Armed with an outline of what to do in a data breach, companies might feel confident their organization will know how to react should disaster strike. But facing the reality of a ransomware attack looks a lot different and feels much more chaotic than it did when discussing it in a conference room. Suddenly, you're dealing with systems going offline, disruption in customer-facing services, loss or encryption of data, and ransom demands of thousands to millions of dollars. In the heat of the moment, it may seem your business will never recover.
This is not an uncommon scenario; even the best-laid plans to protect data from attacks often go awry. According to Veeam's "2023 Ransomware Trends" report, while 41% of organizations have a "do-not-pay" ransomware policy, 80% tossed their rules aside and ended up paying the ransom to recover their data and end the attack.
The best way to withstand the storm is to ensure you're as prepared as possible. Whether you already have some semblance of a plan or are starting from scratch, here are some key elements that are easily overlooked when developing data breach response plans.
Consider Utilizing a Breach Counsel
A breach counsel is a legal team that can advise in case of a data breach to mitigate damages and ensure compliance is met. While it may seem like an added expense, these professionals are experts in data breach and security law and have been through similar incidents many times before, so they can approach things from a calm and experienced perspective.
Connecting with a breach counsel is vital because most cyberattacks are not one-off events. Threat actors target many organizations simultaneously, meaning you are likely not alone. A breach counsel can identify information about the attack, notify law enforcement, and check local regulations. This way, you can spend your energy and focus on dealing with the attack, restoring your data, and getting your business back up and running.
Some organizations may hesitate to loop in legal and law enforcement for fear of "bad press" or being roped into an investigation. However, notifying the police is a legal obligation in most places, and the more information the police have, the more likely they can find and prosecute the people responsible. They might also have information on the attack that could help your organization, such as a decryptor. Checking with online IT forums could also provide valuable insight into the attack. And arguably most important, failing to report encourages future cybercrime by sending the criminals a message that they can get away with no repercussions.
Use Your LinkedIn Network
When an attacker takes systems offline, it may include contact books, Active Directories, and access to email, meaning you won't have the correct information to contact your colleagues, third-party cybersecurity providers, or even your breach counsel. And in today's day and age, we rarely know contact information by heart, instead relying on autofill from our work computers.
One of the most effective ways to bypass this is to ensure you have a robust LinkedIn network, providing another way to contact stakeholders in an emergency.
Avoid Silos With Cross-Department Collaboration
IT teams may think they are the only ones who need to be looped in on the response plan, but that only opens the company to miscommunication and inefficiency when dealing with an attack. Another department may take it upon itself to communicate with the attackers or restore data, not knowing better, risking reinfection.
Providing a clear and transparent plan of action ahead of time keeps everyone in their lanes and provides reassurance that something is being done. Additionally, don't be scared to uplevel your plan to the C-suite level. Employees from the top to the IT admin role will be impacted and can have a role in the response.
Make Backups Immutable
Finally, I must acknowledge the pivotal role of backup and recovery in shielding organizations from the worst-case scenario — losing data forever or paying a huge ransom to recover. Backup storage is the last line of defense against a ransomware attack. Once attackers pass the firewall and evade antivirus software, your backup is often the only weapon left at your disposal.
However, cyberattacks are increasing in frequency and improving in sophistication, and targeting backups is becoming part of cybercriminals' everyday toolkit. Over 93% of ransomware attacks explicitly target backups, according to Veeam's report. Just backing up data is no longer adequate; organizations must ensure their backups use immutable object storage to prevent data from being altered or corrupted. Follow proper 3-2-1-1-0 best practices: Have at least three copies of your data; use two different types of backup media; keep at least one copy offsite; make one copy offline, air-gapped, or immutable; and make sure you have no backup errors. This can further help make ransomware recovery always possible and guarantee recovery against natural disasters or cloud outages.
Don't Underestimate Breach Response Preparation
Responding to a breach is a huge undertaking and should not be underestimated. There's no such thing as being over-prepared when protecting your business, but make sure you're not becoming complacent with a response plan sitting on a shelf collecting dust. One day — when, not if, an attack occurs — you'll be thankful you took a closer look.