Top executives are increasingly dreading the phone call from their fellow employees notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37% of organizations surveyed had been affected by ransomware attacks in the last year.

Worse, the days when executive leadership teams could fully delegate responsibility to a CISO (chief information security officer) are over. Regardless of reality, surveys have shown that about 40% of the public perception of fault for a ransomware attack land squarely on the CEO’s shoulders, and that 36% of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the Executive Leadership Team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.

WHEN, NOT IF

Many teams center their plans around the prevention of the initial attack, not the response, after an adversary successfully gains a foothold. A ransomware attack is always a multi-stage process, and it is up to members of the ELT to set a strategy that slows and frustrates the adversary during an attack. Those aspects of planning should focus on quick response, tested containment techniques, and eradication. Some examples of questions you should ask might be:

• Does your team have Standard Operating Procedures for and regularly practice containment “battle drills” such as quickly changing all privileged account passwords throughout the entire enterprise?

• Do they have ways to quickly isolate a compromised network segment to preserve the integrity of the rest of the network?

• Is your team working toward zero-trust architecture?

• Does your team know where your critical data resides and is it encrypted at rest?

• Do they know what your business-critical services are, and what technical dependencies they have?

• Are your backups redundant and protected from casual access by a compromised administrator account?

The answers to these tough questions can be the difference between success and failure when facing an impending ransomware attack.

TEAMWORK MAKES THE DREAM WORK

Your top performers will often push themselves beyond the point of exhaustion during a major incident and make mistakes as a result. Do you have trusted individuals holding each other and their teams accountable to set a proper tempo? Generally speaking, incident responders can only perform at peak mental efficiency for about 10-12 hours per day, so that figure can be used to structure a good rotation. Does your team have an effective rest plan with redundancy built-in for key roles in case of personal life emergencies? Since your time as an executive is very limited, how do you want to be updated, and does the team understand that requirement? Is legal embedded into your organization’s incident command structure?

Some of the most successful responses also often involve specialized support from third-party security software/hardware providers as well. Does your incident response team have those relationships already established and have well-documented procedures for getting their support?

CAN YOU HEAR ME NOW?

Along with all the above questions, the overall question to ask yourself is: “How can we prepare for ransomware communications?” In terms of internal communication, it is critical to define what communication system will be used to send notifications. Is it capable of reaching and rallying the team after hours? Assuming the worst-case scenario where the entire corporate network is offline, do you have a truly out-of-band (OOB) communication method? Referring to the military planning model, it is no accident that even the lowest-level operations orders define primary, secondary, and tertiary methods of communication.

Time matters for external communications. Attacks on high-profile organizations generally appear in the media within 24 hours. Do your communications and PR teams have pre-built templates they can use for initial public notifications of an incident? Writing them now will save time and ensure that key details are not overlooked during a crisis. What are the key points needed to take control of the news cycle early? What is the approval chain — does the CEO need to personally review it, or can it be released at the direction of the head of corporate communications?

A thoughtful CEO might want to establish circumstances under which direct review is required, such as in the case of confirmed sensitive data compromise, but give corporate communications the authority to publish notifications without CEO review under all other circumstances. If you have a customer-facing team like customer care or help desk, is there a canned message they can provide that keeps everyone calm while ensuring that sensitive information is not shared? In all cases, legal counsel should be consulted and work in partnership with corporate communications.

NEGOTIATING WITH ATTACKERS

Are you willing to set a hardline policy that your organization will never pay a ransom under any circumstances? Organizations that set a precedent for making ransom payments are heavily targeted since they are perceived as a guaranteed payday by adversaries. In fact, a recent survey showed that 80% of organizations that paid a ransom were reattacked shortly afterward.

If you cannot set the hardline policy of non-payment, many secondary considerations are important, including the legality of the payment if an OFAC-sanctioned entity is involved. Do you have your legal counsel, cyber insurer, and possibly a professional ransomware negotiation firm you can contact quickly? As always, consult with your legal counsel.

Many IT professionals recommend that victims of ransomware never pay the extortion payment, since it is impossible to guarantee the return or decryption of the targeted data. it helps to draft ransomware payment decision trees to guide you through the decision qualitatively or quantitatively, ensuring you are making a well-reasoned decision while under extreme pressure.

ADVICE TO ANY CEO FOR PREPARING A RANSOMWARE PREPAREDNESS PLAN

• The executive leadership team can and should be closely involved with the development of the anti-ransomware plan.

• Attempted ransomware attacks are almost inevitable for the average organization today, but proper post-breach actions can allow excellent damage mitigation.

• Team structure and good communications plans matter just as much as strong cybersecurity tools and configuration.

Ransom payment considerations are complex and there is no “one-size-fits-all” answer, but in most cases, paying a ransom leads to increased targeting in the future. Contact GFI Digital to help protect your company from ransomware and have a plan to prevent data loss!

Source: Nate Pors – Cisco Talos