Authors: Jodi Wildeman, K.C., Kristél Kriel, Nathan Schissel
What is a ransomware attack?
Ransomware is software designed to lock or encrypt an organization’s system or data. Ransomware typically spreads through sophisticated “phishing emails,” which trick users to interact with infected emails, and/or through server or software vulnerabilities without user interaction. Once a system or data is exposed, the ransomware encrypts the system or information on the system, and requires users to pay a ransom by a specified deadline in exchange for access to the system and/or data.
Why all the fuss?
Ransomware creates real and significant risks to organizations. These risks were recently demonstrated by a global ransomware attack which infected and shut down hundreds of thousands of computers across the world.
The attack was caused by ransomware commonly known as “WannaCry” which, among other things, infected systems through malicious email attachments, and then spread through network drives by exploiting a Windows vulnerability. Once systems were infected, WannaCry encrypted data and demanded a ransom be paid by a specified deadline.
If having an organization’s system or data encrypted for a ransom is not troublesome enough, there is a real risk that paying the ransom will not remove the ransomware, and/or that the attack will be repeated on an infected system or data.
Further, even if data is recovered and further attacks are thwarted, the negative impact of a cyberattack on an organization’s assets, operations, reputation and relations, and the associated financial loss, regulatory consequences and potential liability, can be devastating.
How can organizations prepare?
Fortunately, there are a number of steps that organizations can take to minimize the chance of, and mitigate the risks associated with, a successful ransomware attack. In particular, organizations should take the following 10 steps to prepare for a ransomware attack:
- Assess and Address the Risks: The world of cyber security moves very fast, and organizations should identify and assess potential cyber security risks to and gaps in their IT systems on an ongoing basis, including by assessing what and where their most valuable information is, and then by appropriately addressing risks to that information.
- Implement Safeguards: There are a number of technical and operational safeguards that organizations can implement including, among other things, keeping operating systems and software up-to-date, installing security patches and updates as soon as they are available, installing appropriate firewalls and malware protection, incorporating appropriate administrative access controls, and implementing appropriate policies and procedures including monitoring, intrusion-detection, white knight hacking and audits.
- Make a Plan: Organizations can substantially decrease the negative consequences of a ransomware attack by preparing and regularly reviewing appropriate and customized incident response and business continuity plans that assist organizations to take appropriate steps in response to such attacks in a timely manner.
- Make a Back-Up Plan: Organizations should ensure appropriate back-ups are made of critical information, including back-ups which are performed at regular intervals and which involve the storage of information at a location not accessible by a ransomware attack.
- Do Your Due Diligence: Organizations should ensure appropriate due diligence is conducted on – and ensure that appropriate contractual protections are in place with – service providers that have access to the organization’s IT systems.
- Inform Your Users: A critical step in preparing for ransomware attacks is to implement training and awareness programs so that users are informed about cyber security risks, do not subject an organization’s IT systems and data to unnecessary risks, and appropriately respond to attacks.
- Get Insurance: There are a number of insurance options available to organizations to provide some financial protection against the various risks and liabilities associated with ransomware attacks.
- Get the Right Help at the Right Time: In addition to obtaining executive buy-in and working with internal security, IT and legal teams, there are a range of external advisers, consultants, investigators, coaches and products available to help organizations preparing for or responding to a ransomware attack.
- Respond Appropriately: If (or, as some experts say, “when”) a ransomware attack happens, it is important for organizations to follow the plans that have put in place. It will also be important for organizations to consider and meet any mandatory breach reporting and record keeping obligations.
- Be Ready for Litigation: There are various steps organizations can take to ensure that appropriate legal privileges are engaged, particularly during the investigation of a ransomware attack, to assist the organization in the event that the ransomware attack leads to litigation.
These steps should be incorporated by organizations into a customized cyber security program, which should then be reviewed, tested and updated on an ongoing basis to appropriately reflect the changing threat landscape. Organizations may wish to work with experienced legal counsel to assist them with any of the foregoing steps.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.