Law Society Provides Guidance On What To Do If Your Firm’s Website Is Hacked
A new report by the Law Society of England and Wales has looked into the issue of website hacking. Highlighting that website-related attacks remain in the top three categories of the most commonly reported cyber breaches, the report includes some pertinent advice on how to protect your practice.
As well as looking at the steps legal firms can take to stop an attack from happening in the first place, the document also makes some valuable recommendations about what to do if a hack has already occurred.
Evaluate the situation
According to the experts, one of the first things you should do on discovering that your firm’s website has been hacked is to “investigate, confirm and understand the extent of the hack”. Crucially, don’t panic and delete any files, as that could make the situation worse.
If your firm has invested in a website hacker protection service, the report asserts that you should have an early lead on the escalating situation. Indeed, according to the advice, where such protections exist, warnings provided by the monitoring service could buy you the necessary time to establish a plan of action before the hack accelerates into a crisis.
Where your IT team is not able to diagnose and fix the website, an expert service provider such as a website hack cleaning service should be able to help. If there is any doubt, it is always worth bringing in the experts.
If your website holds personally identifiable information (e.g. client data via contact forms etc.), then you must establish if this has been accessed. If a notifiable breach has occurred, then under the GDPR you will need to notify the ICO and any other affected parties. A failure to respond correctly and promptly could make a bad situation even worse.
Decide whether you need to take the website offline
If the severity of the attack warrants it, the report suggests that it might be best to take the website down to minimise any further reputational damage. The guidance from the Law Society also advocates having an ‘under maintenance page’ ready to go. This would mean that, in such situations, you won’t lose valuable time creating one.
Keep the channels of communication open
The report also recommends letting your client-facing team members know about the situation as quickly as possible. This will help them to handle any questions from confused clients proactively. It is a good idea to draft a set of Q&As to cover off any queries.
Back up your site
Your website should be backed up regularly as a matter of course. However, if an attack happens and you don’t have a backup plan in place, contact your hosting provider as a matter of urgency. They can take an instant backup and inform you as to when this last happened. Backing up your website is a vital step if you want to protect your data as much as possible.
Finally, the report also emphasises the importance of a post-hack review once the dust settles. Only by understanding what happened, how it happened, the success of the response, and the impact of the attack can you say that lessons have been learned and reduce the likelihood of a similar attack happening in future.