Imagine that you have twelve (12) hours to pay or your files will be permanently destroyed.  You are the victim of a Ransomware attack. What will you do? Clocks-a-ticking.

Ransomware, like WannaCry and CryptoLocker, have proven to be a common, lucrative, low-risk, criminal-enterprise.  Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid.  Ransomware and similar cyber-attacks have exploited, and continue to exploit, companies, and individuals around the world.

So what can be done to prepare for the not-so-rare chance of walking into work on Monday only to stare at a computer screen that is demanding money and unable to access any files?  The best response is no response because you have prepared for the attack in advance.  For example, if IT has a byte-by-byte backup of the infected system, IT only needs to wipe the infected computer and it’s back to business as usual.

However, mitigation does not end with just enhancing your technical security measures. According to Verizon’s 2017 Data Breach Investigations Report, a majority of attackers gain access through employee error by social engineering and/or phishing tactics.  The prevalence of these attack methods actually provides low-tech, less costly opportunities to mitigate data breach risk.  In other words, you don’t have to spend millions in enhancing your IT infrastructure to have a meaningful impact on your cybersecurity posture. In fact, you can close a significant gap in your security through end-user awareness, training, and a comprehensive approach to employee policies and procedures.

Yet, given the sophistication of attacks, companies must be prepared to implement a contingency plan for an unfortunate, albeit probable, data breach event. Be sure to familiarize yourself with data breach notification laws. Michigan law, for example, requires specific content to be included in the security breach notice.

Mitigating risk also includes obtaining collectible cyber-risk insurance. In doing so, it is extremely important that internal policies and procedures track coverage requirements contained in such policies.  Worse yet, failing to maintain internal policies and procedures can potentially act as a barrier to coverage.  For example, some policies excluded coverage arising out of:

Please contact any member of Miller Johnson’s Privacy and Cybersecurity team if you have any questions or would like assistance evaluating whether your policies, procedures, and incident response plans are compliant, and if your cyber-risk insurance is best tailored to your cybersecurity network.

Authored by Jason Crow, CIPP/US and Tiffany Kim, a Summer Associate working with Miller Johnson’s Privacy & Cybersecurity team.  Before law school, Tiffany was the Homeland Security Planner for the Kent County Sheriff’s Office, and Co-Chair for Homeland Security Region 6, West Michigan Cyber Security Consortium.