In part two of our Cybersecurity installment of our Workplace Strategies Watercooler 2025 podcast series, Ben Perry (shareholder, Nashville) and Justin Tarka (partner, London) discuss the steps to take after resolving and containing a ransomware incident. Justin and Ben, who is co-chair of the firm’s Cybersecurity and Privacy Practice Group, highlight several key areas, including preparing the response team, implementing training for relevant employees and regular reviews of cybersecurity measures; developing a comprehensive incident response plan and assembling a dedicated response team; identifying opportunities for long-term infrastructure improvements; and assessing other areas of external risk management, such as data mapping and retention processes, vendor due diligence, and notification obligations.

Transcript

Announcer: Welcome to the Ogletree Deakins podcast, where we provide listeners with brief discussions about important workplace legal issues. Our podcasts are for informational purposes only and should not be construed as legal advice. You can subscribe through your favorite podcast service. Please consider rating this podcast so we can get your feedback and improve our programs. Please enjoy the podcast.

Ben Perry: Welcome back, everybody. Thank you for joining us again for part two of our discussion about the incident response simulation that we covered at Workplace Strategies. Again, Ben Perry, a shareholder in our Nashville office and Co-Chair of the Cybersecurity and Privacy Group, and I’m joined by Justin Tarka in our London office, who is also a member of our Cybersecurity and Privacy Group. Justin, thanks for being back with us again today.

Justin Tarka: No problem. Glad to join. To kind of bring this to our final topic, the final area we dealt with was essentially the post-mortem. So, what should happen after the incident’s been resolved and kind of contained and notification obligations have been complied with and so on. And we prepared a highlight slide or document during the presentation where we flagged things that should have perhaps been picked up in terms of the attack and the content of the relevant email involved in our scenario. And this all points down to one of the key takeaways from our talk, and one of the key takeaways from this podcast is the importance of training. And that is as basic as teaching all staff, particularly senior managers or those that are particularly vulnerable to attack, how to issue spot, how to see or identify any red flags.
So, in this scenario, if you recall, we had an email that was sent late in the day on a Friday. In our example as well, we had an outdated non-company slogan at the bottom of the email. We had an external email tag on the email from someone who was allegedly internal. The way the information was conveyed was in an unusual manner, and it’s not that we’re saying people should become forensic experts or become experts as a result of any training, but you are kind of training them to be suspicious, and where they are suspicious or are not sure about the content or nature of a particular document, for them to ask for help, not to interact with the document or try and resolve the issue themselves or look into it themselves, because that’s typically what an attacker wants, but just teaching them, okay, where you’re not sure or you’re suspicious, how to seek help and who to seek help from.

Ben Perry: Yeah, I mean employees are the first line of defense, and as we’ll kind of talk about in a moment, they can’t be the only one, but it is super important that employees are looking at everything, especially externally, where they may be prompted to enter credentials or download some sort of file, and that they are thinking critically about anything that may be suspicious with those sorts of emails. Because the reality of it is these threat actors are getting increasingly sophisticated, and with the advent of generative AI tools, it’s getting much easier to create these sorts of very believable phishing emails at scale and to send them to a ton of people. And also, there’s just so much data out there that they have in terms of prior breaches that have happened where they may have intel into the specific person that you’re working with at a customer.
So, they may have a prior email chain that you’ve had with this person. So, they can look at this email and say, “Okay, well I know what this person’s email domain is. I know what these two have been talking about or what sorts of projects they’ve been working on.” And they can try to insert themselves in that process. And if you’re not paying close enough attention, I mean they’re going to say things that you would think only this person would know, right? And so, we’ve seen that a lot with trying to redirect vendor payments, especially with real estate closings, trying to divert funds, all those sorts of things. So, even simple things like that where if a vendor is changing their payment instructions, that’s one of those things that regardless of whether that email looks suspicious on its face, it’s one of those things where you should contact that person not by replying to the email, but by contacting your person via a known contact method and confirming those changed payment instructions.

