No sector is immune
If the cyberattack on Colonial Pipeline was a wake-up call, then someone is sleeping too soundly. Ransomware attacks have proliferated against all industries in the past eighteen months. We’ve seen ransomware affecting the financial sector, tech firms (even cyber response firms), healthcare and now the energy sector, among others.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a specific warning about such an attack to the pipeline industry over a year ago (see the CISA alert “Ransomware Impacting Pipeline Operations”). The hacker group responsible for the attack, DarkSide, claims it was shut down by the end of last week, but the repercussions will be felt for many months to come.
When malicious hackers find an industry that is susceptible to ransom demands, they pounce. Think of hyenas circling a wounded lion.
What do you do?
You keep hunting for those hyenas. Threat hunting is the name of the game today given how sophisticated hackers have gotten. A good hunting program will go well beyond the traditional indicators of compromise and look for anomalous activity in the system.
Another step to take is a full cybersecurity risk assessment. This can provide both the technical teams and senior management with a roadmap of security items to address. And, of course, you need to be prepared, with effective backups and effective incident response protocols, for ransomware locking up your systems.
These steps may not sound like legal activities, but they do have significant legal impact. Regulators have responded to reports of ransomware with additional cybersecurity requirements and oversight, and plaintiffs emerge soon after ransomware attacks. We have already seen responses from regulators to the pipeline attack.
Addressing the legal impact of a cyberattack can create its own risks. In the US, federal courts continue to add to a growing body of case law on the many nuances affecting the applicability of attorney-client privilege and work product protections to data breach investigations, so it may be prudent to re-evaluate the process of engaging cyber firms.
More importantly, while any claim of privilege can be rejected by the courts, involving attorneys who understand the practical needs of a cybersecurity incident response can nevertheless help ensure that investigations are conducted in a manner that is both effective in light of an organization’s business needs and generates the least amount of downstream litigation risk.
Read more in our DigiLinks post “US: Three lessons from the Colonial Pipeline breach”:
Ransomware risk is a topline concern for virtually any company housing sensitive digital information, or operating critical control systems. … it is not enough to be ready for ransomware attacks, but to document that readiness in a consistent manner not only to answer questions from external sources, but to be able to continuously revisit and improve your security posture.