Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
The scope of WannaCry changed our perceptions of ransomware attacks. Until May 12, 2017, the more highly publicized ransomware incidents were localized targets impacting only one or a small number of businesses. WannaCry made it clear that ransomware could reach a broad cross-section of computers worldwide, at essentially the same time.
While there have been some indications that WannaCry originated in North Korea, nothing is conclusive yet, and investigations into the attack continue. Regardless of its origins, WannaCry focused the world's attention on cyber-attacks as a potential threat to everyone, not just large companies with highly valuable data. Responses to the attack around the world varied in their success recovering data, but funding in the bitcoin wallets designated to receive the ransoms indicates that only a small percentage of victims paid the ransom, even with the relatively modest demand of $300.
WannaCry was indiscriminate in its victims, affecting health care organizations, international corporations, governmental organizations, companies and individuals. WannaCry impacted more than 300,000 computers in more than 150 countries, causing countless hours of business shutdowns and IT time trying to restore the damaged systems. Despite the scope of the attack, the overall impact was relatively minor compared with the potential damage that could result from a more sophisticated attack. The attack did not result in the loss of personal data, which could have caused the social and financial costs of this attack to skyrocket.
Experts agree that the WannaCry code was sloppy, making it easier to detect and stop than the newer, more sophisticated malware that is being seen in the industry. In addition, the sloppiness in the code facilitated the accidental discovery of a kill switch that dramatically slowed the spread of the ransomware. The code's disorder may also have reduced the number of victims who tried paying the ransom because there was wide speculation that the code did not contain the functionality to release the encrypted files after payment.
While disconcerting, compared with the possible damages that could have occurred, most were lucky — this time. Now, many are hyper-focused on what to do to avoid being a victim of the next attack. These efforts reinforce the fact that it is impossible to guarantee that a system is fully secure, and highlights the idea that solid software, network and computer controls and maintenance would have protected most systems from falling victim to WannaCry.
Larger organizations devote extensive budgetary and personnel resources to cybersecurity efforts, but not everyone has the ability, or the need, to engage on that level. In the absence of a regulated industry, such as health care, that spells out the obligations for cybersecurity for those doing business in the industry, businesses should assess the data they maintain, determine its value and vulnerability and then select reasonable protections to secure the data.
Key elements of any data security protocol include:
The development and implementation of all materials in each of these categories is expensive and time-consuming, but for those not in the regulated fields that need cost- effective data security, it is possible to exercise a reasonable standard of care without breaking the bank. The key in all aspects of this effort is to identify the most critical data and focus the efforts toward more protection for this data.
Assess the Data
Not all of that data needs to be stored in impenetrable vaults requiring a dozen credentials for access, so the first step is to review all the different types of data the business retains and determine which is most important. Once the data is ranked according to risk levels, the attack methods likely to be used to target each category of data should be considered, and then the best methods for detecting and mitigating such attacks should be identified. There are many products and techniques available to detect, block and mitigate the attacks. Selection of the types of products and services are best discussed with a technical expert, but strong, up-to-date virus protection should be one of the components. These considerations shape the rest of the data security efforts.
Throughout the process of developing the security protocols, the reasonableness of the procedures should be considered along with the necessity of keeping the data secure without undermining its accessibility for business purposes.
Analyze the System
Knowing where each type of data is located within the company's system ensures that time is not wasted figuring out what data has been impacted when an incident occurs. These records of the system architecture are living documents that must be updated each time changes are made to the system. This documentation does not have to be highly technical, and the form of the records is not as important as properly documenting the nature of the data and its locations.
Because prompt responses are critical for limiting damages resulting from an incident, understanding where each type of data resides, which data was impacted by the incident, and which data is the highest priority to protect or recover, allows the response effort to be prioritized appropriately. This information can result in significant saving by limiting damages, but it costs very little to develop.
Vendors
Companies that have third parties manage parts of their computer and storage systems must have a listing of all such vendors with contact information (both during and after business hours), and that list should indicate what part of the system/data each vendor manages.
