29/01/20
PwC’s Global Crisis Survey 2019 shows that senior executives cite cybercrime as a trigger for the most disruptive crises. More specifically, ransomware is an ever-growing tool of cybercriminals: access to critical and/or confidential data is blocked, followed by threats to leak or corrupt it unless a sum of money is paid. Increasingly sophisticated threat actors are using new and complex malware variants to target corporate and government networks as opposed to individuals. The 2019 Cybercrime Report by Cybersecurity Ventures predicts that by 2021 ransomware damages will cost the world $20 billion, with a business falling victim every 11 seconds. Successful attacks are highly disruptive and quickly become highly visible to the public. We have supported numerous organisations as they respond to both the technical recovery and the challenging questions that follow: “Is it ransomware - have you paid?”, questions about the progress of recovery, the possibility of a data breach, the likelihood of having infected partner organisations, and the impossible “when will you be back online?”.
An organisation's response to these key areas can influence whether they emerge stronger - retaining their reputation and securing their customer base - or whether they fail key stakeholders with an inadequate recovery plan and unclear communications as the business struggles in the wake of the attack. Despite the growing sophistication of these attacks, there are a number of steps organisations can take to reduce the likelihood of incidents, limit their impact when they occur, and ensure a swift and effective recovery.
Robust business continuity planning and exercising are essential: ensure that interdependent systems and key servers can be restored rapidly from backups, and that the frequency of backups aligns to the timeframe of data your organisation is prepared to lose if it cannot be recovered. It is also essential to build and exercise the crisis and incident response structures, ensuring that the formal procedures for managing high priority incidents are well rehearsed, streamlining response efforts and ensuring the strategic senior leadership and technical tacticians can work together to restore service. Mature organisations use innovative techniques such as Cyber Wargaming to challenge themselves and ensure the responses from across business functions are interlaced for maximum efficiency.
The crisis and incident response plan supporting a ransomware attack should not focus on the technical response alone. Time should be spent in advance discussing and agreeing a clear position on paying a ransom demand, and defining a robust communications plan that spans suppliers, strategic partners, employees, law enforcement and regulators. Communications become more challenging in the event of a ransomware attack, as organisations can often lose access to emails and other regular communication methods. Workarounds in these circumstances are key; in the age of social media, where information travels quickly, it is important to keep control of the message and to update and reassure key stakeholders. With the implementation of the General Data Protection Regulation (GDPR) in May 2018, there can also be financial repercussions of ineffective communications; failing to notify the Information Commissioner's Office (ICO) of any associated major data breach within 72 hours of identification can result in a fine of up to 4% of global annual turnover.
Fast-paced, complex, and unpredictable, a ransomware crisis will test those supporting the response in ways that are hard to anticipate, and even harder to manage. Consider the human side of crisis response and ensure that people are supported and equipped to reach a successful outcome. Supporting this, having sufficient crisis and incident response resources and capability to respond to a complex ransomware attack will be essential. Arrangements to supplement in-house capability should be agreed in advance to avoid delays in responding to an attack. These may include specialist response capabilities like Public Relations (PR).
Strong cyber security hygiene policies and user awareness are also important to help prevent ransomware entering your IT environment through the most common delivery vector, phishing. This includes enforcing strong controls at your email gateways and network perimeters, and developing vigilant employees through robust awareness campaigns. Rigorous patch and vulnerability management also helps to reduce the likelihood of a successful ransomware attack by addressing any known vulnerabilities that have been exploited. There are also some common actions that can be taken to help rapidly reduce cyber risk.
With ransomware an ever-increasing cybercrime threat, steps that organisations take now will determine their ability to manage and emerge stronger from future attacks.