Risk Mitigation: What In-House Counsel Need To Know About Ransomware
According to the Wall Street Journal, ransomware attacks quadrupled in the early part of 2016 with an average of 4,000 per day. Any company that collects, stores or relies upon sensitive financial or other data is a target. In addition, from a cyber-criminal’s perspective, the larger the company the more likely the company has the resources to pay a ransom. Last year, the Federal Financial Institutions Examination Council (FFIEC) issued an alert detailing the increasing frequency and severity of extortion cyber-attacks, including ransomware. Given this growing threat, it is important that in-house counsel understand what ransomware is, how to prevent infection, and what to put in place now to deal with future security incidents.
What is Ransomware?
Ransomware is a type of malicious software – known as malware – that infects a computer or network and restricts access. Ransomware attempts to extort money from victims by alerting the user that their files have been encrypted. The cyber-criminal then demands that a ransom be paid to restore access. The consequences of ransomware include:
How are computers and networks infected?
Like most malware, ransomware is typically spread through phishing emails that contain malicious attachments. There are also reports of “drive-by” ransomware infections which occur when an employee unknowingly visits an infected website and malware is downloaded and installed without their knowledge.
Should I pay the ransom?
No. While payment of the ransom is tempting given the low amounts (less than $1,500) often requested by attackers, payment does not address the underlying security vulnerability that may allow the attacker to implement a subsequent ransomware attack. Additionally, payment encourages the attacker to do it again. Instead, retain a security forensic firm to help you identify and remediate the malicious ransomware files and restore your system with a secure backup file.
What two things can my company put in place now to protect its computer and network from ransomware?
Training –The first line of defense against a ransomware infection is a well-trained workforce. Employees should be trained to identify potentially suspicious emails. In addition, policies should be put in place and employees should be trained regarding the types of websites appropriate to visit in the workplace, and the signs that a seemingly safe website may in fact be a repository for malware.
Update Software– The most basic structural protection against infection is to maintain up-to-date anti-virus software and ensure that your operating system and any other software is updated with the latest security patches.
What threethings can my company do now to mitigate risk and prepare for a ransomware infection?
Incident Response Plan – Companies and their in-house team should have a plan in place to deal with a data security incident. The team that prepares the plan should be led by outside counsel (to maximize potentially applicable privileges) and include key stakeholders from information security, operations, compliance, legal, marketing, and HR. As part of this process, companies should pre-engage outside vendors such as security forensic firms, credit monitoring services, and call center/mailing services. A tabletop exercise is a good way to test your plan on an annual basis.
Data Back-Up and Testing – Companies should perform regular back-ups of all critical information. This will limit the impact of data or system loss and will help expedite the recovery process. Segregate back-ups from the network in multiple places including a file server, a local hard disk, a cloud based backup and/or a remote access center. Further, to minimize the risk of disruption, test back-ups on a regular basis to confirm that the data is restorable with full functionality of the replicated network systems.
Compromise Assessment – Every company with sensitive data should retain an outside security firm, at the direction of counsel, to perform a compromise assessment. These assessments allow the company to know whether they are, have recently been, or are about to be the victim of a cyberattack. The average time from when a hacker penetrates your system to when your information is exfiltrated is 209 days. A compromise assessment minimizes this risk.
Need additional Information?
The FFIEC website (www.ffiec.gov/cybersecurity.htm) has informative reference materials, including a useful cybersecurity assessment tool.
Info on Authors
Dan Rohner and Camila Tobon are attorneys in the Denver office of Shook, Hardy & Bacon LLP, and are members of Shook’s Privacy and Data Security Team. Dan is a commercial litigator that has represented corporations and financial institutions for nearly 20 years. Camila is the Director of the firm’s International Data Privacy Task Force and assists clients in developing and managing privacy programs.