In the past months, damaging ransomware attacks have swept across the globe and infected tens of thousands of computers. The hackers transmitted the ransomware via a phishing e-mail, and then, once the user clicked the bait, the hackers used methods thought to have been developed by the United States National Security Agency, and locked businesses out of their systems. The ransomware impacted businesses both large and small, notably including multiple hospitals in Great Britain, forcing them to turn patients away, FedEx, the Russian Interior Ministry and a large Spanish telecommunications company. In the United States, law firms also have been targeted.
In the wake of the attack, affected businesses must focus on damage control and clean-up. Unaffected businesses also need to react and take steps to protect themselves from becoming a victim of not only the next round of large-scale attacks but smaller attacks and phishing efforts that are on-going all the time. Accordingly, here are five things that all businesses can and should do.
- Install All Patches and Upgrades to Systems When Issued. In the case of the most recent global ransomware attack, Microsoft had released a patch weeks before the attack hit. Installing the patch would have protected systems by not permitting the ransomware to take hold.
- Back-Up All Vital Data on a Continuous Basis. This is of particular importance in ransomware attacks. Ransomware encrypts a victim’s data and will only provide a key for access upon the payment of ransom. The payment of a ransom, however, may be unnecessary when up-to-date backups are available.
- Employee Training. Employees should be trained on a regular basis on how to identify phishing e-mails and how to avoid cyber-attacks.
- Purchase and/or Examine Cyber Security Insurance Policy for Compliance. If your business currently has a cyber security insurance policy, ensure that the policy adequately covers your needs and ensure that your business meets the security requirements attested to in such policy. Not meeting the insurer’s security requirements may make your insurance worthless. If you do not have insurance, consider whether you should secure insurance.
- Perform a Risk Assessment and Develop a Response Plan. Assessing current systems will help to identify vulnerabilities that can be addressed proactively. For health care providers, HIPAA requires that covered entities perform a “risk analysis” to identify risks and security vulnerabilities and implement security measures that are sufficient to reduce such risks and vulnerabilities. Lack of up-to-date risk analysis and security failures have led to fines in the hundreds of thousand dollars. Actual breaches have resulted in multi-million dollar fines and of course, all the costs required to be incurred to correct or address the breach. Further, the assessment or analysis will assist with the development and implementation of a Security Incident Response Plan that is designed to ensure expedient and appropriate responses to cyber-attacks and to mitigate damage whenever possible.
Kevin C. Murphy is a member of the Wladis Law Firm, P.C., located in Syracuse, New York. Should you be confronted with data security or data breach issues, please feel free to contact Attorney Murphy or Attorney Timothy Lambrecht of the Wladis Law Firm to determine if we can be of assistance to you.