Justin Tarka: And separate to that, part of the kind of post-mortem assessment is looking at what parts of your incident response process went smoothly. These can be very pressurized situations, and it’s rarely the case that it goes as initially planned. So, it’s looking at what can be done better next time there’s an attack, how can the company minimize the likelihood of another attack? Naturally, what steps can be taken to remedy whatever the cause of the data breach in this case was? And that again, links to the training point we’ve emphasized and what type of long-term changes or infrastructure changes can be made.
The first step, or what a lot of companies realize, particularly after they’ve been under attack, is the importance of understanding what data you have. So, we technically refer to it as data mapping, and it’s essentially an audit exercise. And it’s something that every organization, if they haven’t done so already, should be doing, which is just being clear on what data you have, where is it stored, who has access to it, what purpose is it for, because that’s often key. Pulling relevant information or sourcing relevant information is usually a very time-consuming part of responding to this type of attack. If you’ve done that initially, it helps or goes a long way to being able to deal with an attack when it comes up in the future.

Ben Perry: Well, yeah, in terms of data mapping, I mean obviously that’s an extremely important piece of any sort of privacy and data security governance plan. Not every company may have the resources to retain a vendor to do the sort of scan you’re talking about where it kind of goes through the system and identifies all of the locations within each device where sensitive data may be stored, right? But even for companies that can’t afford that type of vendor, there are things that you can do by trying to focus in on, “Okay, well, which employees maybe have access to more sensitive information like HR? Can we do some sort of manual scan of HR’s devices and see are there a bunch of W2s that are being saved in a specific portion on this person’s desktop or payroll reports or something that may have more sensitive information and focusing on those individuals that are maybe considered higher risk?”
And then, if there is lots of sensitive information being stored locally on those users’ devices, you may need to think about some process changes in terms of a better way for users to either manipulate that information when they’re using it locally or have it in a more secure form where maybe it’s in some sort of encrypted storage location or something like that. But every company is different, and the resources that they have and how their HR and different departments operate are all going to be different. But it’s important to be thinking about that early and often so that when you do have an incident, you’re not dealing with 15 terabytes of data. Because I can tell you from experience that when you’re trying to do data mining after the fact on that much data and figure out who you need to notify based on what’s in there, that is really expensive because these vendors charge on a per gigabyte basis generally.

Justin Tarka: And linked to that is the point about what data are you retaining, what procedures, what processes do you have in terms of retention of data? Are you keeping information longer than you actually need it? Because having at least some form of process for systematically reducing the amount of data you have is often helpful and can reduce the headache later on, especially if there’s an attack. And another brief point on the cyber hygiene topic, so to speak, is security measures. So, things like multifactor authentication should be standard these days, but it’s not in itself a silver bullet, as Ben has alluded to earlier. These attacks are increasingly more sophisticated, particularly with the advance of technology. A lot of listeners may be aware of man-in-the-middle attacks, for example, where essentially attackers are intercepting communications, and you seemingly think you’re communicating with someone within the organization and that’s not the case. And then as a result, you have a data breach.

Ben Perry: Yeah, I mean we’ve been seeing that a lot, especially targeting HR individuals, right? Because they’ve had quite a few data breaches where they target the employees and basically get them to enter their credentials and then, all of a sudden, even if you have MFA, they’re in because it’s redirecting the traffic to the legitimate website. But we’ve also seen them targeting HR because HR often has access to sometimes all of the employees’ information that’s contained in your HRIS system, like social security numbers, payroll information, like their bank account numbers. And we’ve seen not only does that create a data breach risk and potential notification requirements, but they’ve also been doing that in an attempt to redirect payroll by changing people’s direct deposit information. And then not only are you paying a third party, but your employees are not getting paid and you’re having to deal with the aspect of employees not getting paid on time. So, it’s kind of that dual threat that we’ve been seeing a lot.

Justin Tarka: Yeah, exactly. And so, we’ve touched a lot on things that can be done internally. Turning quickly to considering what perhaps can be done in terms of external risk management, are there any key takeaways that you think we should highlight for this?

