Who Do You Call If Your Business Gets Affected by Ransomware?
The average ransomware payout in 2018 was $6,733, according to Coveware. The average overall business impact was almost $55,000, with business impact lasting an average of 5.5 days. Arguably worse, 15% of all data affected by these breaches was rendered unrecoverable. These attacks are growing in prevalence, increasingly affecting businesses of scale, the average employee count being 71, and are presenting unique challenges to the assessors of risk in the business community.
It is my sincere hope that you’re coming to this article from a place of proactive research. If you’re in a position where the walls have already been breached, please feel free to reach out to us directly for specific advice. The rest of this article will serve to build a set of guidelines, or an emergency plan, in case of an attack.
We’ll go over the following steps to head off a crisis, and end our article with a few recommendations for how to protect your business.
If you’ve been hit by ransomware, you should:
- Contact your IT leadership
- Immediately contact your business insurance carrier
- Provide as much detail as possible to any customers affected
- Remediate the affected assets
- Protect the overall IT environment
Call Your Ghostbusters Immediately
While we try to make as much fun of the nature of our work as possible, this isn’t a laughing matter. If you have IT leadership in the organization, they need to be informed as quickly as possible about the suspected breach, if they haven’t reached out to you already. The sooner the tech team can ascertain what’s been compromised, the sooner they should be able to quarantine the attack.
The goal of ransomware is to attack vulnerabilities within an environment to extract financial gain. The amount of value a malicious attacker is able to gain is directly linked to how many important documents they’re able to hold hostage.The amount of documents or sensitive information your attacker is able to get their hands on depends entirely on how long the intrusion goes undetected. We know that there may be some shame or fear about reporting that you clicked a phishing link, but the problem compounds with each action you take afterwards. The sooner you report it, the sooner your security team can respond and everyone can start the healing process.
A healthy IT department should have the capacity to isolate and quarantine the affected workstation or mailbox, and keep the malware from spreading. In the event that a workstation, application server or other asset gets compromised and held for ransom, it’s important to set policies that determine how much your organization is willing to pay to rid itself of an intrusion. Sometimes, a ransom number is low enough that paying it justifies removing the burden from your environment.
A good CIO or technology strategy leader should be able to help set this process in place. Think of it like a fire escape plan for your business – establish it, review it for efficacy often, communicate it clearly to employees, and do whatever you can to make sure you don’t need to follow it.
Contact your business insurance carrier
Cyber liability insurance is a rapidly growing risk management subset, and with good reason. Individual carriers have all sorts of policies specifically linked to mitigating the downside and damage of cyber intrusion, including ransomware. Some general liability policies will include this coverage as well.
We are by no means experts in insurance here (in fact typing out that last paragraph made me a little ill), but we do respect the value they provide for us and our clients. There’s no shortage of risks in the modern business environment, and covering your eyes and ears to them won’t make you any safer.
The world of cyber intrusion is rapidly evolving, and even if the risk managers of the world aren’t at the forefront of understanding it, they aren’t too far behind.
To get the greatest amount of value from this practice, ensure that your technology strategy works in line with your insurance policy’s. Properly evaluating the true cost of an attack, the value and fidelity of your data and the action plans associated with remediation from a technology level can help your insurer right size the policy for your business.
Communicate any breach to your customers
This part undoubtedly sucks, but the only thing worse than your biggest client getting a fake invoice link from your accounts payable team is pretending like you didn’t know it happened. The nature of ransomware is to continue to infect as many vulnerable clients as possible; while internal networks are often set to contain peer to peer attacks, things like email, document sharing and collaboration suites afford the opportunity for attacks to spread outside the organization.
Knowing and clearly defining your role in protecting customer data can be daunting, but it is absolutely critical for success in the digital age. For many companies, the burden of responsibility is pretty low, and most of that security burden gets passed to the software vendors they choose. In other instances, additional responsibility is required to secure customer or patient data, the compromise of which can be financially devastating for a business to realize too late. The modern business, of any size, requires a data loss prevention strategy, and a consistent security risk assessment policy.
Remediate the affected assets
When I was in high school, my brother and I practiced body checks for hockey using yoga balls in our basement. We’d take turns running at each other, learning how to hit, and take hits. One time, I launched my brother, Adam, into the drywall, his backside landing just above the floor, creating an Adam sized hole in the wall. Terrified, we put my sister’s giant teddy bear in front of the hole, and hoped our parents wouldn’t notice.
They did. That was not a good day for Adam and I. If you have a hole, you’re going to have to figure out how to patch it. This happens to be one of the biggest value drivers of Virtual Desktop services; that an infected ‘desktop’ can be wiped and reimaged from a data center without the physical machine needing to be touched.
In any configuration, though, a plan needs to be in place and followed in the event that any IT asset gets compromised. The sooner an attack can be acknowledged and sequestered, the better everyone’s going to feel.
Secure the perimeter
If there’s any value in being attacked, it's that your organization can identify where your threats are, and how to patch them up. The world of IT security is growing rapidly to support the increasing number and nature of threats, but there will never be a perfect defense force. As such, understanding the attack vector of the ransomware can lead your IT team to shore up defenses they may not have considered.
Unfortunately, there’s no shortage of risks associated with managing a team and network, but there are many ways to reduce them. As with any disease, an ounce of prevention is worth a pound of cure. Creating policies and procedures to safeguard your company ahead of an attack can keep your downside and your downtime as low as possible, and reduce potential threats to mere speed bumps.
It is chronically important that your company is protected from malware. If you’re experiencing a ransomware attack, or simply want to make sure your company is protected from ransomware, Framework can help.