[BreachExchange] Cyber crime attacks reputations as well as systems

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 25 19:11:55 EDT 2017


https://www.solicitorsjournal.com/comment/201704/cyber-crime-attacks-reputations-well-systems

Ask any in-house PR what they see as the biggest reputational threat for
their law firm and the risk of a cyber attack is likely to feature high up
on their list. Indeed, the very words ‘cyber attack’ are enough to instil
fear in any custodian of a law firm’s reputation. And that fear seems to
be increasingly validated by data which shows such attacks are on the rise.

This year’s NatWest Legal Benchmarking survey generated a few more column
inches than usual because of its findings on cyber crime. It shows that one
in four of 269 law firms have fallen victim to cyber attacks. Larger firms
have been most affected, with 36 per cent of London outfits having suffered
at the hands of cyber criminals. PwC’s 2016 Law Firms Survey reported that
73 of the top 100 firms experienced an attack during the last financial
year, up from 62 in 2014/15.

The fact that law firms hold valuable data about high-profile organisations
and individuals – as well as large sums of client monies – makes them an
obvious target. This hasn’t escaped the attention of both the Information
Commissioner’s Office and the Solicitors Regulation Authority. Moreover,
from May next year, when the EU’s General Data Protection Regulation is
enforced, all businesses handling EU citizens’ personal data will have just
72 hours to notify data subjects of a breach. This means we are likely to
see more data protection breaches being played out in public, with the
added risk this type of exposure poses to law firms’ reputations.

Apart from the usual risk and compliance procedures firms invest in to try
to prevent and plan for cyber attacks, they also need to think carefully
about how they communicate in the wake of an attack or a data breach. Here
are some of the steps we advise firms to undertake when devising reputation
management plans around cyber risks:

Create communications protocols detailing how you respond in the wake of a
cyber attack. They should include internal and external communications with
identified spokespeople and a chain of command for escalating enquiries,
together with scripts for reception staff;

Map out the various scenarios that could play out in the event of an attack
and, in turn, how each scenario could impact your stakeholders (e.g. staff,
clients, the media). Prepare a Q&A document which rehearses and responds to
the questions each group might ask you;

Prepare reactive media and client statements to have ready to distribute,
if the need should arise; and

Rehearse and revise your communications plans, protocols, and statements in
light of your firm’s risk profile, new legislation, and wider technological
and economic developments.

All the planning in the world won’t prevent these attacks from happening,
as the criminals who perpetrate them become ever more sophisticated.
However, having a suite of information ready to send out in an emergency
means a firm will be much better equipped to communicate effectively during
a crisis situation.

A cyber attack or a data breach can have a profound and negative impact on
a firm’s business. Good communication planning and response in such
situations can at least help to mitigate enduring damage to your
reputation.