1. Realise the risks, plan accordingly
Talk to your IT experts, but also other members of your organisation, to discuss the security measures already in place. Ensure they are adequate. But don’t expect them to prevent every single attack.
2. Be vigilant
Without being paranoid, learn to distrust or at least be wary of unsolicited emails and other communications made directly to you online. If in doubt about the legitimacy of a client’s instructions given via email, call or ask them in person. If it looks too good to be true … Better safe than …
3. Stay educated
Not even experts can easily keep up with the pace of change, but general awareness of current events and trends in the cyber security sphere will help you avoid falling victim to the latest scam.
4. Don’t panic
It’s best once you believe you may have been attacked to tell the authorities. While malware can remain undetected for years, time is still of the essence in identifying a threat, responding to it and recovering. Remain calm, and implement your procedures – you’ve planned for this.
5. If the firm’s trust account has been compromised, tell the bank. Tell your insurer. Tell the police. Let the Law Society know
It might be able to help. And consider informing the agencies mentioned above, such as connectsmart, NetSafe, the ORB, the police and the NCSC. These organisations were established to help protect New Zealand’s information economy.
6. Consider your professional obligations
The Rules of Conduct and Client Care are clear that lawyers must keep clients’ information in confidence. A privacy breach, even one that busts through significant defences, could leave a firm or individual lawyer liable for untold amounts of money and professional negligence claims. Take expert legal advice.
7. Do not admit liability
Consider your insurance policy and how your cover might be affected if you admit fault. There may come a time for apologies and recompense during the final recovery stage. But in the midst of an incident, prudency suggests head-down-mouth-shut is the best approach, at least until you understand what has gone wrong and how it might be resolved.
8. Recover, re-patch security gaps, and re-consider your plan
You’ve survived an attack, relax. Think about what went wrong – inadequate firewalls? Uneducated or imprudent staff? Lack of clear policy? Fix it. Get expert advice. Ask the government and non-profits for help. Accept that cyber risks are just a pitfall of the digital age that all online organisations must deal with. Whether a firm survives or dies depends as much on the response and recovery effort as it does on the sophistication of an attack.
IT expert tips from the GCSB and NCSC
The NCSC advises that there are four basic steps that organisations can take to substantially reduce their vulnerability to cyber threats. These are:
- use application white listing to help prevent malicious software and unapproved programs from running;
- patch operating system vulnerabilities;
- patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office; and
- restrict administrative privileges to operating systems and applications based on user duties.
The NCSC also publishes a range of advice for executives and boards on its website at www.ncsc.govt.nz/resources