'You can never 100% avoid this' - DLA Piper hack highlights new imperatives for law firms
Experts discuss the actions firms need to take on cybersecurity in the wake of the DLA attack
June 29, 2017 at 09:31 AM
"What firms are still getting to grips with is the preparation – what to do when it happens," says Bird & Bird's joint international commercial head Simon Shooter of the cyber attack that crippled DLA Piper's systems earlier this week.
"In the same way you have planned operation procedures for a fire in the office, you should have your 'speed dial response unit' [in the event of an attack], including PR consultants to deal with external and internal messaging," he adds.
With malware attacks now becoming more prevalent, experts argue that while law firms and companies clearly need to take all possible steps to avoid an attack, it is almost impossible to guarantee that they will never fall victim.
This reality means firms need to place as much emphasis on responding to an attack such as this week's incident – which also affected a host of companies including advertising giant WPP, pharma company Merck and the Ukrainian central bank – as they do on prevention.
Steve Hill, previously deputy director of the UK government's national security secretariat, now a visiting senior fellow at King's College London, explains: "You can minimise the risk of being vulnerable by doing basic cyber hygiene, but you can never 100% avoid this. It's a fact of digital life that these attacks can happen – it is about contingency planning and making sure you are prepared for the day when the attack does happen."
Peter Church, a counsel in Linklaters' technology team, comments: "If you are looking at cyber security you need to think about technical, organisational and supply chain measures. In relation to each of them you need to make sure you are taking appropriate measures to protect yourself.
"However, it is incredibly difficult. If you think about the perimeter of organisations – the castle walls around them – it's a very long perimeter, and it only takes a little gap for the walls to be breached with potentially devastating consequences."
On what all firms need to be thinking about in the wake of this latest attack, Kysen PR's Clare Rodway says: "The classic response is a disaster recovery plan. This basically means thinking of potential disasters before they happen and planning your response while everything is calm, and when you know that all the people you need to help you plan will be around to give their input. For smaller firms that have less sophisticated in-house support teams, this may not be as obvious to them."
So, assuming all preventative technology measures have already been taken, and that staff have been given the right training to minimise human vulnerability to attack, what does continuity planning for a large-scale intrusion look like?
Firstly, firms need to know the cyber security companies and agencies that will help them manage a crisis.
DLA Piper, which confirmed that it took down systems including phone and email as a precaution after its advance-warning system detected suspicious activity in its network, is working with external forensic experts and law enforcement agencies including the FBI and the UK's National Crime Agency to recover from the attack and establish its source.
Firms need to ensure they have tested how attacks would penetrate their systems and, as a result of this week's attack, which may have been caused by an update on third-party software, will also have to pay more attention to such software in future.
"There are reports that one source of the attack is an infected update from a software vendor," says Church, who adds: "It is difficult to protect against this type of attack. Some updates will go through a formal change process that might detect and stop the virus, but not all software updates will."
The technological aspects are only a small part of the challenges that DLA will have been facing and that others need to prepare for.
The message a firm puts out internally and externally about the impact of the attack, how it is being dealt with and the potential impact for clients is every bit as crucial. A serious cyber attack is potentially as damaging to brand and reputation as it is to systems.
"[Victims] need to involve their communications teams," says Hill. "Their CEO, their management, their GC and all of the stakeholders beyond the technology team – in order to make sure they manage potential reputational damage."
Jon McLeod, chairman, corporate, financial and public affairs UK at Weber Shandwick, says speed of communication is critical. "Don't sit on it – move as early as possible to communicate the issue."
However, Gus Sellitto, the co-founder of PR agency Byfield, warns that those affected should not feel too rushed into a response.
"You need to give as much reassurance as can be given, but DLA shouldn't panic into a response. It is important not to have an information vacuum, but also important to not give news until you know the scale of the situation. [People at the firm] need to get together and assess what that risk is, and then start communicating."
"A chain of command then needs to be established – we need to see a face put to the name, with a managing partner coming out and making assurances about the IT security. They have international offices they need to coordinate, so they need to have a number of strong spokespeople."
But will even the best-laid plans mitigate the risk of longer-term reputational damage? DLA is about to find out, but at this point many in the market believe that with so many high-profile attacks taking place, the firm is unlikely to suffer too much in the longer term.
Indeed, while some joke that DLA should have paid more attention to the nine-step cybersecurity guide it published in the wake of last month's WannaCry attack, others argue its position as a go-to adviser on cyber security may actually be enhanced by the crisis in the longer term.
"It is particularly ironic that it has happened to DLA, which is extremely highly regarded as a firm providing advice in dealing with cyber attacks," says McLeod. "I'm sure they will want to take their own advice on critical steps and they should know exactly how to deal with it, which should be of great comfort to the market. They will be able to speak from real experience – people know it is tough, and all of us operate on systems that are open to the world."
"The risk is that the media forgets that [DLA and the other companies affected] are the victims and portrays them as being negligent and at fault," adds Hill. "They need to make sure they have not been negligent so they can firmly rebuke that narrative. People need to understand that it is a fact of modern life that there will be cyber attacks."
"It is the dark side of moving to a digital commerce economy, and at the moment we are struggling to keep up with adversaries who are working with agility and at pace."
As Shooter concludes: "People are looking for a 'holy grail' technology that gives you safety from cyber attacks – that doesn't exist, and is unlikely to ever exist."