Data security risks are constantly evolving, and the past few years have only shown increases in the number of attacks faced by companies and organizations around the world. To examine these trends in depth, Sharon Nelson and John Simek welcome Craig Hoffman to look at the most recent stats from the BakerHostetler Data Security Incident Response Report. Craig offers insights into many of the report’s findings, including the marked escalation in ransomware incidents, rising risks for previously untargeted industries, whether the work-from-home shift brought about an increase in security incidents, and much more. He also shares tips for what your first steps should be if your business suffers a data security breach.
Craig Hoffman is a sought-after digital risk advisor who co-leads the Digital Risk Advisory and Cybersecurity team at law firm BakerHostetler.
Special thanks to our sponsors CaseFleet and PInow.
Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon Nelson: Welcome to the 122nd edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics cyber security and information technology firm in Fairfax, Virginia.
John Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today, on Digital Detectives, our topic is Startling Stats from the BakerHostetler Data Security Incident Response Report.
Sharon Nelson: We’d like to thank our brand new sponsor CaseFleet as well as our other sponsor PInow.com.
John Simek: Today, we’re lucky to have as our guest Craig Hoffman. A sought-after digital risk advisor who co-leads the Digital Risk Advisory and Cybersecurity team at law firm BakerHostetler. Entities turn to Craig to address the privacy compliance, operational, and security related enterprise risks generated by their use of technology. Data security incidents, post-incident regulatory defense and litigation, payment card network assessments, post-incident security enhancements, incident response preparedness, security and risk assessments, technology contracts and due diligence related to transactions. Welcome to our podcast today, Craig.
Craig Hoffman: Hi, John and Sharon, thank you for having me.
Sharon Nelson: Well we’re excited to talk to you today. Tell us a little bit about the BakerHostetler Data Security Incident Response Report, Craig that’s a mouthful. How long has it been around and what is its purpose?
Craig Hoffman: Sure. We internally call it the DSIR. This is our seventh year of publishing it. We shrunk to a little acronym to make it a little easier to say. The genesis really came from watching forensic firms report on their incidents and we thought in addition to what we saw from forensic firms we had maybe a wider picture of data security incidents, matters that a forensic firm wouldn’t be involved in or the additional data points about things not related to the forensic investigation. And so the idea behind the report was to capture some data across the broad spectrum of the types of incidents we helped clients address. To then allow clients to have a better picture of what happened during an incident so they could be better prepared to respond and hopefully use some of the insights to minimize or not have the incident occur to begin with.
John Simek: Well, Craig as you go through this report, what was the most startling finding to you?
Craig Hoffman: The most startling, in terms of overall impact, would be the change in the amount of ransoms paid. And the reason it changed started, I think, at the end of 2019. For the prior few years, the primary way threat actors used ransomware as a way to make money was to encrypt one device and get a small payment, and that’s why you see in 2018 our average payment was about $28,000.00 when our clients chose to pay. In 2019, that average payment jumped to almost $300,000. It really started to spike at the end of 2019, primarily due to a tactic of one group, and what that group did was, in addition to encrypting devices, before they encrypted the devices they stole data and they threatened to disclose the data if the company didn’t pay, and that created a powerful one-two combination of leverage. Fine if you have backups, if you have good business continuity and you don’t want to pay to get the decryptor; okay, we still have data and we will disclose it and embarrass you if you don’t pay us. And that caused more companies to make a decision to pay, and that emboldened and gave the threat groups a reason to hold out for higher ransoms and to demand higher ransoms to start with, and so our average ransom paid in 2020 jumped up to almost $800,000.00.
Sharon Nelson: Part of that would be explained by the fact that you’re a big firm and you probably have a lot of big clients so that’s not necessarily the national norm, right?
Craig Hoffman: I think if you look at a firm like Coveware, who does a lot of ransom negotiation, payment facilitation and additional services, you’ll see their average ransom paid is lower than ours, and you’ll see other forensic firms report lower payments as well and even lower efficacy of the payment. But if you look at the distribution of our clients across revenue, it’s pretty fairly distributed, from companies with a small amount of revenue to middle size to companies with revenue above $5 billion. So I do think it’s a pretty good reference point, and I think if you see other data sources, they might be skewed based on their client mix.
Sharon Nelson: Yeah, I had wondered about that. Thanks for the explanation. Are there new subjects this year in the report?
