The five immediate responses to ransomware attacks

Ransomware represents the biggest threat to business as usual for British firms and the risk will continue to grow. In the past month we’ve seen the rail firm Northern and six schools on the Isle of Wight affected. And, a product made by US IT firm Kaseya, was subject to a cyber attack which has made a significant impact worldwide. Research suggests there has been a 715% year-on-year increase in detected attacks. 

Ransomware is a common attack and a type of malware which can make data or systems unusable until the victim makes a payment. This of course does not guarantee the criminals will halt the attack.

The potential damage of these assaults is catastrophic. Ransomware locks users out of their IT systems until a ‘ransom’ is paid. Yet despite the risk, many organisations still struggle with creating a best-practice response to ransomware.

It doesn’t have to be this way. While ransomware is a menace, you don’t have to run the risk of being unable to respond effectively to an attack. Here are the five immediate steps your business should take.

1.  Plan for recovery from an attack

Plan for an attack, even if you think it is unlikely. There are many examples of organisations that have been impacted by collateral malware, even though they were not the intended target.

Having access to the right recovery solution will mean a potentially catastrophic situation can be turned around in hours. Rather than staying closed for weeks or even months, your business can recover rapidly and maintain a high level of business continuity.

So, what does the right recovery solution look like? Look for a service that uses emerging techniques like machine learning to detect anomalies in your backup data. Also look for cloud-based backups that allow your organisation to recover data snapshots at scale.

Experts recognise that all organisations should backup their systems regularly, as well as testing those backups as part of a recovery plan. Then if ransomware does infiltrate your network, there's a method for restoring data – without the need to pay cybercriminals.

2.  Diagnose the problem

If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover.  You can’t decide what to do if you don’t know what’s happened. That might sound like straightforward advice but it’s surprising how few organisations can get a tight grip on the nature of the ransomware attack they’ve faced.

Companies must dedicate more resources to security analysis and diagnosis. Gartner advises companies to conduct risk assessments and penetration tests to determine the attack surface and the current state of security resilience and preparedness in terms of tools, processes and skills to defend against attacks. With modern data management platforms, some have the ability to flag security vulnerabilities proactively to an administrator – saving more time for your team and allowing you to be on the front foot with other tasks. 

And, if the unthinkable does happen, you’ll be several steps down the line in remediating damage and initiating that recovery and understanding how it happened. 

3.   Notify internal stakeholders

Diagnosis needs to be followed by a period of engagement. It’s crucial information reaches the right stakeholders in a timely fashion. The National Cyber Security Centre (NCSC), which is the cybersecurity arm of the UK's GCHQ intelligence service, notes the importance of developing an internal and external communication strategy. 

Consultant EY says organisations must include all appropriate stakeholders, such as IT, legal, compliance, human resources, operations and communications. Response plans should clearly define responsibilities and enable stakeholders to lead effectively in a crisis.

It’s particularly important that legal advisors are engaged as soon as an attack is discovered. These experts will ensure the investigations you undertake will stand up to scrutiny, helping your organisation to stay compliant with data protection and privacy regulations. 

4.   Notify data regulators

The type of action you’ll need to take will depend on the location of the incident. There are a wide range of statutory requirements associated to the laws that have been enacted by data regulators in different geographies. Taking steps promptly could help your business to limit legal, financial and reputational ramifications. 

Your organisation must understand whether personally identifiable information is affected and, if so, how. Where data is breached, you’ll need to seek legal advice and assess whether information has been lost. You must consider the need to notify regulators and customers, as covered by key laws, such as the EU’s General Data Protection Regulation.

If the ransomware attack involves hackers reviewing and taking unencrypted data, with systems disabled for some time, then organisations need to report the incident to both regulators and affected individuals.

5.   Communicate with customers

The potential financial and legal ramifications of a ransomware attack are significant enough – but get the communication strategy with your customers wrong and you risk creating irreparable damage to the relationships you have with your client base.

Research suggests the extent of the confidence hit from a ransomware attack can be so significant that the culture at affected companies is never the same again. Yet even organisations impacted by ransomware can keeps customers onside, so long as they handle the incident transparently, competently and efficiently. 

A successful ransomware attack could close some of your key communication channels, such as e-mail and internet-based VoIP networks. Finding ways to keep customers informed, such as manning customer service lines via mobile devices, will help to mitigate some of their concerns. Social media tools, meanwhile, can be used to push regular updates.

Being open and honest is the best approach. The companies that communicate most effectively during a ransomware attack are those that have already contemplated, planned, and identified contingency measures for these types of scenarios. 

Summary

A successful ransomware attack will create havoc in terms of your organisation’s relationships with its stakeholders and customers. However, while the damage can be severe, it doesn’t have to be unrecoverable. By taking the right steps quickly, your organisations can be up and running sooner than you might have thought possible.