In our previous blog of this series, Cyber Defense: Protect Data from the Inside Out Part 1 – Deter Ransomware Attacks, we shared guidance from the FBI to prevent a ransomware attack. However, with the complexity of globalization, distributed IT networks, and the variety of applications and devices, it is sensible to establish a contingency strategy in the event of an attack.
Failing to plan is planning to fail. – Alan Lakein
Everyone has a plan 'til they get punched in the mouth. – Mike Tyson
Contingency plans should target four areas: communication, containment, business continuation and cost. Here are some tips to achieve these goals:
Build a Team
Establish an Incident Response Team that defines roles and responsibilities and leverages the knowledge of a diverse group from areas like IT, Legal, Privacy, Information Governance, Corporate Communications and Finance/Insurance. Equally crucial is gaining support from the C-Suite and Board Members. Surprisingly, top executives have not traditionally been part of the process. According to a recent study, 57 percent of companies still say boards and C-suite executives are not informed and involved in data breach preparedness, and more than 25 percent say their board members are unwilling to take responsibility for successfully executing an incident response plan.[1] Make sure to get the top brass involved so they will be prepared to respond to business disruption and protect brand reputation.
Anticipate Life without Email
The National Institute of Standards and Technology (NIST), in its Cybersecurity Framework, recommends that ‘response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.’[2] However, ransomware attacks can freeze the systems of the target company. That means no email, no Skype, no Intranet. How then can companies implement communication response activities? Public schools have been leveraging phone chains, both manual and electronic, to alert parents, teachers and students of a school closing for decades. Governments and municipalities use their own Broadcast Emergency Response System. Companies have access to employee home phones and cell phones and can set up automated calling and texting to instruct employees not to open their laptops, for example, to minimize damage. Messages can be particularly effective at preventing use of an infected computer if an attack originates in another time zone while employees are asleep in the United States. Millions of dollars can be saved if people are alerted not to log in, and so avoid infecting their devices. A communications plan should also be developed to report to regulators and inform customers if their personal information has been breached, or to advise partners if they have been exposed to a potential attack via their connection to the victim of an attack.
Watch Your Assets
In the chaos of a breach, having an updated inventory of systems can help focus efforts on the highest priority technologies and data storage repositories. With so many systems on-premises and in the cloud, in addition to other applications and websites connected to the network, many companies don’t have a detailed knowledge of the systems landscape, or access to system information if the network itself is not available. Additionally, IT departments charged with protecting systems may not have a sense of where the most sensitive data is stored and how it flows through the organization. Data classification of sensitive or private personal data stored in the organization is critical. With growing consumer scrutiny of how companies manage personal data and implementation of regulations like the EU’s General Data Protection Regulation, data classification will increase customer confidence, enable breach notification, and assist in determining system recovery priorities.
Practice Makes Perfect
Imagine firemen running into a burning building without ever having done fire drills. Untrained firefighters would be dangerous and put lives at risk. Training is just as important for a ransomware response plan. Practicing the response to a breach will increase comfort with the process, surface potential shortfalls in the plan, and make sure key players know and understand their responsibilities. A practice run might include testing the communications systems, restoring ‘lost’ data, stress-testing the help desk routines and scripts, and identifying personal data located in the ‘breached’ system. These drills can be instructive to stakeholders and produce data to give executives confidence in the preparedness of the organization.
It Takes a Village
Companies have key partners, vendors, major accounts and regulators. Consider how all of these groups may be affected in the event of a breach. Even the broader supply chain of procurement and manufacturing can be crippled by an enterprise network breach if they are dependent on receiving data from financial systems, for example. Building a response plan may include the input of a company’s broader network to protect production and business alliances. In addition, communication with regulators and law enforcement before a breach is always better than a mea culpa afterwards. Reaching out to examiners before an event will show strong compliance and build relationships with the law enforcement officers that can help catch hackers.
Ransomware and other cyberattacks are increasingly common across industries. However, 86 percent of companies do not have data breach response plans in place.[3] Starting a plan can be daunting, but focusing on actions that address communication, containment, business continuation and cost will enable companies to kick-start a plan that can be mobilized quickly to minimize damage.
All companies are vulnerable to a ransomware or other type of attack as hackers get more sophisticated. Start now to make sure your response is as effective as today’s cyber criminals.
[1] Morelli, Michael. “Experian Fourth Annual Study on Data Breach Preparedness Released,” October 9, 2016, http://www.experian.com/blogs/data-breach/2016/10/19/fourth-annual-study-on-data-breach-preparedness-released/
[2] “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0, National Institute of Standards and Technology, February 12, 2014, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
[3] “Experian Fourth Annual Study on Data Breach Preparedness Released,” http://www.experian.com/blogs/data-breach/2016/10/19/fourth-annual-study-on-data-breach-preparedness-released/