding what causes attacks, along with working to prevent them, you will be able to minimize damage and get the firm back up and running as quickly as possible in the aftermath.

Step 1) Be prepared.

Somewhere in your offices, you most likely have a glass box embedded in the wall. It has a hose or ax in it and says, “Break here for emergencies.” You need the same type of approach for cyber attacks. A cyber attack response plan will plot out what steps to take and what resources you will need to complete those steps. The plan should include contacts, communications, and more.

Your response will depend on the kind of cyberattack that you experience, so you need to understand the different ways that hackers can break into your systems. The most common types of threats include malware, ransomware, and password phishing attacks.

“Malware,” short for malicious software, refers to a range of deliberate attacks against organizations and people. It can include viruses, adware, and other forms of software.

Chili’s was a recent victim of this type of attack. The restaurant company announced in May that it suffered a data breach caused by malware that compromised some patrons’ credit card information. According to Chili’s parent company, Brinker International, “[W]e believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants.”

“Ransomware” (also known as crypto-ransomware) is a type of malware that locks users out of their systems or data until they pay a ransom. In some cases, hackers require users to make online payments to get the decryption key. Law firms aren’t immune from these attacks. Last year, hackers launched a successful ransomware attack on DLA Piper. According to Fortune, it took days for the firm to resume operations.

A “phishing” attack tricks users into opening an email, instant message, or other communication with a malicious link that installs malware on computers and networks. Once the malware is installed, hackers can steal sensitive information. In 2017, Gannett Co. fell victim to a phishing attack that potentially compromised the accounts of 18,000 current and former employees. According to USA Today, which is owned by Gannett, the attack originated in emails to human resources staff.

Once you understand the most likely types of threats, you can form a cyber attack response plan. The essential components include knowing who to involve, which equipment you will need, which vendors to contact, and the names of technical experts who can guide your firm through the situation. Your plan should also involve a checklist that will help you determine if and how to notify clients. With this plan at your fingertips, you won’t be flying blind in the immediate aftermath of a cyber attack.

Step 2) Communicate and contain.

During cyberattacks, the security risks will proliferate within your network. As soon as a firm learns of an attack, it is essential to quickly inform attorneys and staff about what they should and should not do. It’s crucial to avoid the instinct to communicate through email. You may risk significant damage if you rely on email or other networked communications devices, or if attorneys and staff unwittingly share the virus or increase its reach when they log in. To avoid this type of risk, you should create a phone tree or develop the ability to send mass text instructions to everyone at the firm.

Step 3) Call in reinforcements.

If your firm doesn’t have in-house security experts, you need to call one as soon as you learn of the attack. This consultant can help evaluate options, recognize potential outcomes, and execute a recovery plan. Imagine that your firm has been infected with ransomware. The hackers have encrypted the network’s files and will not relinquish the encryption key until you pay up. An IT security expert may know whether the firm can simply roll back to the latest data backup, which will allow attorneys to get back to practicing quickly and negate the need for a ransom.

The critical step is to identify your expert ahead of time. You don’t want to be calling around for recommendations while your systems are under siege, your attorneys are in a panic, and your clients are starting to ask a lot of questions.

Step 4) Evaluate.

Once the firm and its experts have defeated the cyberthreat, it’s time to take a critical look back at the firm’s response. What weak link made the attack possible? What part of the cyber attack response plan worked? How could the firm have responded better? Attorneys, administrators, staff, and outside security experts should be queried about their experiences and asked to provide feedback.

Step 5) Prepare once more.

This step may seem like revisiting your initial plans, but now you can expand and refine your preparations through hard-won experience.

You can be even better prepared for future cyber attacks in several ways, including taking advantage of cloud security. Many firms are putting their entire operations in the cloud, which means they no longer must wrangle with local servers and software updates. It’s critical to find a provider that will improve security, rather than worsen it. To do that, look for cloud providers that offer truly enterprise-level security, which includes compliance with PCI, NIST, and ISO 27001, anti-virus software, automatic software updates, and more. These types of security measures will help to deter hackers.

Another bonus of moving to the cloud is that none of the firm’s data is stored locally. If one laptop or mobile device becomes infected, the threat can be contained, and the cloud environment will still be safe. In this capacity, the cloud safeguards data by preventing the attack from spreading to other users.

The firm should also reevaluate training techniques. Often, cyberthreats occur because of human error: an official-looking email asks recipients to click on a link, a staff member mistakenly visits an infected website, or an attorney enters their password into what looks like a legitimate login site. When the firm invests time and money to train staff and attorneys on warning signs and protocols, it minimizes the chances of future attacks.

Additional security measures can also help. For example, multifactor authentication (MFA) requires additional verification measures and acts as a barrier against attacks. With this approach, users must complete more than one step to access the firm’s project management and other systems. After the first step, the system notifies the user that it is sending a text message, and the code in the text message must be provided before the user can complete logging in. Another example is the use of security questions. If users have trouble logging in, the system will prompt them to answer specific questions they have already provided the answers to. That verifies that the person logging in is who they say they are.


With the prevalence of cyber attacks, you and your firm can no longer plan only to ward off threats. You need to prepare for the eventuality that one will occur. By taking a few steps, you can be ready to respond quickly, minimize damage, and get back to work as soon as possible.

About the Author

Joe Kelly is the founder and CEO of Legal Workspace, a leading provider of cloud-based work environments for law firms.
