8 Critical Components of a Rock-Solid Ransomware Crisis Plan


A 2020 study from IBM found that it takes 280 days on average to identify and contain a data breach: roughly 207 days to discover it and another 73 to contain it. That figure is essentially unchanged from the 279 days reported in IBM’s 2019 study, and it covers breaches of every kind, not only ransomware. 

An attacker with anything like that much time inside your environment can map the network, harvest credentials, delete backups, and copy data out long before any encryption starts, which is why a proactive ransomware crisis plan must be a part of your disaster response and recovery strategy.

If you don’t have a ransomware crisis plan, or you have one but it hasn’t been updated in … well … ever, these eight critical components will help you craft a rock-solid ransomware safety net.

1. Ransomware Crisis Team

Your ransomware crisis team owns the response when an attack lands, so assembling the most effective team requires strategic planning and foresight. You can’t pick a random group of employees and “volun-tell” them to be on the crisis team.

To cover the skills a response needs (and to secure cooperation), include members from up, down, and across the organization: an executive sponsor, IT and security, legal, communications, HR, and the business units that own critical data. This will ensure the initiative has buy-in from the C-suite and that all business units have a say in the response and recovery effort.

Give all team members specific functions that use their skills and knowledge, name a deputy for each role so the plan still works when someone is on leave, and task the team with educating the rest of the company about preventing and responding to a ransomware attack.

2. First Response Action Plan

Early detection and containment are key to minimizing damage from a ransomware attack. Ransomware operators typically spend days or weeks inside a network before they trigger encryption, moving laterally, stealing credentials, and exfiltrating data; the longer that intrusion goes unnoticed, the more hosts it reaches and the more files are encrypted when it finally detonates.

The moment a ransomware attack is suspected, not just confirmed, employees should report it to the security contact named in the plan, and responders should isolate affected computers from the network (unplug the cable, disable Wi-Fi, or block the host at the switch or endpoint console). Prefer isolation over powering off: memory contents and running processes are evidence, and some recovery tools depend on keys that are still in memory. Once the initial threat is contained, reset the credentials the attacker could have captured (privileged and service accounts first), determine the extent of the damage, preserve logs and a disk image of at least one infected host, and involve law enforcement and any regulators your breach-notification obligations require. 
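Early detection depends on recognising the pattern ransomware leaves in file activity before it finishes. The script below is an added example, not code from the original article: it runs simple correlation logic over endpoint file-event log lines and flags a process that, within a short window, modifies many files, renames them to an unfamiliar extension, and drops a ransom-note-like file. The log format (`timestamp,host,process,operation,path`), the thresholds, the extension list, and the process names are all assumptions, and the sample log is constructed in the code.

```python
"""Flag ransomware-like file activity in a constructed endpoint file-event log.

Added example. The log schema, thresholds and process names are assumptions,
not a specific product's format. Each line: ISO timestamp,host,process,op,path
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions expected in ordinary user data; a burst of renames to anything
# outside this set is one suspicious signal (assumption: tune per site).
NORMAL_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg",
                     ".png", ".csv", ".tmp"}

# Ransom notes are usually named to be found: README/HOW_TO/DECRYPT/RESTORE.
RANSOM_NOTE = re.compile(r"(readme|how[_ -]?to|decrypt|restore|recover).*\.(txt|html|hta)$",
                         re.IGNORECASE)

WINDOW = timedelta(seconds=60)   # sliding window for burst detection
BURST_THRESHOLD = 20             # modifications by one process within WINDOW


def basename(path):
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def extension(path):
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_line(line):
    ts, host, proc, op, path = line.split(",", 4)
    return datetime.fromisoformat(ts), host, proc, op, path


def analyze(lines):
    """Return one alert per (host, process) showing at least two signals.

    A single signal is noisy: a backup agent or a build job also writes
    thousands of files in a minute. Requiring a burst *plus* odd extensions
    or a ransom note is what separates encryption from ordinary bulk I/O.
    """
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, host, proc, op, path = parse_line(line)
            events[(host, proc)].append((ts, op, path))

    alerts = []
    for (host, proc), evs in events.items():
        evs.sort()
        reasons = []

        # Signal 1: burst of file modifications inside a sliding window.
        mods = [ts for ts, op, _ in evs if op in ("write", "rename", "create")]
        start = 0
        for end in range(len(mods)):
            while mods[end] - mods[start] > WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                reasons.append(f"{end - start + 1} modifications within {WINDOW.seconds}s")
                break

        # Signal 2: renames that give files an extension nobody uses.
        odd = {extension(p) for _, op, p in evs if op == "rename"} - NORMAL_EXTENSIONS
        odd.discard("")
        if odd:
            reasons.append("renames to unusual extension(s): " + ", ".join(sorted(odd)))

        # Signal 3: a newly created file named like a ransom note.
        notes = [p for _, op, p in evs if op == "create" and RANSOM_NOTE.search(basename(p))]
        if notes:
            reasons.append("ransom-note-like file created: " + basename(notes[0]))

        if len(reasons) >= 2:
            alerts.append({"host": host, "process": proc, "reasons": reasons})
    return alerts


def build_sample_log():
    """Constructed sample: a user editing documents, a backup agent doing bulk
    writes (loud but benign), and a ransomware-like process on WS-104."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()},WS-104,WINWORD.EXE,write,C:\\Users\\ana\\Documents\\report{i}.docx")
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()},FS-01,backupagent.exe,write,D:\\Backups\\daily\\file{i}.csv")
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()},WS-104,svchost_upd.exe,rename,C:\\Users\\ana\\Documents\\file{i}.docx.locked")
    t = base + timedelta(seconds=26)
    lines.append(f"{t.isoformat()},WS-104,svchost_upd.exe,create,C:\\Users\\ana\\Documents\\HOW_TO_RESTORE_FILES.txt")
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

On the constructed log only `svchost_upd.exe` on `WS-104` is reported, with all three reasons; the backup agent trips the burst signal alone and is left quiet. In production the same logic would sit on EDR telemetry or a file-server audit log, and the alert should feed the isolation step directly, since the value of the detection is measured in how many files are still unencrypted when the host leaves the network.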

3. Documented Technical Response

Be sure to clearly document both your technical and communication-based responses, because you never know who will be around to initiate the crisis response plan when disaster strikes.

A swift technical response to a ransomware attack will help stop the infection and minimize downtime. Your technical response document should include information about which systems can be disconnected immediately with no issues, which systems have little tolerance for downtime, and which systems should only be disconnected if there is no other option. Record the dependencies between systems as well, so the team knows what else stops when a given host is isolated and in what order services must come back.

To speed up data restoration, document in detail the steps required to:

  • Restore from a recent backup, and verify the restored data, since the backup may already contain encrypted files 
  • Check whether a public decryptor exists for the identified strain (the No More Ransom project catalogues them) and test it on copies of encrypted files, never on the only copy 
  • Move forward after data loss 
  • Negotiate with attackers and pay the ransom, including who is authorized to make that decision 

Note: With the appropriate plan and technology in place, this last step shouldn't be necessary. Paying does not guarantee a working decryptor or that stolen data is deleted, and it may be restricted by sanctions law in some jurisdictions, so involve legal counsel before any payment is considered. Not every organization will be prepared when a ransomware attack occurs, and you may find yourself forced to make a tough decision, which is why we stress addressing this proactively as part of the crisis plan development. A tested data backup and recovery plan is what lets you avoid negotiating or paying a ransom.

4. Documented Communications Response

Having clear, consistent messaging in place will help convey confidence that you have the crisis well in hand. Draft boilerplate responses specific to particular audiences, including your customers, employees, legal counsel, regulators, and other major stakeholders, and agree in advance on out-of-band channels (personal phones, a separate messaging service) in case corporate e-mail and chat are down or being read by the attackers. 

Be sure to also prepare statements for each of your organization’s communication outlets, such as your website, social media, email, and telephone, and provide customer-facing teams with the approved company response to inquiries so that nobody improvises details about the attack.

5. Frequent, Complete, and Tested Backups

Your crisis recovery is only as good as your most recent working backup. Schedule regular restore tests, not just reviews of backup-job reports: restore a representative set of systems to isolated hardware, confirm the data opens and is not already encrypted, and time the restore against your recovery-time objective so you know how much data and how much downtime you are really exposed to.

Keep at least one copy of your backups offline or on immutable (write-once) storage, separate from the company network and under credentials that are not shared with the production domain, for example in cloud storage with immutability or versioning enabled. Ransomware operators routinely use stolen administrator credentials to delete or encrypt network-reachable backups before they detonate, so a copy that a domain admin can reach is not a safe copy.
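A restore test is only meaningful if you can tell whether the restored files are the ones you backed up. The script below is an added example, not the article's own tooling: it records a SHA-256 manifest of a backup set at backup time, signs the manifest with an HMAC key that is assumed to live with the offline copy (so an attacker who rewrites the backup cannot quietly rewrite the manifest too), and then checks a restored tree for missing, modified, or unexpected files. The directory layout, file names, and key are constructed for the demonstration.

```python
"""Restore-test helper: manifest a backup set, sign the manifest, verify a restore.

Added example. File names, paths and the signing key below are constructed;
in practice the key is stored with the offline backup copy, not on the network.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC over a canonical JSON encoding, so the manifest itself is tamper-evident."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_restore(manifest, signature, key, restored_root):
    """Compare a restored tree with the signed manifest and report the differences.

    'modified' catches files that were overwritten, e.g. by encryption, before
    the backup ran; 'extra' catches things like ransom notes that were swept
    into the backup set; 'missing' catches incomplete restores.
    """
    report = {
        "manifest_ok": hmac.compare_digest(sign_manifest(manifest, key), signature),
        "missing": [], "modified": [], "extra": [],
    }
    restored = build_manifest(restored_root)
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
    report["extra"] = sorted(set(restored) - set(manifest))
    report["ok"] = report["manifest_ok"] and not (report["missing"] or report["modified"])
    return report


def demo():
    """Constructed scenario: back up three files, then restore a copy in which one
    file was encrypted, one is missing, and a ransom note was added."""
    key = b"manifest-signing-key-kept-offline"  # assumption: lives with the offline copy
    sample = {
        "finance/ledger.csv": b"date,amount\n2024-03-01,100\n",
        "hr/payroll.xlsx": b"not really xlsx, just sample bytes",
        "notes.txt": b"quarterly planning notes\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in sample.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        signature = sign_manifest(manifest, key)

        # Simulate a restore from a copy that ransomware had already touched.
        shutil.copytree(src, dst, dirs_exist_ok=True)
        with open(os.path.join(dst, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))                      # "encrypted" content
        os.remove(os.path.join(dst, "notes.txt"))        # lost in the restore
        with open(os.path.join(dst, "HOW_TO_RECOVER.txt"), "wb") as f:
            f.write(b"your files are encrypted")         # ransom note swept in
        return verify_restore(manifest, signature, key, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the report lists `finance/ledger.csv` as modified, `notes.txt` as missing, and `HOW_TO_RECOVER.txt` as extra, so `ok` is false even though the signature on the manifest checks out. Run the manifest step as part of every backup job and the verify step as part of every scheduled restore test; a backup that has never been verified this way is a hope, not a control.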

6. Cyber Insurance Policy

As ransomware and other cyberthreats continue to proliferate, many companies are turning to cyber insurance to cover their liability for privacy, data, and network exposure. There are different types of coverage available, so be sure to pick one that includes data loss, fees and penalties, and business disruption. Read the exclusions carefully (unpatched known vulnerabilities and ransom payments are commonly excluded or capped), and expect the insurer to require evidence of baseline controls such as multi-factor authentication and tested offline backups before writing the policy. 

7. Business Continuity and Disaster Recovery Strategy

During and after a crisis, it’s critical to get business operations back to something like normal as quickly as possible. Creating a business continuity and disaster recovery strategy long before you need it, with recovery-time and recovery-point objectives for each critical system and tabletop exercises that rehearse the plan, will enable your crisis team to jump into action immediately.

8. Simplified Cybersecurity and Data Loss Prevention

Complexity in IT infrastructures creates weak spots for attackers and blind spots for defenders. Opting for a simplified solution provides better visibility and easier threat detection across all systems. 

Look for an integrated data and ransomware protection solution that includes cybersecurity and data loss prevention capabilities for comprehensive but streamlined ransomware protection.

Ransomware has become an accepted risk of doing business today, but that doesn’t mean you can’t fight back. Taking a proactive approach to ransomware prevention and planning ahead for how to respond to an attack will mean the difference between bouncing back fast with near-zero data lost and hemorrhaging money, customers, and reputation while you scramble to piece your data back together.

Download A Ransomware Crisis Plan is Now a Business Imperative to learn more about how ransomware affects businesses and what you can do to create a rock-solid strategy to mitigate risk and prevent data loss.