“No Company is Safe” — White House Urges Private Sector to Act Now in Hardening Defenses Against Growing Ransomware Threats
Stites & Harbison Client Alert, June 10, 2021
Following the most recent slew of high-profile ransomware attacks, the White House deputy national security adviser for cyber and emerging technology, Anne Neuberger, issued an open letter to the private sector urging action to increase cyber defenses to match the nation’s increasing ransomware threat. The letter to corporate executives and business leaders outlines a number of practices businesses can implement to drive down risk, warning that “[a]ll organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”
Neuberger’s June 2nd letter is one of a number of recent actions underscoring the Biden Administration’s view that cybersecurity risks in both the private and public sector present threats to U.S. national and economic security. On May 12, 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity and announcing that the “prevention, detection, assessment, and remediation of cyber incidents” is a top priority. In an effort to lead by example, the Executive Order states that “[a]ll Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth and issued pursuant to this order.”
Neuberger’s letter urges the private sector to implement “five best practices” currently being implemented across the Federal Government to reduce the risk of a cyber-attack:
- Use of multifactor authentication;
- Endpoint detection and response;
- Encryption;
- A skilled security team; and
- Sharing and incorporating threat information into your defenses.
In addition to implementing the practices above, Neuberger’s letter urges businesses to take the following actions:
- Backup your data, system images, and configurations, regularly test them, and keep the backups offline;
- Update and patch systems promptly;
- Test your incident response plan;
- Use a third-party pen tester to check your security team’s work; and
- Segment your networks.
Now is the time to assess (or reassess) your risk of a ransomware attack, develop an action plan to mitigate that risk, and plan for an incident in case you become a victim. If you experience a ransomware attack you should not go it alone. There are many benefits to seeking professional help, including gaining information on the type of ransomware infection at issue and obtaining assistance in identifying your attacker to better direct your response. Paying a ransom without due consideration of the specific circumstances of your attack can leave you vulnerable to future attacks and may lead to additional legal woes. In October 2020, the Office of Foreign Asset Controls (OFAC) issued guidance that any company paying a ransom to a criminal threat actor that is a sanctioned entity or that operates in a sanctioned jurisdiction, and any entities that facilitate such payment (including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response) may face penalties for violations of OFAC regulations. The OFAC warning increases the risk of making a ransom payment and necessitates due diligence into where your payment may be going.
Working with professionals, including legal counsel, experienced cyber professionals, and ransomware negotiators, can not only improve your response and ability to recover from an attack, but can also help you navigate the increasingly complex process of paying a ransom if no viable alternatives exist and assess whether you have legal data breach reporting obligations stemming from the attack. Stites & Harbison attorneys are ready to assist you with your questions about ransomware and steps you can take to improve your organization’s defenses.