Cyber-Attacks: Is It Really Not If You Will Be Attacked, But When? is my new column in the Oklahoma Bar Journal.

This is a sobering subject, but it is critical for all law firms to appreciate this idea in their risk management practices. It is a bit hard to accept that it may be impossible to have such bulletproof cyber security that you can be absolutely confident you will never be breached. After all, I’m fairly certain our country’s intelligence services had some Skull and crossbones high level experts working on their security and they have suffered spectacular  breaches.  In hindsight, this article’s title perhaps should have been “Manage Cyber-Attacks: Is It Really Not If You Will Be Compromised, But When?”

We have fallible, and sometimes corruptible, human beings working with our technology systems. Computer code is vastly more complex. There are more openings. Think of the difference between fighting crime in a small town with one stop light and a large urban metropolis with high rise buildings, subway systems, subterranean sewers and other complex infrastructure.  Coders are going to write new code. Some of it will have unintended consequences and open up new security risks. And that new employee may not appreciate all of the dangers lurking in her inbox.

So does that mean give up? Game over?

Of course not, we cannot give up on security measures. We need to have good cyber-security infrastructure,  practices and training. But there will be dangers appearing online that haven’t been invented yet.

Today, a large part of good security practices includes creating Incident Response Plans and other recovery techniques. If you do not have an IRP, it is time to create one. This is unpleasant to consider and easy to procrastinate for the same reason so many people put off creating an estate plan. But this is just as important.

In the column, I take the reader through a couple of scenarios to give some examples of planning. Firms can get help with IRP’s from professionals, but each plan should be unique because the assets you have to respond are unique. I tried not to make this too threatening, but I have been on the phone with lawyers who had no plan and now have a network frozen by some malware. Planning is better!