By its very nature, the ARM industry is founded on data and information management. Whether assets or accounts are considered on a macro or micro basis, businesses ranging from debt collection and debt buying, to collection law firms, and repossession partners supporting the industry, are controlling or processing troves of sensitive personal information. While (within regulatory bounds) the ARM industry is poised to leverage the benefits of digital innovation, the scourge of ransomware, the challenges of navigating a working from home or hybrid work environment, and the always evolving cybersecurity risk landscape make a bit of attention and planning now a highly worthwhile endeavor. To that end, consider the following risks and trends we observed across 1,250+ incidents handled in 2020, which are more fully addressed in BakerHostetler’s 2021 Data Security Incident Report (DSIR) – link available at the bottom of the article.
The Scourge of Ransomware
Ransomware matters surged in 2019, with the primary tactic being to simultaneously encrypt as many devices as possible within a network. Then, the Maze group changed tactics – it started to steal data before encrypting files, which afforded the threat actor two pressure points (data encryption and data theft/threat of publication) to leverage a ransom payment even when the organization successfully restored their systems through available backups. This new tactic paid off handsomely, and other threat groups quickly began adopting similar tactics in 2020. Ransom demands, unfortunately, increased exponentially. See Figure 1 below.
Across hundreds of ransomware engagements last year, we observed more threat actor groups engaged in ransomware activity than ever before, many splintering from other groups – as a result, extortion tactics became widespread and demands significantly increased, sometimes to the eight-figure range. Additionally, threat actors are becoming more skilled and finding and encrypting backups. All of these factors contribute to not only the increased ransom demands, but also lengthen an organization’s overall recovery timeline.
Most organizations are aware of the risk of ransomware and the need to prepare for an event. But organizations that have not experienced a ransomware event are uncertain about what actually occurs, which hinders preparation. Building a ransomware playbook and conducting a tabletop exercise facilitated by a person experienced in responding to ransomware events are good preparation measures beyond security recommendations discussed a bit further in the DSIR.
To help with both, you can use the ransomware matter data from the DSIR and the list of considerations an organization facing a ransomware attack may have to address all at once on the first day of a ransomware matter. Contents of your playbook, which you should test in a tabletop, should include strategies to assess and respond to business continuity impact and potential theft of data with a threat to release the data publicly if the ransom is not paid. You can then identify the key response actions, the internal team responsible for managing the response and the third parties you would bring in to help. There are some actions you can take ahead of time, such as identifying how you would assess revenue impact.
Cybersecurity Challenges of a Work from Home/Hybrid Environment
Information Technology teams at organizations across the country scrambled in the Spring of 2020 to enable remote work under challenging circumstances. In the haze of that initial move to a remote environment, shortcuts were taken and unfortunate events occurred. For instance, IT teams plugged in unpatched appliances, resources were diverted from threat monitoring, and organizations across the country found unexpected security gaps. Additionally, the pandemic’s impact on an organization’s finances, personnel, and shifting priorities further redirected attention away from its security roadmap. As a result, unexpected vulnerabilities existed, and security events were not discovered as quickly. When a security event was discovered, some of the most significant difficulties our clients encountered included core components of any successful incident response, such as appropriate communications with employees and stakeholders, facilitating administrative and electronic containment measures, and deploying appropriate resources to efficiently and effectively investigate the scope and extent of unauthorized activity.
While the logistics of an incident response can be challenging to manage under the best of circumstances, doing so within the context of a remote or hybrid work environment magnify the logical hurdles an organization faces. To facilitate an efficient and effective response, an organization should consider developing an incident response plan (IRP) that identifies your legal counsel, insurance, forensics, and IT support partners. Keep a copy of the IRP on your network and another copy off network to ensure it is always accessible. Ensure that your organization maintains a communications strategy that allows you to reach employees off of corporate email so they can remain apprised of appropriate developments and assist in the investigation and response as needed. Additionally, consider your environment and the merits of remote management tools and EDR solutions to help ensure visibility and the ability to identify and terminate unauthorized activity and collect forensic evidence for investigation.
No Easy Answers
Unfortunately, addressing cybersecurity risk is an always evolving effort – to stay one step ahead of sophisticated threat actors is nearly impossible. However, an organization that invests time and resources to develop plans and take deliberate actions to implement them will find itself ahead of the curve and well positioned to facilitate an efficient incident response. This process starts with an effective risk assessment – understanding who is likely to target the organization; what gaps exist in controls that may detect, prevent, or limit an attack; and which of these threat/gap combinations is most likely to lead to a significant incident if not addressed? From that baseline, an organization should assess and test its incident response plans and take an honest look at its cybersecurity roadmap to understand and implement appropriate measures and controls to help mitigate prioritized risks.
Every year, the BakerHostetler Digital Assets & Data Management Practice publishes a Data Security Incident Response Report (DSIR) that compiles statistics from the cybersecurity incidents we handled the prior year in order to draw meaningful conclusions and insights about security incidents, regulatory enforcement actions, litigation, transactions, digital innovation, compliance projects, data governance, and advisory matters to help organizations develop solutions and address issues that data and technology create.
David Sherman is a member of the firm's Digital Assets and Data Management group. He works closely with clients to proactively assess and mitigate cyber risk, facilitate incident response preparedness, and develop privacy and information security policies that comply with state, federal and international privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA) and E.U. General Data Protection Regulation (GDPR). He also works with clients to enhance enterprise security posture and manage responses to any digital crisis that may be present.
David also has substantial experience drafting and negotiating service provider agreements on behalf of customers and vendors and analyzing clients' existing agreements to evaluate and optimize contractual allocation of risks, rights and obligations in the event of a security incident.