Ben Perry: Yeah, I mean, hopefully every company has some sort of third-party risk management framework that they use. That’s going to become increasingly important as a lot of vendors are pushing AI-based products that companies may or may not fully understand the implications of, especially in terms of whether that information is being processed by the AI-based system locally or whether that’s transmitted to a server outside of the company’s networks. That’s why it’s critical to have some sort of map of all of your vendors, the types of information they’re processing. You can kind of use that tracking mechanism to also look at are there any sort of unique notification obligations for this customer? What are their security controls that they have in place? All those sorts of things.
And as part of that, just doing that due diligence on the front end, and we always say this, but due diligence is more than just sending the vendor a spreadsheet. They fill it out and send it back to you, and you tuck it away and you’re like, “Okay, we’re done.” Because there are some certifications that are better than others; like anything that’s going to be self-certified in terms of a certification that a vendor has may not be as valuable as, for example, having some sort of independent third-party audit of their systems. That becomes more important, obviously, depending on the type of data they’re dealing with and how much. But what we’ve seen is even in the case of the HRIS provider that we talked about, a lot of these companies are washing their hands of these incidents and saying, “This was your responsibility to notify.”
Also, we make certain tools available like MFA and SSO, but ultimately, it is your responsibility to tell us what you want to implement. And so, it’s important for HR to be having those conversations early and often with vendors, figuring out who’s actually responsible for putting these sorts of data protection measures in place, and figuring out if it is on the company or HR, having those discussions both with the vendor and figuring out what else should we have in place to maybe make sure that we’re reasonably protecting this data. Justin, so I know we kind of briefly touched on incident response simulations earlier, and if people are listening to this, I guess that’s a good first step, but what should companies be doing to prepare their teams for this? Because it’s an evolving threat, and it’s not going away anytime soon.

Justin Tarka: We can kind of summarize it in terms of three key points. So, the first point is training. Often, that comes in the form of tabletop exercises, which is essentially running through in person or in real time what an attack looks like and what the response will be. And that’s with members of your incident response team or SWAT team, so to speak, and perhaps with the help of external lawyers who can help you run through the exercise. So, the first point is training; as I mentioned earlier, focusing people on how to issue spot is a key part of that. The other point which we touched on earlier as well is to consider who’s part of your incident response team. Make sure that’s staffed appropriately.
For a lot of organizations, we do appreciate that’s easier said than done in terms of available resources and time and just capacity generally. But to the extent you can, it’s important to have a clear idea of, “Okay, who’s part of the team that will be dealing with any incident that comes up in the future?” And then the third part is your incident response plan, to the extent that you have one, in addition to the initial steps of data mapping, looking at data retention processes, and so on. Having something in writing in terms of an incident response plan is crucial in terms of navigating a response to an attack. And again, you could know that there are external lawyers or forensic experts that can help with the content of that. And it’s essentially to address points we’ve gone through on today’s podcast.

Ben Perry: Yeah, I always tell our clients that they need to be doing incident response tabletop exercises at least once a year. And I can always tell when we’re dealing with an incident response whether or not the company has done this before, because we often have to pose questions to them in terms of judgment calls and how we’re going to handle any particular wrinkle. And it’s very clear which companies have not thought about it before and which ones have. And it’s one of those things where if you’re not thinking about it in advance, you end up just relying on your outside counsel making that judgment call, or you end up delaying the process because you have to run it up the chain to your board or whoever has to ultimately approve these decisions, whether that’s the private equity company or whomever. And that often results in delays in this process. It could result in missing notification deadlines. There are a lot of real-world implications that it could have if you’re not picking through this in advance. So, we’ll leave it at that.

Justin Tarka: Thank you, everyone, for joining us today. We hope you found that insightful and helpful. Thank you.

Ben Perry: Thanks, everyone.

Announcer: Thank you for joining us on the Ogletree Deakins podcast. You can subscribe to our podcast on Apple Podcasts or through your favorite podcast service. Please consider rating and reviewing so that we may continue to provide the content that covers your needs. And remember, the information in this podcast is for informational purposes only and is not to be construed as legal advice.
