[BreachExchange] Preparing for Ransomware Attacks: Your Company Is a Target

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 6 18:53:58 EDT 2017


http://www.corpcounsel.com/id=1202782779554/Preparing-for-Ransomware-Attacks-Your-Company-Is-a-Target?mcode=1202617073467&curindex=1&curpage=ALL


The U.S. Department of Justice has reported that an average of 4,000
ransomware attacks occur in the United States each day. According to the
Federal Bureau of Investigation, U.S.-based ransomware victims reported
more than $209 million in losses in the first three months of 2016 alone.
Given the potential legal and financial consequences of such an attack,
in-house legal teams are well-served to build an understanding of what
ransomware attacks are, what preparations can minimize the impact of an
attack, and how to respond when an attack occurs.

As the name implies, the goal of a ransomware attack is to hold a company's
vital data hostage through the use of malware installed on the company's
systems until the company pays to release that information. The malware
encrypts the targeted data, generally preventing anyone other than the
attacker from accessing the information until the company accedes to the
attacker's demands.

Hackers use a variety of creative means to introduce malware to a company's
computer systems, including:

• Phishing attacks, which use seemingly legitimate email messages to lure
employees into providing login credentials or clicking on a link that
installs ransomware directly, or installs a keylogger or other malware that
is later used to introduce ransomware into the computer system.

• Physical ploys, such as impersonating an employee or authorized guest to
gain access to a building and thereby a computer. Hackers also may "plant"
a malware-laden thumb-drive on company grounds, hoping a well-intentioned
employee connects the drive to a computer.

The availability of relatively anonymous digital cryptocurrencies, such as
Bitcoin, facilitates fast and remote payment from the attacker's
often-desperate victims with minimal likelihood of the hacker's detection.

Although a company may see no recourse but to pay the ransom, doing so does
not guarantee that the hacker will unlock the encrypted data or that the
hacker will not have corrupted, altered or sold the data already. Paying a
ransom also can encourage future attacks on the victimized company and may
embolden the hacker to launch similar assaults on others.

Like any significant cyber incident, a successful ransomware attack can
give rise to an increasingly broad array of legal, regulatory and financial
impacts. To determine the root cause of the incident, sometimes-arduous
internal investigations into the victim company's policies and operations
are a given. Class actions and related litigation from affected individuals
are real possibilities. Following particularly significant cyber incidents,
publicly-traded companies face the prospect of shareholder litigation.
Victim companies also may find themselves subject to investigations and
potential enforcement actions under various overlapping federal and state
privacy regulations, including those enforced by the U.S. Federal Trade
Commission (FTC) and the U.S. Department of Health and Human Services
(HHS). Additional information on ransomware is available from several
federal agencies, including the FTC, HHS and the U.S. Department of Homeland
Security (DHS).

9 Steps to Getting Prepared

As sophisticated hacking schemes continue to evolve, well-constructed data
management and information governance strategies can help mitigate the
impact of such attacks. Planning ahead is essential, and legal teams should
consider the following when assessing their companies' readiness:

1. Coordination between the company's legal, security and IT teams to
conduct periodic cyberrisk audits to identify any areas of weakness,
ranging from vulnerability to external penetration to susceptibility to
insider actions. Companies may consult third-party professionals to
supplement their in-house expertise in conducting these assessments.

2. Cross-functional coordination between legal and other
departments—including IT, security, communications and business
operations—to develop, codify and train personnel on a comprehensive data
breach response plan with clearly-assigned responsibilities.

3. Among other things, this plan should consider best practices on how to
engage with law enforcement and regulators following a breach or other
cyber incident. Because these communications are often sensitive and can
impact future litigation and regulatory investigations, the legal team may
want to engage in such communications through experienced outside counsel.

4. Evaluation by the legal, IT, security and human resources departments of
sources of ransomware risk, education of personnel on common strategies
employed by hackers and implementation of basic supporting mechanisms, such
as training personnel on how to avoid phishing techniques and whom to alert
if they observe suspicious activity.

5. Development of a mature information governance program to inform
stakeholders of the scope and location of valuable information stores. This
information governance program frequently includes a defensible disposal
strategy that tiers or eliminates the retention of data that is not needed
for company operations, to minimize the scope of data potentially at risk
in any compromise.

6. Maintenance of proper computer system hygiene, including the
implementation of regular system and application updates to avoid exposure
to malware through outdated, unsupported or improperly patched software.

7. Implementation of robust data backup systems, including systems that
segregate backups from other company systems. If properly segregated, these
backups can remain insulated from malware encryption and can facilitate
restoration of data.

8. Installation of mechanisms for quick system restoration from backups
when required. The ability to restore information quickly may eliminate any
need to pay the attacker's ransom and minimize the potential for collateral
damage from data unavailability.

9. Regular policy and procedure reviews and updates to incorporate lessons
learned and to stay abreast of current trends.
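Steps 7 and 8 above call for backups that are segregated from production and for the ability to restore from them quickly. The Python script below is an added example, not part of the original article or of this mailing-list post. It assumes backups are plain file trees accompanied by a SHA-256 manifest recorded at backup time, and the directory names and file contents in demo() are constructed for the demonstration. It restores a backup into a scratch directory and checks every file against the manifest, so a restore drill fails loudly when the backup itself has been reached and rewritten (the case segregation is meant to prevent) instead of silently restoring ciphertext or a ransom note into production.

```python
"""Restore drill with manifest verification (added example, not from the article).

Assumptions: each backup is a directory tree, and a SHA-256 manifest of its
files was written when the backup was taken and kept with it on the
segregated backup system. Sample files below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, forward-slash path) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.

    Three findings matter in a ransomware scenario: files whose content
    changed (rewritten with ciphertext), files that vanished, and files that
    appeared (ransom notes). Each is reported separately.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_drill(backup: Path, manifest: dict, scratch: Path) -> dict:
    """Restore into a scratch directory, never production, then verify."""
    if scratch.exists():
        shutil.rmtree(scratch)
    shutil.copytree(backup, scratch)
    return verify_tree(scratch, manifest)


def demo() -> dict:
    """Constructed scenario: a clean backup passes, a tampered one is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "readme.txt").write_text("quarterly close\n")

        manifest = build_manifest(live)  # recorded when the backup is taken
        backup = tmp / "backup"
        shutil.copytree(live, backup)
        clean = restore_drill(backup, manifest, tmp / "scratch_clean")

        # Simulate ransomware that reached a non-segregated backup: one file
        # is overwritten with stand-in ciphertext and a ransom note is dropped.
        (backup / "finance" / "ledger.csv").write_bytes(bytes(range(64)))
        (backup / "README_DECRYPT.txt").write_text("pay us\n")
        tampered = restore_drill(backup, manifest, tmp / "scratch_tampered")

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see both outcomes. The check is only as good as the manifest: if the manifest sits on the same system the malware reached, it can be rewritten along with the data, which is the practical reason the article's step 7 insists on segregating backups (offline or write-once storage) rather than merely copying them to another server.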

No defense is airtight, but these strategies can help organizations prepare
to respond, should a ransomware attack occur.