It should be surprising, but it’s not.
If you haven’t heard yet, the North Carolina State Bar was hit by a ransomware attack.
Our State Bar announced on Thursday, October 3 that (on September 30) ransomware had infected the Bar’s servers. According to the report, a response team was able to stop the bleeding—but there were consequences.
A later follow-up revealed that the State Bar suffered from about a week of downtime (if you compare information from the two reports). This follow-up also indicated that the Bar lost at least five days of data for the “Membership and CLE databases.”
Here at Proactive IT, this cyberattack is more than just news. It isn’t just a headline.
Our clients include North Carolina attorneys.
The North Carolina State Bar ransomware attack is significant for them—as well as the other businesses we serve. In the aftermath of this event, here are five things I’d like to point out.
1. The bad guys aren’t sparing the legal industry.
Cybercriminals aren’t intimidated by the legal industry.
It wasn’t too long ago that Recorded Future documented how APT10 (“a Chinese state-sponsored threat actor”) infiltrated a law practice. It’s been less than a year since the American Bar Association wrote, “The FBI has reported that law firms are often viewed as ‘one-stop shops’ for attackers.”
Forward-thinking attorneys, take note.
The North Carolina State Bar ransomware attack is yet another piece of evidence that cybercriminals won’t leave the legal industry unscathed. Now is the time to get ahead of the cybersecurity curve before the bad guys target your firm.
2. Cybercrime happens to your neighbors.
Notice that the cyberattack didn’t target the American Bar Association; the attack went after the North Carolina Bar Association.
While the bad guys attack the Equifaxes of the world, they also attempt to target smaller businesses and individuals, myself included.
No organization is too big to fail—or too small to go unnoticed.
If the North Carolina State Bar can fall prey to ransomware, how much more likely is a small law firm to fall victim? Don’t assume cybercrime is only something you read about on the internet. It happens to business owners like you.
3. Having data backups isn’t enough.
I’ve already mentioned how the North Carolina State Bar ransomware attack caused the loss of days of data. And according to the follow-up report, the Bar had data backups.
But here’s where the problem lay. The Bar seems to indicate that data was only saved up to a certain point.
Given this information, it looks like successful backups weren’t occurring on a daily basis. Or perhaps the local backups got compromised as well, and the offsite backups were not up-to-date. In any case, once the ransomware attack hit, there was a significant gap between the data the Bar needed and the data it could recover. Sadly, with the right methodology, the North Carolina State Bar’s data loss exposure could have been limited to hours or minutes.
4. Downtime doesn’t have to be lengthy.
I’ll be blunt. After the ransomware attack, the North Carolina State Bar was down way too long.
Cybercrime will probably create some downtime for an organization. That’s to be expected. But it shouldn’t drag on for around a week. A solid business continuity plan—that’s properly executed—allows an organization’s infrastructure to be fully functioning in hours (not weeks).
5. Ransomware doesn’t need to be a big threat anymore.
Ransomware may constantly be in the headlines, but the prevalence of ransomware attacks says more about organizations’ cybersecurity methodology than about the trickery of the bad guys. Personally, I am much more concerned about the Silent Bad Actor™ problem than ransomware.
Ransomware attacks can be made highly improbable by following standards, such as the NIST Cybersecurity Framework, and layering up-to-date cybersecurity tools (such as next-generation endpoint security). Most importantly, we must closely manage our security and backup systems by sweating the details.
Is your cybersecurity well-rounded?
In a previous blog post, I explained how some businesses focus on simply protecting their IT infrastructure—versus using the NIST Cybersecurity Framework of “Identify, Protect, Detect, Respond, and Recover.”
The North Carolina State Bar ransomware attack is a classic example of why cybersecurity requires a well-rounded approach.
I’m sure the Bar had cybersecurity protections for their IT infrastructure. However, from a cursory look at the evidence, we see indicators of insufficient business continuity preparedness.
In the same way, it’s not enough to focus on protecting your organization from cyberattacks. You need to follow the NIST Cybersecurity Framework (and sweat the details) so you can recover with minimal damage…even if the worst occurs.
To learn more about the NIST Cybersecurity Framework, I’d encourage you to check out NIST’s website. I’m also happy to discuss any questions you might have about NIST or cybersecurity. You can send us a quick message here or call our office at 704-464-3075.
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.