Surge in Ransomware Attacks Demands Vigilance
By Jon Goldberg
Last year’s massive disruption from the pandemic and the resulting shift to work-from-home arrangements left organizations more exposed than ever to another kind of infection: the sinister virus of ransomware, a malicious computer software that encrypts a victim’s information and holds it hostage until a ransom is paid.
Set off when someone inside a company clicks a link in a fraudulent email message, ransomware can paralyze an entire organization. The growing threat generates billions of dollars in payments to cybercriminals every year.
According to Boston-based cybersecurity firm Recorded Future, in 2020 U.S. companies endured 65,000 attacks in which cybercriminals held their data hostage.
Payments to organized-crime groups in Eastern Europe and elsewhere that are behind most of these attacks rose by 300 percent last year, despite the mounting pressure that law enforcement and national security authorities have placed on companies not to meet the extortionists’ demands.
To prepare for these increasingly sophisticated cyber-threats, mitigate the damage when attacks occur and deal with lawsuits and other lingering fallout after systems and data are restored, companies today need experience and expertise beyond that of their usual crisis teams. To better prepare your company for cyberattacks, consider these six points:
Build a dedicated cyber-crisis team.
The first step in strengthening a company’s cyber defenses is to build a team with the necessary skills to simultaneously defend the organization’s systems, reputation, customer relationships and its legal and financial interests.
In addition to IT, operations, finance, HR and crisis and reputation management counsel, the team needs members with expertise in computer-systems architecture, data security and forensics who can identify the source and scope of a breach. Other members of the cyber-crisis team should be expert in insurance, to identify potential sources of coverage for cyber risks under existing policies and ensure that the company is adequately protected; and in privacy law, to ensure the company complies with the tangle of federal and state laws that a breach of sensitive consumer data can cause.
Assembling this extended team, getting it ready and placed on speed-dial before it’s needed will save precious time should a ransomware attack occur.
Make important decisions in advance.
When ransomware attacks first started in the late 1980s, the perpetrators simply encrypted a company’s data and then demanded payment for a key to unscramble it.
Today, beyond encrypting data and holding it hostage, a typical attack can involve multiple levels of extortion, such as threatening to expose customer data on the dark web, overwhelming company networks and servers with traffic to wreak further havoc, and even contacting customers and investors to embarrass the company and increase the pressure to pay.
While law enforcement and other experts strongly advise against paying ransom, the decision rests with the company and possibly its insurance carriers. Executives should agree in advance on the circumstances that would justify payment — such as risk to human life, evidence that criminals possess and might release sensitive data, or situations in which the potential consequences of not paying would conflict with the company’s values.
Have a ‘plan C.’
Companies should also consider how an attack on their IT infrastructure could quickly upend their established crisis plans, procedures and lines of communication. To ensure that executives and crisis-team members can still communicate safely if the company’s email servers are compromised, it’s a good idea to set up dedicated communication channels ahead of time in a secure messaging app.
Likewise, companies should maintain up-to-date backups of their crisis plans, protocols and materials in a secure, off-site location, completely isolated from company servers and networks. While using a third-party platform to store such documents in the cloud may seem like a good option, it takes only one login from a company computer or network to expose the crisis plans themselves to harm.
Understand legal, communications priorities.
To avoid liability landmines when responding to a ransomware attack, an organization should scrutinize everything it says and does ahead of time. For example, a preapproved media statement that refers to an attack as “cyberterrorism” could cause an insurance company to deny claims if the policy lacks coverage for terrorism.
Bringing a company’s lawyers and communications experts together before a crisis strikes will help balance legal and reputational priorities should an attack occur. Each side needs to understand how the other prioritizes the complex array of risks that a cyberattack presents — and what success looks like through the other side’s lens.
If a company’s legal and communications teams meet for the first time when an attack is already underway, the stress of the crisis will only increase.
Since most ransomware attacks start when an employee unwittingly clicks a link in a spam email, a company’s workers are its first line of defense. Companies protect themselves when they encourage employees to pause and look carefully for potential warning signs of phishing emails and other malicious messages before opening them.
It also helps to distribute regular updates to employees about the latest methods of deception that cybercriminals are using. This communication keeps employees on their toes and reminds them of the crucial role they play in protecting the company, its customers and other stakeholders from harm. To test whether employees can spot suspicious messages, companies might periodically send them simulated phishing emails and see how they respond.
Conduct regular drills.
Along with helping employees recognize suspicious email, companies can use tabletop crisis exercises to familiarize executives with different ransomware scenarios. Such exercises force company leaders to think through the myriad technical, operational and reputational questions they would confront in an actual crisis.
The best-prepared companies conduct comprehensive, live cyber-crisis drills at least once a year. This training helps put people, processes and technology through their paces under conditions of escalating stress, while keeping crisis plans and teams at peak readiness.
Consider these tips to prepare your organization for cyberattacks:
• Create a cyber-crisis team
• Make key decisions in advance
• Familiarize employees with cyber scenarios