Navigating cybersecurity risk takes on new urgency today
Multi-million-dollar ransom demands. Wire transfer fraud. Massive data theft.
According to Beth Burgin Waller, Chair of the Cybersecurity and Data Privacy law practice at Woods Rogers, “the bad guys are only getting more sophisticated.” Clearly, this fall’s Risk Management and Insurance Program Trends Talk could not have come at a better time. In fact, just as Waller was preparing her presentation, a single compromised password took down the largest fuel pipeline in the U.S.
“Today, it’s no longer old-school ransomware; it’s ransomware 2.0,” she said. “It used to be that cyber criminals would encrypt data in place. It was a pain, but you could usually get to your back-ups. Now they take data off the network as well and either sell it on the dark web or place it on a shame website.”
Meet the Bad Guys
Waller carefully traced the steps taken by today’s “threat actors” — entry; recon; exfiltration; encryption. “First, the criminals just come in and hang out. They look for vulnerability, hiding out on the network. You don’t know they’re there until they take your sensitive data off the network, encrypt it, and leave their contact information. And what you see now is only the tip of the iceberg.”
Ransomware gangs are spread out all over. Even when they are discovered, they simply scatter and regroup. What increases the danger today is that many are PR savvy. Once they steal a company’s data, they take the news to the press, so the company must not only attend to its own internal crisis management but deal with embarrassing negative publicity as well.
Meanwhile, remote workers on home computers pose an added concern for their employers, so multi-factor checks to access company information are recommended to add a layer of safety. Third-party contractors need their own insurance if they are using company data.
Costs involved in data breach incidents can be prohibitive. Based on an actual case involving 40 servers and about 2500 impacted individuals, Waller estimated $35K for PR, $100K for incident response, $50K for forensics and $10K for credit monitoring. Then, of course, the largest cost driver is whether a business pays the ransom demanded. It is clearly worth a significant up-front investment for companies to take the protective measures needed to avoid such a potential financial setback.
So, how to fight back? Many companies have entire departments of cybersecurity experts on staff. Yet Waller cautions it’s good to have a lawyer because attorney/client privilege affords an advantage. Lawyers can help set up a proactive plan to ward off disaster. Right now, the legal landscape is favorable. There are potential laws pending to protect businesses, and a federal law seems likely. At this time, Virginia is one of only three states that have passed data privacy legislation – all of which is a help, but not a guarantee.