Headlines say it all: your organization’s data faces an increasing risk of being caught up in a hostage situation. From the SolarWinds hack to the Colonial Pipeline incident, malicious cyber actors are finding ways to infiltrate systems with malware and block access to key data until a ransom is paid – usually in cryptocurrency like Bitcoin. As with serious hostage situations, there is a threat that what is being held for ransom gets eliminated.
Organizations need to be prepared for the new information security threats they face, because ransomware style attacks are only growing in frequency and magnitude. According to the Verizon 2021 Data Breach Investigation Report, ransomware was the cause of 1 in 10 breaches reported in 2020, doubling its prevalence compared to the previous report. Compromised servers, workstations and devices can grind your business to a halt, keeping any device connected to the compromised system offline for days, weeks or months. If data is lost, the resulting disruption could stretch out even longer.
An effective way for management teams to prepare their organization for a ransomware situation is through a simulated ransomware event, or a tabletop exercise. The following are key ways that ransomware tabletop exercises can improve your organization’s cyber-attack preparedness and responsiveness.
Illuminate the Soup-to-Nuts Ransomware Response
Ransomware tabletop exercises can be particularly useful for illuminating your organization’s obligations during a ransomware attack and how well processes work in a “real life” scenario. During a tabletop exercise, your management team would walk through your organization’s entire ransomware response: detection, containment, eradication, recovery, and post-incident activities. Tabletops are a facilitated discussion amongst an organization’s executive leadership and/or technical teams, led by an information security expert, to guide your organization’s management team through questions and considerations that arise during each response phase.
Know Who to Notify First
Communication questions begin as soon as ransomware is detected. Management teams should be able to clearly define how they find out the organization is a victim of a ransomware attack and then have a plan for how and when to notify other key personnel within the organization. There should also be an evaluation of whether the incident rises to the level of needing to activate other response teams, such as individuals tasked with other elements of business continuity planning.
Additionally, your organization will have to notify key external parties. During the detection phase, work should begin with whoever among management is responsible for vetting and issuing breach communication to stakeholders, customers, and the media. Some arrangements with customers or vendors may have requirements around timing of your communication with them, so it’s important to know how outside factors may affect communication timelines. Insurance, legal considerations and litigation risks will be a factor, so a plan should involve steps for insurance and legal team consultation prior to release of breach communications.
Plan for Containment
Key to any cyber-attack is to isolate the compromised device or server as quickly as possible so that other systems are not also compromised by the breach. Management teams should know who holds the authority – and permission set – to shut down enterprise-wide corporate computer systems. Communication will continue to be a top issue in the containment phase and will likely include a broader net of contacts.
Determine When You Would Pay Ransom
Whether or how to pay out on a ransomware attack is a huge question the organization may face during an incident. Factor in the specifics of your cyber liability insurance policy, which may have a provision that would cover the cost of a ransom in certain scenarios. It will be helpful to understand if you have insurance coverage in advance of having to make the call in a real-life event.
As mentioned before, many cyber bad actors deal in cryptocurrencies, which your organization may not have sitting around. Management teams should have a clear definition of when they would pay out a ransom and how they would access the currency to do so.
Fine Tune Your Response During Recovery
While the organization’s information security team gets busy restoring data from back-ups and getting systems back online in the recovery phase, management teams will face a serious test of communication plans. Again, have a plan to vet disclosures about the ransomware incident and your organization’s response with your legal team, and others as deemed necessary and appropriate, to ensure disclosure requirements are handled correctly.
Plan for Changes
In the final stage of a ransomware attack – the post-incident activities – management teams take center stage. Communication to internal and external entities wraps up as the organization goes through what happened, why, and how the organization can improve its response to future similar attacks in detail. Documentation of the discussion points and post-incident analysis will be critical – and may even be required or demanded by stakeholders. The questions or scenarios that could not be answered or those that resulted in action items should be assigned to a responsible party and followed up on. Your organization should also update key contact lists, incident response procedures, business continuity plans and other applicable documentation based on the results of the tabletop exercise to ensure any lessons learned have been incorporated.
Finally, as a result of the tabletop exercise and lessons learned, training should be provided to employees to ensure those responsible are aware of and prepared to execute any updated protocols or plans so that your organization is better positioned for a real ransomware event if it should occur.
Taking the Next Step
For more information on cybersecurity protocol or tabletop exercises, please contact us.