Posted by Rob Stevenson, CEO and founder of Legal Futures Associate BackupVault
In its 2020 cybersecurity review, the Solicitors Regulation Authority (SRA) found that 75% of law firms have suffered a cyber-attack. And in early August this year, the Law Society updated its guidance on cyber-insurance, warning law firms that due to the amount of sensitive data they hold, they are vulnerable to cyber-attacks and must take steps to protect themselves.
But cyber-attacks are not the only threat to law firms’ data. Incidents like power outages, equipment failures, terrorist attacks and natural disasters all pose a risk to business data and infrastructure.
Preventative measures – such as external back-up, strong passwords and multi-factor authentication, and staff training – are of course essential, but it’s also crucial for law firms to have disaster recovery plans in place.
Should the worst happen, a disaster recovery (DR) plan will help minimise disruption and provide a roadmap for returning to business as usual.
What is a disaster recovery plan?
A DR plan sets out the specific procedures needed to restore your IT infrastructure and business-critical data, and resume operations after an incident. It should form one aspect of a wider business continuity plan, where business continuity (BC) refers to the entire process of getting your business back up and running.
How to build your disaster recovery plan
Conduct a risk assessment. Document all the threats and causes of disaster you can think of and note down how they could affect both your IT infrastructure and any cloud storage you have in place. You should also evaluate the likelihood of each threat affecting you – and if there are any measures you can put in place immediately, you should do so.
Ensure you have a robust data back-up plan. How well your firm recovers from an incident depends largely on how effective your data back-ups are. Having regular encrypted back-ups, ideally on offsite cloud datacentres, will help you determine two important features of your DR plan: recovery point objective and recovery time objective.
Recovery point objective refers to how much data you can afford to lose and will be dictated by the frequency of your back-ups.
For example, if you back up overnight, you’ll only be able to restore data from the last back-up, which may mean losing a whole day’s work. You need to know whether you can afford to lose that much data and if you can’t, you should arrange to back up more frequently.
Recovery time objective refers to how much time you can afford to spend on recovery. When working it out, you’ll need to consider the budget you have available for restoring applications and systems, how much an outage will cost you per hour, and an order of priority for restoring systems.
Identify a DR site. If a disaster requires you to relocate your operations to a different site, you will need to ensure all your critical data can be accessed from the new location.
A DR site can be ‘cold’, ‘warm’, or ‘hot’. A cold site is simply storage for IT systems and any physical back-ups, with no other data available until your DR plan is fully underway. A warm site enables you to access critical IT tools and systems, but not your client data.
A hot site is essentially a replica of your existing set-up, with all the required hardware, software and data that allows you to operate more or less normally. A hot site is more costly in terms of both time and money, but the advantage of establishing a hot site is that it will drastically reduce your downtime.
When considering your DR site, this may be the point at which you decide remote or homeworking is the most practical and affordable course of action.
Document your DR plan. Note down all procedures, processes, timescales, key contacts and their responsibilities in a document, and make sure that document is printed out and stored safely away from your office.
Test your DR plan. It’s vital that you know how well your plan works before a real disaster strikes, so you should test it regularly – at least yearly. You may need to adjust your recovery point and recovery time objectives after you test, as it’s likely the amount of data you’re dealing with will change from year to year.
This may seem like a lot of work and preparation, but it will be invaluable to your business. Look at it in a similar way to paying insurance – you don’t need it every day but those of you who have needed to make a claim will no doubt have been grateful you had insurance to fall back onto.