Craig Hoffman: We featured some of our additional service teams. Our practice group, the digital asset and data management group, has seven service teams. I’m responsible for the service team dedicated to incident response, but we added some features related to our advertising and digital media team that captured some of the regulatory investigations there. We built out a section on vendor incidents and featured more details about what that timeline looked like. We also added a cross-industry section where we focused on specific details from four industries to highlight how the ransom payment differed by industry.
The forensic investigation and time to provide notice differed by industry, and also the time, after you’ve had a ransomware event and devices were encrypted, that it took the company to reach an acceptable restoration state. And you can see one of the big changes that ransomware brought about: if you look back at the second, third or fourth year of our report, the manufacturing industry did not show up as an industry with — it didn’t even appear.
This year the manufacturing industry accounted for 11% of our matters, and most of those were ransomware-related matters, and then you can see in the industry breakdown the difference in the average ransom paid across hospitality at $642,000 versus manufacturing, which had our highest industry average payment of $1.4 million.
John Simek: Well Craig, Sharon and I lecture a lot about ransomware and actually we just got done doing a webinar right before recording this podcast.
Sharon Nelson: We actually were able to give them a preview of what we’re going to be doing with you today, Craig. So, I’m sure they’re all waiting for the podcast.
John Simek: But I love your description of one-two punch. I mean, Sharon I call it ransomware 2.0. You know, the next generation.
Craig Hoffman: Right.
John Simek: But what’s your report’s take on the trends of ransomware, and where do you see this going in the future?
Craig Hoffman: I think we’re still in — the trends are showing the number of incidents increasing, and if you look at other events that have come onto the scene, hit a lot of companies and stayed around for a while, if you look at the Office 365 email account takeover, that lasted several years. Even just something like W-2 phishing, incidents that took a few years before enough companies reached the point of we know what that is, we know how to stop it. So I think if you look at the — to borrow from a pandemic-era term, herd immunity — I think there are a fair amount of companies who still are likely to face a ransomware event.
If you look at the common factors of the companies who faced a ransomware event, they either did not have a next-gen AV/EDR-type tool, an endpoint detection and response tool, deployed across a majority of their devices; they had open RDP ports; or they had a vulnerable appliance like a vulnerable firewall that wasn’t patched. There are enough companies, I think, that still have that circumstance, and the ransomware groups are making so much money. There’s no reason for them to stop, and I think they will continue to look for — some groups will just pick, I know a SonicWall vulnerability and I’m going to scan the internet, look for anyone who’s running that, and if I find them, drop in my ransomware.
Sharon Nelson: I love your use of the phrase herd immunity, that’s great. Because I call ransomware the other pandemic when we lecture, because we really did have an epidemic of two kinds.
Craig Hoffman: Yes.
Sharon Nelson: And I don’t see it diminishing either. It’s too profitable and we haven’t caught up with things, which brings me to my next question. It has been widely suggested that our government is way behind in addressing ransomware and cyber security in general. What are your thoughts about that, and how can we do better, Craig?
Craig Hoffman: I think it’s a hard problem to tackle. We track, by ransomware group, the lead law enforcement agency responsible for investigating that group. I think for a lot of these groups they know a lot about them. They’ve taken steps to attempt to disrupt them.
But the challenge is that those groups are operating in countries where we don’t have a lot of options for how we can disrupt that entity. And I think you see, in scenarios like the recent pipeline incident, the group behind that seemingly announced that they were no longer operating. There are some suggestions that things happened to disrupt their ability to operate, whether that was a smokescreen by them to cover their tracks or whether there were law enforcement and government efforts that caused them to shut down because their operations were disrupted.
I think it’s just a big challenge. I am very hopeful that different task forces and cooperation between the companies involved, incident responders and the government can find ways to really shut this down. But until that happens, there are companies who still have these crises occur. They need help, and if they don’t have good business continuity, their backups are either encrypted or deleted by the threat actor. They’re going to be in a position where they have to seriously consider making a payment.
Sharon Nelson: Well, I kind of agree with you on how difficult this all is, but it seems to me that when these folks say, “Okay, we’ve resigned. We’re going out of business,” they’re really engaging in a game of whack-a-mole, because they emerge somewhere else in some different gang. They’re not really dead in the water. They just are – I think they’re just trying to escape the wrath of the authorities, and so what they do is go down underground and come up somewhere else.
Craig Hoffman: Yeah, I think whack-a-mole is a great analogy for this.
