Featured Roundtable on Cybersecurity | Crain's Chicago Business

Published on August 1st, 2022


What can organizations do to ensure they are prepared for a data security incident?

Bruckman: The best defense for proactively defending against ransomware, or any other cyber threat, is providing proper training to employees and oversight to ensure compliance with policies and procedures which provide administrative safeguards. That said, ransomware attacks are significantly thwarted where the encrypted data is backed up. The off-site backup of data is critical in shifting the leverage back toward the victim of a ransomware attack because it lessens the need for the decryption of data which can otherwise be restored through backups. Partitioning networks across an enterprise to keep the most sensitive data segregated from other users can also be an effective means to thwart the propagation of ransomware across a company's network.

Connelly: To mitigate the risks to IP, companies should consider enacting policies that monitor and audit access to sensitive information in order to identify a potential cyber-attack. Additionally, it may be worth contracting with a vendor management program that specializes in data security. Constant vigilance as to who has access to secure information and how this information is secured remains an integral mitigation strategy. Also, they should frequently change passwords and establish multi-factor verification, in addition to keeping employees aware of current cybercriminal activity.

Sulkin: Best practices for avoiding ransomware threats include use of industry standard security measures to prevent intrusion (multi-factor authentication and rigorous endpoint monitoring), prompt vulnerability remediation and rigorous employee training to help minimize the likelihood of a successful phishing or social-engineering based attack. In addition, having data and applications backed up in alternate, offline locations that can be readily restored to production and will not be impacted by a ransomware attack is critical. With this in place, it may not be necessary to pay the ransom in the first place.

What are some of the must-haves of a good incident-response plan?

Sulkin: It's critical to have a documented incident response plan and to test that incident-response plan regularly, for example, through tabletop exercises. The incident-response plan serves as a step-by-step guide for how a business will address a data security incident, including who will be involved, how the investigation of the incident will be managed, which key decisions need to be made, and how information will flow between key stakeholders at a company. A sound incident-response plan should also consider the unique business practices of the company. For example, certain technologies may require special attention due to operational need or to contain particularly sensitive data. In addition, the incident-response plan must take into account management of internal and external communications such as PR and communications to employees.





Bruckman: A good incident-response plan should include incident-response points of contact (legal, IT, insurance, C-suite, vendors); the location and storage of sensitive data (who, what, where); known applicable regulatory guidelines or statutory laws which prescribe short notification deadlines (CCPA, GDPR); and a strategic process to mitigate damage or the propagation of a cybersecurity incident (network mapping, identification of backups, other computer systems susceptible to infection on common networks).

How can companies stay on top of evolving and new cybersecurity threats?

Connelly: The need to stay "in the know" is imperative. Since risk assessment is paramount in determining the likelihood of a cybersecurity attack, there are several practices based on individualized company evaluations that can help predict potential threats. For example, the FCC provides a cybersecurity planning tool that assists companies in implementing strategies based on specific business needs and activity. Additionally, the Department of Homeland Security offers a self-assessment that can be informative in evaluating a company's operational resilience and effectiveness of cybersecurity procedures. Beyond security evaluations, companies should make use of antivirus software, specifically designed to detect constantly evolving cybersecurity threats and ensure that company devices are equipped with this software and updated frequently. Of course, attending and requiring that employees participate in training surrounding cybersecurity is essential to staying on top of cybersecurity threats.

Bruckman: Companies should go to their data privacy counsel, managed services providers, and cybersecurity IT firms, which are all good sources of information on current cybersecurity trends, campaigns and issues. Google alerts, National Law Review and various online publications are also helpful and offer a wealth of information. Cyber insurance carriers may also offer resources.

Sulkin: Information comes from multiple sources. Third-party providers of monitoring, detection, and threat hunting services provide tremendous insight regarding known attacks. In addition, software companies regularly provide updates and patches in order to address emerging threats or known weaknesses. Timely deployment of these updates and patches is of critical importance. Finally, government and law enforcement agencies release information regarding threats, and this information should be tracked as well.
