Preparing for a cybersecurity incident is a must in today’s threat landscape. Yet, many organizations don’t consider themselves at risk for hackers or ransomware: “We’re a movie theater/apartment complex/shopping mall; why would anyone want to hack us?”
The answer is because these businesses count as critical infrastructure, according to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). The agency considers sixteen sectors to be at risk for a cyberattack, including the defense industrial base responsible for U.S. military weapons systems, the energy sector, nuclear reactors, transportation systems and healthcare facilities. But CISA also classifies sites that draw large crowds of people for shopping, business, entertainment, or lodging as “commercial facilities” — which are targets for malicious actors. Specifically, the following sectors are at risk:
- Entertainment and Media: motion picture studios, broadcast media
- Real Estate: office and apartment buildings, condominiums, mixed-use facilities, self-storage businesses
- Lodging: hotels, motels, conference centers
- Outdoor Events: theme and amusement parks, fairs, campgrounds, parades
- Retail: retail centers and districts, shopping malls
- Sports Leagues: professional sports leagues and federations
- Public Assembly: arenas, stadiums, aquariums, zoos, museums, convention centers
- Gaming: casinos
Businesses that normally don’t consider themselves to be vulnerable to hacking by nation-states or cybercriminals need to be aware that they have particular vulnerabilities and responsibilities to shore up their defenses.
President Biden signed the Strengthening American Cybersecurity Act into law in March 2022, where all “covered entities” within the critical infrastructure sectors will eventually be required by law to notify CISA within 72 hours of suffering a “covered cyber incident,” or within 24 hours of making a ransomware payment.
While CISA has yet to define which “covered entities” will be required to make these notifications and what a “covered cyber incident” will be, it’s a good idea to start making an incident response plan now to avoid getting caught flat-footed in the event of a data breach or ransomware attack. This is especially prudent given that there are myriad other data privacy laws in effect that require breach notifications and other remedial measures depending on what kind of business suffered the cyberattack and whose personally identifiable information (PII) is affected.
Before a Cyberattack
Business leaders will want to understand the data and systems that are crucial to their operations and take steps to secure them before being hacked. Key players in these sectors need to think through what kind of data/information makes their businesses run and understand the processes by which that data is transferred within and outside the organization.
After identifying what data the company can’t function without, determine how that data is maintained. Is the data saved on one person’s desktop computer? If that computer is compromised, the hack will leave the company with zero copies of any critical information required for the business to function without disruptions.
If that’s the case, ensure that the company has up-to-date backups of crucial data stored in another location — ideally not connected to the internet, so it is not vulnerable to a cyberattack. If copies of crucial documents are stored on a network or in “the cloud,” the company could still be vulnerable to malware that encrypts all data so that it can’t be accessed without a decryption key that a malicious actor holds ransom.
Regardless of how the company maintains its data, this point can’t be stressed enough: having up-to-date backups of crucial data stored separately from the rest of a network is the key to business continuity in the event of a major cyberattack.
A business should also have a process in place to determine when an attack is happening in the first place. Most often, an information technology (IT) professional will first notice unusual activity on the network, which can indicate a security breach. There should be an established understanding with the IT provider, whether in-house or a third-party vendor, about who should be contacted in the event of an intrusion.
A system should be in place, phone-tree style, whereby it is clear who needs to be notified and what their responsibilities are upon learning of a breach.
Ideally, companies should have an established relationship with a cybersecurity and data privacy attorney, whose guidance will most likely be needed to navigate the incident response process. Some organizations with cyber insurance can select from an insurance company-approved panel of attorneys. However, cyber insurance is by no means a necessity, and there are plenty of attorneys who specialize in this type of law who opt not to be on insurance panels. What does matter is that there is a plan for an attorney to be called to assist with incident response in the event of a cyberattack, including conducting a forensic investigation into what happened, mitigating any damage, possibly liaising with law enforcement, and assisting with notifying the proper parties of a data breach when necessary.
The adage, “An ounce of prevention is worth a pound of cure,” most definitely rings true. Consider employee training and education to maintain awareness about possible phishing attempts or other areas of vulnerability. Of course, whether a company decides to go this route will depend on its culture, but one upside is that people will get real-life practice in spotting a scam email, potentially priming them to refrain from clicking on a real phishing email and inadvertently giving a malicious actor their login information.
During an Attack
Once management gets that dreaded call from IT about suspicious activity within a network (or once a security professional sounds the alarm), time is of the essence. The company then needs to work as quickly as possible to understand what components of the network were compromised and how, and take steps to mitigate any damage or exfiltration. In other words, stop any bleeding, assess the damage, and treat any “wounds” to the network.
Also, understand what, if any, data or documents have been taken by the bad actors. Does that include sensitive trade secrets or other confidential business information? What is taken will dictate what kind of notifications need to be made.
If an entire network has been encrypted and a ransomware demand is made in exchange for the decryption key, engage a professional who can help navigate the delicate situation. According to guidance issued by the Department of the Treasury in September 2021, “[T]he U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands.” However, if that route is chosen, an experienced attorney can advise on the possible repercussions of paying a ransom to a cyberattacker, such as running afoul of Office of Foreign Assets Control (OFAC) regulations. And there are companies whose entire purpose is to negotiate with ransomware actors, which should not be done without professional guidance.
After an Attack
Once the immediate emergency is under control, it’s a good idea to do an after-action assessment to identify lessons learned and shore up measures to prevent and protect against future cyberattacks.
Malicious actors in the cyber world are ever-evolving, necessitating businesses’ and security professionals’ evolution and vigilance.