Outside General Counsel™ Solutions Legal Alert: 3 Tips On How To Protect Your Company From Ransomware Attacks
At the beginning of July, software service provider Kaseya reported some shocking news that made headlines throughout the globe: It was attacked by hackers who embedded malware into the company’s network, allowing them to carry out ransomware attacks on Kaseya’s clients, paralyzing hundreds of businesses on five continents. It’s estimated that up to 1,500 organizations throughout the world were impacted, ranging from a supermarket chain in Sweden to dentists’ and accountants’ offices in the United States. The hackers initially demanded $70 million to restore all the affected businesses’ data.
The most troubling part? “At first, many of the mid-market companies who were affected didn’t even realize their systems had been compromised,” says Alexander Anglim, a partner at Santomassimo Davis LLP Outside General Counsel™ Solutions, a New Jersey-based firm with offices in New Jersey, Philadelphia, and New York. That’s because Kaseya provides software tools to IT outsourcing shops—companies that handle back-office work for businesses too small to have their own technology departments. “Imagine these businesses’ shock when, after reading about one of the largest data breaches in the news this year, they discover their company might have been one of the victims,” Anglim says.
Ransomware—a type of malware that prevents users from accessing their systems until a ransom is paid—is a growing threat: 37% of mid-sized organizations across the globe were affected by ransomware attacks in the last year, according to a recent report by Sophos, a cybersecurity firm.
So, how to avoid being the next victim? “The single best tactic smaller- and mid-size companies can use to safeguard themselves is to know their IT vendors and their capabilities,” advises Anglim. Follow this three-step process to ensure your technology providers are sufficiently prepared to protect your company against a ransomware attack:
1. Perform A Vendor Audit
Anglim and his colleagues at Outside General Counsel™ Solutions, which provides customers with outside general counsel at a fixed monthly fee, often work very closely with clients to assess whether or not their IT vendors have the capabilities to protect against ransomware. “Sit down and interview them to see what their competencies are,” he recommends. “Are they focused on just providing you with the tools you need to do day-to-day business, or do they have the technical capabilities of a true cybersecurity firm?
“You can find ways to probe their expertise without being a technology expert yourself,” he says. Try open-ended questions, like:
- What resources can you provide in the event of an attack or other breach?
- What options do you have for dealing with my specific security concern?
- Which cybersecurity capabilities do you have in-house, and which do you outsource?
“You may learn that what you thought your vendor was providing and what they’re actually providing aren’t the same thing,” Anglim says.
2. Interview Other Vendors
Contact more specialized cybersecurity providers and see how your IT vendor stacks up. Anglim recommends interviewing some of the leading cybersecurity providers in your area. “Ask them what they do that most general IT vendors don’t or can’t do,” he says. Then, go back to your existing provider and ask them if they can perform the same services. “Let’s face it: no vendor is going to start off by telling you the holes in their expertise,” he says.
3. Leverage Your Legal Partner
When contracting with a new technology partner, be sure to engage your legal counsel to evaluate the partnership agreement and contractual terms. “Your legal advisor can be the point-person for managing your IT partnerships,” says Chris Santomassimo, founding partner at Outside General Counsel™ Solutions. The firm also works with its clients to evaluate their cyber insurance policies and coordinate with IT providers to understand who does what in the event of a ransomware attack.
“Clients consider us the quarterback in managing their cybersecurity challenges,” he said. Often, Santomassimo and his colleagues will sit down with a client and conduct tabletop exercises to see how they’ll respond in the event of a cybersecurity threat. “It’s like playing baseball,” he says. “You don’t go on the field without practicing.” Similarly, he said, companies shouldn’t approach cybersecurity without a well-thought-out, practiced plan in place. “If a worst-case scenario happens, at least you’ll be prepared.”