As has been the trend for some time now, organizations across all industries and sectors are increasingly at risk of being targeted by bad actors online. Now, the adage espoused by IT security professionals is to prepare for when, not if, a cyberattack will occur. To that end, organizations of all types and sizes would be well-served to consider a multi-layered approach to cybersecurity and incident preparedness early and often.
Understand the risks and potential harms of a cybersecurity attack
Given that ransomware and other types of cyberattacks typically involve the unauthorized encryption of IT assets, disruption of network services, and other disruptive effects, it’s no surprise such attacks present an immediate challenge to operational capacity, and potentially to business reputations. Additionally, where encryption alone was once the name of the game for ransomware attacks, cyber criminals have expanded their focus over recent years to also include the theft or exfiltration of sensitive data from victims’ networks. So, victims must be able to quickly identify and assess potential impacts to sensitive personal information, as well as any rapid-reporting and other legal notification obligations arising from the attack.
To manage risks effectively and put your organization in the best possible position should a ransomware or other cyberattack take place, there are several proactive steps any entity can take to prepare for the worst.
Develop and practice an incident response plan
Much like reading a recipe for the first time after the ingredients are already in the mixer, organizations that wait until an attack is underway to plan their response can find themselves frustrated by a lack of clarity, increased uncertainty, and an overall ineffective response process, all while losing precious time.
To avoid this, consider implementing an Incident Response Plan (IRP) and disaster recovery plan now so your stakeholders will have the knowledge and confidence to respond quickly and appropriately as soon as an attack is discovered. Although the contents and complexity of an IRP vary based on each organization’s needs, the overall purpose and benefit of preparing any IRP before an event happens, as described by the National Institute of Standards and Technology (NIST), is to allow decisionmakers to respond decisively, begin containing an event as quickly as possible, and avoid getting bogged down in the middle of a crisis.
Just as many organizations plan for business disruptions from severe storms and power outages, ransomware and other cyberattacks are now so prevalent that organizations must have systems in place for creating and storing backup copies of critical IT systems in segmented environments that cannot be accessed by malicious actors. This plan should also identify workaround plans that would allow operations to continue in some manner until IT systems are restored.
And as with any mission-critical policy and procedure, the IRP and disaster recovery plan should be practiced and refined frequently to ensure they continue to meet the changing needs of the organization and that decisionmakers understand how to implement them when needed. The performance of a simulated attack through a tabletop exercise is a popular method for testing response plans.
Reassess data retention policies and update data inventories
Simply put, one of the best ways to avoid unnecessary risks to sensitive information is to avoid storing it unnecessarily in the first place. After all, threat actors can’t take what an organization doesn’t have. Thus, it is crucially important to consider the types of information stored on your network and retain only such sensitive personal information as is required by law or legitimate business need. Further, to the extent an organization does have a need to maintain sensitive personal or other information, understanding how and where that information is stored ahead of an attack can significantly decrease the time and expense of responding to a potential data exfiltration situation by limiting the potential need for and/or scope of e-discovery to identify impacted information.
Engage outside legal counsel and prioritize attorney-client privilege from the outset
As part of an organization’s incident response planning, outside legal counsel should be identified who will assist with overall incident response in the event of an attack, including directing a privileged investigation and advising on any attendant compliance obligations and/or legal risk that may arise. Contacting legal counsel promptly after a cyberattack is essential for limiting an organization’s potential legal exposure from an incident, and preselecting and engaging counsel beforehand means no time will be wasted on screening and engagement once an event has been discovered. Outside counsel can also be an essential resource in developing and fine-tuning an organization’s IRP and training stakeholders to implement it correctly.
Moreover, in order to properly contain an event, clean up the affected portions of the environment, and restore the network, as well as determine the root cause of the event and scope of malicious activity in order to assess legal risk, most organizations will need to engage outside third-party experts for assistance. However, because the risk of class action and other litigation arising from cybersecurity incidents involving data breaches continues to grow, organizations should take every precaution to protect these engagements and all aspects of the investigation under the attorney-client privilege by involving legal counsel prior to engaging any outside vendors, especially forensic investigation firms.
To preserve the privilege, organizations should be mindful of the following best practices when retaining an outside forensics firm:
- Legal counsel should engage the forensics firm directly on behalf of the organization.
- All services performed should be at the direction of legal counsel, and the scope of work should be clearly defined as having been undertaken in anticipation of potential litigation.
- Any reporting on the forensics investigation should be separated from containment and remediation work.
- Conclusions from the forensics team should only be delivered and shared with a limited audience of upper-level stakeholders within the organization.
- Written reports should be obtained only if necessary and should be handled as attorney work product.
Develop a communications plan
While much of the work of containing and remediating a cyberattack will necessarily be internal, organizations also must be prepared to respond to inquiries, both internal and external, regarding the incident. In the case of a ransomware attack, rank-and-file employees who discover ransom notes left on their devices by the threat actor may learn of the event before upper-level management and can raise alarms with other employees, with family and friends, and via social media. Customers and outside vendors may voice concern if the attack has altered the organization’s usual communication channels, online presence, or anticipated service or delivery times. And threat actors themselves are increasing efforts to publicize cyberattacks on the Dark Web where bloggers and cybersecurity journalists may pick up the information and disseminate it more broadly. To minimize the risk of reputational harm, as well as to avoid potentially damaging admissions or misstatements regarding the event, organizations should consult with their outside legal counsel and develop an appropriate communications strategy to be implemented in the event of an attack.
Consider data privacy and security laws and regulations that may apply to the organization
Because the United States does not currently have a single, comprehensive set of laws and regulations that are generally applicable to data security incidents, or a centralized regulatory body charged with enforcing potential legal notification obligations, an organization may need to be aware of, and take prompt steps to comply with, a variety of overlapping requirements depending on its location, the nature of its operations, and the scope of its business activities. To the extent an organization must comply with rapid-reporting obligations to multiple authorities, understanding these requirements ahead of an attack can help with compliance and limit the risk of potential fines and penalties.
Many organizations try hard to prevent cyberattacks, and yet threat actors continue to find new ways to penetrate even the most well-designed IT networks. To be truly prepared, an organization must assume it will more likely than not fall prey to a cyber event at some point and begin thinking and planning proactively to best position itself to respond robustly, to speed up recovery from an event, and to mitigate potential harm. No one can predict when their organization may be targeted with a cyberattack, but any organization can implement the above steps now to ensure it is as prepared as possible to deal with the fallout.
See https://csrc.nist.gov/glossary/term/incident_response_plan
This post has been adapted from a forthcoming article in the Winter 2023 issue of the Mississippi Defense Lawyers Association’s The Quarterly.