Here is a frame of reference: in addition to his other accolades, Albert Einstein is famously quoted as saying “A clever person solves a problem. A wise person avoids it.” Before anyone wants to get cute with the syntax, the word “avoid” does NOT denote procrastination or intentional blindness towards a likely problem. The word “avoid” implies forethought and prevention.
For cyber incident response teams (“IRT”), a total “burn down” is the easiest job – for the incident response team. Why? Because the team gets to advise on brand new hardware, software, help design a new non-flat network, insist on fiber instead of cable, dispose of end-of-life items, and the client/victim is usually more receptive to making a stronger investment. Conversely, for the victim, a total “burn down” is usually the worst event. Depending on the malware, they lose everything except for miscellaneous paper records and, if they are lucky, air-gapped or segregated back-ups. Furthermore, they lose time, profitability (operational days), and people usually get fired (eventually).
And if you think this whole “cyber thing” will blow over or go away, you are wrong. Yes, that is a categorical statement from a lawyer, a profession famous for non-committal answers like “well, it depends.” As recently explained to a group of skeptics (and it seemed to resonate), unless and until people are willing to trade smart phones for hard-copy photo albums and pocket calculators, cybersecurity issues will continue.
In the last month, the FBI released a warning to K-12 schools about increased ransomware attacks that originate through remote desktop tools and phishing emails (are emails or remote access tools leaving society anytime soon?). Approximately 10 days ago, Taiwanese computer and electronics manufacturer Acer, a multi-billion dollar company, received a record-setting REvil ransomware demand of $50,000,000. On Sunday, CNA insurance, one of the largest insurers in the United States, confirmed that it suffered “a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email.” And while lawyers are usually late to most parties, the Association of Corporate Counsel’s January 2021 Survey revealed that attorneys are becoming increasingly concerned (finally) about cybersecurity:
Data privacy and cybersecurity were selected as two of the three most important issue areas to the business and at the same time over half (53.6 percent) of CLOs believe that data privacy protection rules will pose one of the biggest legal challenges to their organization. In addition, nearly 80 percent say they are at least somewhat concerned about changing data privacy laws in the jurisdictions where they do business and 18 percent are very concerned. Perhaps this is why nearly 15 percent of CLOs say they plan on adding privacy professionals to their staff in 2021. We certainly expect data privacy will continue to have a significant impact on business, as do CLOs, with 90 percent believing it will only accelerate.
For future cyber event victims (again, this is everyone - me included), it is much easier to minimize the possibility of catastrophic cyber events and mitigate the damages with preventative action. If you are thinking, “WTF, get specific,” here are the recommended courses of action:
1. Hire an independent cybersecurity service provider to do an assessment of your network. This provider will advise you of each security flaw. They will often agree to a non-disclosure agreement.
2. Get an opinion from a cybersecurity attorney as to whether you meet minimum legal obligations concerning data privacy and data security for your state and your industry (some, but not all, industries are regulated).
3. After completing steps 1 and 2, determine your maximum available budget to invest in the cyber hygiene of your business over the next three (3) years, minimum.
4. Ask the cybersecurity attorney and trusted cybersecurity service provider to work within the budget to strategically implement prioritized defenses aimed at rendering your business both legally compliant and as secure as possible.
These four basic steps will make you wise. In the words of Panic! At the Disco, it is best to approach these things with a “sense of poise and rationality.” Poise and rationality will leave you as soon as the ransomware message flashes across your screen.