The stories read like a movie trailer. An unknown and unseen force takes over your company. Except, this time, it’s not the next “Die Hard” movie; it’s your real day.
Ransomware is one of the latest threats that seem like a bad dream but are a real problem. Company assets are being held hostage with little recourse but to pay an unsavory suspect. How does one anticipate or address these concerns?
Like anything, it goes back to the old saying that the best offense is a good defense. Preparing for a ransomware attack is not easy; it is nearly impossible to anticipate all of the scenarios. Looking at some of the recent ransomware attacks is an excellent preparatory step – who knew what and when? How did the attack happen, and, more importantly, how are you prepared to respond?
In recent attacks, major hospital systems and even entire cities have found that their assets are frozen unless they are willing to release sums of money to have the problem go away. Sometimes that may seem like the easy way out – but is it the right idea, and will it merely leave you more vulnerable and an easy target for future attacks?
The best offense is, indeed, the preparation to imagine the unimaginable – your digital assets are at someone else’s disposal. Let’s examine the steps involved:
Develop a plan that contemplates precisely the worst-case scenarios. Work out how you might learn of an attack and what your internal and external notification plan is; run through the potential exposure in terms of financial loss (or delay) and reputational risk.
2) Determine a plan.
Document your anticipated response – are there scenarios based on the degree of loss? Are there implications to trickle to your largest customers? How will you let them know – publicly or privately?
3) Payment or fight it – are you willing to pay out?
Many companies are steadfast and say we won’t give in to a “terrorist” type of threat – but at what cost? Consulting law enforcement well in advance and seeking out reasonable counsel is prudent so that you are prepared to prevent rush-to-judgment decisions.
4) Stick to the plan.
Whether you are determined to fight it out or wait it out or pay it out – if you’ve developed a program and thoroughly vetted it in discussion and documentation ahead of time, you’re well-prepared. But, and this is key, you need to have the intellectual discipline to stand by what you have planned.
5) Communicate and execute.
There will be repercussions to any decision, but if you have planned and you stick to the outline of what your policy calls for, you know you have worked through most scenarios – there is no easy answer. Be sure you have the support of senior management and your board, if needed, then take the course of action you have planned.
6) Monday morning quarterback it.
Once you’re well down the path of ensuring that the appropriate recovery is underway, and you’ve engaged outside expertise to dissect the incident and confirm that you’ve taken the right steps and are on the path to a full recovery of data, access, and resources, take a strategic pause and look at what went well and what didn’t – did you make the right decisions, and what would you do differently next time?
There are no easy answers. It is easy to anticipate a “we’ll never negotiate” strategy until you’re caught in the situation. Unless, of course, you have the full backing of your board, a team of experts, and astute law enforcement professionals, don’t simply take a hard line; you can’t just assume you’re going to be right every single time. Learning lessons from prior attacks is an excellent lens to help you plan, document, and execute the right plan for your business. Your goal should be to prepare and to minimize the impact on your business and your customers.