You’ve been hit by ransomware: Now what? The five immediate responses to an attack

12 July 2021

Ezat Dayeh, senior systems engineering manager, western Europe at Cohesity

One thing’s certain in these uncertain times: the risk of ransomware continues to grow. Research suggests there has been a 715% year-on-year increase in detected attacks.

The potential damage of these assaults is huge. Ransomware encrypts files, or whole systems, and withholds the key until a ‘ransom’ is paid; increasingly, attackers also steal data before encrypting it and threaten to publish it. Yet despite the risk, many organisations still struggle to create a best-practice response to ransomware.

It doesn’t have to be this way. While ransomware is a menace, you don’t have to run the risk of being unable to respond effectively to an attack. Here are the five immediate steps your business should take.

Recover and reopen

Having access to the right recovery solution can mean a potentially catastrophic situation is turned around in hours. Rather than staying closed for weeks or even months, your business can recover rapidly and maintain a high level of business continuity.

However, analyst Forrester says fewer than a quarter of businesses are prepared to recover quickly from a ransomware attack. The researcher says the problem is often that traditional backup and recovery products create siloed data and inadequate recovery processes.

So what does the right recovery solution look like? Look for a service that uses emerging techniques like machine learning to detect anomalies in your backup data, such as a sudden spike in the number of changed files or in the entropy of the changed data. Also look for cloud-based backups that allow your organisation to recover data snapshots at scale. Whatever you choose, at least one copy of the backups must be immutable or offline and protected by separate credentials with multi-factor authentication, because attackers routinely try to delete or encrypt backups before they trigger the payload.

Experts agree that all organisations should back up their systems regularly and test restores from those backups as part of a recovery plan. Then, if ransomware does infiltrate your network, there's a proven method for restoring data without paying cybercriminals.
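The anomaly detection described above, as an added illustration that is not Cohesity's code or any vendor's product logic: it assumes the backup platform can report, for each snapshot, how many files changed since the previous one and the mean Shannon entropy of the changed data (the per-snapshot figures below are constructed). Encrypted output sits close to 8 bits per byte while ordinary documents sit well below that, and a mass-encryption event rewrites a far larger share of the file set than a normal day, so both signals are checked against a rolling baseline of earlier snapshots.

```python
"""Flag backup snapshots whose change pattern looks like mass encryption.

Added example, not a vendor's detection code. Assumes the backup platform
reports, per snapshot, the number of changed files and the mean Shannon
entropy (bits/byte) of the changed data. All figures below are constructed.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Snapshot:
    label: str
    files_total: int
    files_changed: int
    changed_entropy: float  # mean entropy of files changed since the previous snapshot

    @property
    def change_ratio(self) -> float:
        return self.files_changed / self.files_total


# Constructed sample: seven ordinary nightly snapshots, then one taken after
# an encryption run had rewritten most of the file set.
SNAPSHOTS = [
    Snapshot("day-01", 100_000, 1_200, 4.9),
    Snapshot("day-02", 100_000, 900, 5.1),
    Snapshot("day-03", 100_000, 1_500, 4.8),
    Snapshot("day-04", 100_000, 1_100, 5.0),
    Snapshot("day-05", 100_000, 1_300, 4.7),
    Snapshot("day-06", 100_000, 1_000, 5.2),
    Snapshot("day-07", 100_000, 1_400, 4.9),
    Snapshot("day-08", 100_000, 61_000, 7.96),
]


def anomaly_reasons(
    snap: Snapshot,
    history: list[Snapshot],
    z_threshold: float = 3.0,
    entropy_threshold: float = 7.5,
) -> list[str]:
    """Return why `snap` deviates from `history`, or [] if it looks normal."""
    reasons: list[str] = []
    ratios = [s.change_ratio for s in history]
    baseline = mean(ratios)
    # Floor the spread so a perfectly flat baseline does not flag ordinary noise.
    spread = max(pstdev(ratios), 0.001)
    z = (snap.change_ratio - baseline) / spread
    if z > z_threshold:
        reasons.append(
            f"change ratio {snap.change_ratio:.3f} is {z:.1f} sd above baseline {baseline:.3f}"
        )
    if snap.changed_entropy > entropy_threshold:
        reasons.append(
            f"changed data entropy {snap.changed_entropy:.2f} bits/byte looks encrypted"
        )
    return reasons


def detect(snapshots: list[Snapshot], warmup: int = 5) -> dict[str, list[str]]:
    """Walk snapshots in order; flagged ones are kept out of the rolling baseline."""
    history: list[Snapshot] = []
    flagged: dict[str, list[str]] = {}
    for snap in snapshots:
        if len(history) >= warmup:
            reasons = anomaly_reasons(snap, history)
            if reasons:
                flagged[snap.label] = reasons
                continue  # do not let the anomaly drift the baseline
        history.append(snap)
    return flagged


if __name__ == "__main__":
    for label, reasons in detect(SNAPSHOTS).items():
        print(f"{label}: " + "; ".join(reasons))
```

Two design points matter in practice: a flagged snapshot is excluded from the baseline so the next night's comparison is still against known-good data, and the entropy check fires independently of the change-ratio check, because an attacker who encrypts slowly to stay under the volume threshold still produces near-random output.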

Diagnose what happened

You can’t decide what to do if you don’t know what’s happened. That might sound like straightforward advice but it’s surprising how few organisations can get a tight grip on the nature of the ransomware attack they’ve faced.

The WannaCry ransomware attack of 2017, which is estimated to have affected more than 200,000 computers across 150 countries, spread so quickly that many organisations were unaware what had left them exposed. As is often the case, the victims were organisations that had not applied a security update Microsoft had issued two months earlier (MS17-010), which closed the SMBv1 flaw the worm exploited.

Companies must dedicate more resources to security analysis and diagnosis. Gartner advises companies to conduct risk assessments and penetration tests to determine the attack surface and the current state of security resilience and preparedness in terms of tools, processes and skills to defend against attacks. Some modern data management platforms can also flag security vulnerabilities to an administrator proactively, saving your team time and letting it get ahead of other tasks.

And if the unthinkable does happen, you will already be several steps ahead in understanding how it happened, remediating the damage and initiating recovery.

Alert internal stakeholders

Diagnosis needs to be followed by a period of engagement. It’s crucial that information reaches the right stakeholders in a timely fashion. The National Cyber Security Centre (NCSC), the cybersecurity arm of the UK's GCHQ intelligence service, notes the importance of developing an internal and external communication strategy.

Consultant EY says organisations must include all appropriate stakeholders, such as IT, legal, compliance, human resources, operations and communications. Response plans should clearly define responsibilities and enable stakeholders to lead effectively in a crisis.

It’s particularly important that legal advisors are engaged as soon as an attack is discovered. These experts will ensure the investigations you undertake will stand up to scrutiny, helping your organisation to stay compliant with data protection and privacy regulations.

Notify data regulators

The type of action you’ll need to take will depend on where the incident occurred and where the affected data subjects live. There is a wide range of statutory requirements under the laws enacted in different geographies, and many of them run on short clocks. Taking steps promptly could help your business to limit legal, financial and reputational ramifications.

Your organisation must understand whether personal data is affected and, if so, how: encrypted in place, destroyed, or copied out of the network. Where data is breached, you’ll need to seek legal advice and assess what has been lost or exposed. You must consider the need to notify regulators and customers, as covered by key laws such as the EU’s General Data Protection Regulation.

Under the GDPR, losing access to personal data is itself a breach, and a notifiable breach must be reported to the supervisory authority within 72 hours of becoming aware of it. If the attackers also reviewed or took unencrypted personal data, the risk to the people concerned is likely to be high enough that they must be informed as well as the regulator.

Communicate with customers

The potential financial and legal ramifications of a ransomware attack are significant enough – but get the communication strategy with your customers wrong and you risk creating irreparable damage to the relationships you have with your client base.

Research suggests the confidence hit from a ransomware attack can be so significant that the culture at affected companies is never the same again. Yet even organisations hit by ransomware can keep customers onside, so long as they handle the incident transparently, competently and efficiently.

A successful ransomware attack could close some of your key communication channels, such as e-mail and VoIP telephony, so the out-of-band channels you plan to fall back on must be arranged, and their contact details kept, somewhere the attacker cannot reach. Finding ways to keep customers informed, such as staffing customer service lines from mobile devices, will help to mitigate some of their concerns. Social media tools, meanwhile, can be used to push regular updates.

Being open and honest is the best approach. The companies that communicate most effectively during a ransomware attack are those that have already contemplated, planned, and identified contingency measures for these types of scenarios.

Summary

A successful ransomware attack will create havoc in terms of your organisation’s relationships with its stakeholders and customers. However, while the damage can be severe, it doesn’t have to be unrecoverable. By taking the right steps quickly, your organisation can be up and running sooner than you might have thought possible.