Sharon Nelson: Good, I worked on that one.
John Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Sharon Nelson: What could be more important than knowing the facts of your case inside and out. CaseFleet’s powerful software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full text search and built-in document review, CaseFleet makes fact management easy. Sign up for a 14-day free trial at casefleet.com/DigitalDetectives and get 10% off your first subscription.
John Simek: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.pinow.com.
Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Startling Stats from the BakerHostetler Data Security Incident Response Report. Our guest is Craig Hoffman, a sought-after Digital Risk Advisor who co-leads the digital risk advisory and cyber security team at law firm BakerHostetler.
John Simek: So Craig, does the report touch upon how we’re doing at securing employees now that we’re in this work-from-home world?
Craig Hoffman: It does, and I think going into writing this year’s report we were looking to see, okay, did moving to a work-from-home environment create a lot more incidents? Would that be the underlying reason these issues occurred? We didn’t really see that in our data. But we did see other impacts from working from home that came out, some very practical, maybe not anticipated or expected, but when you look back at both the pandemic and then the pandemic of ransomware, you can see why work-from-home created a lot of challenges to response.
So yes, at the outset of spring 2020, there were definitely some unfortunate decisions made to support work-from-home that allowed security incidents to occur. Then you had the — all right, we have a lot of employees who are either not working for us anymore or not actively working for us. They have devices at home, we don’t have a mobile device management solution. We can’t ask them to bring their devices back in.
How do we address having a lot of devices with our data on them in the hands of people who no longer work for us? So we had kind of the next phase of addressing the challenges of work-from-home. When you got into the late summer of 2020, the amount of ransomware events really started to pick up.
You saw the overall impact of the volume of ransomware events really stress the incident response industry: forensic firms, law firms, negotiation and payment facilitation firms, insurance carriers. The amount of new events and the large demands being made really stressed the people who were in the industry of working with companies to help them when they had to address an incident like that, and it stressed the incident response teams at companies as well.
So they were often facing reduced work schedules, a reduced number of team members available to help them, and then you have the very practical “I need to get into the data center to make an image, except I can’t get into the data center.” So there were a lot of really practical challenges to incident response that occurred over the summer, fall and winter of last year.
Sharon Nelson: It was a very tough time, and I know the thing we were saying right after the pandemic hit was drop everything and secure your work-from-home environment. I mean, that’s what we told all of our law firms, because they were so focused on making money that they had lost sight of the importance of security at home. So that still remains a problem, because we have a lot of entities now that are beginning, just beginning, to open up.
We have some law firms that have mandated people back in our area, but it seems like — and some are working just from home for a while, but it looks like most people are going to emerge with a hybrid environment, at least from what I can tell right now. So, assuming that my posit is true, what are the cyber security implications for a hybrid environment?
Craig Hoffman: I think it’s driving more people to evaluate zero trust principles. We are no longer going to assume that our job is to build a great firewall around a tightly controlled network, that our most important job is to limit who gets in, and rely on things like usernames and passwords or even a second factor of authentication as a way to trust access. And so you’re seeing more organizations evaluate tools that support implementation of zero trust principles. You’re seeing more organizations use identity access management and privileged access management tools.
You’re seeing more deployment of EDR tools, and you’re seeing more evaluations of segmentation, and I think segmentation is one of the harder things I hear companies attempt to implement effectively and do continuously. But I think you’re seeing more of those efforts to say, between moving to the cloud, work-from-home and the increased use of and reliance on vendors to manage what organizations are doing, coming up with ways to leverage zero trust principles to improve their security is what we will just continue to see more of.
Sharon Nelson: I think you’re right, because defending the perimeter is awfully tough when there’s no real perimeter anymore.
John Simek: There’s no perimeter.
Sharon Nelson: There is no – it’s a – we’re always singing the same choir song on zero trust. So I’m glad to hear that you guys are doing the same thing.
Craig Hoffman: Well, our first challenge is defining zero trust for our audience so they know what the heck it even means.
Sharon Nelson: Well, it’s not a product, it’s an architecture, right?
John Simek: Craig, I know the report includes a checklist of some of the things you should do on the first day after a ransomware incident. Can you tell us what some of the major things would be on that checklist?
