How careful planning can take the pain out of ransomware breach response
There is plenty that organisations can do to enhance their resilience to ransomware breaches. But no preventative strategy can ever be 100% guaranteed to succeed. The modern corporate attack surface is simply too porous and expansive, and threat actors too persistent, for that. That’s why network defenders should also be primed and ready for a worst-case scenario.
As we explained in our previous blog, an attack can strike at any time. And when it does, those in charge are often trapped in a whirlwind of confusion. The key to successfully managing such a situation lies with forward planning.
Planning for a breach
Ransomware is among the most common and acute cyber-threats facing UK businesses. And the threat will continue to grow with the advent of AI, the National Cyber Security Centre (NCSC) recently warned. For smaller businesses its impact can be particularly destructive. A 2022 study revealed that a fifth of US and European businesses had nearly been forced into bankruptcy by a historic attack. Last year one of the UK’s largest privately owned logistics firms entered administration due to “disruption” caused by a ransomware compromise.
Yet it doesn’t need to be this way. It all starts with putting the right team together. Ideally, it should include key representatives from the IT and security function, PR and legal – and possibly also HR and customer service stakeholders. That’s because, when a ransomware attack hits home, it can impact disparate parts of the business.
PR is essential to help organisations manage their external communications strategy. HR should be on hand to manage internal comms and cross-departmental collaboration. And legal will dispense critically important advice on engaging with regulators, managing potential customer/employee class action suits, and more. For most organisations, customer service will also need to be involved to manage the fallout for end customers. If any piece fails, there could be significant financial and reputational repercussions, including customer churn, regulatory fines and lawsuits.
The average cost of a UK data breach is calculated at $4.2m (£3.3m) today. But in some cases, ransomware has caused losses measured in the tens of millions. From a regulatory perspective, organisations need to think not just of data protection watchdog the Information Commissioner’s Office (ICO) but also any relevant industry-specific bodies, like the Financial Conduct Authority (FCA).
Putting the pieces in place
Every organisation is different, and there’s no single agreed format that an incident response team should take. Most important is that everyone has a clearly defined role that they understand, and that they are working under unequivocal instructions from an incident response lead. In many cases, this will be a senior individual from the IT team. Crucially, they need not only experience of working under pressure – and ideally in crisis incident response situations – but must also be given the authority to lead for the duration of an incident. That means even members of the organisation and board senior to that individual must respect their decision making.
The next thing a team needs is a plan. This is where many organisations fall down, by attempting too much. No one can predict how or when a ransomware breach will take place, and what its impact may be on the organisation. But many try, by building out complex incident response plans which will likely be redundant as soon as attackers strike. The key to success is rather to keep things simple and high level. The incident response team will need to improvise, but within their own clearly defined roles. It’s also important to ensure any pre-written plan is accessible in a crisis – ie, not stored on a server that has been encrypted by ransomware.
In a similar way, organisations shouldn’t overthink things by scheduling frequent incident response training exercises. In a typical organisation there are mini incidents occurring all the time which can be used to hone the skills of team members. Once a driver has passed their test, they aren’t forced to sit another one every six to 12 months: simply by being behind the wheel they continue to practice and improve the required skills.
Communicating clearly
Above all, when working through post-ransomware breach response, organisations must foreground the importance of clear communication. That could mean:
- Communication between incident response team members
- Communication with the board and senior managers (they should be kept updated at frequent intervals)
- Communication with the wider community of employees – to ensure they follow policy by limiting what they publish online about an incident, and to maintain morale during what could be a long road to recovery
- External comms. It’s vital that a senior spokesperson is chosen as part of the incident response team. This individual should be the face of the organisation during the breach response. External comms is critically important to prevent rumour and speculation, especially in the early hours and days following a breach
This is by no means a comprehensive checklist for post-ransomware breach response. But it’s somewhere to start.