Most of us have received at least a few (more likely dozens of) suspicious emails or text messages urging us to log onto a website or respond to help someone in need. Some are obviously scams, containing misspellings or a suspicious email address, but others are not so easy to detect.
With hackers and cybercriminals becoming more sophisticated by the day, organizations must be prepared for some kind of cyberattack, write Tim Worke and Mike Schechter of Associated General Contractors (AGC) of Minnesota.
In their article “Held for Ransom: How One Organization Responded to a Cyberattack” in the May issue of Benefits Magazine, Worke and Schechter provide an account of a ransomware attack experienced by their organization and offer lessons learned from the experience. Worke is the chief executive officer of AGC Minnesota, and Schechter is general counsel and director of labor relations.
1. Preparation
Organizations should have a cybersecurity plan. The plan should include steps to protect data, the purchase of cyberinsurance and procedures to follow after an attack occurs.
2. Responding to an Attack
Organizations have a number of options in responding to an attack. They can contact law enforcement or hire a computer expert to figure out how to decrypt the data. In the case of a ransomware attack, they can elect to pay the ransom, but it can be expensive and they still may be subjected to more demands or another attack. In its case, AGC decided not to pay the ransom demand and instead rebuilt its system.
3. Rebuilding
AGC beefed up security in rebuilding its system. New security measures include dual authentication for all system logins and an “air-gap backup” in addition to its cloud-based backup. The air-gap backup uses a hard drive to periodically back up all documents on the server. The hard drive is then disconnected so that hackers can’t access it remotely. The fund also bought cyberliability insurance, which it did not have previously.
4. Notifications
Organizations should check federal and state law to learn what notifications they are required to provide following a data breach. Although no sensitive information was compromised in the AGC breach, Worke and Schechter said they had an ethical duty to inform friends and colleagues whose names and email addresses might be used in phishing attempts.
5. Damage Recovery
AGC’s damages were covered by its commercial general liability insurance policy. It may be possible to pursue compensation for damages from an IT provider. Pursuing damages from an employee is generally not an option unless the employee purposefully compromised the system or there is a specific state law that allows the organization to recover damages from an employee.
6. Training
Organizations should train employees on their cyberplans and policies. They should alert them of new scams and even test them by sending fake emails and documenting their responses.
Nearly every organization should expect an attack to occur, even those that don’t have what they consider to be valuable data, Worke and Schechter caution. Ultimately, “. . . your level of preparation and response will help transform the attack from a fatal to a recoverable wound.”
Learn More: International Foundation members can read the full article “Held for Ransom: How One Organization Responded to a Cyberattack” in the May issue of Benefits Magazine.
[Related Reading: Four Common Cyber-Risks Facing Your Benefit Plans]
Kathy Bergstrom, CEBS
Senior Editor, Publications, at the International Foundation