Why DLA Piper should serve as a warning to all law firms
At this point, almost everyone in legal technology should be aware of the recent global cyberattack known as “Petya.” In particular, they should be acutely aware of the fact that one of the world’s largest law firms, DLA Piper, was a target.
DLA Piper is a multi-billion-dollar firm with one of the most impressive – and expansive – client rosters anywhere, including more than half of the Fortune 250 and almost half of the FTSE 350 or their subsidiaries.
The attack, which occurred on June 27, is believed to have originated in the Ukraine and, according to security analysts and western intelligence officials, is “the work of a hostile state, possibly Russia.” Its impact was so severe that more than a week later, the firm was apparently still struggling to recover with “employees’ access to emails and documents severely curtailed,” according to the Financial Times.
Ironically, the firm has a reputation for expertise in cybersecurity, so the attack should serve as a stern warning: If an organization of this size, scope and expertise can struggle to rebound from a cyberattack, it can happen to anyone. Law firms of all sizes and specialties should examine DLA Piper’s response and consider what lessons can be learned.
From the outset, it was clear that DLA Piper was prepared to launch a concerted response in case of emergencies. Immediately after the attack, the firm issued a statement saying its advanced-warning system had detected suspicious activity on its network. The statement also noted the firm had contacted “leading external forensic experts and relevant authorities.” DLA Piper also shut down all digital operations in its offices around the world.
The result? The firm was forced to rely on text messaging, phone calls and – curiously – a good old-fashioned white board to communicate with its workforce, which includes 3,600 lawyers in 40 countries.
This is not the only incident of a major company resorting to dated means of communication in response to the Petya attack. Maersk, the global shipping company, reverted to technology from the 1990s to manage its operations after the attack.
As part of its ongoing response, DLA Piper began issuing a series of statements – regularly updated via its website – offering information on the current status of its responses to the crisis as well as contact information for concerned customers and curious media.
As the last year has made abundantly clear, we are now embroiled in a level of cybercrime that was previously unheard of. State-sponsored actors with the intention of targeting everything from healthcare systems and travel operations to national elections are launching successful, large-scale attacks with alarming regularity. And if the governments of the world – armed with the greatest minds and resources – are ill-equipped to prevent such attacks, then we can hardly expect individual companies to be able to do so.
So, what can we, and law firms in particular, do to prepare? We can focus on our response – what a firm can and should do when faced with an attack.
To the credit of DLA Piper, it clearly had an incident response plan in place, including: a text-alert system so it could communicate with employees in the absence of email, immediate outreach to external experts and relevant authorities to understand the scope of the problem, and consistent communication to its customers (and media) throughout the process. Even the white board communication was useful, in spite of providing tongue-in-cheek fodder for Twitter. At least someone had the foresight to realize that not everyone reads their text messages in a timely manner!
In carrying out these basic measures, DLA Piper remained in control of the narrative. It was telling the story of this cyberattack and its impact on the firm.
But the fact remains that the lack of document access for several days will undoubtedly have had an impact on the firm’s bottom line and its client relationships.
The Petya cyberattack affected hundreds of thousands of companies and government entities in more than 60 countries. While DLA Piper did have an office based in the Ukraine, so too did many other law firms who were not targeted. The rule of cyberattacks is that there is no rule – your firm could be a target for specific malicious reasons or just as a by-product of a larger-scale attack.
Either way, it’s no longer a matter of determining if your firm will be a victim of a cyberattack, but when. Put your crisis communications plan in place today. Do you have a text-alert system for employees if email is no longer an option? Who in your firm is the go-to leader in the event of an attack? What protocols should employees follow? When and how should you communicate to customers and the media? What is your contingency plan in the event you cannot access documents online for a temporary period?
Cyberattacks are a product of our time. Most companies have detailed plans in place for responding in the event their office building catches fire or they are the victim of a break-in. The specter of a cyberattack should be no different.