Craig Hoffman: Yes, so if you look at why ransomware events are so disruptive, why they create such stress, and why so many of our clients are saying, “My board members just came back. They asked what we’re doing about ransomware events,” it’s because people hear the horror stories about what companies deal with when they occur. And if you look at just the key things you have to account for on the first day of a ransomware event, it’s really startling to see how much you have to do, and it shows why you need a very thoughtful enterprise-wide approach.
This isn’t something that the security team or the legal team can manage on their own, and it’s why you have to identify the third parties you’re going to use and build relationships with them ahead of time. If you just start with day one, what are the key things you have to account for? Impact assessment: what’s down, what is the impact in terms of loss of revenue and income from that item being down, and what is the likelihood of you restoring it soon? What are the third parties you need to bring in? Do you need a forensic firm? Do you need a payment negotiation and facilitation firm? Do you need a helping-hands firm to help you deploy an EDR tool or to change firewall rules or just set up a segmented VLAN? If you want to consider making a ransom payment, you have to identify — and start your diligence process on — the threat actor. Is this a threat actor you have a likelihood of being able to make a payment to? You have to build your ransom negotiation strategy. Do you want to pay today? Can you stretch out negotiations to get more of a discount, because timing really is the only key leverage point a victimized company has?
Then you’re thinking about, are there workarounds? Are there things I can do to restore from backups, or things I can do to survive while I restore? Then you’re thinking about the second part, because the ransomware event isn’t just a business disruption, it’s unauthorized access to your network. How do I get visibility? How do I determine where the threat actor is? How do I build a plan to contain that access, stop it, and make sure I’ve effectively kicked out the threat actor?
Then you have to account for some of the legal concerns. What data do I need to preserve? Sure, my IT team would love to wipe, re-image and rebuild all these devices quickly, but if you do that, you lose the ability to identify findings that may be important for determining obligations later. Then you have to start to assess, based on where the threat actor went, did they reach areas that have data that might trigger notice obligations? Then you have to consider things like legal holds and the overall communication plan for people who will notice the impact of whatever is not operational. That’s a lot to do over the course of a typical 30 to 45-day incident response life cycle. That is a whole lot to do in the first few days of a ransomware event.
John Simek: You know, I could definitely see the headless chicken mode, given everything you described.
Sharon Nelson: Well, that’s what you see more often than not. I mean, that’s the problem, but that checklist, I’m sure, seems ominous to our listeners. So they may be forgiven if they quote Jimmy Buffett and say, “It’s five o’clock somewhere, I need a drink.” That would be a very logical reaction.
How many incidents did your firm handle in 2020, and how many required filing data breach notifications?
Craig Hoffman: We collected data on and reported on 1,250 incidents. We handled more than that; we just didn’t capture data for all of them. Out of those 1,250 incidents, our clients provided a notification 543 times.
John Simek: So then finally, Craig, what haven’t we asked you that we should have, and what would those answers be?
Craig Hoffman: I think one thing that stands out, people always — it’s like the home run in baseball. Everybody wants to know the home run stats. In incident response, everyone wants to know, are we going to get sued? And so if you take the number of incidents, then the number of notices, and look at, out of those, how many times our clients were sued, it changes kind of the viewpoint and helps address the headless chicken and the initial paralysis that sometimes happens, where people think we’re all headed down a really tough path.
So if you distill the numbers: out of 1,250 incidents, we provided notice 543 times, and our clients were only sued in 20 of those 543 matters. So not every incident ends in catastrophic litigation or regulatory investigations. Not every incident results in the financial impact where you see others report hundreds of dollars per record as the impact of the incident. Many of the matters we work with clients on go through an investigation and result in either closing the incident or providing notice, and after notice is provided the incident gets closed, and there are no additional items that develop after notice is provided.
Sharon Nelson: That’s actually a very calming thought. I hadn’t previously seen it phrased exactly that way, and I think everybody sometimes wants to reach for the headlines, and they’re not talking about this. This is a very important fact for people to know: you don’t always get sued, it’s not always the end of the line for your business or law firm or company, whatever, so that’s very helpful.
And thank you so much for being our guest today, Craig. I’m a big fan of the annual report; I look for it every year. Please encourage your colleagues to keep up the good work, and you are a delight to have as our guest today. Thanks for being with us.
Craig Hoffman: Sharon and John, thank you so much. I enjoyed it.
John Simek: That does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. If you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon Nelson: You can find out more about Sensei’s Digital Forensics Technology and Cyber Security Services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Podcast transcription by Tech-Synergy.com