How to Create a Rock-Solid Ransomware Crisis Plan

OCTOBER 29TH, 2020

Cybersecurity experts have indicated that ransomware attacks are on the rise, and healthcare organizations have become prime targets. Recently, some large players in the COVID-19 vaccine and testing effort were affected by a ransomware attack on healthcare software provider eResearchTechnology. Although IQVIA and Bristol Myers Squibb said their backups helped limit the severity of the impact on their research, they admitted that some systems were unavailable for a time as a result of the attack.

These days, there are numerous reasons to make sure you have a general crisis/disaster recovery plan in place. The increasing frequency of attacks and the severity of the latest ransomware strains make now a great time to plan how your organization will protect itself and bounce back from a ransomware attack when (not if) it happens.

Although you will need to tailor your strategy to fit your organization’s specific business objectives and systems, there are some standard best practices for creating an effective ransomware crisis plan.

Appoint a ransomware response/recovery team.

A crisis response team is invaluable when it comes to recovering quickly after a successful ransomware attack. Be sure your team includes a broad and deep assortment of members to ensure all systems and business lines are covered and that you have buy-in and support for the initiative from the top down. 

The team should have members from the C-suite, IT/infosec, HR, finance, legal, and at least one representative from each business line. Assign each member specific tasks during the response, and have the team educate employees and stakeholders on disaster policies and procedures. 

Purchase a cyber insurance policy.

Many companies are opting for cyber insurance to help offset damages in the event of a ransomware attack. Currently, there are no real standards for cyber insurance, so do your due diligence when shopping for a policy.

It’s important to understand what the insurance policy will and won’t cover. Does it include legal costs and downtime? Can you use the policy to pay a ransom? You also need to ensure the policy offers adequate coverage for the amount of data you need to protect.

File a copy of the policy with your disaster recovery plan so it’s easy to find if you need to open a claim.

Educate employees on steps to take if a ransomware infection occurs.

The majority of successful ransomware attacks are a result of poor human choices, such as clicking a bad link or opening an infected email attachment. To minimize the impact of ransomware on your data, it’s crucial to act fast. 

Train employees in the proper steps to follow immediately if they suspect a ransomware infection:

  • Disconnect from the network
  • Isolate infected computers
  • Notify network admin
  • Notify the appropriate authorities

Document the technical response.

An appropriate technical response to a ransomware attack can significantly reduce downtime and data loss. As you draft your ransomware crisis plan, dig deep into the company’s technology assets to ensure all systems are covered. 

Do a full inventory of all hardware, software, and business applications. Make sure you fully understand your company’s infrastructure, including network shares, local hard drives, system interdependencies, and so on.

Review business continuity protocols, such as RTOs and RPOs; create clear, detailed instructions for restoring from backup; and document the process for setting up alternative workspaces/communication tools in the event of a long outage.

Document a detailed communications response.

Communicating openly and cohesively throughout a ransomware event will create visibility for employees and stakeholders and reassure customers that the company is doing all it can to protect their data.

The communications response should include: 

  • A dedicated spokesperson to direct the conversation and provide customer-facing employees with official speaking points
  • A list of all the people who need to be notified of the event (e.g., customers, employees, major stakeholders, and the legal team)
  • Boilerplate messaging for each audience segment and communication platform, including email, website, social media, and telephone
  • An internal communication plan for easily disseminating information, such as which business operations are impacted and updates on the recovery effort

Protect and practice your plan.

Your ransomware crisis plan is only effective if it works. This goes for both the backups and the process itself. 

Implementing a 3-2-1 backup strategy ensures you have at least three copies of your backup, stored on two different media, with one copy stored off-site or in the cloud. Keep backups separate from the main network because certain ransomware strains now specifically target backup files.

Test the backup and restore process frequently to ensure everything will work when you need it to. Test your people, too, by scheduling regular ransomware response drills. Add some surprise ones, as well, to observe how employees react when they aren’t expecting a drill.
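
As an added illustration (not part of the original article or any vendor tool), the 3-2-1 rule, the separation of backups from the main network, and the restore-test habit described above can be checked against a backup inventory. The record fields, the sample inventory, and the 24-hour RPO and 90-day restore-test thresholds are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class BackupCopy:              # hypothetical inventory record
    name: str
    media: str                 # e.g. "disk", "tape", "cloud"
    offsite: bool              # stored off-site or in the cloud
    isolated: bool             # not reachable from the main network
    taken_at: datetime
    restore_tested_at: Optional[datetime] = None

def audit_backups(copies: List[BackupCopy], now: datetime,
                  rpo: timedelta, max_test_age: timedelta) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: copies are not on two different media")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no copy is off-site or in the cloud")
    isolated = [c for c in copies if c.isolated]
    if not isolated:
        findings.append("no copy is separate from the main network")
        return findings
    # Worst case assumed here: ransomware encrypts every reachable copy,
    # so only isolated copies count toward the recovery point.
    newest = max(c.taken_at for c in isolated)
    if now - newest > rpo:
        findings.append(f"newest isolated copy is {now - newest} old, RPO is {rpo}")
    if not any(c.restore_tested_at and now - c.restore_tested_at <= max_test_age
               for c in isolated):
        findings.append("no isolated copy has a recent restore test")
    return findings

# Constructed sample inventory: passes 3-2-1 on paper, fails in practice.
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    BackupCopy("nas-share", "disk", False, False,
               NOW - timedelta(hours=2), NOW - timedelta(days=10)),
    BackupCopy("second-nas", "disk", False, False, NOW - timedelta(hours=6)),
    BackupCopy("cloud-vault", "cloud", True, True, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, NOW, rpo=timedelta(hours=24),
                                 max_test_age=timedelta(days=90)):
        print("FINDING:", finding)
```

The sample shows why the count alone is not enough: three copies on two media with one in the cloud satisfy 3-2-1, yet the only copy that would survive an attack on the main network is three days old and has never been restore-tested.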

Invest in a ransomware protection solution.

A comprehensive ransomware protection solution is a key component of your crisis plan. Opt for a solution with both cybersecurity and data protection capabilities for maximum peace of mind.  

Look to the cloud for flexible security coverage that protects both your cloud and on-site environments. Cloud-supported image-based backup is also a good option because it ensures whatever is on your server is in the backup.

In today’s highly uncertain business environment, ransomware attacks are increasing in frequency and impact. A rock-solid ransomware crisis plan is no longer optional if you hope to minimize downtime and data loss from a successful attack.