March 2021
There has been no shortage of ransomware reports and data breaches affecting companies from all sectors all over the world, accelerated in part during 2020 as the COVID-19 pandemic caused a mass move to remote work and many organizations raced to accommodate the new normal. The City of Albany was hit with a ransomware attack in which hackers demanded cryptocurrency as payment to recover encrypted files. Jackson County, Ga. paid a $400K ransomware payment to hackers after the breach kept prison guards from being able to remotely open prison cells. At the end of 2020, T-Mobile announced a data breach in which its cybersecurity team had discovered and shut down malicious, unauthorized access to some information related to T-Mobile accounts. Reported phishing scams impersonating FedEx, UPS and Amazon skyrocketed during the holiday shopping boom. The U.S. Energy Department and National Nuclear Security Administration were reportedly hacked when threat actors accessed their networks as part of a major cyber-espionage operation that affected many U.S. federal agencies. Huntsville City Schools in Alabama closed for a week amid a cyberbreach, and Baltimore schools also closed due to a “catastrophic” ransomware attack earlier in 2020. These examples are just the tip of the iceberg, as major cyberbreaches and ransomware attacks are being reported in every sector of business and organization, public and private.
In particular, phishing scams and ransomware scams are on an upward trend in terms of incidents reported. Though both types of security incidents have been around for many years, because more people are working remotely due to COVID-19, more sensitive documents are being shared over email and sensitive data may be unprotected in an organization’s network, says Michael Waters, member of the Tech Transactions & Data Privacy group at law firm Polsinelli.
Enterprises and organizations across all sectors can take heed from two lessons learned: one, no one is immune from a data breach, and two, preparing for a potential breach of data is crucial. Fortunately, there are a few steps that organizations can take to prepare when it comes to data protection, say Waters and Bruce Radke, Co-Chair of the Privacy and Cybersecurity practice group at Polsinelli.
“One of the first things organizations should do is recognize that remote workers can pose a security issue and take steps to protect data, such as implementing endpoint monitoring and engaging employees in phishing training,” Waters advises.
Another important mitigation strategy for data privacy protection is taking a look at how an organization is managing the backup of its data. Having a segregated, encrypted backup, along with making sure those backups are uncorrupted and up-to-date, can help organizations recover from an attack more quickly and potentially save them from paying a ransom. “One of the mistakes some organizations make is they want their backups ready in the event of a disruption and they don’t segregate it from the original data,” Waters says. In this case, a threat actor can potentially gain control of both the enterprise’s original data and its backups, leaving no choice but to pay a ransom to recover the data.
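The two backup properties named above, uncorrupted and up-to-date, can be checked mechanically. The following is an added example (not from the article or from Polsinelli): a hash manifest is written when the backup is taken and kept beside the set, and a verification pass later reports any stale, missing or altered files; the file names and age limit are constructed for illustration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Constructed example (not from the article): check that a segregated backup set is
# uncorrupted (every file matches a SHA-256 manifest) and up-to-date (not too old).
def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> Path:
    """Record a hash for every file in the backup set plus the time it was taken."""
    files = {str(p.relative_to(backup_dir)): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = {"created": time.time(), "files": files}
    out = backup_dir.parent / "manifest.json"  # stored beside, not inside, the set
    out.write_text(json.dumps(manifest))
    return out

def verify_backup(backup_dir: Path, manifest_path: Path, max_age_s: float) -> list:
    """Return the list of problems found; an empty list means the backup is usable."""
    problems = []
    manifest = json.loads(manifest_path.read_text())
    if time.time() - manifest["created"] > max_age_s:
        problems.append("stale: backup older than the allowed maximum age")
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:  # hash mismatch: corrupted or tampered
            problems.append(f"corrupted: {rel}")
    return problems

def demo() -> tuple:
    # Constructed sample: a clean backup, then the same set after one file is damaged.
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "payroll.csv").write_text("id,name,salary\n1,alice,1000\n")
        manifest = write_manifest(backup)
        clean = verify_backup(backup, manifest, max_age_s=86400)
        (backup / "payroll.csv").write_bytes(b"\x00" * 16)  # simulate corruption
        tampered = verify_backup(backup, manifest, max_age_s=86400)
        return clean, tampered
```

In practice the manifest itself should live on the segregated copy, so that an attacker with control of the primary data cannot rewrite both the files and their recorded hashes.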
Protection measures aside, organizations need to plan in advance. If security or IT takes the lead role, legal, human resources, communications and other departments need to be in on the strategic planning and tabletop exercises, Waters says. Security or information security may be primarily focused on mitigating the impact of an event and remediating from a technical standpoint. They may not be considering whether the organization needs to reach out to law enforcement or the insurance company, what notification obligations the company has, and whether they will communicate to customers and employees.
“It makes sense to engage in specific incident response planning,” Waters says. He adds that organizations should answer specific questions such as: How can the business carry on if it doesn’t have access to certain data or systems? Would the organization ever pay a ransom, and in what circumstances? If you would make a payment in a certain scenario, how would you make that payment (e.g., through bitcoin, another cryptocurrency or a bank transfer)?
“Given the time crunch of a ransomware incident, incident planning can be tremendously helpful,” Waters says.
It’s important to engage the organization and run various tabletop exercises with different focuses too, Radke says. For example, one ransomware exercise may focus on how the organization would respond to a ransomware matter in a remote environment; another exercise might determine how they would communicate and involve key roles within the company if everyone is working remotely.
After mitigation steps and preparation — or perhaps before mitigation steps and preparation — a critical focus for every risk management leader should be on the data itself. A risk analysis, a best practice for workplace data privacy and indeed required in some sectors such as healthcare, will help organizations identify where sensitive data is residing within the organization, such as certain databases, applications or vendors, and pinpoint the risks associated with holding data in those places.
And the best place to start is by focusing on the applications where the most sensitive data resides within the organization, such as human resources or accounting.
“Then, the team can come up with technical controls to mitigate those risks. It helps an organization allocate time to certain projects and can also help from a liability standpoint if they ever have to deal with potential litigation,” Waters notes. “As you go through application by application, you can give thought to the risks associated with that data and come up with a plan to mitigate that risk.”
For instance, if an organization determines that it has a lot of sensitive data within its email accounts, the organization can look at mitigation factors specific to that risk such as multi-factor authentication or choosing other ways to share sensitive data.
One data privacy trend that Radke is seeing within organizations is data minimization. “We are seeing a lot of risk assessment leaders consider what is needed for regulatory requirements or usefulness, and giving thought to, if and how to, systematically get rid of information that is no longer an asset to the company; because then it is a potential liability. What information is unnecessary or no longer needed should definitely be considered,” he says.
Ultimately, it’s the best practices in terms of risk analysis and incident planning that will best prepare any organization for how to handle data and what to do in the case of a breach. “We can continue to build higher and thicker walls,” Radke says, “but threat actors will continue to get more sophisticated, so it’s the planning, detection and recovery that has to be hand-in-glove with the prevention.”
march 2021 | securitymagazine.com