Ransomware attacks on high-profile organizations in both the public and private sectors grabbed headlines throughout 2021, but it’s not just high-profile organizations that are the target. Even more common than most people think, ransomware attacks occur globally every 10.2 seconds, according to experts’ estimates. [1] And over 55% are aimed at small businesses. With an average ransom payment of $170,404 plus recovery costs estimated at 10 times the size of the ransom payment, the cost for any company, but especially for a startup, can be devastating. [2]
As ransomware attacks continue to increase in number and hackers become more sophisticated, it’s essential that you take action now to avoid being the next unwitting victim. Here are some steps to increase your company’s line of defense:
1. Buy cyber insurance. Invest in a policy that covers ransomware, wire-fraud spoofing, and anything else your company and insurance broker think might be applicable.
2. Understand what your IT provider is actually providing you. If you outsource all or part of your IT, ask the provider to specify how the contract addresses what happens if you are breached, who is responsible for restoring the systems, notifying affected customers and employees, responding to regulators and regulatory action, defending lawsuits, who pays, what their cyber insurance policy states, and whether you are covered (and have it written down).
3. Understand what your internal IT provides you. If you handle your own IT internally, then ask IT to show you:
- The company’s written data inventory. Maintain documentation of what data the company has, where it is kept, and how old it is. If you don’t know what you have, you cannot protect it or respond in an informed way if it is stolen (or lost).
- The company’s “WISP” or written information security plan. Review the plan to ensure that it covers all of the data on the inventory you just reviewed. Update it periodically, either when a material change occurs or at least yearly.
- The company’s data breach response plan. Know who is doing what, how they are doing it, who to call or how all of it will work. Role play different scenarios via a tabletop exercise to make sure you have thought through the problems.
- The company’s data retention plan. Determine what data you need to keep and for how long. A previous client that you haven’t worked with in many years is going to be upset if you notify them that their data was stolen and is being ransomed. Old data that you are not using is only a liability, not an asset — don’t be a data hoarder.
- The training plan. Create a plan for educating your employees about your data security, including what they need to be aware of, as well as what to do when there is or isn’t a problem (i.e., proactive security and routine security practices).
4. Review your patch log. Regardless of internal or external IT management, ask to see your company’s patch log. Confirm that it is up to date, and if it is not, be sure to put in writing a reasonable explanation and a plan for remediation with a due date. Items that are not patched for a valid reason should then be dealt with, with a “compensating control”, i.e. something that compensates security-wise for the lack of patch. Failing to patch is a consistent theme in data breach.
5. Confer with a privacy or cybersecurity attorney. An attorney who focuses on privacy or cybersecurity can help ensure that you are prepared for any type of cyberattack and that you have taken the necessary precautions to prevent the cyberattack in the first place. Spotting critical issues in advance may save you in the event of a breach.
Ransomware attacks are only expected to increase in the future, so it’s wise to get a strategy in place now to minimize the threat of being held hostage by a crippling attack.
For more about Lowndes’ technology law services and how we can help you achieve your business goals, visit lowndes-law.com.
Founded in Orlando, Florida in 1969, Lowndes is a multi-discipline business law firm. Our attorneys represent corporate, entrepreneurial and individual clients across multiple industries locally, nationally and beyond our borders, from our offices in Florida, and through Meritas, a global alliance of independent law firms.
Drew Sorrell is an attorney and chair of the Data Governance Group at Lowndes. With expertise in technology, cybersecurity and privacy issues, along with an MBA in marketing and finance, he advises CLOs, CIOs, CTOs and technology owners at companies of all sizes in every phase of their legal needs. Reach him at drew.sorrell@lowndes-law.com.
[1] Data from Silikn
[2] Sophos 2021 State of Ransomware