April 28, 2021
Ransomware attacks are the most common form of data security incidents and can impact organizations of any size in any industry. Threat actors are becoming more sophisticated every day and can infiltrate your IT systems for months without anyone noticing, strategically evaluating your infrastructure for weaknesses.
Once they are ready to act, they encrypt files containing sensitive information and lock down your systems, presenting a ransom demand for an encryption key. Customers, employees and even vendors can be impacted, requiring effective communications to maintain revenue and rebuild trust among key audiences as a complicated, unpredictable and time-consuming investigation proceeds. Whether the organization restores from backups or pays to obtain the encryption key, it can take organizations weeks, if not months, to return to normal operations.
I recently came across a particularly helpful report from BakerHostetler, a national law firm with a practice specializing in data security incidents. The report cited several measures to take when thinking about how to effectively address ransomware risk, including:
- Guarding against phishing, addressing security gaps caused by the limited utility of antivirus against banking trojans like Trickbot and Emotet, and securing remote access (e.g., open RDP ports).
- Enabling Multi-Factor Authentication (MFA) for the organization and any service providers with remote access.
- Evaluating your business continuity and disaster recovery plans and how they integrate with your incident response plan.
- Looking at your strategy for backups. Current backups, segmented from production systems and easily accessed, can help you avoid business interruption without paying a ransom.
- Understanding your insurance resources. Think through the hourly impact of downtime in the event you have to decide whether, when, and how much ransom to pay.
- Preserving evidence. Ransomware attacks also involve access to data that triggers notification obligations – contractual and legal. In the rush to restore systems, some organizations wipe and reimage devices without preserving evidence, which complicates the ability to determine what occurred after the attacker gained access to the network and before ransomware was deployed.
As always, a comprehensive communications strategy is essential when dealing with business interruption and legal compliance issues such as those created by threats like ransomware. Get your insurance, legal, IT and communications resources lined up in advance because seemingly it is not a matter of if, but when, and how badly your organization will be impacted by ransomware.
Want to talk about your organization’s preparation for a crisis situation like a ransomware attack? Feel free to drop me a line to talk.