6 Lessons Learned From a Ransomware Attack

Most of us have received at least a few (more likely dozens of) suspicious emails or text messages urging us to log onto a website or respond to help someone in need. Some are obviously scams, containing misspellings or a suspicious email address, but others are not so easy to detect.

With hackers and cybercriminals becoming more sophisticated by the day, organizations must be prepared for some kind of a cyberattack, write Tim Worke and Mike Schechter of Associated General Contractors (AGC) of Minnesota.

In their article “Held for Ransom: How One Organization Responded to a Cyberattack” in the May issue of Benefits Magazine, Worke and Schechter provide an account of a ransomware attack experienced by their organization and offer lessons learned from the experience. Worke is the chief executive officer of AGC Minnesota, and Schechter is general counsel and director of labor relations.

1. Preparation

Organizations should have a cybersecurity plan. The plan should include steps to protect data, the purchase of cyberinsurance and procedures to follow after an attack occurs.

2. Responding to an Attack

Organizations have a number of options in responding to an attack. They can contact law enforcement or hire a computer expert to figure out how to decrypt the data. In the case of a ransomware attack, they can elect to pay the ransom, but it can be expensive and they still may be subjected to more demands or another attack. In its case, AGC decided not to pay the ransom demand and instead rebuilt its system.

3. Rebuilding

AGC beefed up security in rebuilding its system. New security measures include two-factor authentication for all system logins and an “air-gap backup” in addition to its cloud-based backup. The air-gap backup uses a hard drive to periodically back up all documents on the server. The hard drive is then disconnected so that hackers can’t access it remotely. The organization also bought cyberliability insurance, which it did not have previously.
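The air-gap backup described above, as an added example that is not part of the article or of AGC’s own setup: a small POSIX shell script that copies a document tree to a mounted removable drive, writes a SHA-256 manifest beside the snapshot, and verifies the copy before the drive is unplugged. The paths, function names and the snapshot layout are assumptions; `sha256sum` is the GNU coreutils tool, so the script expects a Linux host.

```shell
#!/bin/sh
# Added example, not from the article: "air-gap style" backup to a removable
# drive with a checksum manifest and a verification step. SRC and DEST paths
# and the function names are assumptions for illustration.
set -eu

# Copy the document tree at $1 into a dated snapshot under the mounted
# removable drive at $2, then write a SHA-256 manifest of every file copied.
# Prints the snapshot path so the caller can verify it.
airgap_backup() {
  src="$1"; dest="$2"
  snap="$dest/snapshot-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$snap"
  cp -R "$src/." "$snap/"
  # The manifest file is created (empty) by the redirect before find runs,
  # so it is excluded by name from its own listing.
  ( cd "$snap" && find . -type f ! -name MANIFEST.sha256 -print0 \
      | sort -z | xargs -0 sha256sum ) > "$snap/MANIFEST.sha256"
  printf '%s\n' "$snap"
}

# Re-hash every file in a snapshot and compare against its manifest.
# Returns 0 when every file matches, non-zero on any mismatch or missing file.
# Run this BEFORE disconnecting the drive, and again on each restore test.
airgap_verify() {
  snap="$1"
  ( cd "$snap" && sha256sum -c MANIFEST.sha256 ) >/dev/null 2>&1
}

# Stand-alone use: ./airgap.sh /srv/documents /mnt/airgap
if [ "$#" -eq 2 ]; then
  snap=$(airgap_backup "$1" "$2")
  if airgap_verify "$snap"; then
    echo "verified: $snap (safe to disconnect the drive)"
  else
    echo "VERIFY FAILED: $snap" >&2
    exit 1
  fi
fi
```

Because the manifest travels with the snapshot on the same drive, it catches copy errors and silent corruption but not an adversary who can rewrite both files and manifest; recording the manifest’s own hash somewhere off the drive (a printed line in the backup log is enough) closes that gap for later restore tests.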

4. Notifications

Organizations should check federal and state law to learn what notifications they are required to provide following a data breach. Although no sensitive information was compromised in the AGC breach, Worke and Schechter said they had an ethical duty to inform friends and colleagues whose names and email addresses might be used in phishing attempts.

5. Damage Recovery

AGC’s damages were covered by its commercial general liability insurance policy. It may be possible to pursue compensation for damages from an IT provider. Pursuing damages from an employee is generally not an option unless the employee purposefully compromised the system or there is a specific state law that allows the organization to recover damages from an employee.

6. Training

Organizations should train employees on their cyberplans and policies. They should alert them to new scams and even test them by sending fake emails and documenting their responses.

Nearly every organization should expect an attack to occur, even those that don’t have what they consider to be valuable data, Worke and Schechter caution. Ultimately, “. . . your level of preparation and response will help transform the attack from a fatal to a recoverable wound.”

Learn More: International Foundation members can read the full article “Held for Ransom: How One Organization Responded to a Cyberattack” in the May issue of Benefits Magazine.

[Related Reading: Four Common Cyber-Risks Facing Your Benefit Plans]

Kathy Bergstrom, CEBS
Senior Editor, Publications, at the International Foundation