Today, vendor contracts, particularly software and system maintenance and support agreements, are often drafted to provide rules for what each party must do in the event of an incident. While there is often a perception that including this detail in the agreement may extend the contract negotiation process, taking the time to specify those rights and responsibilities can save significant time and expense in the event of an incident.
In addition, it is important to keep in mind that certain vendors may need expanded access to a system following an incident. Setting up the basic terms of an engagement for assistance responding to an incident, including confidentiality obligations, whether as part of the primary services agreement or as a separate agreement, is key to allowing the identification, containment and remediation efforts to move as quickly as possible in the event of an incident.
Update/Patch
The single action that would have best prevented businesses from being victims of WannaCry is patching software. Cyber-criminals and nation state actors regularly seek to exploit security weaknesses and/or bugs in software, and by not taking the time to patch software as patches become available, businesses leave the door open for the hackers to attack. If businesses maintain their systems internally, they should have standard procedures for evaluating all new patches, developing a business appropriate strategy for applying the patch, and a communication protocol to ensure the patching is properly completed.
For those using third parties to manage their software, it is important to ensure that software maintenance and service contracts include access to such updates or patches, specify who is responsible for applying the update, and state a time frame for completion after a patch is released. While it can take a little time to coordinate everything necessary to implement a patch in a large or even mid-sized organization, it should be done as soon as possible, giving appropriate consideration to the balance between taking the time to implement the patch with the risks of waiting and leaving the door open for a cyber-intruder.
Plans and Procedures
Security plans and procedures should be implemented, but this is more about establishing a culture of security throughout the organization than it is about having hundreds of pages of policies and procedures. Balancing the cost of the efforts to develop these policies against the cost of not having the policies is critical in this category. In order to minimize costs of these efforts, once again, the focus must be on the most critical data and what steps must be taken and documented in order to protect that data. Businesses may, and should, choose to implement different protocols for different types of data, but it is also important to limit the different policies and procedures to a manageable level.
Rather than leaving the data at risk, the decision should be made to put security procedures in place. When deciding on such procedures, consideration should be given to segregation of data, access to information, remote access to information, required authentication, and physical access to the data.
Each company's policies and procedures should be at least somewhat different, depending on the nature of its operations and the types of data it maintains. Identifying pre-existing policies and procedures can be good starting points for this documentation, but it is of little value if they are not reviewed and customized for the organization's systems.
Regardless of the type(s) of data, once draft policies and procedures are developed, the organization should evaluate the interaction of those policies and procedures in conjunction with the existing business procedures. If the security procedures do not work with the business objectives or unreasonably limit access to the data, adjustments should be made.
To be effective, the security plans and procedures must become part of the organization's day-to-day operations, and all personnel must internalize the importance of complying with such procedures.
Incident Response Plans
All organizations can benefit from some type of incident response plan. This does not mean that every organization needs a 100-plus page document detailing every element of what will be done in the event of a data security incident, but it does mean that some basic documentation to guide the response to an incident is helpful. The most important objective is having everything that will be needed to respond to an incident in the same place and accessible when it is needed to all who need it.
Key items to include in the plan are:
While an incident response plan can certainly include a lot of additional information, if nothing else, having this basic information handy will help the organization stay on the right path and work together without issue in the event of an incident.
Depending on the size of the business, the incident response team may include: the information technology manager, chief information officer (CIO) or chief information security officer (CISO) (or all of them); legal counsel (internal and external); human resource manager; operations manager; communications personnel; forensic consultants; and anyone else appropriate for the particular business.
One or more of the team members should have responsibility for regularly updating and reporting to senior management and the Board of Directors, where one exists. It is helpful to talk to those individuals in advance and include in the plan a description of how and when those groups want to be notified.
