5 Key Things to Include in your Ransomware Incident Response Plan

Ransomware has been a growing threat over the past few years, becoming the number one cause for lost business incomes for small to medium enterprises. In fact, studies have shown that the average cost of a ransomware attack was $283,000 or  $8,500 per hour in 2020.

Beyond the ransom itself, most organizations cannot afford the downtime cost nor the loss of customer trust that results from an attack. Your understanding and preparedness of what to do in case of an attack can make or break your organization's success. Beginning to create an incident response plan can be overwhelming, so here are our top 5 key things to include in your ransomware incident response plan. 

See why multi-layered security is your best defense against Ransomware.

Identify your Team and Assign Key Roles

To begin constructing your ransomware incident response plan, you must first identify the key players and assign specific roles to those players accordingly . While the head of IT is the most obvious player, your team should have members across the organization to take on the non-technical roles. Consider adding in the following people to your crisis response team: 

• C-level Employees- Your C-level employees are the top leadership. If a ransomware crisis were to occur, it is important that they are involved.  Head of Finance- The cybercriminals are after money, so it's always a good idea to have financials represented within the team.  
• PR or Marketing Lead- How do you plan to tell your customers or the rest of your organization? Your PR or marketing lead can handle that. 
• Lawyer or Attorney- Across all industries data privacy can be a huge concern with a ransomware attack. If you are in healthcare, education, or other industries that require compliance, ensure you have a legal voice on your team to help you navigate. 

By ensuring you have the right people on your team who all understand their roles you can then make your incident response plan a success.

Document your Governance Plan

After identifying your team and defining key roles and duties, you must document your organization's governance plan to ensure a clear chain of command if an attack were to occur. This will assure efficient response when tensions are heightened during an actual ransomware attack.

The three top segments for which to document in your ransomware response plan are listed below: 

Technical Response 

Your organization's CSO or IT director will take the lead on how to deal with a ransomware attack. They will best understand the repercussions of each decision on a technical level. 

Communications Response

Your plan should also include steps for your marketing or PR team to take. Being transparent and apologetic to your clients can go a long way in keeping their trust, so it is important to determine who your spokesperson will be, how you will communicate with partners, if you will take any interviews from the press, and how you will notify the rest of your organization. 

Ransom Response

Lastly, your organization will need to determine if it will consider paying the ransom if the attack threatens the sustainability of the organization. Though paying the ransom should be your absolute last resort, you will need to include your CFO to approve payment and release funds if your organization should decide to pay the ransom. 

Ensure a Backup and Recovery System is in Place

During a ransomware attack, cybercriminals hold important data hostage which causes expensive downtime. Even if you pay the ransom requested to unlock your system, there is no guarantee that the cybercriminals will actually give you access to your data.

Because of this, the FBI recommends never paying the cybercriminals ransom, Instead of paying the ransom, make sure you have a substantial backup and recovery system. Check in on your organization’s current system to see how this can get you back up and running after a ransomware attack. 

If you don’t currently have a system in place, Datalink Networks can help your organization find the perfect backup and recovery solution for your organization. If you do not know where to start when choosing the right backup and recovery provider, here’s another blog post that can help you ask the right questions: 

Blog Post: 8 Things to Ask Every Backup and Disaster Recovery Provider

Properly Train Your Organization

With nearly 70% of ransomware attacks coming from spam or phishing emails, it is crucial that you train your organization well. Regularly training your staff on the top types of phishing email and how to recognize them can dramatically decrease the risk of a ransomware attack being successful. 

Blog Post: The Essential Cybersecurity Toolkit

Although a great deal of ransomware attacks originate from emails, training your staff in overall best practices can also help keep your organization safe and secure. Because ransomware attacks can be deployed as soon as the cybercriminals enter gain access to your network, actions must be taken to prohibit them from gaining access. By training and enforcing best practices for your organization such as strong password policies, the use of multi-factor authentication (MFA), and connecting only to secure sources of internet you can proactively prevent cyberattacks from occurring.  

Practice your Plan and Review Regularly

Practice always makes perfect, and your ransomware crisis plan is no exception. By running through practice scenarios using the steps previously documented, you can truly be prepared if a ransomware attack comes your way. 

Whether monthly or quarterly, your IT team should exercise your plan to ensure: 

- You've confirmed SLA's 

- You've identified and resolved vulnerabilities

- Your team has had the opportunity to encounter challenges and learn from them

By reviewing roles and practicing on a quarterly basis, you can reassign tasks as employees leave the company as well as find any gaps within your plan. This gives you the advantage to adapt and make changes to your guide prior to ever needing it, ensuring that your organization can smoothly handle a ransomware crisis.  

Click here to read our article about Cybersecurity for small to medium businesses.

Need help creating an incident response plan? Let us help!