The ARM industry runs on data and information management. That is true at both the macro and micro level. Debt collection and debt buying firms, collection law firms, and repossession partners all control or process large volumes of sensitive personal information.
Within regulatory bounds, the industry is ready to use the benefits of digital innovation. But real threats make planning worthwhile now: ransomware, the challenge of a work-from-home or hybrid setup, and an always-evolving cybersecurity risk landscape.
To that end, consider the following risks and trends. We observed them across 1,250+ incidents handled in 2020. They are covered more fully in BakerHostetler's 2021 Data Security Incident Report (DSIR), with a link at the bottom of this article.
The Scourge of Ransomware
Ransomware surged in 2019. The main tactic was to encrypt as many devices as possible within a network at once. Then the Maze group changed the approach. It started to steal data before encrypting files. That gave the threat actor two pressure points: data encryption and the threat of publishing stolen data.
This let them push for a ransom even when the organization restored its systems from backups. The tactic paid off, and other groups quickly copied it in 2020. Ransom demands rose sharply. See Figure 1 below.

Across hundreds of ransomware engagements last year, we saw more threat actor groups than ever before. Many splintered from other groups. As a result, extortion tactics spread and demands climbed, sometimes into the eight-figure range.
Threat actors are also getting better at finding and encrypting backups. All of these factors drive up ransom demands and lengthen an organization's recovery timeline.
Most organizations know the risk of ransomware and the need to prepare. But those that have not lived through an event are unsure what actually happens, which makes preparation harder. Two good measures go beyond basic security recommendations: build a ransomware playbook, and run a tabletop exercise led by someone experienced in responding to these events. The DSIR covers both in more detail.
To help, you can use the ransomware matter data from the DSIR. It lists the many considerations an organization may have to address all at once on the first day of a ransomware matter. Your playbook, which you should test in a tabletop, should include strategies to assess and respond to business continuity impact.
It should also cover potential data theft with a threat to release the data publicly if the ransom is not paid. From there, identify the key response actions, the internal team responsible for managing the response, and the third parties you would bring in to help.
Some actions you can take ahead of time, such as deciding how you would assess revenue impact.
Cybersecurity Challenges of a Work from Home/Hybrid Environment
In the Spring of 2020, IT teams across the country scrambled to enable remote work under hard conditions. In that rushed move, shortcuts were taken and problems followed. IT teams plugged in unpatched appliances. Resources were pulled away from threat monitoring.
Organizations found unexpected security gaps. The pandemic's effect on finances, personnel, and shifting priorities pulled attention further from the security roadmap. As a result, new vulnerabilities appeared, and security events were not caught as quickly.
When an event was found, some of the hardest problems for our clients were core parts of any incident response: proper communication with employees and stakeholders, administrative and electronic containment, and deploying the right resources to investigate the scope of unauthorized activity.
Incident response is hard to manage even in the best conditions. A remote or hybrid environment makes the logistics harder still. To respond efficiently, an organization should develop an incident response plan (IRP). The IRP should identify your legal counsel, insurance, forensics, and IT support partners.
Keep one copy on your network and another off network, so it is always accessible. Maintain a communications strategy that lets you reach employees off of corporate email, so they stay informed and can assist with the investigation as needed.
Also weigh the merits of remote management tools and EDR solutions. They help with visibility, with identifying and terminating unauthorized activity, and with collecting forensic evidence for investigation.
No Easy Answers
Addressing cybersecurity risk is an ongoing effort. Staying one step ahead of sophisticated threat actors is nearly impossible. Still, an organization that invests time and resources to build plans and act on them will be ahead of the curve and ready for an efficient incident response.
The process starts with an effective risk assessment. Understand who is likely to target the organization. Identify the gaps in controls that could detect, prevent, or limit an attack. Then determine which threat and gap combinations are most likely to lead to a significant incident if left unaddressed.
From that baseline, assess and test your incident response plans. Take an honest look at your cybersecurity roadmap, and put the right measures and controls in place to reduce your top risks.
Every year, the BakerHostetler Digital Assets & Data Management Practice publishes a Data Security Incident Response Report (DSIR). It compiles statistics from the cybersecurity incidents we handled the prior year. The goal is to draw meaningful conclusions and insights about security incidents, regulatory enforcement actions, litigation, transactions, digital innovation, compliance projects, data governance, and advisory matters, and to help organizations address the issues that data and technology create.
Link to the 2021 BakerHostetler Data Security Incident Response Report
Found This Useful? Let's Get You Set Up.
Start an application and an expert will tailor the next steps to your situation.