For example, incidents may be divided into different levels based on how critical they are, and senior management may only be notified if the incident rises to a certain level. There may also be a different level of criticality that triggers notification to the Board. These determinations are a balance between the need to inform management and the need to avoid over-communicating every time something might constitute an incident. Clearly defining what constitutes an incident also helps facilitate communications during a response.
An incident response plan with the items identified above is relatively easy to establish, and the smaller the organization, the less it usually costs to develop the plan to this point. For those investing more in an incident response plan, it is helpful to create (or find and customize) a checklist for documenting an incident and the steps that are taken by the team once an incident is identified. Combined with this tracking system, a checklist of items to investigate and assess during the identification and containment phases of the response can be very helpful. These items help ensure that necessary evidence is preserved even while efforts are underway to identify, contain and remediate the cause.
In general, a more basic incident response plan that is updated regularly and reviewed and practiced for understanding can be far more valuable than a lengthy document created once and placed on the shelf and not touched again until an incident. The quick actions of a response team can go a long way toward mitigating damages from an attack, and a well-rehearsed incident response plan expedites actions in the event of a breach and facilitates thoughtful, coordinated decision making both internally and with vendors.
Training
Because the very large majority of cyber-incidents involve some element of human error, it is critical to invest resources in training personnel to identify suspicious emails, websites, links or behaviors. There are vendors providing this type of training at all different price points, and the wide range of options makes it very easy to implement such training. If even the lower-cost vendors are out of the price range or formal training, or it does not make sense given the size of the organization, there are materials freely available online that can be used to train personnel.
Assigning one or more members of the organization to review such materials and provide an overview of recommendations during a scheduled meeting or circulate links to key materials is better than nothing. The chances of human error can be minimized but can never be eliminated, and therefore, training should be ongoing. From a cultural standpoint, all personnel should be encouraged to understand that there is a balance between ease of access to information, the usability of that information and securing it. The organization must make certain choices for the security of its information; however, personnel who understand the reasons for the security measures and the limitations placed on access to the data are more likely to comply with, and not circumvent, such measures and limitations.
Continuing Improvement Plans
As many businesses are doing in the wake of WannaCry, conducting a “lessons learned” session at the end of any incident is critical to ensure the business is better prepared for the next attack. The business should assess: what was well handled in the response; what could have been done better; what, if anything, completely failed; and how additional training, changes to the systems, updates to the incident response plans, or other actions can improve future responses. Once this analysis is completed, all plans and documentation should be updated as appropriate so the organization is ready for the next incident.
Why Do All of These Things Matter?
The cost of remediating a breach is much greater and much more detrimental to the health of a business than the cost of any of these measures, no matter how expensive they may seem at the time. Hundreds of thousands of dollars –€” and even more –€” can be spent investigating an incident and covering directly related costs, such as the cost of reporting a breach, but that is not the greatest risk to most businesses. When an incident of this nature is reported, consumers are likely to lose faith in the business and may take their business elsewhere. For most businesses, the loss of market share is significantly more important than the direct costs incurred from the breach.
WannaCry upped the public awareness of potential consequences from a ransomware or other cyber-attack targeting more than a single organization. Everyone must be cognizant of the risks and the fact that deciding not to do anything about cybersecurity is itself a decision to place one's business at greater risk. Simple steps can go a long way toward protecting an organization, and for most businesses those can be implemented and managed in a cost-effective manner that reflects the size of the business and the nature of the data.
It would be nice if we could confidently say that future cyber-attacks will be prevented or that measures are in place to ensure such attacks will not impact businesses, but WannaCry made it clear that all businesses and individuals (and all computing devices, including computers, servers, networks, mobile devices and computer enabled things) are at risk from the right attack. Accepting that fact and learning to work within the new risk profile is going to be part of business operations for the foreseeable future, but it is a risk that can be managed.
***** India E. Vincent leads the Cybersecurity Practice at Burr & Forman, where she is a partner in the firm's Birmingham, AL, office. She may be reached at 205-458-5284 or [email protected].
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
What Law Firms Need to Know Before Trusting AI Systems with Confidential Information In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.