Hub - Business Continuity

12th September 2016

Business Continuity – 6 Questions You Should Know the Answers To

Turn back the clockLaw firms hold a mass of valuable client data and funds, all of which make them a very attractive target for criminals. As the number of cyber-attacks increase, firms are increasingly at risk of a breach. And it isn’t just cyber-crime that can result in data being lost or compromised. There’s the risk of physical damage to servers, lost equipment that’s not adequately protected and even human error which could cause system disruption and failure.

The reality is, at some point, it is probable that your firm will be subject to a data breach – if you haven’t been already. Beyond the initial loss of data and funds, there is the risk of fines and the reputational damage which can be significant.  Therefore, the plans and policies you have in place to protect your data are essential to your chances of recovery.


When thinking about breach recovery, you need to know the answers to the following 6 questions:

  • How long can you afford to be offline?
  • What is the cost of downtime per hour?
  • Can you roll back the clock?
  • How much data/work will be lost?
  • How do you action the roll back?
  • Has this been proven through testing?


If you can’t answer these questions, then you need to take time to consider the impact of a breach on your firm and the potential costs. If you don’t know the answers to questions 3-6, then check with your IT Department or supplier to be reassured that they have the answers and that these meet your firm’s expectations and needs. It’s vital to also test plans, to make sure that the plans and policies you have in place are fit for a real-life scenario.


When it comes to testing your plan, here are our recommendations:

  • Test for ‘worst case scenario’
  • An annual, all server shut down, should be the minimum test you undertake
  • A half-hearted test will not satisfy the above and it should not satisfy the business – always test for the worst case scenario
  • Include a representative test group
  • Junior and senior staff should be included in testing the firm’s resilience to disruption
  • Ensure the test is realistic to build confidence in your business and in your staff
  • Measure how quickly law firms return to ‘business as usual’ – and adapt if necessary
  • Test how well you meet your Recovery Time Objective (RTO) – the amount of time lost that your business can potentially sustain
  • When disaster strikes, being able to easily open and find crucial documents can make the difference between a few hours in lost fees or days, as well as keeping reputations intact


Having strong policies and plans in place isn’t just about protecting your firm from the ‘what if’ and it isn’t something that firms should take lightly. Increasingly, panels and clients are asking for evidence of the plans you have in place and asking firms to demonstrate their ability to prevent and recover from data breaches.  Good disaster recovery provision has been a real differentiator for firms and our customers have testified to the advantage this has provided over their competition.


For more information on Cyber-Security, Disaster Recovery and Business Continuity, please contact or call 0345 872 4400.


News: CTS warns law firms about Klepto Zepto – a new ransomware variant


Article: Guidance for law firms reviewing email and cybercrime security

The latest from CTS