In 2020 professionals experienced numerous disruptions as they responded to COVID-19 and swiftly transitioned technology, processes and people to continue to provide their essential services.
As if that was not enough, we have recently seen a significant increase in the number of cyberattacks specifically targeting professionals ranging from medical practices to accounting and law firms.
Even the largest global corporations are not immune to cyberattacks.
Cybersecurity must therefore be a top priority for professionals seeking to protect their information from breaches. Professionals typically maintain highly sensitive information, including personal health and financial information. This information is very valuable to cyberattackers, who capitalize on gaps in privacy and cybersecurity programs and on periods of decreased vigilance. In particular, cyberattackers are most often successful during weekends and public holidays, when you may be less likely to respond quickly.
Professionals have a number of legal and professional obligations to protect the personal information of individuals they interact with, including requirements imposed by privacy and professional regulators. As such, professionals must take proactive measures to minimize their risk of a cybersecurity attack or the impact of such an attack.
How do Cyberattacks Occur?
We have recently seen a significant number of ransomware attacks on professionals. Ransomware is software designed to lock or encrypt your system or data. Ransomware typically spreads through sophisticated “phishing emails,” which trick users into interacting with infected messages or attachments, and/or through server or software vulnerabilities that require no user interaction. Once a system or its data is exposed, the ransomware encrypts the system or the information on it and requires users to pay a ransom by a specified deadline in exchange for restored access to the system and/or data.
Ransomware creates real and significant risks to professionals.
What would you do tomorrow if all of your data was encrypted and you could not access it?
If having your system or data encrypted for a ransom is not troublesome enough, there is a real risk that paying the ransom will not remove the ransomware, and/or that the attack will be repeated on an infected system or data.
Further, even if data is recovered and further attacks are thwarted, the negative impact of a cyberattack on your assets, operations, reputation and relations, and the associated financial loss, regulatory consequences and potential liability, can be devastating.
Ten Proactive Steps to Minimize Ransomware Attacks
Fortunately, there are a number of steps that professionals can take to minimize the chance of, and mitigate the risks associated with, a successful ransomware attack. In particular, professionals should take the following ten steps to prepare for a ransomware attack:
- Assess and Address the Risks: The world of cybersecurity moves very fast, and professionals should identify and assess potential cybersecurity risks and gaps in their IT systems on an ongoing basis, including by assessing what and where their most valuable information is, and then by appropriately addressing risks to that information. This often requires an external consultant who can conduct a risk assessment for you.
- Implement Safeguards: There are a number of technical and operational safeguards that professionals can implement, including keeping operating systems and software up to date, installing security patches and updates as soon as they are available, installing appropriate firewalls and malware protection, incorporating appropriate administrative access controls, and implementing appropriate policies and procedures, including monitoring, intrusion detection, white-hat (ethical) hacking and audits.
- Make a Plan: Professionals can substantially decrease the negative consequences of a ransomware attack by preparing and regularly reviewing appropriate and customized incident response and business continuity plans that assist organizations to take appropriate steps in response to such attacks in a timely manner.
- Make a Back-Up Plan: Professionals should ensure appropriate back-ups are made of critical information, including back-ups which are performed at regular intervals and which store the information at a location not accessible to a ransomware attack. It is critical that you not only have a viable off-site back-up, but that you confirm that it is usable should you be subject to an attack.
- Do Your Due Diligence and Document Obligations: Professionals should conduct appropriate due diligence on – and ensure that appropriate contractual protections are in place with – service providers that have access to the organization’s IT systems. It is legally required that professionals appropriately document protections for personal information, and such documentation is important for enforcing those protections. Professionals should not only ensure that appropriate protections are included going forward, but should also review and update all existing service provider agreements as necessary.
- Inform Your Users: A critical step in preparing for ransomware attacks is to implement training and awareness programs so that users are informed about cybersecurity risks, do not subject an organization’s IT systems and data to unnecessary risks, and appropriately respond to attacks.
- Get Insurance: There are a number of insurance options available to organizations to provide some financial protection against the various risks and liabilities associated with ransomware attacks. The financial costs of ransomware attacks can be very significant and it is vital for organizations to have the appropriate insurance in place.
- Get the Right Help at the Right Time: In addition to obtaining executive buy-in and working with internal security, IT and legal teams, there are a range of external advisers, consultants, investigators, coaches and products available to help organizations preparing for or responding to a ransomware attack. Be prepared for an attack by having the right contacts in place so you can act quickly.
- Respond Appropriately: There is a high risk that you will be a target for a ransomware attack as a professional. The above steps can help you mitigate the risks of an attack being successful. When a ransomware attack happens, it is also important for you to follow the plans that are in place and react quickly (for example, to consider and meet any mandatory breach reporting and record keeping obligations). Know what your obligations are so you can respond quickly.
- Be Ready for Litigation: There are various steps professionals can take to ensure that appropriate legal privileges are engaged, particularly during the investigation of a ransomware attack, to assist the organization in the event that the attack leads to litigation. Make sure you know who to contact in the event of an attack – a breach coach who can provide you with solicitor-client privilege is invaluable.
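The back-up step above stresses that an off-site copy is only worth having if you have confirmed it can actually be restored. The following script is an added example, not part of the original article or any product it mentions: it backs up a constructed sample directory, records a SHA-256 manifest, then proves the back-up is usable by restoring it into a fresh directory and checking every file against the manifest. The directory names and sample files are assumptions for the demonstration; in practice the destination would be an offline or otherwise ransomware-inaccessible location.

```shell
#!/bin/sh
# Added example (not from the original article): take a backup, then verify it
# by restoring into a scratch directory and checking every file's checksum.
# All paths and sample files below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/source"     # stand-in for a practice's working files
DEST="$WORK/offsite"   # stand-in for the off-site / offline backup location

# make_sample_data: create a few constructed files to back up.
make_sample_data() {
    mkdir -p "$SRC/clients"
    printf 'client A ledger 2020\n' > "$SRC/clients/a.txt"
    printf 'client B engagement notes\n' > "$SRC/clients/b.txt"
}

# take_backup: archive SRC into DEST and write a SHA-256 manifest beside it.
# The manifest lets a later restore be checked file by file, not just "tar ran".
take_backup() {
    mkdir -p "$DEST"
    ( cd "$SRC" && find . -type f | sort | xargs sha256sum ) > "$DEST/manifest.sha256"
    tar -C "$SRC" -cf "$DEST/backup.tar" .
}

# verify_backup: restore the archive into an empty directory and compare every
# file against the manifest. Prints "ok" only if extraction succeeds and all
# checksums match; anything else (truncated archive, missing or altered file)
# prints "corrupt". This is the "confirm it is usable" check.
verify_backup() {
    restore="$WORK/restore"
    rm -rf "$restore"
    mkdir -p "$restore"
    if ( cd "$restore" \
         && tar -xf "$DEST/backup.tar" \
         && sha256sum -c --quiet "$DEST/manifest.sha256" ) >/dev/null 2>&1; then
        echo ok
    else
        echo corrupt
    fi
}

# Stand-alone run: back up, then verify.
make_sample_data
take_backup
echo "backup verification: $(verify_backup)"
```

Running the script on its own prints `backup verification: ok`. The point of keeping the manifest separate from the archive is that a restore test then fails loudly when the archive has been truncated, tampered with, or itself encrypted, rather than appearing to succeed because `tar` produced some files.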
Professionals should incorporate these steps into a customized cybersecurity program, which should then be reviewed, tested and updated on an ongoing basis to appropriately reflect the changing threat landscape. Do not assume that your IT provider is doing this work for you. We have assisted a number of professionals with developing and implementing their programs and with responding to ransomware and other cyberattacks and breaches. Please contact our privacy and cybersecurity team if we can assist you with any of the foregoing steps.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.