White House to Business: “Take Ransomware Crime Seriously”

As we come out of the COVID-19 pandemic, it appears that another type of infection is threatening business: ransomware continues to spread.

  • Colonial Pipeline
  • JBS (world’s largest meatpacking company)
  • Massachusetts Steamship Authority
  • Scripps Health
  • City of Tulsa

A roll call of entities suffering major ransomware attacks in just the last few weeks. After the Colonial Pipeline attack, President Biden issued an Executive Order establishing some baselines for cybersecurity with respect to government contracts and improving detection of cybersecurity incidents on federal government networks, among other things. The White House has now issued a rare “wake-up call” to private business in the form of an open letter “to corporate executives and business leaders.”

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger wrote that while the Biden administration has placed an emphasis on resilience, the “private sector has a distinct and key responsibility.”

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy.” Neuberger continued that private companies that “view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”

The letter encourages businesses to do what regular readers of this blog, or attendees at our webinar events, have heard for many years: understand your business risk, convene leadership teams to discuss the ransomware threat, and review corporate security posture and business continuity plans.

Neuberger’s letter highlights best practices to help defend against ransomware attacks:

  • Implement the best practices from the President’s Cybersecurity Executive Order
    • Prevent Intrusion (Section 3 – multi-factor authentication)
    • Minimize impact of intrusion pre-detection (Section 3 – data encryption, zero-trust environment)
    • Detect and respond to intrusion (Section 6 – incident response playbook, Section 7 – endpoint detection and response, centralized threat-hunting, Section 8 – logging)
    • Learning (and disseminating) lessons from intrusion
  • Back up your data, system images, and configurations, and keep the backups offline
  • Regularly test your data resiliency
  • Update and patch systems promptly
  • Test your incident response plan (do you have one?)
  • Check your security team’s work using a third party pen tester
  • Segment your networks

In April, the Federal Trade Commission published a Business Blog post entitled “Corporate boards: don’t underestimate your role in data security oversight.” This piece, combined with today’s open letter from the White House, should be mandatory reading for board members. The need for proactive and preventative measures increases by the day. We can assist with a wide range of activities, including:

  • Cyber Risk Assessment/Management
  • Employee Training
  • Incident Response Planning
  • Disaster Recovery/Resiliency Planning
  • Cyber Liability Insurance Placement

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

ARTICLE BY Cynthia J. Larose of Mintz

Published by

National Law Forum
