With ransomware attacks on the rise, it is important to understand how you would respond to such a crisis. How you handle a ransomware attack determines how much the incident will affect your finances, customers, and reputation.
If your business makes a bad move and responds poorly, the impact could be severe. It is crucial that you have response actions and plans in place to help mitigate losses. If you are interested in protecting your business from a ransomware attack, take the following recommendations into account:
1. Create and follow an incident response plan (IRP) to reduce damage.
The best way to mitigate losses is by creating a well-prepared plan that is also shared with employees. Staff should be made aware of their roles and responsibilities in the event of an incident. A good place to start creating your plan is the gold/silver/bronze model.
Essentially, the gold team, or the executive team, is responsible for the business's strategy and for responding to stakeholders regarding the incident. The silver team, on the other hand, consists of the company's departmental heads, who ensure that resources are available and that tactics are used correctly by the bronze team. As you can guess, the bronze team carries out the operation and delivers the response.
Once the IRP has been written, it should provide a step-by-step set of instructions to help staff understand how they should respond to security threats. It also guides the company on how to recover from the crisis.
2. Identify and contain the source of the attack then fix the vulnerability.
Your IT team must immediately identify where the attack is coming from and attempt to contain it. They will have to figure out which attack method was used.
For example, did the attack come from someone clicking a link in a phishing email or a drive-by pop-up? Was it from a bad actor who exploited a weakness that gave them access to internal resources? There are many ways this attack could have happened, and it is the responsibility of your cybersecurity team to find out.
In regards to containment, your IT team must ensure that the malware doesn't begin to spread. If it is not successfully contained, the company is at risk of the restored data being contaminated. IT should also determine what the business's vulnerabilities are so that the attack cannot happen again in the future.
3. Contact law enforcement and legal representatives
If you find yourself dealing with a cyber-attack, immediately contact law enforcement. It is recommended to contact the FBI’s Internet Crime Complaint Center (IC3). Even if the FBI is unable to assist you with the attack, they do have resources available to guide you.
One benefit of contacting law enforcement is that they can help determine the size of the breach and also guide you on how to proceed. They can even communicate with the attackers. Organizations should also contact their legal representatives and speak with counsel who specialize in cybersecurity. This is best practice because you will need to be prepared in case the attack results in litigation. Please note that businesses are generally required to contact regulatory bodies within 72 hours of learning of the attack.
4. Decide whether you should pay the ransom.
This is the hardest question that you will have to face. Should you pay the ransom? Unfortunately, there is no easy way to answer this as it depends on your company’s ability to recover from the attack.
Your cybersecurity team will need to consult with executive management on how to respond. From there, the executive team can determine whether the risk is high enough that the company may not be able to recover its information in an appropriate timeframe. If that is the case, you may choose to pay the ransom. However, paying the ransom could be avoided if you have implemented security measures to detect, prevent, and recover from ransomware attacks.
5. Communicate news of the attack to other parties.
It is important to inform interested parties and stakeholders of the incident. These could include customers, employees, partners, legal representatives, insurance companies, and the public. It is crucial that your communication is timely, as you would hate for your stakeholders to learn of the incident from a secondary source.
In addition, all communication should be done by following the legal strategy throughout the response process. If you decide to speak to the media, it is recommended to have a public relations spokesperson or senior executive handle this.
6. Ensure that you meet regulatory compliance obligations.
Your organization should be mindful of any compliance obligations. This is especially true for those in the financial services or health care sectors. Having an experienced lawyer as part of your legal team will help you navigate potential legal, compliance, and regulatory risks.
It is important to note that stolen data can trigger compliance obligations on an expedited timeline. For example, you may have to provide notice before completing your own investigation.
This could be the case for attacks that involve data subject to Defense Federal Acquisition Regulation Supplement (DFARS) regulations, New York State Department of Financial Services (NYDFS) regulations, or the European Union's General Data Protection Regulation (GDPR). If you are also under contractual obligations with certain customers or vendors, then you may have to notify them as well within a certain time frame.
7. Review what happened before, during, and after the cyber-attack to make changes.
It is important to learn from this experience, so review what happened during the entire timeline of the attack. If you find any flaws, come up with solutions to improve. Also consider meeting with relevant vendors to determine the possible causes of the attack and find ways to prevent them in the future. Another way to help your company avoid this experience is to review the IRP that you created and see if anything in your plan needs to be updated.