Repelling A Ransomware Attack: Cynthia Cole of Baker Botts On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Cynthia Cole.
Cynthia Cole is the Deputy Department Chair (Corporate) for the Palo Alto and San Francisco offices of Baker Botts, where she has been instrumental in growing the privacy and data security and tech transactions practices. Prior to joining Baker Botts, Cynthia was general counsel and interim CEO at various technology companies, in both the United States and France. Cynthia is also an adjunct professor of law at Northwestern University Pritzker School of Law, and serves on the advisory board of LeaderXXchange, a purpose-driven organization that advises and promotes diversity and sustainability in governance, leadership & investment. She’s also on the board of the Palo Alto Art Center Foundation. Cynthia is a recognized thought leader and has been honored consistently for her contributions to data privacy & security and diversity and leadership generally, both inside and outside the legal profession. She was recently recognized as one of the “Top Cyber Lawyers in California” by The Daily Journal, 2022.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
On the move!
My family is originally from the Midwest. I was born in Kentucky, moved to Sierra Leone, Africa, back to Michigan, Ohio and so on until I had lived in 6 different states and 2 continents before the age of 14. I went on to add three more states, and include Washington DC and France to the list of places I have lived. I was talking with someone just the other day and she said: “Don’t you think that helps you translate in your work? You probably feel at home just about anywhere and can relate to just about anyone.”
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I have always been interested in tech. Tech is what brought me to Silicon Valley in 2000 when I graduated from Northwestern law school. I like to learn about how things work. But this practice didn’t exist in 2000. So, as I accumulated different experiences in technology and the industry and became more interested in privacy and data use, it was a logical progression to data security. At this point I don’t think you can separate the two — you can’t just be an attorney who processes breach notifications but who doesn’t understand the privacy compliance structure and the data security process that has been broken to prompt the notice.
Can you share the most interesting story that happened to you since you began this fascinating career?
My most interesting stories are best told through allegory. I’ll repeat an answer I gave in a prior interview, years ago. It is even more true today.
“A Homeric tale: an epic where I never truly went home, or at least back to the start: promises made and kept, foreign travel, wine, battles, raging storms, lost friends, new friends, disguises, narrow straits, encounters with fantastic sea creatures, a tapestry to unweave every evening and through it all: navigating by my inner compass. A hero for some, a demon for others.”
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
My willingness to fail, my desire to learn and my fondness for people. I called upon all of those traits when, in 2017, I went from being interim CEO and General Counsel at Spectra7 Microsystems, to going back into private practice at Baker Botts in Palo Alto, California. I had no assurance that I would be able to build a practice at a firm after 13 years in house, but I really liked the people and the vision (and still do) and thought that even if I failed I would have learned a tremendous amount that I could take with me no matter what happened. And as it turns out, I have never been more fulfilled professionally.
Are you working on any exciting new projects now? How do you think that will help people?
I am passionate about creating ways for people to learn, which is why I invest so much energy into thought leadership, teaching and mentoring. In 2021 I started the Privacy Flash Five, which is a monthly video/audio clip of less than 2 minutes where I highlight 5 of the latest privacy and security stories. I wanted to create something easily shareable and easily digestible especially after two years of very heavy video conference fatigue.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
I don’t approach Ransomware from behind a wall of IT knowledge and technology jargon. I take the time to explain it like I learned it: as part of much larger issues of data and people management and a breakdown in a system that has a profound impact on business continuity.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
4 types of ransomware
Historically, the two main types of ransomware are crypto and locker. More recently, double extortion and ransomware as a service (RaaS) have become popular.
Locker ransomware blocks access to computer systems. This variant uses social engineering techniques and compromised credentials to infiltrate systems. Once inside, cyber criminals block users from accessing the system until a ransom is paid.
Crypto ransomware is more widespread than locker ransomware. It encrypts all or certain files on a computer and demands a ransom from the victim in exchange for a decryption key. Newer variants also infect shared, networked and cloud drives. Crypto ransomware spreads through various means, including malicious emails, websites and downloads.
Double extortion ransomware encrypts files and exports data to blackmail victims into paying a ransom. With double extortion ransomware, attackers threaten to publish stolen data if their demands are not met.
RaaS involves perpetrators renting access to a ransomware strain from the ransomware author, who offers it as a pay-for-use service. RaaS creators host their ransomware on dark net sites and allow criminals to purchase it as a subscription — much like a SaaS model.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
Both. Even though businesses are the first line victim, private individuals pay the price as well in lost and black market data and business volatility (to name only a few).
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
Your cyber lawyer — you need someone who can give you cover and advice and help you, calmly, activate next steps, including your communication strategy.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
Call in outside experts (security, forensic, technical) to help assess and diagnose next steps with an objective eye.
Should a victim pay the ransom? Please explain what you mean with an example or story.
In an ideal world no one would pay the ransom, but this isn’t a black and white problem with a black and white solution.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
There are technological issues that should be addressed, but this is a people problem — people inside the company in silos who don’t communicate across departments, or when they do communicate, issues are not heard, because the one who holds the budget doesn’t fully understand the problem. This also leads to the company not being aware of a problem for much longer than it should, which exacerbates the core issue of poor network security.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
Continue to raise the issue as one that touches everyone and remove the stigma of being the victim of ransomware. Like in most things, the more transparency, the easier it is to address the root problems.
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
Taken from the Text of the Privacy Flash Five Security edition 2021 (December 2021)
Here are the top five ways companies can protect themselves against a cyber-attack.
- Software. The first line of defense is to have reputable and up-to-date antivirus and endpoint detection monitoring software, and regularly scan for vulnerabilities.
- Strong Security Practices. Companies must adopt enterprise-wide security practices, including multi-factor authentication and strong password requirements. Security should be a top priority at all levels of the organization.
- Backup Data. Regular, offline backups of data are critical. Recent ransomware variants can delete or encrypt backups housed online or on connected systems.
- Train Employees. Employees should understand general cybersecurity issues, including how to identify and report suspicious activities.
- Plan for an Incident. Today, it is not a question of if an organization will be a victim of a cyberattack, but when. Companies must maintain a strong Incident Response Plan and test it regularly with key stakeholders.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
Listening. I don’t think listening gets enough credit for how powerful a tool it is in positive communication and problem solving. So many people are so anxious to talk or act, move ahead and show how much they know, that they don’t listen to what is being said by others or what isn’t being said. Active listening takes a tremendous amount of focus and it allows us to better integrate what the other person is saying by creating space and silence, which often is more powerful, helping ideas and connections to form.
How can our readers further follow your work online?
https://www.bakerbotts.com/people/c/cole-cynthia-j
www.linkedin.com/in/cynthia-cole-b67b354
This was very inspiring and informative. Thank you so much for the time you spent with this interview!