Ransomware attacks: What in-house counsel of at-risk companies need to know
Ransomware attacks are up over 148%. The average ransom is now $200,000 to $300,000 — with demands exceeding $10,000,000 — and afflicted businesses are down an average of 21 days whether they pay the ransom or not. To make matters worse, bad actors are getting more sophisticated, looking for new ways to gain access.
The good news is, there are things you can do now as in-house counsel to help your company prepare for and limit, or even prevent, a ransomware attack.
What is a ransomware attack?
A ransomware attack involves the installation of malware onto an individual’s computer or the computer systems of a business. The software provides the attacker with access and control of certain — or all — of the information in the system. The bad guys then encrypt the data so it is inaccessible to users unless the business pays a ransom for the encryption key.
Imagine everyone at your business logging on to their work email or document management tool tomorrow and finding a message that everything is unavailable until the attacker gets $1,000,000 within 48 hours — and if the ransom is not paid, the information will be destroyed or released to the public.
How do they get in?
There are several ways that ransomware attack software can get installed on your company’s systems and devices. Ransomware attackers use social engineering tricks, weak passwords, software gaps, and powerful computers to get their malware installed on your company’s machines. Sometimes there are “holes” in software that an attacker can exploit unless they are quickly and consistently patched.
Other times, the attacker is able to hack an employee’s account — usually because the employee had an easy-to-guess password and failed to use two-factor authentication. But the easiest way to gain access is to simply trick an employee into clicking on a link in an ad or an email, where that link — once clicked — installs the malware that gives the bad guys the access they need.
How to prevent a ransomware breach?
Have a plan. Crisis planning is critical to dealing with a ransomware attack. You need a written plan that lays out the key actions the company must take in the event of an attack; a step-by-step guide setting out what the company needs to do to get the right things done at the right time and in the right order, including:
- A set agenda for the team meetings so critical areas are covered each and every time.
- The names and contact information of the internal team you will bring together in the event of an attack.
- The name and contact at your cyber insurer.
- The names and contact information of the outside team, including outside counsel, forensic computer experts, public relations, etc.
- Contact information for law enforcement.
- A list of needed communications and templates for messaging to employees, the board of directors, outside media, etc.; be sensitive to attorney-client privilege and work product issues.
- A plan to shut down and isolate affected systems.
- A review of contractual obligations to customers and vendors.
- A plan to review and deal with any breach of personal data.
- A remediation and post-mortem review process.
As with any crisis plan, it is important to test it at least once yearly via a tabletop exercise.
Training is your best defense
When it comes to cybersecurity, your weakest point is your employee base. There are just too many ways the bad guys can trick virtually anyone into clicking on malware or giving up their passwords. Once this occurs, it’s off to the races and bad things are coming. This means that training your employee base about cyber risks — and how to avoid them — is your most effective and least costly way to avoid a ransomware attack.
Here are some basics on what to watch out for:
- The email contains a link and demands instant action.
- The grammar is “off” and the tone of the email seems odd.
- The email is asking for action involving passwords or bank account information.
- There is an attachment that contains an odd extension, like “.exe,” which means some type of program will run when you open it.
- The email address of the sender looks legitimate, but on closer inspection, you see they are using numbers in place of letters, or the domain is something odd for a business contact, like “gmail.com” or “outlook.com.”
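The warning signs above can be turned into an automated first-pass triage so that messages carrying several of them are held for review before anyone has the chance to click. The script below is an added illustration written for this article, not a product or a rule set from any vendor: the urgency and credential word lists, the risky-extension set, the digit-for-letter map, and the three sample messages are all constructed assumptions. Tone and grammar, the softer signs in the list, are left to the human reviewer.

```python
import os
import re
from dataclasses import dataclass, field

# Assumed heuristic lists for this example; tune them to your own mail traffic.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "act now", "right away")
SENSITIVE_WORDS = ("password", "bank account", "wire transfer", "routing number")
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".hta"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Digits commonly substituted for look-alike letters (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b).
DIGIT_TO_LETTER = str.maketrans("0134578", "oleastb")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def normalize_lookalike(domain: str) -> str:
    """Undo digit-for-letter swaps so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(DIGIT_TO_LETTER)


def phishing_indicators(msg: Email, company_domain: str) -> list[str]:
    """Return the list of warning signs present in one message (empty list = none found)."""
    hits = []
    text = f"{msg.subject}\n{msg.body}".lower()

    # Sign 1: a link combined with a demand for instant action.
    has_link = re.search(r"https?://|www\.", text) is not None
    if has_link and any(w in text for w in URGENCY_WORDS):
        hits.append("link_with_urgency")

    # Sign 3: the message asks for passwords or banking details.
    if any(w in text for w in SENSITIVE_WORDS):
        hits.append("requests_credentials_or_banking")

    # Sign 4: an attachment whose final extension means "a program will run".
    for name in msg.attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            hits.append(f"executable_attachment:{name}")

    # Sign 5: free-mail domain, or a look-alike of the company's own domain.
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        hits.append(f"free_mail_domain:{domain}")
    elif domain != company_domain and normalize_lookalike(domain) == company_domain:
        hits.append(f"lookalike_domain:{domain}")
    return hits


# Constructed sample messages; 'example.com' stands in for the company's real domain.
SAMPLE_EMAILS = [
    Email("it-helpdesk@examp1e.com", "URGENT: verify your password",
          "Your mailbox is full. Reset immediately at http://examp1e.com/reset"),
    Email("cfo@example.com", "Q3 numbers",
          "Attached are the slides for Thursday.", ["q3.pptx"]),
    Email("accounts@gmail.com", "Invoice",
          "Please open the attached invoice.", ["invoice.pdf.exe"]),
]


def triage(company_domain: str = "example.com") -> dict[str, list[str]]:
    """Map each sample sender to the warning signs found in its message."""
    return {m.sender: phishing_indicators(m, company_domain) for m in SAMPLE_EMAILS}


if __name__ == "__main__":
    for sender, signs in triage().items():
        print(f"{sender}: {'; '.join(signs) if signs else 'no indicators'}")
```

A message with two or more indicators is a reasonable candidate for quarantine; a single hit (a legitimate vendor who uses a free-mail address, say) is better surfaced to the recipient as a warning than blocked outright, so the rule does not train staff to ignore it.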
Given the cost, cyber risk insurance that covers such attacks is a must. The really helpful thing about ransomware insurance is that, besides paying for any ransom, the policy typically provides professionals with the expertise needed to deal with an attack. One call to your insurer launches a team of professionals with the experience you need when it feels like the sky is falling.
Ransomware is a technology problem, so there are, of course, technological solutions to help reduce the risk:
- Back it up. The most effective way to thwart ransomware attacks is to consistently back up critical data to a separate location.
- Encryption. Encrypting data — at rest and in transit — can single-handedly defeat a ransomware attack because the data that is stolen is useless to the attacker without the encryption key, which only you hold.
- VPN. A virtual private network (VPN) is a cost-effective way to prevent the theft of your data. The VPN creates a “tunnel” for your data whereby your IP address is hidden and a secure and encrypted connection is created.
- Multi-factor authentication. Multi-factor authentication (MFA) can save the day if the bad guys hack or guess your password. With MFA the password alone is not enough: you must also have a second item — for example, your smartphone — to complete the login.
- Label emails from outside the organization. Most business email systems can automatically tag every incoming message from outside the organization with a banner or subject-line label, so employees can see at a glance that a message did not originate internally.
- Anti-malware software/patches. All businesses should have industrial-quality anti-malware software installed on their information systems and on the laptops of all employees. Likewise, as patches are released to fix problems in software, businesses need a systematic way to force updates onto the devices used by employees. Following the NIST security standards is an excellent way for businesses to deal with technical solutions.
- Password hygiene. Anyone can create strong passwords by simply making them long with a mix of numbers, symbols, and letters — this makes guessing or cracking them far less likely. The longer your password, the harder it is to crack. Nonsensical phrases that are easy to remember but difficult to guess are the most effective; for example, “FrootkaKe38%!” is tough to crack but easy to remember. Require long passwords with such a mix that must be changed every 60 to 90 days.
- Testing. Your information security team should engage in monitoring, regular penetration testing, and other testing on a weekly basis to determine whether someone has gotten into your information systems. The worst damage is done when the attacker has months of undetected time in your systems.
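One concrete monitoring check behind the "Testing" and "Back it up" points is to look for files that have been turned into ciphertext: a file-encrypting payload leaves behind documents whose bytes look random, often with a new extension appended, and a backup verification job can flag such files before they are copied over good copies. The script below is an added example for this article, not the article's own or any product's code; the entropy threshold, the placeholder ".locked"/".enc" extensions, the compressed-format skip list, and the sample file tree it builds in a temporary directory are all constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions for this example: bits-per-byte above this reads as encrypted or random,
# the extensions below are placeholders for whatever a given payload appends, and
# legitimately compressed formats are skipped because they are also high-entropy.
ENTROPY_THRESHOLD = 7.5
SUSPICIOUS_EXTENSIONS = {".locked", ".enc"}
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}
MIN_BYTES = 256  # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant file, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root: Path) -> list[str]:
    """Return root-relative paths of files that look encrypted, sorted for stable output."""
    flagged = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in SUSPICIOUS_EXTENSIONS:
            flagged.append(path.relative_to(root).as_posix())
            continue
        if ext in COMPRESSED_EXTENSIONS:
            continue  # expected to be high-entropy; not evidence on its own
        data = path.read_bytes()
        if len(data) >= MIN_BYTES and shannon_entropy(data) > ENTROPY_THRESHOLD:
            flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree: ordinary documents, one archive, and two encrypted-looking files."""
    (root / "reports").mkdir()
    (root / "reports" / "q3.txt").write_text("quarterly revenue by region\n" * 40)
    (root / "reports" / "notes.md").write_text("# meeting notes\n- renew cyber policy\n" * 20)
    (root / "photos.zip").write_bytes(os.urandom(2048))            # high entropy, but expected
    (root / "reports" / "q2.txt.locked").write_bytes(os.urandom(2048))  # appended extension
    (root / "payroll.xlsx").write_bytes(os.urandom(2048))           # name kept, contents replaced


def run_demo() -> list[str]:
    """Build the sample tree in a temp directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return suspicious_files(root)


if __name__ == "__main__":
    for rel in run_demo():
        print("suspicious:", rel)
```

Pointing this at a file share on a schedule, and at the staging area of the backup job, gives an early signal that something is rewriting documents; a sudden rise in the count from one run to the next is the more useful alarm than any single file.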
This is an incredibly scary problem. The absolute worst thing you can do as in-house counsel is put your head in the sand and hope it doesn’t happen to your company. Hope is not a strategy.