As a result of the COVID-19 pandemic, many more organisations have moved their business operations online. From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.
Ransom attacks are on the rise, with the ICO reporting an increase from 13 ransomware incidents per month to 42 at its 2021 conference. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.
According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.
In 2020 and so far this year in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune from such attacks and ransomware attacks are featured across all industries, including utilities, technology, logistics, transportation, finance and retail.
What should companies do if they experience a ransomware attack?
Upon discovering a ransomware attack, the immediate steps a company should take are to:
- Follow an internal incident response management plan with a decision-making chain
- Engage relevant stakeholders, including specialist advisors, such as cyber experts and external counsel to exert legal privilege over internal documents concerning the ransomware attack
- Establish facts, keep a log of steps undertaken and keep the evidence: Determine which servers have been compromised
- Mitigate or eliminate any adverse effects of the ransomware attack
- Contain affected servers as quickly as possible to ensure that other servers or devices are not also infected. The infected device should be disconnected from all network connections as soon as possible.
- Immediately reset credentials including passwords, especially for administrator and other system accounts
- Safely wipe the affected devices and reinstall the operating system
- Guide employees if their work will be affected on the steps to take to manage the attack
- Assess whether the relevant supervisory authority should be notified where there has been a personal data breach such as access to personal data by an unauthorised third party. In the UK, the Information Commissioner’s Office (ICO) should be notified within 72 hours of becoming aware of the breach, where feasible. Where the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals should also be notified without undue delay.
- A notification under the Network and Information Systems (NIS) Regulations 2018 may be required if the company is an ‘Operator of Essential Services’ (OES) or a ‘Relevant Digital Service Provider’ (RDSP).
- Organisations that meet the definition of OES, provide services in the energy, transport, health, water and digital infrastructure sectors and must register with their competent authority in the relevant sector.
- To be a RDSP, the company must provide a digital service (such as an online search engine, an online marketplace or a cloud computing service), have 50 or more staff and a turnover of more than €10m per year, or a balance sheet total of more than €10m per year. The ICO should be notified of any NIS incident as above within 72 hours. A NIS incident includes any event having an actual adverse effect on the security of network and information systems. Companies can make a voluntary notification to the National Cyber Security Centre (NCSC), particularly if their support will be needed to manage the incident. Depending on the nature of the incident, it may also be necessary to notify other organisations such as the National Crime Agency and Action Fraud.
- A notification to the data controller detailing what has happened should be made, if the affected organisation is a processor.
- Any other further notifications may need to be made to insurers and other third parties, including according to contractual obligations.
Ramifications for the business
The effects a ransomware attack can have on the business can be vast.
While systems are down and efforts are made to try to restore the order, there will be significant business downtime with projects and productivity put on hold, causing financial losses. There will also be a knock on effect post-attack, while the systems are rebooted.
Further financial effects may be felt if the supervisory authority decides to place sanctions on the business for how they have handled the ransomware attack.
Finally, there may be damage to the business’s reputation as there may be negative publicity and customers, suppliers, partners, and various other parties may lose confidence in the business’s ability to protect and manage their data. A business may seek to use public relations professionals to actively engage and communicate with stakeholders to manage its public presence.
What can companies do to prevent or mitigate future ransomware attacks?
- Implement strong technical measures: For example, organisations should regularly require strong authentication methodologies, run regular vulnerability scans and penetration tests to scan systems for known vulnerabilities and address any vulnerabilities identified and apply other measures suggested by the NCSC (see its Cyber Assessment Framework).
- Provide regular training to staff: Companies should make sure staff are properly trained in relation to cybersecurity and data protection so that they know what their roles and responsibilities are if there is an attack. Staff should be able to identify phishing or nefarious emails, avoid clicking on unidentified links and verify emails from senders, especially if they have strange instructions or a sense of urgency. This can help avoid common mistakes which can make employees easy targets for cyber attacks. Employees should keep their work and personal mail accounts and devices separate and incorporate strong passwords which should not be reused.
- VPN: Use a secure Virtual Private Network or VPN to protect data in transit. Utilise multi-factor authentication so that it is even harder for hackers to infiltrate the system.
- Have an incident response management plan and a disaster recovery plan: There should be an incident response management plan and disaster recovery plan already in place so that the business can act immediately if a ransomware event or other cyber attack occurs. This should be tested and updated regularly, for example, by simulating a cyber attack and seeing how long it would take to restore and re-configure the required number of devices and how the business would continue to operate critical business services. Identify where the sensitive data resides and when testing the security system assume that there is data loss and confirm how the incident would be detected, how counsel would be contacted and how the data would be returned to normal operations.
- Back-up your data! – Maintain regular and up-to-date backups of important files. These backups should be kept separate from the main system to avoid an attacker from gaining access to such backups and there should be an offline and an offsite backup or a cloud service which is designed for this purpose. These data backups should be tested at regular intervals to ensure they will perform as expected when needed.
- Security updates: Update systems and install security updates as soon as they become available which can help with fixing bugs in your products. Enable automatic updates for operating systems, apps and firmware if possible.
- Filtering: Mail filtering (in combination with spam filtering) can block malicious emails and remove harmful attachments, which can stop ransomware before the emails reach users’ inboxes. In web browsers, there can be a list of safe browsing websites and you can block access to sites which are known to host malicious content can be prevented.
- Communication strategy: Develop effective internal and external communication strategies so that the right information can reach the relevant stakeholders in a timely fashion.
The ICO has confirmed that it will be issuing guidance in the upcoming months on ransomware and incident response, in particular advising on how to prepare for such incidents, the data protection requirements and incident response plans, notification requirements and compliance with the UK GDPR. The ICO have already expressed that they will challenge companies’ compliance with the GDPR, whether there are offline repositories of data and investigate why data has not been segregated and/or why backups have not been tested.
As a starting point, organisations should consider the likelihood of risk to their data by considering factors such as criminal and malicious access, attacker threats and permanent loss of personal data. If such risks were to occur, organisations should consider how severe these consequences should be. This should assist with identifying what security measures are needed to be put in place.
If you have any further questions, do not hesitate to reach out to the Reed Smith team!