Major IT failure can be fatal
Information is the lifeblood of all law firms – so a serious disaster or major IT failure can prove operationally fatal. From natural disasters to criminals in both the physical and online world, the range of risks that all businesses face is fierce.
This calls for robust plans that can be activated, if hopefully never needed. But law firms need to know the detail of what they are dealing with as precisely as possible to prevent a problem escalating into serious reputational damage – as cost-effectively as possible.
“The IT department’s under a great deal of pressure from partners to safeguard productivity, but often with little resource or understanding of how risks and costs stack up,” says Peter Groucutt, managing director of Databarracks (recently named a legal sector disaster recovery ‘niche player’ in Gartner’s Magic Quadrant analysis). “They’re responsible for implementing reactive disaster recovery plans, but they also need to be designing and managing proactive responses to emerging risks.”
All businesses face threats like fire, but Groucutt also cites the ransomware CryptoLocker, which poses as seemingly innocuous email attachments to spread infection. It’s a good example of how something with the power to take a law firm down might not even be on management’s radar, as nobody’s even heard of it yet.
A key issue is that a major crisis now has the power to bring down a complexly connected group of systems, perhaps for an unpredictable period of time.
“As channels change and multiply, tracking information grows more complex,” says Groucutt. “Today’s practice and customer relationship management systems are integrated with many other ways for lawyers to collaborate – and multiple automation tools are driving up productivity.”
Firms need to know people can access data from all those pools at exactly the right time to progress cases, come hell or high water.
“It’s an age where questions demand quick replies – and law firms face much more competition providing them,” says Groucutt. “So if they can clearly demonstrate that the right lawyers will always be in front of the right information when they need it – for the shortest possible time – that capability can win them work and be a differentiator.”
Counting the costs
Information downtime and security must therefore be accurately and strategically costed. Law was once an industry in which such risk was relatively straightforward to calculate – whereas for other businesses it was a far more elusive quantity.
“If you take a hedge fund or alternative investment management house, it’s really hard to say what an hour, day or week of downtime is worth. It can depend on the particular hour, or even minute, something hits,” says Groucutt. “It’s hard to measure the extent of your risk exposure as a major trade is about to be processed, for example.”
The main reason law firms had it easier was the predictable billable hour model. You could essentially estimate that the loss of billings over a certain period amounted to a particular cost.
“There were still the ‘softer’ costs of reputation and client satisfaction risk. But unless you were at the climax of a really critical transaction for a client, longer-term reputation damage wouldn’t set in until after a week or so.”
Now that clients are after more transparent costs via fixed fees and other bespoke pricing alternatives, it’s actually harder for the firms to assess how much they ultimately stand to lose from a period of downtime.
Maintaining availability of systems also needs several options in place. Different risks need different solutions to get things back up and running again. Replication of systems to a secondary site will protect your data against flood or fire damage, but a cyber threat can lie dormant for weeks, so the offsite location can also be infected, and in that case you’ll need to recover data from backups.
“With CryptoLocker, lots of people with very resilient disaster-recovery plans were still hit very hard. They took action but the ransomware lay dormant,” says Groucutt.
“Other threats aren’t answered by activating the same solutions, either. If you lose a time-critical client email, that’s a backup problem. You wouldn’t fail a firm over for 15 minutes so they can have an email back, because that’ll cost more in terms of other time lost.
“By the same token, the loss of an entire server isn’t a restore problem. By the time you’ve restored all the data, too much time will have passed.”
Firms need the right set of tools for each job – and that means resources to understand the interplay of different elements. They also need a strategic approach to disaster recovery – building the cost of short and longer-term risks, plus the savings gained through protection, clearly into the business plan.