Advice from the ISACA Ransomware Response Checklist

A decade ago, most companies realized that being hit with a data breach was inevitable—the well-known “when, not if” statement drove that idea home.

The time has come to make a similar realization about ransomware. Tenacious cybercrime rings and the easy availability of ransomware toolkits, as well as the financial rewards, are why ransomware attacks are increasing.

But even if an organization anticipates that a ransomware attack is likely, it may not understand how vital it is to have a plan already in place, with a very detailed outline of what all parties should be doing.

When an attack happens, the immediate question is how to get the data back. At that point, the CISO may be getting advice from leadership, legal and others in the company on how best to approach the ransomware response.

However, all this helpfulness is not the right response here, according to Pam Nigro, VP security at Medecision and ISACA board chair, and Rob Clyde, executive chair of the board of directors for White Cloud Security and ISACA board director.

Perhaps the most important voice during ransomware recovery is that of the communications officer, Nigro and Clyde said in a conversation at RSAC 2023.

Designating a Communications Officer

Organizations often underestimate the importance of having a dedicated voice to guide the company through the attack and its aftermath, both internally and, equally important, externally with customers and media. It allows for one voice to answer questions and prevent conflicting messaging from coming from the company.

But this voice shouldn’t be chosen in the midst of an attack response, said Nigro and Clyde. The communications officer, as well as the rest of the ransomware response team, should be put in place when things are calm—in other words, before an attack happens.

The problem is too many organizations don’t know where to start in planning for a ransomware attack. The incident response plan in place for data breaches and other types of attacks won’t necessarily cover a ransomware attack. How do you go forward when your data is locked and there’s a chance your system is corrupted?

A ransomware attack could impact your company’s email system or internal communications, for example. After the attack is not the time to come up with a solution about how to continue to communicate with employees. A communications officer would be charged with setting up an alternative communication infrastructure, like a Slack channel or a group SMS (especially in a small company) that can be put into action immediately to keep employees up to date and keep misinformation from spreading.

Putting Together a Plan

During RSAC, ISACA introduced the Ransomware Incident Management Quick Reference, which guides organizations through the steps to improve ransomware readiness across key areas of planning and preparation, identification and detection, analysis, containment, eradication, recovery, and postmortem, lessons learned and after action.

The ISACA reference is set up as a detailed checklist that includes suggestions on what roles are needed on the response team, policies and procedures to follow and information about cyberinsurance. The document also offers guidelines to follow as you make your way post-attack.

Even if your company has a ransomware attack and response plan in place, reviewing it against the ISACA reference can help you identify some things you may have missed or not even thought of. For example, you probably have backup systems in place, but are you also replicating data? Replicated data is always fresh and gives you more current data than a standard backup will.

Microsharding is another suggestion that your organization may not be practicing. Microsharding separates your data into different storage areas but also digitally shreds the data to scrub it of any identifiers. If the company is hit with a ransomware attack, you can get better insight into what data was corrupted.

Ransomware hits everyone, no matter the size or type of business. You don’t need a large budget or a large team to create an incident response plan. The ISACA reference offers a starting point, especially for organizations lacking security maturity. It provides structure on how to best understand your landscape and your security posture, allowing you to make sure you know where you need protection and how to recover your data. Most importantly, it will allow you to determine who will act as the voice of your incident response to avoid confusion and conflicting messages.

Because, remember, the threat actors want to create chaos, which makes you an easier target. If you have a script to follow, you have a better shot at thwarting their objectives. If they can’t make money off you, quick and easy, they’ll move on to the next potential victim.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.