With ransomware attacks on the rise, partner Gina Greenwood recently met with members of the Georgia Chapter of the Association of Corporate Counsel (ACC Georgia) to share her lessons from the trenches. Along with co-panelists Brett Anderson, chief operating officer of Tracepoint Forensics, and Bennett L. Cox, general counsel of the University of Tennessee Medical Center, Greenwood urged attendees to take steps now to prevent and prepare for attacks in order to reduce risks to their company brand and data.
Of the key points discussed at the event, Greenwood emphasized that a multi-layered security approach remains essential. She urged attendees to consider robust strategies, yet to focus on employee education and the development of practical policies, procedures and plans to ensure successful outcomes. Greenwood further commended the tireless work of IT professionals to avoid and mitigate the ever-increasing onslaught of attacks, and the panelists agreed attendees should keep their boards abreast of these activities to maintain a productive and understanding relationship.
Ransomware is a threat to companies across industry sectors. Data and operational systems are often the most valuable assets of a company. Companies are often forced to resolve cyber attacks with payments as high as $50 million to $70 million and still are unable to avoid the loss of sensitive proprietary and consumer data.
Threat actors are launching attacks more frequently, as seen in the Colonial Pipeline and numerous other headliner events. The threat actors are targeting multi-service providers and outside vendors that provide services and products to other companies and consumers downstream, and the threat actors commonly exfiltrate data, crippling large numbers of businesses and consumers with one attack.
I recently had the privilege of discussing ways to prevent and manage these incidents at a continuing legal education event at Truist Park before an Atlanta Braves game. It was part of an event Nelson Mullins sponsors each year with the Georgia Chapter of the Association of Corporate Counsel.
Before about 70 attorney attendees, Greg Heller, the Braves’ General Counsel, gave a wonderful keynote address, and then I joined two experts in a panel discussion on ransomware attacks. My co-panelists were Brett Anderson, the COO of Tracepoint Forensics and Incident Response; and Bennett L. Cox, the General Counsel of the University of Tennessee Medical Center.
Here are some of the more important points that were made:
Ransomware attacks are not necessarily inevitable. There are many steps an organization can take to prevent and prepare for attacks in order to reduce risks to the company brand and data.
Security should be a multi-layered approach and should include robust, and yet practical, policies and procedures, incident response plans, disaster recovery plans, endpoint monitoring, encryption, and multi-factor authentication – among other protections that we often find are lacking. Employee education should also be an area of focus.
Think Before You Click
Companies are spending millions of dollars to monitor their computer systems to prevent cyberattacks, but often forget to educate their employees on basic concepts for preventing threat actors from accessing the IT environment. Credential harvesting scams that appear to require the employee to change a password are an easy way to trick an employee into giving away a password — allowing unauthorized outside access into a company’s IT systems. Scammers also have perfected phishing emails that appear to be legitimate messages regarding package deliveries, telephone messages, file sharing, invoices, etc. When an employee clicks on a link within the phishing email or a document attached to a malicious email, the employee in essence has opened the door to the threat actor and undermined their employer’s sophisticated IT defenses.
The lesson learned is that companies need to devote more resources to educating employees on how to spot these lures.
Educate Your Board Before an Attack
Cybersecurity systems are blocking millions of attacks quietly every day, but boards of directors may not realize how often and to what degree their company’s IT systems are under siege. It is important to educate the board before an attack so that if an attack succeeds, board members won’t be surprised and make out-of-context judgments or rash, uninformed decisions about the company’s cybersecurity weaknesses. Utilize outside professionals to explain the risk and help obtain the funding needed to support the IT staff and infrastructure.
Know Where the Family Jewels Are Hidden and Hide Them Well
Data mapping is a compliance requirement in many jurisdictions, and yet, most companies do not have an updated inventory and map of where essential data is stored. Some attacks only affect certain servers or parts of a company’s infrastructure. A solid data map will help a company quickly assess whether key data has been accessed or exfiltrated in the event of an attack.
More sophisticated IT security programs go so far as to take steps such as using artificial intelligence technology and storing sensitive data and essential intellectual property (e.g., manufacturing formulas or other key information) using a code name for the file to make it more challenging for threat actors to find the valuable data.
Cyber professionals can guide companies on the best-kept secrets for protecting data, and they highly recommend that companies run tabletops led by these attorneys or IT professionals to test the response systems the company has in place.
What to Expect If an Attack Happens
If an attack succeeds, the victim company can expect data will likely be exfiltrated, some or all of its data will be encrypted, and a significant demand for payment in exchange for decryption keys and a list of files that were taken will be made. Some laws require measures be taken to mitigate the damage, and it is essential to work with skilled professionals to understand the process and not make a legal or public relations misstep in the handling of an attack, in communications with staff and the outside world, and/or in notifying affected consumers and regulators (if required by law).
If the company has cyber insurance, know what the policy requires and allows. Ideally, the company should seek to retain trusted, experienced legal counsel and forensic providers. It is important to build a relationship pre-event and to ensure that trusted, experienced counsel is added to the company’s cyber policy (if not already approved by the carrier) so that these professionals can render services under attorney–client privilege in the event of an attack.
Ransomware threat actors are particularly scary – especially those backed by foreign governments and other well-funded supporters. Some are also erratic and will surprise you. Less sophisticated or lesser known attackers are often the most dangerous, because it is harder to predict whether they will follow through with threats — or promises. Odd reports of attackers saying that talks would have to resume after their Christmas holidays and reports of criminal groups disappearing in the middle of negotiations do nothing to help alleviate concerns.
It is critical to follow federal laws and guidelines and to work with experienced cyber legal counsel and forensic providers to be able to gain intel on the threat actor’s propensities prior to making a ransom payment and prior to taking any steps in the event of an attack. Knowledge is power and the best hope for survival of any company under attack.