Ransomware: Your Checklist for Building an Incident Response Plan
Ransomware is a rising global threat with potentially devastating consequences and none of us are immune to its threat. In 2021, the UK security service, GCHQ said UK ransomware incidents had doubled, while the World Economic Forum’s global risk report revealed that in 2020 malware and ransomware attacks had increased by 358% and 435% respectively.
Experts warn that ransomware is developing and spreading faster than our ability to effectively deter and prevent attacks. Jeremy Fleming, the director of GCHQ, attributes this rise in ransomware to its high success rate: “I think that the reason [ransomware] is proliferating – we’ve seen twice as many attacks this year as last year in the UK – is because it works. It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested,” he said.
The proliferation of hackers for hire and ransomware-as-a-service (RaaS) has also contributed to the growing popularity of ransomware. Nowadays, RaaS schemes are easy to access, relatively cost-effective, negate the need for cyber expertise and are run like legitimate businesses, even offering round-the-clock customer service and “help centres” to guide victims through the process of making ransom payments.
This growing threat is reflected in research by Adarma that found 94% of UK business leaders are either concerned or very concerned about ransomware attacks – hardly surprising since over half (58%) admitted to having experienced a ransomware attack.
But, despite so many falling victim to ransomware, an astonishing 96% of respondents are confident in their organisation’s existing measures to deter or prevent an attack, while 95% are confident they’ve got the right measures in place to respond in the event of an attack, even though 22% admitted they don’t have a cyber incident response (IR) plan.
The figures suggest there’s a disconnect between organisations’ confidence and their actual ability to deal with ransomware threats. So, what can be done to address the imbalance?
Before anything else, preparation is the key to success
“The main advantage you have over an attacker is your time to prepare a response with your plan, your people, your capabilities and your environment, with readiness needing to cover prevention, detection, response and recovery. A natural result of an attack is confusion, and the more prepared you are the more you can control this factor.” – David Calder, Chief Product Officer, Adarma
Preparation is key and will ensure that your organisation can comprehensively respond to an incident at a moment’s notice, but this IR plan needs to be regularly refreshed and updated with a view of the threats you are likely to face.
An IR plan should be well-documented, rigorously tested, regularly rehearsed and encompass the entire organisation – from technical first responders to functional teams, business units and strategic decision makers.
With a robust IR plan, you can get your business operations back to normal at the lowest possible cost, while minimising the impact of the attack; be that reducing loss of revenues, the cost of remediation, reputational damage, or the cost of a ransom payment.
So, to help get you started, below are 15 questions executives should ask their teams when creating and/or updating the organisation’s IR plan:
Questions to ask when creating or updating your organisation’s ransomware incident response plan
1. What types of events are considered incidents, and how is an incident identified?
2. Who is the incident manager during an incident?
3. Who are the organisation’s ransomware incident response team members, both internal and external? Should this include the legal, public relations and communications teams?
4. How will these team members collaborate during the incident?
5. What are the escalation points and who should they be escalated to?
6. Regular communication channels (email, phone and online collaboration tools) should not be used during an attack – always assume they’re compromised. In this case, what are the alternative communication channels you will use to manage the incident?
7. What is the internal and external communications plan?
8. What types of information does the company have and what are the disclosure requirements for each type?
9. What is the business’ stance on paying a ransom?
10. What are the minimum viable operations required to keep the business running in the event of an attack? What backup measures will we need to invoke?
11. How do we balance recovering the business with recovering security (i.e., visibility and control)?
12. Following an attack, do you have a process to identify improvements to incident response plans, additional security controls, preventative measures, or new security initiatives that are needed?
13. How will you understand and quantify the financial impact on the organisation, in terms of man-hours, business downtime, regulatory fines and possible ransom payments?
14. How will the incident be documented, including the timeline, critical path, affected assets, and the containment and eradication measures taken?
15. If you have cyber insurance, what is covered in the event of a cyber attack?