Defending Your Business Against Ransomware: Strategies to Minimize Risk

The threat of ransomware attacks isn’t going away anytime soon

By Nancy Henderson | Reviewed by Canaan Suitt, J.D. | Last updated on October 20, 2023 Featuring practical insights from contributing attorneys Brenda Sharton and Jason C. Kravitz


Few surprises cause more panic in the workplace than when a ransom note pops up on a computer, blocking access to critical files and threatening to publish sensitive data on the dark web unless the business owner pays up.

To make matters worse, says Brenda Sharton, global chair of privacy and cybersecurity at Dechert in Boston, attacks are on the upswing, ransom amounts have soared, and—as was the case in 2021 when hackers brought Colonial Pipeline operations to a halt and created fuel shortages—they can stop customers in their tracks, too.

So how can you avoid a ransomware catastrophe?

Sharton suggests a shift of focus from ransomware prevention to risk mitigation. “The short answer is that they can’t be prevented,” she says. “The question is: How do you reduce your risk?”

How Cyber Attacks Typically Begin

Attacks typically begin when threat actors gain access to a company’s network through phishing emails containing links that employees unwittingly click on.

After installing malware, the attackers search the network for sensitive files, take copies of them to use as leverage, and encrypt at least some of the company’s servers. Holding the data hostage, they demand payment in exchange for the decryption key and for a promise not to publish what they stole.


Essential Ransomware Protection: From Incident Response Plans to Multifactor Authentication

That’s why, no matter the size of your company, an incident response plan is crucial, says Jason Kravitz, head of the cybersecurity and privacy practice at Nixon Peabody in Boston. “Companies that don’t have them are going to be completely paralyzed from a business perspective. The basic communications we’ve all been spoiled by, whether it’s email or text or company messaging programs, are going to be offline if your company is hit with a ransomware attack.”

Create and print a hard copy of your response plan with a list of alternate email addresses and phone numbers for staff members and a good cybersecurity attorney. Never assume that you can simply download your cloud backup if threat actors block your original files: a backup that is reachable with the same credentials or from the same network as the production systems is likely to be encrypted or deleted along with them, so keep at least one copy offline or otherwise isolated and test that you can actually restore from it.

Review your vendors’ cybersecurity protocols, since their vulnerabilities can affect you too. Use strong, unique passwords, change them promptly whenever they may have been exposed, and train employees on how to spot and report phishing emails. If possible, install EDR (endpoint detection and response) software. While EDR costs more than standard antivirus, it watches for attacker behavior on each machine rather than relying only on signatures of known malware, so it can catch an intrusion before the encryption stage. “The No. 1 thing a company can do to reduce risk is to have multifactor authentication on all company accounts,” adds Sharton.

Finally, recognize that small businesses are targeted, too. “I’ve seen many of them get hit,” Kravitz says. “Sometimes the ransom may only be $5,000 or $10,000 as opposed to the multimillions that might be asked of a Fortune 500 company, but the attacks can be just as debilitating.” Security awareness and implementing security best practices are essential for companies of any size.


Acquiring Insurance Against Cyber Threats

Acquiring cyber insurance, despite its mounting cost, should be at the top of your to-do list, says Kravitz.

“I have never had a company that got hit by a ransomware attack that wasn’t kicking themselves afterward for not spending the money,” he adds.

What To Do if Your System is Compromised by Malicious Software

If your system is compromised, contact your insurance company and cybersecurity attorney immediately. You’ll need the benefit of attorney-client privilege since there are legal consequences if medical, financial, or other client information is disclosed.

Your lawyer can quarterback other facets, too, from dealing with regulators to coordinating an outside forensic investigation team. “There’s a ton of chaos in the aftermath of a cybersecurity attack,” Kravitz says. “I tend to bring a little bit of calm to the situation.”

You’ll also need to notify the FBI through the Internet Crime Complaint Center (IC3), its online reporting portal. And your cyber-insurance company may require a local police report as well.

Responding to Cyber Criminals’ Extortion

While there is some debate surrounding the best response to extortion, most companies pay the ransom, Sharton says. “The two biggest questions that we get are, ‘Is it legal to pay?’ And ‘Will they honor it?’”

In general, she says, the answers are “yes” and “probably.”

“I’ve been dealing with ransom attacks for over a decade, and I’ve not had a threat actor who’s reneged or not honored the deal,” Sharton says. “Their business model depends on honoring it because if it got out that they didn’t honor it, no one would ever pay again.”

Find an Experienced Cybersecurity Lawyer

Increasingly, business owners can’t afford to be naïve about ransomware, the attorneys agree. “Assume you’re going to get hit at some point,” Kravitz says. “Some people like to think it’s the equivalent of lightning striking, that it’s only going to happen to one in a million companies. It’s not.”

To prepare your business against the threat of a ransomware attack or for legal help in responding to a cybersecurity incident, use the Super Lawyers directory to find an experienced cybersecurity lawyer in your area. For more information about preparing your company for current and emerging legal technology needs, see our overview of technology transactions and related content.
