The recent ransomware attack against the Duvel Moortgat Brewery demonstrated the very real risk that cybersecurity incidents pose to the alcohol industry, reportedly halting operations for several days at four of Duvel Moortgat’s facilities in Europe and the United States. This attack comes after other major alcohol producers experienced disruptive ransomware attacks in the last several years. Incidents like these can be devastating for a company’s business and reputation, and hackers’ strategies are constantly evolving to maximize their damage. But companies can be prepared with an information security program designed to prevent successful attacks and quickly respond if one occurs. Experienced partners such as McDermott are critical resources throughout this process, enabling companies to better update and fortify their security programs.
THE GROWING THREAT OF ATTACK
Hackers have extorted companies through ransomware attacks for decades, but hacker strategies have evolved to increase the risks to companies, often resulting in a larger ransom for the hacker. A “ransomware” attack traditionally refers to a strategy in which a hacker gains access to a victim’s computer system, encrypts the information on those systems and demands a ransom payment to unlock that information. Victims may try to avoid paying the ransom by restoring most of their systems from backups, but hackers have recently introduced additional strategies that can complicate that recovery. Today, hackers often try to steal the victim’s information before encrypting it on the victim’s system, so that they can sell or publish the information if the victim refuses to pay the ransom. Hackers also may try to “corrupt” backups so that the victim cannot effectively restore its system without the hacker’s assistance. One ransomware group, AlphV, says that it also reports its publicly traded victims to the US Securities and Exchange Commission if they don’t pay the ransom.
Determining whether to pay a ransom is a complicated decision, with either choice presenting notable risks. The ransom will likely be expensive and must be paid without any guarantee that the hacker will make good on its promises. The decryption software or key may not work, or the hacker may not delete information. One hacking group, LockBit, is believed to save victims’ information after their ransoms are paid despite promising to delete it. The hacker may be willing to negotiate a lower payment amount, but doing so takes valuable time while the victim’s systems likely remain nonfunctional. The hacker may be under sanctions, in which case paying the ransom would be illegal and could result in a fine for the victim. Paying the ransom rewards the hacker, which may increase the risk that the hacker targets the victim again. There is rarely a clear path back to safety after a successful breach, so it is important that the victim make an efficient, informed decision.
OPPORTUNITIES FOR PREPARATION AND PREVENTION
Companies can minimize these risks by maintaining a security program designed to prevent incidents from occurring and to effectively respond if they do occur. The security program should utilize administrative, technical and physical security policies and procedures to enable personnel to detect and report actual or suspected incidents, aggressively monitor the company’s systems for suspicious files and behavior and protect the company’s facilities from unauthorized intrusions. The security program must be regularly tested and updated to identify weaknesses, implement appropriate detection and response solutions, and plan for evolving hacker strategies and business demands. Incident response plans should be regularly tested to ensure that they accurately reflect the company’s resources and priorities and that the responders are prepared to execute the plan if necessary.
Companies should also leverage third-party professionals to improve the effectiveness of their preparation and response. These partners can provide specific knowledge and perspective to help the company appropriately plan for an incident without needing to experience an incident first. For example, an experienced law firm such as McDermott can advise the company on its legal obligations, help identify and address risks in a security program, and investigate and respond to an incident, all while protecting the company’s privilege. By leveraging this support early, a company can find and address its weaknesses before they are exploited, better understand other companies’ approaches to these issues, and ensure that its partners are aligned on the company’s priorities. In the event of an incident, an effective third-party partner can efficiently advise victims on their obligations, options and risks; provide additional resources for a busy team; and help prioritize response activities based on the needs of the business.
CONCLUSION
Cybersecurity incidents can quickly become expensive, complicated and devastating for victims. Hackers are continuously improving their methods for obtaining larger ransoms, and after an incident has started, the victim often has no way of ensuring that it can completely remediate the problem. Companies can limit their risks by instituting systems to protect against threats and prepare to respond to any incident that arises. Companies should also consult with external professionals regularly to evaluate and improve their protections and ensure that their security program does not become outdated.