2021 has been quite a year for ransomware attacks. Cyber criminals focused their sites on many organizations, with attacks on SolarWinds, Colonial Gas, JBS Foods, and recently Kaseya making the news. Ransomware attacks are up 151% this year, according to Sonic Walls’ Midyear Threat Report. These trends suggest that the attacks are not likely to stop.
In reviewing how Flagship has been able to help clients survive and thrive in this era of cybercrime, one of the most important lessons is the need for all companies to create an Incident Response Plan.
How should employees act when there is a cyberattack? An Incident Response Plan is a guide for what to do, who to call and what to communicate. Companies with a solid Incident Response Plan fare much better than those without. They can help employees stop an attack early and leave the next steps to the professionals, who can determine the cause and the strategy for remediation.
What to do? The first and simplest thing to tell employees is that if they detect an attack, turn off their workstation and disconnect it from the network. That will prevent the attack from moving laterally across systems within your IT environment. Plus, it may save any evidence of the attack on the workstation for the insurance and/or forensic firm.
Who to call? The first call should be to the office manager or internal IT team. Before an employee talks to anyone outside the organization, you should engage the company’s single point of contact, who will coordinate all communications, both internally and externally. That person should have a short list of senior people (e.g., CEO, Principles, owners, etc.) who need to be informed immediately.
Who to call next? Call your MSP or the IT services provider who may be connected to the event. They may be seeing the attack at same time, and if not, they need to be alerted that your organization may be threatened. Never sugar coat the situation when communicating with service providers. At the outset, it is difficult to detect how widespread an attack may be. Are you the only affected party? Is this part of the broader set of incidents? Either way, the service provider will be able to guide you on your next steps and how to get your IT environment operational ASAP. They can examine each workstation and server that appears to be impacted, test them 1-by-1, and install tools to fix the issue.
If you know that you might incur damages, whether due to the loss of data or request for a ransom payment, you must communicate with your cyber insurance agency early in this process. They need to be apprised of the situation and may want to contact (or recommend to you) a forensic consultant to determine the cause and damage of the incident.
Whether a broader set of employees or the whole organization are eventually informed is highly dependent on the nature of the attack. Many banks, public institutions, professional offices, hospitals, and other organizations may want to limit knowledge of the attack to affected customers for reputation purposes.
Understand your vendors’ Responsible Disclosure Process. Many MSPs and technology vendors have a Responsible Disclosure Process, which is their internal plan for how to communicate with clients in a timely way about cyberattacks. This is not necessarily a detailed plan, but their runbook for how to connect with clients in the event of an emergency. Ask your MSP and IT providers for their policy so that you have a complete picture of what information you can build into your plan.
Document your Incident Response Plan. Your plan should be documented and stored in two places, one outside your environment (e.g., DropBox, Box, etc.) and one available in paper form. It should include multiple forms of communication, such as personal emails, phone numbers, web conferencing links, etc. Make sure that your MSP has your emergency contacts and updated Incident Response Plan, so they know how to best support you if an attack occurs.
NOTE: This is second in a series of blogs on Ransomware 2021: Lessons Learned that we will be posting on our website. For more information on how to create an Incident Response Plan or have Flagship conduct one of our security assessments, please complete the form below.