Op-Ed: 5 ways to respond after suffering a ransomware attack

One type of attack causing particular problems for many organisations is ransomware. Indeed, according to research by Bitdefender^[1] there has been a 715 per cent year-on-year increase in detected attacks.

The potential damage of these cyber attacks is huge. Ransomware locks users out of their IT systems until a ‘ransom’ is paid. Yet despite the risk, many organisations still struggle with creating a suitable response to recover data and overcome the threat.

It doesn’t have to be this way. While ransomware is a menace, you don’t need to run the risk of being unable to respond effectively to an attack. Here are five immediate steps every business should take:

1. Recover and reopen:

Having immediate access to an effective recovery solution will mean a potentially catastrophic situation can be turned around in hours rather than weeks or even months.

Despite this, however, analyst Forrester^[2] says fewer than a quarter of businesses are prepared to recover quickly from a ransomware attack. The research says the problem is often that traditional backup and recovery products create siloed data and inadequate recovery processes.

Experts recognise that all organisations should backup their systems regularly, as well as testing those backups as part of a recovery plan. Then if ransomware does infiltrate your network, there's a method for restoring data without the need to pay cyber criminals.

2. Diagnose what happened:

It’s difficult to decide what to do if it’s not clear exactly what has happened. That might sound like straightforward advice but it’s surprising how few organisations can get a tight grip on the nature of the ransomware attack they’ve faced.

Companies need to dedicate more resources to security analysis and diagnosis. Gartner advises companies to conduct risk assessments and penetration tests to determine the attack surface and the current state of security resilience and preparedness in terms of tools, processes and skills to defend against attacks.

VIEW ALL

With modern data management platforms, some have the ability to flag security vulnerabilities proactively to an administrator. This saves more time for your team and allows you to be on the front foot with other tasks.

3. Alert internal stakeholders:

Fully diagnosis then needs to be followed by a period of engagement. It’s crucial information reaches the right stakeholders in a timely fashion. The National Cyber Security Centre (NCSC), which is the cybersecurity arm of the UK's GCHQ intelligence service^[3], notes the importance of developing an internal and external communication strategy.

Consultant EY says organisations must include all appropriate stakeholders^[4], such as IT, legal, compliance, human resources, operations and communications. Response plans should clearly define responsibilities and enable stakeholders to lead effectively in a crisis.

4. Notify data regulators:

The type of action you’ll need to take will depend on the location of the incident. There are a wide range of statutory requirements associated to the laws that have been enacted by data regulators in different geographies. Taking steps promptly could help your business to limit legal, financial and reputational ramifications.

Your organisation must also understand whether personally identifiable information is affected and, if so, how. Where data is breached, you’ll need to seek legal advice and assess whether information has been lost. You must consider the need to notify regulators and customers, as covered by key laws, such as the EU’s General Data Protection Regulation.

5. Communicate with customers:

The potential financial and legal ramifications of a ransomware attack are significant enough, but if you get the communication strategy with your customers wrong, you risk creating irreparable damage to the relationships you have with your client base.

Research suggests the extent of the confidence hit from a ransomware attack can be so significant that the culture at affected companies is never the same again. Yet even organisations impacted by ransomware can keeps customers onside, so long as they handle the incident transparently, competently and efficiently.

A successful ransomware attack could close some of your key communication channels, such as e-mail and internet-based VoIP networks. Finding ways to keep customers informed, such as manning customer service lines via mobile devices, will help to mitigate some of their concerns. Social media tools, meanwhile, can be used to push regular updates.

A successful ransomware attack will doubtlessly cause disruption and concern. However, by following these steps, that disruption can be kept to a minimum and normal operations resumed as quickly as possible. How ready is your organisation to deal with an attack?

Derek Cowan is director of systems engineering APAC at Cohesity