Ransomware discussions mostly revolve around protection against attacks, but how should we view an attack in the context of regulatory compliance?
As the technology-focused law firm Orrick explained in a recent blog, “ransomware attacks may create a data breach notification event.” This means that if you suffer an attack, you may be obligated under state and federal law to notify customers, partners and other parties about it. What the notification must contain, whom it must go to and how quickly it is due depend on the federal regulation that governs your data and on the breach notification laws of the states whose residents are affected (state laws generally attach to the residence of the affected individuals, not to where the breach occurred).
The U.S. Department of Health and Human Services is among the federal agencies that have issued a position on ransomware. Its guidance reminds covered entities and business associates that they must comply with the HIPAA (Health Insurance Portability and Accountability Act) Security Rule, and that a ransomware incident that encrypts electronic protected health information is presumed to be a breach, with the notification obligations that follow, unless the organization can demonstrate a low probability that the data was compromised.
Meanwhile, the Federal Trade Commission says it supports law enforcement actions against attackers, but also warns that it may bring enforcement actions against companies whose inadequate security contributed to a breach. According to Dark Reading, the FTC “has made at least 60 enforcement actions around companies not protecting consumer data.”
The FTC’s warning is clear: Fail to properly protect your data against ransomware and there will be consequences. “Ransomware attackers can access extremely sensitive personal information such as medical data, financial account numbers, and the contents of private communications, some of which may be sold on the dark web,” FTC Chairwoman Edith Ramirez said at a recent conference.
Ransomware has been responsible for an estimated 4,000 attacks per day since the beginning of the year. It has become Cyber Threat No. 1, and companies need to treat it as such.
From a compliance standpoint, Orrick says, “organizations should proactively conduct vulnerability assessments to identify potential security weaknesses and gaps that ransomware attackers could exploit, and develop a structured mechanism to stay abreast of the most recent ransomware variants and the means by which attackers are injecting malware into the enterprise’s network.”
Organizations need a combination of technology, policies and user training to protect against ransomware. On the technology front, preventing ransomware incidents requires a multilayered approach that includes endpoint protection, email security, user authentication, patch management, behavioral analysis and threat intelligence, as well as a reliable data backup solution. Backups only count if at least one copy is kept offline or otherwise unreachable from the network, so the ransomware cannot encrypt it too, and if restores are tested regularly rather than assumed to work.
Your policies should cover all incident-response procedures. For instance, if a user’s machine is hit with ransomware, employees need to know what to do in response: isolate the machine from the network (pull the cable or disable Wi-Fi) and report the attack to the security team immediately. Isolating rather than powering off is preferable where possible, because it stops the spread while preserving memory and disk state that forensic analysis may need. The security team – or the incident response team, if you have one – needs a response plan that covers containment, remediation, evidence preservation and notification as mandated by applicable laws, bearing in mind that notification deadlines typically run from the time the breach is discovered.
Don’t underestimate the need for user training. Besides educating users on how to respond to an incident, you must also address prevention. Users need to be taught how to spot suspicious emails, typically phishing messages carrying malicious attachments or links that download ransomware, and how to report them to the security team.
Ransomware attacks are costly, not just because you may face demands from cyber-extortionists to regain access to your data (with no guarantee that paying restores it), but also because remediation and recovery may carry a hefty price tag. Add to that the costs of non-compliance, and your organization could be in serious trouble.
If you haven’t conducted a ransomware vulnerability assessment yet, make it a priority. If you lack the internal resources to do it, consider working with an MSSP (managed security services provider) that will analyze your security posture, make recommendations on how to improve it, and even manage your security solution following implementation.