The news is continually filled with stories of large ransomware attacks. Maybe you’ve even been a victim of such an attack. If that’s the case, having a strong security and risk management strategy with documented and practiced recovery steps is crucial to your recovery.
But even so, once your company is back up and running, the fight still isn't over. Here are seven steps to take in the aftermath of a ransomware attack.
Your team was in the dogfight and recovery with you. In fact, many people outside of your team – probably more than you will ever know – helped keep the business running with manual processes and communications. Take the time to recognize and reward your team. Without them, you wouldn't be back up and running.
No one wants to experience a ransomware attack, but in the end, it can bring your team closer together. You will find processes and tools that worked well and others that didn't meet your needs. Your team will gain insight into skills they need or ones they didn't even know they had. Document what worked and where you can make improvements. Get your team’s feedback during a post-mortem and through interviews with key members.
Just because you are up and running doesn't mean everything is secure. Many times, ransomware will leave behind additional payloads for execution, or the attacker may have found additional ways in. After you are back running, audit your systems to find other entry points, security gaps, or any payloads the attacker may have left, and make upgrades to block the known attack vector that was used. This cleanup will not only allow you and your team to sleep better at night, but it will go a long way in communicating ongoing risks to the leadership team. Execute a penetration test. Partners can ramp this up more quickly for you than you could execute it in-house. Move quickly to ensure any additional entry points are found.
Training is an ongoing effort and not a single, annual event. Treat this event as an opportunity to continue driving the message about the shared security model you will implement. While ransomware might enter the organization through an employee-furnished entry point, training shouldn't be focused on a specific user or group. Rather, ensure that all account holders, including executives, receive the training. Executives may be even more susceptible to attacks based on the attention and risk.
While communication is key in any crisis, when it comes to cyberattacks, the focus of communication should be internal. Establish processes to receive feedback on the attack internally and follow up on any issues. Make sure the team understands that they should not communicate externally, except through the appropriate channels. Even discussions over the dinner table can lead to sensitive information being leaked. Because there may be legal ramifications of a cyberattack, the ability to control the message for accuracy is paramount.
When a security breach happens, blame can sometimes be a constant companion. Once you work through the problem, you need to gain the trust of internal and external users and executives. Accept the fact that something went wrong. Blaming a lack of resources or other parties won't make the problem better, and in some cases, it will make it worse. Look for opportunities to show how your team used existing processes, tools, and people to recover quickly and get the company's operations back on stable ground. In the following months, share metrics that show how you are monitoring the gaps that allowed the virus entry into your organization in the first place. These metrics should also include training, monitoring, log aggregation, budget reassignment information, and the ability to fend off similar attacks when they are found. Continue communicating the appropriate metrics to the right people. Showing your commitment to the safety of the company's data and systems will make everyone feel more secure.
Many enterprises have cybersecurity insurance built into their existing policies; know what is included. This may include money for additional help during the troubleshooting and lockdown phase, or budget for audits and research. During and after the problem, you will welcome resources from almost anywhere. The insurance teams may have resources you can contact. They can also help you understand the budget additions you may get from an insurance claim and provide guidance on how to use the money.
What’s next?
The work isn't done once your systems are back up and running. The organizational recovery from a ransomware attack can take months to years.
As with all issues, communicate to your leadership internally, but allow the right channels to take care of all the external communications. Make sure your team knows how much you appreciate their commitment, but also be honest with them about the amount of work still ahead. Work hard on the metrics to understand where you can improve and use them to gain the trust of your customers.
Jason Hood has almost 30 years of experience running cloud, infrastructure (server, storage, and network), desktop, service desk, security, HPC, and data teams for both Fortune 500 and private equity-funded companies. Most recently, he has focused on the operations side of large data centers, IT modernization, and cloud migrations.