Is Your Business Continuity Plan Prepared to Respond to a Ransomware Attack?

Cyberattacks (including ransomware attacks) have been on the rise for the past several years, causing loss of productivity, damage to reputation, and, of course, impact on the bottom line. More than 50% of businesses surveyed in the Sophos Annual Ransomware Survey in 2020 suffered a significant ransomware attack. Globally, ransomware attacks will cost nearly $20 billion in 2021 alone.

Many companies are unprepared to deal with such an intrusion. What's your plan if you suddenly see a screen like the one above and then receive a ransom demand? Have you and your crisis team discussed how you would handle the situation? If not, it's time to determine what you must be prepared for if attacked. Questions must be answered before an attack occurs; you won't have time to start from zero once attacked. Below, we'll talk about some of the areas you need to be prepared to address.

A cyber crisis, whether ransomware or some other attack, requires immediacy on the part of your organization, so you already need to have some answers on how to handle this crisis. For example, has your management team and the executive board decided whether or not they would pay a ransom? If they decide to pay, do they have an emergency fund or access to Bitcoin to pay the ransom? The FBI recommends that ransoms not be paid because payment is no guarantee that you will get your data back - some experts say that only one in four victims actually recover their data. Companies often pay and are then asked for more money to receive an encryption key. Also, victims who paid were often targeted again.

Another question is whether to report an attack to the authorities. Ransomware attackers are bad actors but might also be terrorists or hostile nations. The Department of the Treasury's Office of Foreign Assets Control (OFAC) lists groups prohibited from receiving money from US companies or organizations. There are penalties for making such payments, whether you knew who the group was or not (and usually, these groups don't identify themselves). OFAC recommends notifying and cooperating with law enforcement because that could be a mitigating factor when determining penalties. Because of this, part of your crisis planning should include who will notify the authorities (local and FBI); all the necessary contact information should be included in the plan.

You might think, "Well, we have backups; we'll just use them." You followed the 3-2-1 backup rule - three copies on two different media types and one copy in another location - so why shouldn't you use them? But there might be some things to consider before using those backups. Your plan should include information on whether there may be regulatory or compliance implications of using those backups before steps are taken to identify exactly how the systems were affected. Also, can your IT Department identify how long the attackers have been in your systems? If they did much of the damage a week ago and you restore to yesterday's backups, you still need to be safe. You also need to ensure that your offsite data location has yet to be affected before you can switch to those backups. This must be part of your crisis management and business continuity plan. Should I call in a forensics team or your cyber insurance company to help in the investigation?

Finally, you must manage the story because you could have as little as 30 minutes before the news about the attack is out. Effective crisis communication helps preserve a business's credibility, reputation, and value. Your plan should be able to identify who the spokesperson or persons will be and how much information you will release. How will you release info to the media? If customer or client information has been accessed, then those companies or individuals also need to be notified; could you identify how that will be handled and by whom? Is there an employee notification plan in place? If not, that is another area that needs attention. In addition, will there be special phone numbers or email addresses that media and other stakeholders can use to get information about the attack?

As with any other crisis, planning is vital to surviving a ransomware attack, and the time to plan is now. Waiting is not an option.