As more and more people realize that cyberattacks don’t just happen to ‘others’ but are likely to happen to their organizations, it should be clear that simple awareness of these events is not sufficient: you have to prepare for when, not if, these events happen. We recently had the chance to sit down with Stu Panensky, Partner at FisherBroyles, LLP. Stu and his team have dealt with over 100 ransomware attacks in a counseling role and have a lot of wisdom to share about the current state of cyberattacks and what organizations can and should do to prepare for them.
Incident Response Plan
One of the key issues we covered in the discussion was the importance of an Incident Response Plan. This is a set of instructions or procedures to detect, respond to, and limit the consequences of a cyberattack against an organization’s information systems.
You want to have this plan put together (and written down) for three reasons:
- You don’t want to have to figure out what to do and who to call while the event is happening—you need to account for the fact that it’s very hard to make rational decisions in disaster scenarios.
- You want to have a written document to reference in case computers are encrypted and you can’t use them to access the plan—there should be multiple copies of this printed plan with multiple people to avoid a single point of failure.
- You want to have gamed out scenarios, such that there’s a step-by-step checklist you can follow to help the organization respond quickly and calmly—this should include conditions in which the organization can stay ‘open’ and move to non-digital tools to carry on business, and other conditions in which such actions are not tenable.
Generally, in a ransomware situation, threat actors are trying to shorten the timeline. They put pressure on for a decision to be made quickly, but Stu and his team counsel victims to press for more time. This, firstly, allows for the environment to be secured, and secondly, gives time to see if there are alternatives to getting back up and running without relying on a decrypting tool from the threat actor.
The reason you will often need time to secure the environment is the complexity of given networks and interlocking programs, including on-premise servers vs. cloud servers, etc. It’s no good negotiating if the environment is still vulnerable to new attacks.
Tactics that the threat actor can use to create pressure include:
- sending emails to your help desk to keep it busy all day long
- accessing a customer list and sending emails to those customers telling them, “Did you know we’ve attacked this company you do business with?”
- threatening to make the data breach public, creating a public relations problem
Stu told us a “Christmas miracle” story, in which threat actors had attacked a school district right before Christmas vacation. Stu and his team spent a lot of time early in the process communicating with the threat actor. They explained the difficulty for a large bureaucratic organization like a school district to get ransom money at this time of year, with faculty, staff, and students getting ready to go on Christmas vacation.
Stu attributes this transparency as well as playing on the particular time of year with a once-in-a-lifetime resolution in which the threat actor gave the decryption key with the note to “make sure the kids get taught about cybersecurity.”
While Stu says that this is not an outcome most people should expect, he believes that part of how it happened was because he and his team had been highly communicative from the start, and that’s a best practice to implement.
Audit Your Vendors and Contracts
While many organizations understandably outsource their data security to a third party, they aren’t always clear what the conditions are regarding a cyberattack. Go over your contracts with third party IT providers and find out what is in your agreement in regards to cyberattacks and what their obligations are. You can go further than this and ask what measures they have in place to make sure they are auditing their own systems to be prepared for every sort of attack.
Be aware that you may have responsibilities as well. Stu shared with us an engagement letter that a client had with a retailer in which there was a security provision, that in the case of a cyberattack, including but not limited to ransomware, they were to be notified immediately. If you have engagements with a provision such as this, you need to add it to your incident response plan: “Contact X per their security provision.”
Another way to outsource risk is to get cyber insurance; Stu says that this is the best form of security. While we agree, of course, he also noted one particularly underutilized aspect of cyber insurance: crisis communications. This is coverage that enables a client’s marketing or internal public relations team to hire a firm to guide them through media statements, social media strategies, social media monitoring, etc. to help get ahead on messaging. This is important not only for internal stakeholders like employees and investors but also for all those who are watching the event happen and may have some tie to the situation.
Stu underlined that there was not a single one of his small or mid-sized clients that did not benefit from having cyber insurance.
No One Is Immune
As we said at the beginning, it’s not a question of ‘if’ but ‘when’ a cyberattack will happen to an organization you are involved with. It’s not just because of the large number of threat actors out there; it’s also because every organization has something of value that some criminal can chase. Those items of value need to be safeguarded thoughtfully and intentionally now, before a crisis happens.
If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.
Click here to learn more about how we can help secure your business data!