Three Ways to Make a Ransomware Attack Worse

Ransomware attacks often start as a chaotic situation in which organizations scramble to get their response in order and work out how to recover. Many different factors come into play during the first few hours after a ransomware outbreak is discovered, and they can be decisive for how the recovery unfolds.

Unfortunately, there are ways in which the responding teams and executive management can worsen the impact of an attack, add millions to the cost of a data breach, or complicate it with legal liability without realizing it. These are three ways to make a ransomware attack worse:

1. Don’t Have a Plan for Crisis-Level Cyber Incidents

If your organization is planning to use “we are all adults” as the plan and playbook for a major cyber-attack, the response itself can escalate an incident into a cyber crisis. Neglecting to make decisions in advance, when heads are cooler and more logic and streamlining can be poured into the process, is quite literally a recipe for disaster. Seemingly ‘easy’ decisions, like having a documented ransom payment policy in place, become heated discussions under fire. Add to that the other decisions, the miscommunications, and the scramble to figure out who the ‘incident commander’ is and which department’s authority takes precedence during the crisis, and the missing and untested plan will cost you time and money in the throes of an actual attack, ultimately making it worse on every front. That includes the overall atmosphere amongst employees during and after the attack.

2. Don’t Align Your Response Strategy with Regulatory Requirements

During a cyber-attack, such as a data breach or ransomware case, IT and security teams are fighting to douse many fires at once. As they rush to recover servers and machines and provide other parts of the organization with data and updated information, this hurried process can result in technical missteps that inadvertently violate regulatory requirements. Every time I assess or draft a cyber crisis plan, I ask whether the plan in place has been aligned with regulatory and compliance requirements. Nine times out of ten the answer is no. Either no one thought about undertaking the project internally, or there is an actual silo between the security and regulatory departments and they don’t really talk to each other. During a cyber crisis, this misalignment can lead to reporting delays, data subject impact, and even data destruction that results in additional fines from a regulator. As a recent example, Irish authorities fined a Dublin-based healthcare entity 460,000 euros following the compromise of patient PII and the permanent deletion of 2500 records. The situation was exacerbated by the fact that the attackers also managed to encrypt backup snapshots. The collective response missteps in this case are what cost the organization extra money, even though it did report on time, within the first 48 hours.

3. Hide Information About the Attack (or Lie)

There are too many examples of cyber crises that got worse later on because organizations opted to hide information about the attack. Whether these decisions were made early, shortly after discovering the incident and thereby directly impacting customers, or later on, as the financial impact became more pressing, hiding information is never a good idea. One recent example comes from an SEC settlement in which a software maker in the US agreed to pay $3M over charges of misleading statements about the extent of a 2020 ransomware attack. That is a few million dollars above and beyond what the actual breach and the ransomware extortion would already have cost, plus the other lawsuits that typically get filed in the wake of data breaches. As a reminder, the average cost of a breach in the US stands at $9.44M, already the highest of any geography.

This goes directly back to having plans in place, with as many decisions pre-made as possible, linked to a proper risk assessment and a list of considerations that executives have already had the chance to deliberate at least once. Another core element that can help here is documenting a Leader’s Intent: a very clear instruction that enables anyone in the organization to take action in line with its mission and values. For example, for a hospital, a Leader’s Intent could be: “Save patient lives, no matter the cost”. For a services organization it could be: “Our customers come first, spare no effort”. These are overarching statements from a CEO, for example, that can serve as a beacon through a major crisis even when teams work across the globe and across time zones and cannot meet with leadership because of the attack’s constraints.

Another critical piece of the puzzle is crisis communications. If the communications team is not prepared to respond to a cyber-attack on its end, the company can appear to be hiding information, fail to report it on time, and ultimately seem not to have its customers’ best interests in mind.

In some cases, an unprepared response can cause organizations to give non-factual answers, and then appear out of touch with reality when customers read a different version of the story in the media.

Needless to say, the reputational impact is one of the costliest aspects of any cyber-attack: plummeting stock prices, a falling NPS, lost business, and long-term customer churn.

Mitigate the Impact of Ransomware Attacks

1. Have a proper and detailed plan for dealing with a cyber crisis. Have ransomware playbooks in place: one for the technical team and one for the executive team. Being ready pays dividends in the event of an actual attack, and it can also help you sleep better at night.

2. Align the response strategy with the regulatory and compliance department. Breaking this silo can save a lot of money and internal scrambling during an attack.

3. Be honest and upfront about what the organization knows about a cyber-attack. Communicate early, working with the CISO and CIO to deliver accurate messages at a set cadence. You don’t have to know everything right away, but you do have to tell affected customers, employees and your business ecosystem that you are sparing no effort to learn more and make things right.
