In this episode of CHATTINN CYBER, Marc Schein interviews Jennifer Coughlin, Founding Partner at Mullen Coughlin, a law firm exclusively dedicated to representing organizations facing data privacy events and information security incidents and the need to address these risks before a crisis hits. Jennifer focuses her practice solely on providing organizations of all sizes and from every industry sector with first-party breach response and third-party privacy defense legal services. In the first part of the conversation with Jennifer, we explore her journey to Mullen Coughlin, the top three cybersecurity threats organizations have faced in the past couple of years, and a detailed analysis of the industries most prone to the attacks.
Jennifer got into cybersecurity after John Mullen suggested the same to her decades ago, even before he got his first cyber case. They started their own cybersecurity firm Mullen Coughlin, which recently celebrated its fifth anniversary. Beginning with 13 attorneys, Mullen Coughlin expanded itself over the years and now has a team of 95 attorneys involved in data privacy and cybersecurity counseling. It is the largest privacy law firm in the US.
Cybersecurity breaches and vulnerabilities have increased in the recent decade. Jennifer lists the increase in incident response matters hence: In 2019, they had 2350 incident response matters, it grew to 3551 in 2020, and 3954 the following year. These numbers are not including the regulatory defense, litigation defense, and compliance.
The top three kinds of threats Mullen Coughlin handled in a recent couple of years have been ransomware attacks, business email compromises, and third-party events.
As Jennifer draws in from her organization’s reports, victim companies paid the attackers due to either of the following reasons:
- The threat actor deleted the data, and the victim organization didn’t have backups because they were encrypted.
- Or the victim organization had backups, but obtaining the key was quicker for restoration purposes.
- 26% of the time, payments were made only for key and delete purposes.
As statistics from 2020 show, only 25% of organizations paid the attackers ransom. 75% of the organizations agreed to take the risk as they didn’t find it worth paying for a promise from a threat actor. The percentage of organizations making payments for ransomware attacks came further down to 18% in 2021, indicating considerable progress in cybersecurity.
After assessing the likelihood of different industries being hit with cybersecurity threats, Jennifer breaks them down into 10 categories. As per her reports, in 2021, the top 10 industries affected by cybercrime (from the highest percentage of cases to the lowest) were as follows:
- Financial and Professional services
- Manufacturing and Distribution
- Healthcare and Life Sciences
- Hospitality and Entertainment
Compared with the reports from 2020, the Manufacturing and Distribution industry remained at the second position. Evaluating the possible reasons for the consistently high levels of cyber threats in the industry, Jennifer says it could be because of inconsistent deployment of cybersecurity practices in organizations and a lack of thoroughness about cybersecurity safeguards, laws, and regulatory compliance procedures.
Now, what do the threat actors do with the acquired data? They put it out on the dark web or get it sold.
Listen to the episode to get detailed insight into the explained cybersecurity threats and figures!
“We are as successful as we are because of every single person on our team. And we recognize that everybody, recognizes that they are valued, and they are part of helping organizations through these really scary events, defending them in regulatory investigations and litigation and also helping them be better before they experience (cybersecurity threats).”
“Just because data is taken and you pay for a promise of deletion from the threat actor doesn’t mean if there’s protected data in that exfiltrated data, you get to absolve yourself, of having to notify under the laws that apply to you. You still have to notify, even though you’re getting a promise from a threat actor, it’s never going to be enough for a regulator when you find out you didn’t notice. ”
“We’ve seen ransomware really evolve over the past few years. And it’s evolved to a point where threat actors realize if they exfiltrate data, they will be able to put more pressure on the organization to pay, because, one, the organization needs access to their data, and two, they don’t want to experience potential reputational harm or damage if their data is leaked out on the dark web.”
[00:53] – Jennifer’s way into cybersecurity
[03:43] – Why is the percentage of organizations paying ransom to threat actors low?
[10:36] – The organizations most prone to cyber attacks
[17:05] – Why the Manufacturing and Distribution industry continues to remain at the second position for the percentage of cyber threats faced
Connect with Jennifer: