Lessons from the Colonial Pipeline Ransomware
Thankfully, it appears that the Colonial Pipeline ransomware attack is behind us and the panic over gas lines and hoarding can subside. But after an episode like this, it is helpful to take stock and search for what we can learn.
To start, everyone has now heard of ransomware, but to give fuller background: this kind of malicious software is delivered into an information system, such as a computer or a database, and then renders all of the information inaccessible. Backups can sometimes help restore functionality, unless the ransomware's operator or program waited long enough before activating the malicious software that it is also in the backups. Once the information is rendered inaccessible, the person or group behind the malicious software demands payment in exchange for returning the information. Recently, there has even been reporting that the person or group behind a ransomware attack will begin calling the clients and consumers whose information was exposed as a pressure tactic to get the business to pay up.
Events like the shutdown of Colonial Pipeline, which generate a torrent of media attention, can create a false impression that only large or geopolitically sensitive businesses are at risk of these kinds of attacks. This is simply not true. In his 2020 Data Breach Report, North Carolina Attorney General Josh Stein found that there were over 1600 security breaches reported to the North Carolina Department of Justice. Compromising email constituted 40% of all security breaches reported, and ransomware constituted 22% of all security breaches reported. So there is a wide array of businesses in North Carolina that are susceptible to these issues, and small businesses are getting caught up in the mess.
For example, last year, the News and Observer reported that the Food Bank of Central & Eastern North Carolina was the victim of a widespread data breach, and just this past April, WCNC reported that a Charlotte parking app had a serious data breach exposing users' personal information.
However, while no business can ever eliminate all possibility of a data breach, there are steps that any business can take to prepare itself, and relative to the cost of a breach, these steps have a significant return on investment. For example, making sure a business avoids compliance failures can sidestep significant cost increases in the event of a breach. Identifying an incident response team, creating an incident response plan, and testing both can give certainty and ensure that a business responds to an incident as rapidly as possible. And aligning a business's internal practices with an established cybersecurity framework can decrease the risk that the business experiences and give strong arguments against any regulatory investigations that suggest the business was negligent.
That being said, cybersecurity and compliance expertise are critical to making sure that these plans do what they are meant to do.