How to Prepare a Ransomware Response Plan

essidsolutions

Most security experts warn that it is not a question of if a business will get hit by ransomware, but when.

Every 14 seconds a business falls victim to ransomware, according to Cybersecurity Ventures, with the average cost from an attack totaling $133,000. Overall, ransomware shaves $8 billion off corporate profits globally per year.

This makes ransomware a significant security issue for companies of all sizes, and a ransomware response plan an essential document for minimizing the damage. With a ransomware response plan, businesses can take swift and decisive action in the chaotic first few hours after an attack.

So if you don’t have a ransomware response plan, you need one. Here’s what should be included.

1. First Response Protocol

The single most important part of a ransomware response plan is outlining what happens in those first few minutes after a system has been infected.

Typically, these initial actions include removing the device from the network, identifying compromised data, and collecting evidence of the attack such as emails or applications that were used for infection.

“The first steps in the event of an incident include immediately shutting down affected systems and isolating them from the network to prevent worm-enabled malware from spreading to other systems,” says James Slaby, director of cyber protection for cybersecurity firm, Acronis. “Appoint someone ahead of time with the authority to quickly make that shutdown call when necessary.”

2. IT Department Contact Information and Protocol

Alerting the IT department should be either part of the first response itself or the step immediately after it. A good ransomware response plan will outline the order of who to contact, and include contact information for reaching these people.

Some businesses will handle incident response in-house, while others might simply list a third-party provider that can jump into action when ransomware strikes.

“Partner with an incident response team if you don’t have the skills,” advises Daniel Wiley, head of incident response for cybersecurity software firm Check Point.

3. Company Policy on Paying Ransom

One of the trickiest issues related to a ransomware attack is the question of paying ransom. Should the business gamble on recovering data by paying ransom, or write off the data and walk away?

Security experts often stress that paying ransom is not a good idea, because there’s no guarantee of data recovery and payment could trigger a second attack. But privately, many admit that paying ransom sometimes makes sense.

“I understand the ethics of not rewarding a crime, but more than 20 percent of companies go out of business after a ransomware attack, so it’s tempting to pay,” says Darryl Richardson, chief product evangelist for ransomware prevention solution provider, Aparavi.

Make sure your ransomware response plan definitively answers this question, and outlines under what situations your company will pay ransom.

4. Guidelines for Data Recovery

If your business has a ransomware response plan, it probably also has a backup system in place. That’s good, because you’ll need these backups after a ransomware attack.

Your ransomware response plan should indicate where data backups are kept, and the process both for restoring data and determining data loss as a result of restoring from the backup. Make sure that your plan includes the proper protocol for avoiding ransomware infection of the backup, as well.

“Keep in mind that cybercriminals can infect both your files and the backups kept on primary storage,” says Richardson. “So files kept in the cloud or offsite are a backup to your backups.”

Aparavi recommends having backups in the cloud, ideally on multiple clouds, or at least offline copies that can be used in the case of an attack. These backups should be immutable and encrypted, too.
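Two of the steps the plan calls for in this section, checking that a backup copy has not itself been altered before restoring from it, and working out what will be lost when restoring to the last good snapshot, can be scripted against a backup catalog. The example below is added here and is not from the article or from Aparavi; the manifest format, the `.locked` extension and all file contents are constructed stand-ins for whatever a real backup tool and a real incident would produce.

```python
"""Backup integrity check and restore-point loss assessment (constructed example)."""
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict, taken_at: datetime) -> dict:
    """Catalog written at backup time: path -> digest, plus when the snapshot was taken."""
    return {"taken_at": taken_at, "files": {p: sha256_hex(b) for p, b in files.items()}}


def verify_backup(manifest: dict, backup_copy: dict) -> dict:
    """Check a stored copy against its manifest before trusting it for a restore.
    Any missing file or digest mismatch means the copy changed after it was written,
    which is exactly what ransomware reaching the backup volume looks like."""
    bad = sorted(p for p, digest in manifest["files"].items()
                 if p not in backup_copy or sha256_hex(backup_copy[p]) != digest)
    return {"intact": not bad, "bad": bad}


def assess_loss(manifest: dict, current: dict, ransom_ext: str = ".locked") -> dict:
    """Classify the current (post-attack) file state against the last good backup.
    `current` maps path -> (mtime, content). `ransom_ext` is a constructed stand-in
    for whatever extension the malware in a given incident appends."""
    known, taken_at = manifest["files"], manifest["taken_at"]
    out = {"recoverable": [], "changes_lost": [], "unchanged": [], "not_in_backup": [], "suspect": []}
    for path, (mtime, content) in current.items():
        if path.endswith(ransom_ext):
            # Encrypted file: recoverable only if the original is in the snapshot.
            original = path[: -len(ransom_ext)]
            out["recoverable" if original in known else "not_in_backup"].append(original)
        elif path not in known:
            out["not_in_backup"].append(path)          # created after the snapshot
        elif sha256_hex(content) == known[path]:
            out["unchanged"].append(path)              # restore changes nothing
        elif mtime > taken_at:
            out["changes_lost"].append(path)           # edited since backup; restore rolls it back
        else:
            out["suspect"].append(path)                # differs but predates backup: investigate
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample data (not real files).
BACKUP_TIME = datetime(2024, 3, 1, 2, 0)
BACKUP_FILES = {"a.docx": b"alpha", "b.xlsx": b"beta", "c.pptx": b"gamma", "f.txt": b"phi"}
MANIFEST = make_manifest(BACKUP_FILES, BACKUP_TIME)
TAMPERED_COPY = {**BACKUP_FILES, "a.docx": b"ciphertext-blob"}
CURRENT_STATE = {
    "a.docx.locked": (datetime(2024, 3, 4, 8, 3), b"ciphertext-blob"),
    "b.xlsx": (datetime(2024, 3, 3, 17, 0), b"beta-edited"),
    "c.pptx": (datetime(2024, 2, 20, 9, 0), b"gamma"),
    "d.txt.locked": (datetime(2024, 3, 4, 8, 3), b"ciphertext-blob"),
    "e.txt": (datetime(2024, 3, 2, 11, 0), b"new-since-backup"),
    "f.txt": (datetime(2024, 2, 20, 9, 0), b"phi-changed"),
}


def run_assessment() -> dict:
    """Run both checks over the constructed data and return the combined report."""
    return {
        "clean_copy": verify_backup(MANIFEST, BACKUP_FILES),
        "tampered_copy": verify_backup(MANIFEST, TAMPERED_COPY),
        "loss": assess_loss(MANIFEST, CURRENT_STATE),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_assessment(), indent=2))
```

The `suspect` bucket is the case a plan should say something about: a file that differs from the catalog but whose timestamp predates the snapshot either had its timestamp altered or the catalog is wrong, and neither should be resolved silently during a restore.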

5. Process for Identifying Other Targets and Tightening Security

If one device has been compromised by ransomware, other devices also might be at risk. Your ransomware response plan should include the steps the business will take after an infection to identify and protect other IT resources in light of the attack.

“Post-attack identification starts with forensics: conducting a crime scene investigation to figure out where and how the attack was able to slip past your cybersecurity tech, and both policies and processes so you can shore them up against future occurrences,” notes Slaby at Acronis.

That can mean poring through a variety of event logs, such as those from network firewalls, app servers, and security appliances, as well as interviewing employees to determine the mechanism, timing and vector of the attack.

“After completing your CSI, take a moment to survey the cybersecurity resources you’ve deployed and what assets you’re defending them with, and revisit your risk management strategy more broadly,” he adds. “That should bring you to the tactical beginning of this continuous process loop: scanning for vulnerabilities and keeping abreast of your patch management process.”
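The log review Slaby describes is mostly timeline work: find when encryption started on each host, then walk backwards through every source for the events that led up to it. The script below is an added example, not code from the article or from Acronis; the log format, host and user names, and the rename-burst threshold are all constructed assumptions, and the sample lines are made up for the demonstration.

```python
"""Reconstruct a ransomware timeline from mixed event logs (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), normalised to one simple shape:
# "<ISO timestamp> <source> <action> key=value ..."
SAMPLE_LOGS = """\
2024-03-04T08:01:10 mailgw deliver user=alice attachment=invoice.zip sender=external
2024-03-04T08:02:05 fileserver login user=alice host=WS-ALICE
2024-03-04T08:02:30 firewall allow host=WS-ALICE dst=203.0.113.7:443
2024-03-04T08:03:01 fileserver rename host=WS-ALICE path=/share/q1.xlsx
2024-03-04T08:03:02 fileserver rename host=WS-ALICE path=/share/q2.xlsx
2024-03-04T08:03:03 fileserver rename host=WS-ALICE path=/share/q3.xlsx
2024-03-04T08:03:04 fileserver rename host=WS-ALICE path=/share/q4.xlsx
2024-03-04T08:03:05 fileserver rename host=WS-ALICE path=/share/q5.xlsx
2024-03-04T08:10:00 fileserver rename host=WS-BOB path=/share/report.docx
2024-03-04T08:15:00 fileserver login user=bob host=WS-BOB
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<action>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line: str):
    """Turn one normalised line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "source": m.group("source"),
            "action": m.group("action"), **fields}


def parse_logs(text: str) -> list:
    """Parse and time-order events from every source so they can be correlated."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def find_encryption_onset(events: list, threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {host: onset_time} for hosts that renamed >= threshold files within one window.
    A burst of renames on a file share is the usual first visible sign of encryption;
    the threshold is a constructed value and should be tuned to the environment."""
    recent = defaultdict(deque)
    onset = {}
    for e in events:
        if e["action"] != "rename" or "host" not in e:
            continue
        q = recent[e["host"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["host"] not in onset:
            onset[e["host"]] = q[0]  # first rename of the burst, not the one that tripped it
    return onset


def build_timeline(events: list, host: str, onset_time: datetime) -> list:
    """Collect events up to onset that touch the host, or a user who logged in from it.
    Mail-gateway events carry a user but no host, so the login mapping links them."""
    users = {e["user"] for e in events if e["action"] == "login" and e.get("host") == host}
    related = []
    for e in events:
        if e["ts"] > onset_time:
            break
        if e.get("host") == host or e.get("user") in users:
            related.append(e)
    return related


def summarize(events: list) -> list:
    """One entry per affected host: when encryption began and the earliest linked event."""
    report = []
    for host, onset in find_encryption_onset(events).items():
        timeline = build_timeline(events, host, onset)
        report.append({"host": host, "onset": onset.isoformat(),
                       "likely_entry": timeline[0] if timeline else None,
                       "precursor_events": len(timeline)})
    return report


if __name__ == "__main__":
    for entry in summarize(parse_logs(SAMPLE_LOGS)):
        print(entry["host"], "encryption began", entry["onset"])
        print("  earliest linked event:", entry["likely_entry"])
```

Running it on the constructed lines flags only WS-ALICE (WS-BOB's single rename is ordinary activity), dates the onset to the first rename of the burst rather than the rename that crossed the threshold, and surfaces the mail-gateway delivery to the same user as the earliest linked event, which is the "vector" question the plan wants answered.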

6. List of Who to Contact Outside the Company

When your business is hit by an attack, more than the IT department should know about it. Law enforcement and the cybersecurity industry should often be informed about the attack, and this includes the FBI if your business is in the United States. Depending on the scope of the attack, businesses also might contact their public relations firm.

In your ransomware response plan, include all external parties that should be contacted, as well as the protocol for when and how to reach out.

“A business might be ashamed, or they might fear being hit again if they look vulnerable,” says Richardson. “I advocate being as transparent as possible. The industry needs to keep closer track of incidents and cryptoware variants so we can collectively do a better job of cyber defense, and we can’t do that if they aren’t disclosed.”

Having a ransomware response plan in place won’t stop an attack. But it can significantly reduce the damage from one. It also will serve as a calming element in the midst of the chaos that ensues from an attack.

If nothing else, that alone makes a ransomware response plan worth having.