Institutions in the U.S. were generally spared the worst of the recent ransomware attack called WannaCry. But there's no guarantee the U.S. won’t bear the brunt of the next cyber-attack that comes along.
“We have been forewarned about ransom attacks for years and that they’re on the increase," says Jennifer Rathburn, a partner with the Milwaukee law firm Foley & Lardner who specializes in cyber security issues. Rathburn says cyber-attacks on businesses are inevitable, and explains what hackers are looking for when they launch these attacks.
"I don’t mean to be a scare-monger but something is going to happen to your company one way or another, I mean this is the new age. People don’t fight people or come in and steals things on foot very much anymore; it’s all through technology. And companies need to be prepared or their secrets will be stolen," says Rathburn.
It’s a question companies need to think about in advance. “If we are going to have a ransomware attack do we know how our data is backed up? How do our systems interconnect with one another? Are we going to log? Are we going to shut down? Are we going to pull plugs? What are we going to do if we have that attack?” she posits.
Even though companies may be forewarned about specific types of attacks, Rathburn says hackers are often one step ahead. Some ransomware attacks like WannaCry will mutate into a second round. “A lot of people have theories that [hackers] were just testing this out and now they’re building more data and evidence of how it works”
With this in mind, Rathburn says it's important for companies to begin including departments besides IT in how to manage an attack. “What it’s moving more to is risk management," she explains.
Rathburn continues, “It’s figuring out what are your crown jewels that you want to protect at your company and figuring out what kind of risks are we going to accept? What are we going to mitigate, what are we going to outsource, what are we going to insure for? And that has to be pushed up to the Board of Directors. Where the Board or the C-suite really has an understanding of where that risk is.”